Brought to you by our friends at the SANS Institute.
***********************************************************************
SANS NewsBites January 22, 2003 Vol. 5, Num. 3
***********************************************************************
TOP OF THE NEWS
$4.7 Billion Budgeted for Federal IT Security
Virus Writer Jailed for Two Years
Rumsfeld Orders Material Removed from Web
Ohio State Computer System Overwhelmed with 11 Million e-Mails
Microsoft to Share Windows Source Code
THE REST OF THE WEEK'S NEWS
Peer-to-Peer Hydra Worm Claim is a Hoax
Study Shows Old Drives Not Adequately Cleaned
Allstate Banned from On-Line CA DMV Access
SPV Phone Vulnerability
Advice for Choosing a VPN
Agencies are Encouraged to Use FedCIRC's Patch System
DHCP Buffer Overflow Flaws
New Mexico to Deploy Identity Management Program for State Web Access
Sobig Worm Upgraded
Spammer's Site Exposes Customer Data
Mullen Defends Striking Back at Systems Running Worms
Instant Messaging Security Risks
Microsoft Will Release APIs to Ensure Longhorn Works Well with AV
Products
SECURITY COMMUNITY PROJECTS
SANS seeks reviewers for Business Law and Computer Security and for
New SSH Step-by-Step
Dartmouth ISTS Seeks Comments on Security Research Gap Analysis
TOP OF THE NEWS
4.7 Billion Budgeted for Federal IT Security
(21 January 203)
President Bush will ask Congress for $59 billion in new information
technology spending in his FY 2004 budget. $4.9 billion of that is
targeted for computer security.
http://www.govexec.com/dailyfed/0103/012103h1.htm
Virus Writer Jailed for Two Years
(21 January 2003)
Simon Vallor, a Welsh web designer, was jailed for 24 months for
writing and spreading viruses. This sentence is four moths longer
than the one given in the US to David Smith, author of Melissa.
http://news.independent.co.uk/uk/cri...p?story=371624
Rumsfeld Orders Material Removed from Web
(16 January 2003)
Defense Secretary Donald Rumsfeld has issued an order restricting
what information is to be available on armed forces web sites. An al
Qaeda training manual found in Afghanistan indicates the group used
US military web sites to gather information.
http://online.securityfocus.com/news/2062
http://news.com.com/2100-1023-981057.html?tag=fd_top
[Editor's Note (Ranum): Some of us pointed this out back in the early
1990's, when (for example) Ft Huachuca posted intelligence analysts'
training manuals on the web. It's sad that something so obvious had
to go as high as the SecDef.
(Denning): The DoD has been cracking down on this since at least 1998.
See the 1998 memo from the secdef on information vulnerability on
the web http://www.defenselink.mil/other_info/depsecweb.pdf .
The official DoD policy on web content (issued Nov 98 and updated
Jan 02) is at http://www.defenselink.mil/webmasters/]
Ohio State Computer System Overwhelmed with 11 Million e-Mails
(15 January 2003)
Police believe they know who is responsible for sending 11 million
e-mail messages into Ohio State University's computer system.
The attack made Internet access difficult and delayed e-mail delivery
for several days.
http://www.marionstar.com/news/stori...ws/780708.html
Microsoft to Share Windows Source Code
(15 January 2003)
Microsoft will share Windows source code with governments and
international organizations to allow them to conduct security reviews.
Participants in the Government Security program will also be able to
visit Microsoft's development facilities.
http://www.computerworld.com/securit...77599,00.html.
http://www.fcw.com/fcw/articles/2003...p-01-15-03.asp
http://www.theregister.co.uk/content/55/28869.html
http://www.eweek.com/article2/0,3959,830236,00.asp
SANS Local Mentor Programs begin in 31 cities in 5 countries
during the next 16 days. Details and schedule at the SANS Web site:
http://www.sans.org/onlinetraining/mentor.php
THE REST OF THE WEEK'S NEWS
Peer-to-Peer Hydra Worm Claim is a Hoax
(14/16 January 2003)
A hacking group called Gobbles Security admitted that claims it had
been hired by the Recording Industry Association of America (RIAA)
to create a worm to infect peer-to-peer file sharing networks was
a hoax. However, the phony announcement included a description of
a real security flaw and source code to exploit it. The flaw could
be exploited to delete files on Unix-based computers.
