With the recent focus on security, and with everyone scrambling to clean up messes caused by worms, I thought this might be of interest. If people really object to me reposting this stuff here, please let me know, and I won't!

I hope you enjoy...

DM

----- Forwarded message from The SANS Institute <sans at sans.org> -----

From: The SANS Institute <sans at sans.org>
To: DEREK MARTIN (SD544808) <ddm at pizzashack.org>
Date: Wed, 5 Dec 2001 8:14:09 -0700 (MST)
Subject: SANS NewsBites Vol. 3 Num. 49
Precedence: bulk
Errors-To: bounce at sans.org

To: DEREK MARTIN (SD544808)
From: Alan for the SANS NewsBites service
Re: December 5 SANS NewsBites

Goner is a dangerous worm that is spreading far too rapidly. However, it caused no problem at all in those organizations that block attachments of most malicious types. An increasing number of organizations use filtering and secure configuration management to protect their users and reduce the cost of cleaning up after worms and other attacks. Makes sense to me.
AP

**********************************************************************

SANS NEWSBITES
The SANS Weekly Security News Overview
Volume 3, Number 49
December 5, 2001

Editorial Team: Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin, Bill Murray, Stephen Northcutt, Alan Paller, Marcus Ranum, Howard Schmidt, Eugene Schultz

**********************************************************************

TOP OF THE NEWS

5 December 2001 Goner Worm Hits Hard
30 November 2001 Security Patch Demand is Overwhelming
28, 29 & 30 November 2001 WU-FTPD Vulnerability
28, 29 & 30 November 2001 Appeals Courts Uphold DMCA
26 & 28 November 2001 Google Search Results Could Present Security Problem

THE REST OF THE WEEK'S STORIES

5 December 2001 US Cyber Security Chief Asks Vendors To Do More To Protect Users
3 December 2001 Federal Agencies Need Security Specialists
30 November 2001 Dreamcast Game Screensaver Infected with Kriz Virus
30 November 2001 Gary McGraw Interview
30 November 2001 Government Sites Defaced
26 November 2001 Sklyarov Hearing Date Set
29 November 2001 National IDs Won't Work
27 & 28 November 2001 McNealy Interview
29 November 2001 Russian Man Arrested in ATM Fraud Case
29 November 2001 Former Cisco Accountants Sentenced for Fraud
28 November 2001 GSA Team to Review GovNet Input
27 November 2001 Network Associates Denies Working with FBI
26 November 2001 Disclosure Waiting Period Wouldn't Work
26 November 2001 Security Funds Misallocated, Says Oppenheimer VP

UPCOMING TRAINING OPPORTUNITIES

**SANS Cyber Defense Initiative (5 tracks), San Fran. CA, Dec. 16-22
**Microsoft IIS Security in multiple cities
**Hackers Beware: Live! in multiple cities
**Ewarfare in multiple cities
**Marty Roesch's Intrusion Detection with Snort in multiple cities
**SANS Gateway Asia (2 tracks), Singapore, Jan 10-15
**SANS Down Under (1 track), Melbourne, Jan 10-15
**SANS Darling Harbour (4 tracks), Sydney, Jan 19-24
**Plus new, on-line, security training programs.
See www.sans.org for details.

************************ Sponsored by NetIQ **************************

Free Security Guide from NetIQ. Learn How to Unlock Your Firewall's Secrets with Security Manager. Find out how to maximize the return on your firewall investment. Download NetIQ's free white paper, "Reporting and Incident Management for Firewalls: The Keys to Unlocking Your Firewall's Secrets." Visit
http://www.netiq.com/f/form/form.asp?id=397

**********************************************************************

TOP OF THE NEWS

--5 December 2001 Goner Worm Hits Hard
The goner worm comes by email, offers a screen saver, spreads rapidly, infects large numbers of user files, and tries to delete firewall and antivirus software.
http://www.cnn.com/2001/TECH/internet/12/04/goner.worm/index.html

--30 November 2001 Security Patch Demand is Overwhelming
IT managers are overwhelmed with patches and updates, according to a recent study. A UK-based study found that most companies would have to make an average of 5 updates every work day to keep up with the steady flow of fixes from security vendors.
http://www.computerworld.com/storyba/0,4125,NAV47_STO66215,00.html

--28, 29 & 30 November 2001 WU-FTPD Vulnerability
CERT/CC has issued a warning about a vulnerability in the Washington University FTP daemon that could allow crackers to gain complete control of computer systems unless patches are installed. A group of vendors had agreed to release their patches on December 3, but Red Hat mistakenly released an advisory on November 27.
http://news.cnet.com/news/0-1003-200-8007615.html?tag=prntfr
http://www.theregister.co.uk/content/55/23082.html
http://www.computerworld.com/storyba/0,4125,NAV47_STO66202,00.html

--28, 29 & 30 November 2001 Appeals Courts Uphold DMCA
A federal appeals court upheld a ruling that prohibits Eric Corley, operator of the 2600 magazine web site, from publishing or linking to code that breaks DVD encryption, marking a victory for proponents of the Digital Millennium Copyright Act (DMCA). In another DMCA-related case, a New Jersey federal district court judge dismissed a case brought by Princeton Professor Edward Felten against the Recording Industry Association of America (RIAA) and the Secure Digital Music Initiative (SDMI). Felten alleged the RIAA threatened him with legal action if he presented his code-breaking research at conferences.
http://news.cnet.com/news/0-1005-200-8011238.html?tag=prntfr
http://www.wired.com/news/politics/0,1283,48726,00.html
http://www.usatoday.com/life/cyber/tech/2001/11/29/princeton-professor.htm
http://www.cnn.com/2001/TECH/industry/11/30/dmca.appeal.idg/index.html

