Lots of stuff going on this week.

Brought to you by our friends at the SANS Institute.
SANS NewsBites February 5, 2003 Vol. 5, Num. 5

Bush Approves National Cybersecurity Strategy; Cybersecurity Advisor
Clarke Resigns
GEWIS Internet Monitoring System
Slammer is Fastest Spreading Worm
Man Sentenced for Selling Certification Exam Answers
Trojan Writers Exploit Outlook Express To Get Around Content

Air Force Staff Sergeant Sentenced for Theft of Notebook Computers
and PDAs
Slammer Demonstrates Microsoft Has a Long Way to Go on Trustworthy
Strong Opposition to Electronic Voting in Silicon Valley
Benchmark Could Have Slowed Slammer's Progress
FAA Security Practices Helped Fend off Slammer
FAA CIO Mehan Interview
Missing Hard Drive Contains Data that Could be Used in Identity Theft
Take Steps to Protect Databases, Warn Lawyers
Consortium Wants Increased Cybersecurity R&D
Researcher Questions Publishing Proof-of-Concept Code
Georgia to Implement Behavior Based Intrusion Detection System
Dummy Server (Honeypot) Attracts Attacks
Coordinated Effort Helps Track Down Leaves Author
Fourth Man Arrested in Credit Report Theft Ring
Symantec's Buy-Out Proposal Site Exposed Information
Company Will No Longer Work with CERT/CC
Kansas Issuing Digital Certificates for Statewide PKI
Survey Says Companies are Still Reluctant to Share Security Breach
Root Server Traffic Largely Unnecessary
Social Security Number Misuse Prevention Act
OMB Minimum Security Standards Don't Apply in Some Contractor
Thieves Stealing Bank Logon Data from Public Access Terminals in UK

--Bush Approves National Cybersecurity Strategy; Cybersecurity
Advisor Clarke Resigns
(31 January 2003)
President Bush has signed the National Strategy to Secure Cyberspace.
The document will be released to the public within the next few weeks.
In addition, Richard Clarke, White House cybersecurity advisor, is
resigning his post; Clarke's deputy, Howard Schmidt, has assumed his
duties. Schmidt is the former chief security officer for Microsoft
Corp. and has a strong sense of the importance of government and the
private sector working together to address cybersecurity.
[Editor's Note (Schultz): Howard Schmidt is a top-notch person, and I
am glad to see that he is assuming the role vacated by Richard Clarke.
(Paller) Dick Clarke did more to advance the cause of cybersecurity
than anyone else inside or outside government. He'll be sorely missed
by everyone who cares about protecting networks from attack.]

--GEWIS Internet Monitoring System
(31 January 2003)
The Bush administration is creating an Internet monitoring system
that will provide a picture of the Internet's health. The Global
Early Warning Information System (GEWIS - "Gee-whiz") will detect
and respond to denial-of-service attacks and other cyber incidents.
GEWIS is being built by the National Communications System, a defense
agency, which receives real time network status information from ISPs
and telecommunications providers.
[Editor's Note (Ranum): The only way to respond to DOS is to be in the
route the traffic is going to traverse. Detection by itself is a hard
problem, but this whole concept is ridiculous as it's described. Of
course phase 1 is just to provide a "Gee whiz" graphical picture of
the health of the Internet. That's doable, given the right data. I
bet that they won't get farther than that.
(Paller) I disagree with Marcus on this one. Marcus is correct that
only someone "in the path" can stop the attack. That "someone" is
usually the ISP. When Internet Storm Center found the Lion worm,
SANS analysts quickly informed the folks at the ISPs who acted
instantly to block the China.com site where the worm was sending
stolen password files. In other words, early detection can lead to
immediate remediation.]

--Slammer is Fastest Spreading Worm
(3 February 2003)
The Slammer worm infected 90% of vulnerable computers within ten
minutes, according to the Cooperative Association for Internet Data
Analysis (CAIDA). The number of infections doubled in size every
8.5 seconds; after three minutes, Slammer was generating 55 million
scans for vulnerable computers every second.

--Man Sentenced for Selling Certification Exam Answers
(31 January 2003)
Robert Kepple, who last summer pleaded guilty to selling answers to
Microsoft certification examinations on the Internet, was sentenced
to a year and a day in prison and ordered to pay a fine of half a
million dollars. In addition, Kepple will be under supervision for
three years after his release.
[Editor's Note (Paller): As intellectual property becomes a larger
component of wealth, this type of prosecution will become much more

--Trojan Writers Exploit Outlook Express To Get Around Content
(31 January 2003)
Virus authors and Trojan writers are using fresh malware tricks to fool
traditional content filtering packages, email security firm MessageLabs
says. A feature of Microsoft Outlook Express can be exploited to evade
content filters and persuade an email recipient that an attachment
is safe to open - even when it contains malicious code. Microsoft
Outlook is not at risk (contrary to first reports of the problem).

--Air Force Staff Sergeant Sentenced for Theft of Notebook Computers
and PDAs
(3 February 2003)
Air Force Staff Sergeant Sheridan Ferrell II was sentenced to six
years in military prison for stealing four notebook computers and two
Palm Pilots from US Central Command in Tampa, Florida. The items,
some of which contained sensitive data, were stolen last summer and
were recovered at Ferrell's home. He apparently stole the items
because he was angry that he had been passed over for promotion.
Ferrell was also demoted and will be dishonorably discharged after
he completes his prison term.

--Slammer Demonstrates Microsoft Has a Long Way to Go on Trustworthy
(1 February 2003)
Some security experts are pointing to Slammer as evidence that
Microsoft's Trustworthy Computing Initiative is not living up to its
initial billing.
[Editor's Note (Schultz): It's premature to say that Microsoft's
Trustworthy Computing Initiative (TCI), which is not even one year old
yet, is a failure. It's true that serious vulnerabilities in Microsoft
products are being discovered all the time, but these vulnerabilities
are in older products, products that were not developed when the TCI
went into effect. We should instead turn our attention towards new
Microsoft products such as Windows Server 2003 when deciding whether
or not TCI is successful.]

--Strong Opposition to Electronic Voting in Silicon Valley
(30 January/1 February 2003)
Some local computer scientists have expressed concern over Santa Clara
(CA) County's plan to introduce direct-recording electronic voting
as a replacement for its present punch card system. The computer
scientists fear that the all-electronic system offers no way for
voters to validate that their selections were recorded accurately;
they would rather see a system that prints out a paper ballot and
provides an audit trail.

--Benchmark Could Have Slowed Slammer's Progress
(31 January 2003)
Slammer's rapid spread across the Internet could have been slowed
if companies had installed the patch Microsoft had issued for the
vulnerability and if they had used the free Consensus Minimum Security
Benchmarks, which are designed to detect vulnerabilities, including
the one exploited by Slammer. The benchmarks were developed by five
federal agencies, the SANS Institute and the Center for Internet
Security (CIS).
[Editor's Note (Schultz): There was no patch for those who installed
the Microsoft Desktop Engine (MSDE) using the Microsoft .NET Framework
Software Developer's Kit until several days after Slammer first struck
the Internet.]

--FAA Security Practices Helped Fend off Slammer
(28 January 2003)
The Federal Aviation Administration (FAA) came through Slammer
relatively unscathed: only one administrative server was compromised.
FAA CIO Daniel Mehan credited his agency's cyber security strategies,
which include keeping current on patches, providing regular training
for employees, isolating mission critical flight control computers
from web connected machines, using firewalls and conducting regular
internal security audits. The FAA is also working with some vendors
on building security into their products.

--FAA CIO Mehan Interview
(31 January 2003)
In an interview, Federal Aviation Administration (FAA) CIO Dan Mehan
discussed the need for developers to integrate security into the
design of their products and the FAA's policy on wireless technologies.

--Missing Hard Drive Contains Data that Could be Used in Identity
Theft
(30 January 2003)
The Royal Canadian Mounted Police (RCMP) and the Regina (Saskatchewan)
Police Service are investigating the disappearance of a computer hard
drive that contains personal information belonging to 180,000 customers
of Co-operators Life Insurance Company; the information could be used
to steal people's identities. Co-operators' customers have been sent a
letter describing the situation. ISM Canada, the company that stored
the data, says other clients' data is also on the disk.

--Take Steps to Protect Databases, Warn Lawyers
(30 January 2003)
Lawyers in the UK are warning companies to take steps to better protect
their databases after two incidents of attempted data theft were
reported recently. The databases may have been targeted to harvest
e-mail addresses for mass mailings. The lawyers say companies should
document the steps they take to secure the data and develop disaster
plans that can be implemented in the case of an attack.

--Consortium Wants Increased Cybersecurity R&D
(30/31 January 2003)
The Institute for Information Infrastructure Protection (I3P) wants
the government and private sector companies to conduct research and
development in eight areas of cybersecurity, including secure system
and network response and recovery, enterprise security management
and traceback, identification and forensics. I3P is a consortium
of security research institutions funded by the National Institute
of Standards and Technology (NIST) and based at Dartmouth College in
Hanover, New Hampshire.

--Researcher Questions Publishing Proof-of-Concept Code
(30 January 2003)
David Litchfield, the man who discovered the vulnerability exploited
by the Slammer worm last week says the worm was created from code he
published as a proof-of-concept. In the wake of Slammer's rampant
spread, Litchfield questioned the wisdom of continuing to publish
such code.

--Georgia to Implement Behavior Based Intrusion Detection System
(29 January 2003)
The State of Georgia plans to implement a behavior based intrusion
detection system. The state's computer network security has included
firewalls and signature-based intrusion detection systems; the addition
of the behavior-based system should help reduce the likelihood that
state computer systems will be hit with viruses and worms whose
signatures are unknown. The system establishes a baseline of normal
network behavior and notifies the administrator about any anomalies.
[Editor's Note (Ranum): Many organizations have planned behavior-based
IDS. Very few of the behavioral systems have paid off, unless they
are supported with vast amounts of expertise or manpower. Perhaps
this would be more newsworthy after they've succeeded.]
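The item above describes a behavior-based system in two steps: learn what normal network activity looks like, then alert on departures from it. The following is an added illustration of that idea, not the State of Georgia's system or any vendor's product. It learns a per-host baseline of outbound connection rate and destination fan-out from a training window of flow records, then scores a later window by z-score. The flow records, the hosts, the sigma floor and the alert threshold are all constructed assumptions; the point it shows is that a host running a scanning worm with no known signature still stands out against its own baseline.

```python
"""Added example (not the State of Georgia's system): a minimal
behaviour-based detector that learns a per-host baseline from a
training window of flow records and alerts on later windows whose
activity departs from it.  All flow records are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training flows: (minute, source host, destination IP).
# Two workstations making 3-4 outbound connections per minute.
TRAINING = [
    (minute, host, f"192.0.2.{i + 1}")
    for minute in range(10)
    for host in ("10.0.0.5", "10.0.0.6")
    for i in range(3 + minute % 2)
]

# Constructed detection window: 10.0.0.5 stays normal, while 10.0.0.6
# suddenly opens 200 connections per minute to distinct addresses, the
# fan-out pattern of a scanning worm whose signature is unknown.
WINDOW = (
    [(m, "10.0.0.5", f"192.0.2.{i + 1}") for m in (10, 11) for i in range(3)]
    + [(m, "10.0.0.6", f"203.0.113.{i + 1}") for m in (10, 11) for i in range(200)]
)

SIGMA_FLOOR = 1.0     # assumption: avoids dividing by a near-zero spread
Z_THRESHOLD = 3.0     # assumption: alert when more than 3 sigma above baseline


def per_minute_features(flows):
    """Map (host, minute) -> (connection count, distinct destinations)."""
    conns = defaultdict(int)
    dests = defaultdict(set)
    for minute, host, dst in flows:
        conns[(host, minute)] += 1
        dests[(host, minute)].add(dst)
    return {key: (conns[key], len(dests[key])) for key in conns}


def build_baseline(flows):
    """Per-host mean and stddev of each feature across the training minutes."""
    by_host = defaultdict(lambda: {"conns": [], "dests": []})
    for (host, _minute), (c, d) in per_minute_features(flows).items():
        by_host[host]["conns"].append(c)
        by_host[host]["dests"].append(d)
    baseline = {}
    for host, samples in by_host.items():
        baseline[host] = {
            name: (mean(values), max(pstdev(values), SIGMA_FLOOR))
            for name, values in samples.items()
        }
    return baseline


def detect(flows, baseline, threshold=Z_THRESHOLD):
    """Return (host, minute, feature, z) for every departure from baseline.

    A host with no baseline at all is reported as well: a machine that
    never appeared during training is itself an anomaly worth a look.
    """
    alerts = []
    for (host, minute), (c, d) in sorted(per_minute_features(flows).items()):
        if host not in baseline:
            alerts.append((host, minute, "unknown host", None))
            continue
        for name, value in (("conns", c), ("dests", d)):
            mu, sigma = baseline[host][name]
            z = (value - mu) / sigma
            if z > threshold:
                alerts.append((host, minute, name, round(z, 1)))
    return alerts


if __name__ == "__main__":
    base = build_baseline(TRAINING)
    for alert in detect(WINDOW, base):
        print("ALERT host=%s minute=%d feature=%s z=%s" % alert)
```

The editor's note above is the caveat: a z-score over a few hand-picked features is the easy part; keeping the baseline current as legitimate behaviour shifts, and triaging the alerts it produces, is where the expertise and manpower go.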

--Dummy Server (Honeypot) Attracts Attacks
(29 January 2003)
PSINet Europe set up an unprotected "dummy" server at its Amsterdam
Internet Data Center; the server was attacked more than 450 times
within 24 hours of going on line. The server contained no data and
had no public profile. Many of the attacks were made from broadband
or cable ISPs; most attacks came from the United States and Western
[Editor's Note (Schultz): When deployed properly, honey pots can
be extremely valuable. At a minimum they can serve as a "barometer"
of the amount and types of malicious activity on the Internet.]

--Coordinated Effort Helps Track Down Leaves Author
(29 January 2003)
This article offers a detailed account of a coordinated effort between
the White House, FBI and members of the private sector to track the
author of the Leaves worm in the summer of 2001. In the midst of
their work, the team was forced to deal with another Internet fiend --
Code Red. In the end the team uncovered the worm's author in the UK,
but his identity was never disclosed.

--Fourth Man Arrested in Credit Report Theft Ring
(29 January 2003)
A fourth man has been arrested in connection with a massive identity
theft ring in which thousands of credit reports were stolen and
sold. The newly arrested man could face up to 35 years in prison
and more than $1 million in fines if convicted. Another man, who
exploited his position at a technology company to obtain the records,
will be arraigned this week.

--Symantec's Buy-Out Proposal Site Exposed Information
(29 January 2003)
A security hole in Symantec's "Submit a Deal" website exposed proposals
from businesses offering to be bought out by the security company.
The compromised information was stored in a Lotus database; the
website has since been taken offline.

--Company Will No Longer Work with CERT/CC
(28/29/30 January 2003)
Next Generation Software Ltd. will no longer work with the
Computer Emergency Response Team Coordination Center (CERT/CC)
because researchers at the company say the organization shared
vulnerabilities reported by NGS with a vendor and government agencies.
CERT/CC's disclosure policy indicates that it does provide advance
notice of vulnerabilities to its sponsors, Internet Software Alliance
members and owners of critical infrastructure. NGS says it will now
work directly with vendors instead of going through CERT/CC.

--Kansas Issuing Digital Certificates for Statewide PKI
(28 January 2003)
The state of Kansas has begun issuing digital certificates to its
employees for use in a public key infrastructure (PKI). Kansas is the
first state to implement a statewide PKI, which eliminates the need to
integrate systems from multiple providers at a later date. This year,
1,500 employees at two state agencies will receive the certificates.

--Survey Says Companies are Still Reluctant to Share Security Breach
(28 January 2003)
A survey conducted by Defcom, a security consultancy, found that
companies in the United Kingdom are still reluctant to report security
breaches to authorities. Two thirds of the companies participating in
the survey indicated they would be fearful of damaging their company's
reputation by disclosing cyber security events. Additionally,
almost half of the companies' directors were not informed about
security breaches.

--Root Server Traffic Largely Unnecessary
(28 January 2003)
After analyzing the traffic received in one day by one of the
Internet's 13 root servers, researchers at the San Diego Supercomputer
Center (SDSC) concluded that the vast majority of the queries were
unnecessary and could have been managed by other parts of the network.
Approximately 70% of the queries were for duplicate sites which
could be handled by ISP caching; other traffic included requests
for non-existent domains and for numerical addresses. The SDSC is
developing software tools to help address this problem.
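The SDSC analysis above sorted one day of root-server queries into a few buckets: repeated questions a resolver should have cached, names under non-existent top-level domains, and queries for numerical addresses. The following is an added example, not SDSC's tool, that applies the same classification to a handful of constructed query records so the share of avoidable traffic can be measured. The log format, the stand-in TLD list and the cache window are assumptions.

```python
"""Added example (not SDSC's software): classify constructed root-server
query records into the categories named in the SDSC analysis and report
the fraction that caching or local filtering would have absorbed."""
import ipaddress
from collections import Counter

# Assumption: a tiny stand-in for the set of delegated TLDs in the root zone.
KNOWN_TLDS = {"com", "net", "org", "edu", "gov", "mil", "uk", "ca"}

# Assumption: a resolver repeating the same question to the root within
# this many seconds should have answered it from its own cache.
CACHE_WINDOW_SECONDS = 86400

# Constructed query records: "<unix time> <resolver IP> <qname> <qtype>".
SAMPLE_LOG = """\
1043712000 198.51.100.7 www.example.com. A
1043712001 198.51.100.7 www.example.com. A
1043712002 198.51.100.7 www.example.com. A
1043712003 198.51.100.9 192.0.2.1 A
1043712004 198.51.100.9 mail.example.org. MX
1043712005 198.51.100.9 printer.local A
1043712006 198.51.100.9 wpad.corp A
1043712007 198.51.100.7 WWW.EXAMPLE.COM A
1043712008 198.51.100.11 bbc.co.uk A
1043712009 198.51.100.11 bbc.co.uk A
""".splitlines()


def classify_query(client, qname, qtype, ts, seen):
    """Return one of: numeric, nonexistent_tld, repeat, legitimate.

    `seen` maps (client, name, qtype) -> timestamp of the last time that
    question was asked, and is updated as a side effect.
    """
    name = qname.rstrip(".").lower()
    # A query for a bare IP address can never be answered by the root.
    try:
        ipaddress.ip_address(name)
        return "numeric"
    except ValueError:
        pass
    # A name under a TLD that is not delegated only yields NXDOMAIN.
    tld = name.rsplit(".", 1)[-1]
    if tld not in KNOWN_TLDS:
        return "nonexistent_tld"
    # The same resolver asking the same question again inside the cache
    # window is traffic that its own cache should have absorbed.
    key = (client, name, qtype)
    last = seen.get(key)
    seen[key] = ts
    if last is not None and ts - last < CACHE_WINDOW_SECONDS:
        return "repeat"
    return "legitimate"


def summarize(lines):
    """Count query records per category."""
    seen = {}
    counts = Counter()
    for line in lines:
        ts, client, qname, qtype = line.split()
        counts[classify_query(client, qname, qtype, int(ts), seen)] += 1
    return counts


def unnecessary_fraction(counts):
    """Share of queries that were not legitimate root-server work."""
    total = sum(counts.values())
    return (total - counts["legitimate"]) / total if total else 0.0


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for category, n in counts.most_common():
        print(f"{category:16s} {n}")
    print(f"unnecessary: {unnecessary_fraction(counts):.0%}")
```

Over the constructed records the split is 4 repeats, 2 non-existent TLDs, 1 numeric address and 3 legitimate queries. The repeat bucket is the one a resolver operator can fix unilaterally by caching referrals; the other two are what the page means by queries that could have been handled elsewhere in the network.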

--Social Security Number Misuse Prevention Act
(27 January 2003)
A bill introduced in the US Senate would prohibit the use of social
security numbers on such readily available forms of identification
as drivers' licenses and checks and other public records available
on the Internet. The goal is to make it harder for identity thieves
to obtain the numbers.

--OMB Minimum Security Standards Don't Apply in Some Contractor
(27 January 2003)
The Office of Management and Budget (OMB) Circular A-130 establishes
minimum security standards for federally owned and operated computer
systems; it also requires periodic security awareness training for
employees involved with those systems. Though Circular A-130 applies
to contractor employees as well, it does not apply to computer systems
that are owned and operated by contractors.
[Editor's Note (Ranum): That's silly. If it's got access to your
network, it's just as critical to your security as your own machine.]

--Thieves Stealing Bank Logon Data from Public Access Terminals in UK
(27 January 2003)
Cyber thieves have been gleaning bank account logon data from public
access Internet terminals and stealing money from people's accounts.
Lloyds TSB advises its customers not to leave public terminals while
still logged on and to clear auto-complete records from browsers.
[Editor's Note (Ranum): Clear records from browsers?!!? What are
they smoking? Haven't they heard of KEYSTROKE LOGGERS? Never ever
do ANYTHING important (like enter a password) from a public access