http://www.wired.com/news/infostruct...,57229,00.html
http://news.com.com/2100-1023-980649.html
http://www.eweek.com/article2/0,3959,827970,00.asp
Study Shows Old Drives Not Adequately Cleaned
(15/16 January 2003)
According to a study conducted by two MIT graduate students, people who
sell their old disk drives are not doing an adequate job of ensuring
the information they hold is removed. Of 158 drives purchased on eBay
or computer salvage stores, only 12 had been appropriately sanitized;
of the rest were either broken or contained personal data that were
easy to recover and read. The report says people need to be better
educated about methods for cleaning their data off drives they are
selling.
http://www.computerworld.com/securit...,77623,00.html
http://www.msnbc.com/news/859843.asp?0dm=T216T
[Editor's Note (Shpantzer): IT assets should be tracked and
managed in some sort of formal manner. One way to do this is to
use the System Development Life Cycle model (SDLC). This model
includes the disposal phase of assets, which should be given
due regard in accordance with the data sensitivity, as well as
updated to defend against new threats such as advances in forensic
recovery techniques. Here is how one agency works with the SDLC:
http://wwwoirm.nih.gov/security/nih-sdlc.html]
Allstate Banned from On-Line CA DMV Access
(16 January 2003)
Allstate Insurance has been banned from checking on line driving
records at the California Department of Motor Vehicles after officials
discovered that employees at the company were violating confidentiality
rules. Among the infractions: a confidential home address of one
driver was given to another driver, computer passwords were shared,
and false claim numbers were submitted to gain access to friends and
family members' records.
http://www.siliconvalley.com/mld/sil...ey/4965810.htm
[Editor's Note (Grefer): Who'd believe that they're the only ones
abusing the system?]
SPV Phone Vulnerability
(16 January 2003)
Microsoft and Orange, a mobile phone operator, are together developing
a patch for a vulnerability in the SPV phone, which they market
in Europe. The SPV phone is able to run certain downloadable
applications; users and developers who were unhappy with the
restrictions apparently circulated information about disarming that
security feature.
http://www.pcworld.com/news/article/0,aid,108834,00.asp
Advice for Choosing a VPN
(16 January 2003)
This article describes the differences between trusted virtual
private networks (VPNs) and secure VPNs. The article also discusses
implementing VPNs, deciding how they will be managed and what to
expect to pay for VPN gateways and client software.
http://www.idg.net/ic_1020898_9677_1-5044.html
Agencies are Encouraged to Use FedCIRC's Patch System
(16 January 2003)
Presidential cyber security advisor Richard Clarke and the Office of
Management and Budget's (OMB's) associate director for IT Mark Forman
both recommend that government agencies make use of the Federal
Computer Incident Response Center's (FedCIRC's) security patch
distribution service. The Patch Authentication and Dissemination
Capability (PADC) could help agencies meet the FISMA requirements.
Agencies can enter system profiles and receive information about
potential vulnerabilities and how to address them. Patches will
be tested and stored to a secure server for agencies to download
as needed.
http://www.gcn.com/vol1_no1/security/20885-1.html
DHCP Buffer Overflow Flaws
(16 January 2003)
The Computer Emergency Response Team Coordination Center (CERT/CC)
has issued an advisory warning of buffer overflow vulnerabilities
in Internet Software Consortium's (ISC) Dynamic Host Configuration
Protocol (DHCP) software. DHCP versions 3.0 through 3.0.1RC10 are
affected. The ISC has released an update that addresses the flaws.
http://www.computerworld.com/securit...,77622,00.html
http://www.cert.org/advisories/CA-2003-01.html
http://www.kb.cert.org/vuls/id/284857#systems
http://www.isc.org/products/DHCP/
New Mexico to Deploy Identity Management Program for State Web Access
(16 January 2003)
Within the next month, the state of New Mexico plans to implement a
centralized identity management program so that employees and citizens
can access web applications securely. Administrators will be able
to alter employees' profiles, so that if they leave their job, their
permissions change at the same time.
http://www.fcw.com/geb/articles/2003...m-01-16-03.asp
[Editor's Note (Schultz): New Mexico's system appears to be a big
step forward. Too often organizations neglect revoking access to
former employees. Hopefully, the changes in profiles and permissions
that New Mexico is implementing will occur soon after employees leave
their jobs.]
Sobig Worm Upgraded
(15 January 2003)
Several anti-virus companies have upgraded warnings for the Sobig worm
which spreads through e-mail and shared folders affects Windows-based
systems.
http://www.computerworld.com/securit...,77598,00.html
http://www.vnunet.com/News/1138044
Spammer's Site Exposes Customer Data
(15 January 2003)
A web site operated by a spammer who mass mails people with offers
of cheap, pirated software has exposed customer data, leaving it ripe
for picking by other spammers.
http://www.internetnews.com/IAR/article.php/1569901
Mullen Defends Striking Back at Systems Running Worms
(13 January 2003)
Tim Mullen defends his "strikeback" position; he believes people
should be allowed to "neutralize a worm process" on others' systems.
He reasons that if an entity has no responsibility for worms running
on their systems without their knowledge, they have no rights to the
process, either. In other words, if entities claim their rights were
violated by a strikeback, that claim carries with it an acknowledgment
of responsibility for the worm's actions.
http://online.securityfocus.com/columnists/134
[Editor's Note (Ranum): "Blame the victim" is not a moral position.
(Paller) Whether or not it is moral, blaming the victim may be
legal. In the BNA Electronic Commerce Law Report, Raul, Volpe and
Meyer write, "Under a tort liability model, security breach victims
may be able to seek damages from a company if they can prove the
existence of: (1) a reasonable duty of care necessary to prevent
security breaches, (2) a breach of that duty, (3) a proximate
relationship between the breach of the duty and the injury, and
(4) actual loss or damage sustained as a result of the breach."
<http://www.sidley.com/cyberlaw/featu....asp?print=yes>
The problem with Tim Mullen's thesis is that he is not asking for
damages from the victim, but for a right to break into the victim's
computer. Federal statutes clear say that is illegal without the
victim's permission.
(Schultz) Mr. Mullen certainly has the right to his opinions, but
frankly, I'm disappointed that a well-respected site like Security
Focus would resort to publishing a white paper that advocates the
right to become a cyber-vigilante.]
Instant Messaging Security Risks
(13 January 2003)
This article describes the various security threats associated with
Instant Messaging clients: worms, backdoors, hijacking, and denial
of service. Because the use of Instant Messaging is increasing, the
possibility of becoming infected with malware is increasing as well.
http://online.securityfocus.com/infocus/1657
Microsoft Will Release APIs to Ensure Longhorn Works Well with
AV Products
(13 January 2003)
Microsoft is taking steps to ensure that its next-generation operating
system, code-named Longhorn, will work well with anti-virus software.
The company is releasing approximately 100 APIs to anti-virus
vendors, which should help with virus scanning and detection and
reduce interference with operating systems and applications.
http://www.nwfusion.com/news/2003/0113antivirus.html
SECURITY COMMUNITY PROJECTS
SANS seeks reviewers for Business Law and Computer Security and for
New SSH Step-by-Step
Two consensus research opportunities:
The first draft of our new SANS SSH Step-By-Step is ready for review.
This work includes configuration, usage and verification steps for SSH.
In addition, we are seeking Attorneys who are interested in reviewing
the first draft of our new SANS one day course that is slated to be
come the book: Business Law and Computer Security
To participate in either project, please include any relevant
experience and credentials along with your Bio/resume and respond
to review@sans.org
Selected reviewers who make substantial contributions will receive
credit by having your name and organization listed on the inside
front cover. In addition, you will receive a free copy of the book.
Dartmouth ISTS Seeks Comments on Security Research Gap Analysis
The Institute for Security Technology Studies (ISTS) is doing an
analysis of the gap between needs and available technology for cyber
attack investigation. If you have tools that are useful in this field,
email Andrew MacPherson at amacpherson@ists.dartmouth.edu.
Reply With Quote