--26 & 28 November 2001 Google Search Results Could Present Security Problem
A new tool in the Google search engine can return results not intended for public viewing. Not only can the searches turn up credit card numbers and other sensitive information, but they are capable of pinpointing sites running software with known vulnerabilities.
http://news.cnet.com/news/0-1005-200-7946411.html?tag=prntfr
http://www.theregister.co.uk/content/55/23069.html

**************** Also Sponsored by Cyber Defense West ****************

Turbo charge your security career with one of the great immersion training tracks in San Francisco, December 16-20.
http://www.sans.org/CDI.htm

**********************************************************************

THE REST OF THE WEEK'S STORIES

--5 December 2001 US Cyber Security Chief Asks Vendors To Do More To Protect Users
Dick Clarke told software companies that their responsibility doesn't end when they fix a hole in their products and announce it on their web site. They can take more responsibility for ensuring the fixes are implemented.
http://www.siliconvalley.com/docs/news/svfront/033011.htm

--3 December 2001 Federal Agencies Need Security Specialists
Government agencies have had trouble attracting strong applicants for computer security jobs not only because of the significant salary discrepancies, but also because of the length of time it takes to get employees the necessary security clearances and the small pool of applicants with sufficient expertise. In addition, some agencies do not make security a priority.
http://www.fcw.com/fcw/articles/2001/1203/mgt-ranks-12-03-01.asp
[Editor's (Schultz) Note: I'm convinced that many agencies do not make security a priority because they do not really know what to do. Some of them, for example, entangle themselves in complex risk assessment methods to the degree that they divorce themselves from reality or drain a disproportionate amount of their resources on activities that do not directly result in elevated protection of systems and networks.
(Murray) The problem is not nearly so much a problem of absence of technical skills as one of absence of management attention.]

--30 November 2001 Dreamcast Game Screensaver Infected with Kriz Virus
A screensaver included with the Dreamcast game Atelier Marie is infected with the Kriz virus; its malicious payload includes attempts to corrupt BIOS chips and overwrite all files on hard disks and network drives. The developers have recalled the game.
http://www.theregister.co.uk/content/56/23139.html

--30 November 2001 Gary McGraw Interview
Gary McGraw, co-author of Building Secure Software, speaks to CNET News.com about his ten principles for better security, which include identifying and securing the weakest link and keeping things simple, and the five worst security problems, which include buffer overflows and misused cryptography.
http://www.zdnet.com/zdnn/stories/news/0,4586,2829102,00.html?chkpt=zdhpnews01
http://www.zdnet.com/zdnn/stories/news/0,4586,2829117,00.html
[Editors' (Multiple) Note: McGraw is 100% correct. Many of the same principles have been promoted for more than a decade by people like Steve Bellovin, Gene Spafford and Matt Bishop. The fact that programmers have systematically ignored them illuminates the absence of security in the priorities set by the people who manage programmers.
(Murray) Quality software is useful but not sufficient for good security. Teaching "security" in colleges will not help to get quality software; we must teach software engineering. Further, even misused cryptography is better than unused cryptography. It may be sufficient to get you off of the target of opportunity list.]

--30 November 2001 Government Sites Defaced
Crackers defaced two US government sites, one belonging to the National Oceanic and Atmospheric Administration (NOAA) and the other to the National Institute of Health (NIH), with anti-American propaganda. A different cracker defaced the Army's Waterways Experiment Station home page.
http://www.newsbytes.com/news/01/172582.html

--26 November 2001 Sklyarov Hearing Date Set
Dmitry Sklyarov, the Russian programmer charged with violating the Digital Millennium Copyright Act (DMCA) for writing a program that lets Adobe eBook Reader users copy books, will have a court hearing on April 15, 2002.
http://news.cnet.com/news/0-1005-200-7983072.html?tag=prntfr

--29 November 2001 National IDs Won't Work
Jay Stanley and Barry Steinhardt of the American Civil Liberties Union (ACLU) offer five reasons why a national identity system is not a good idea, including the "slippery slope of surveillance" and the potential for discrimination and harassment.
http://www.computerworld.com/cwi/community/story/0,3201,NAV65-663_STO66153,00.html

--27 & 28 November 2001 McNealy Interview
Sun Microsystems Chairman and CEO Scott McNealy discusses last year's external memory cache problem, customer nondisclosure agreements (which have since been dropped), national ID cards, and the upcoming Solaris 9.
http://www.computerworld.com/storyba/0,4125,NAV47_STO66102,00.html
http://www.computerworld.com/storyba/0,4125,NAV47_STO66121,00.html

--29 November 2001 Russian Man Arrested in ATM Fraud Case
A Russian organized crime ring stole account and personal identification numbers (PINs) from people using point of sale ATMs in Manhattan, New York City. The group allegedly stole $1.5 million from the victims, who are largely Chase and Citibank customers. The US Treasury's Secret Service police have arrested one man in connection with the thefts and are looking for another.
http://www.msnbc.com/news/664990.asp?0dm=T217T

--29 November 2001 Former Cisco Accountants Sentenced for Fraud
Geoffrey Osowski and Wilson Tang, formerly accountants at Cisco, have been sentenced to nearly three years in prison for exploiting their insider status to commit computer and securities fraud.
http://www.theregister.co.uk/content/55/23100.html

--28 November 2001 GSA Team to Review GovNet Input
A General Services Administration (GSA) team will look at industry responses to the proposed GovNet, a secure voice and data network not connected to the Internet.
http://www.gcn.com/vol1_no1/daily-updates/17552-1.html

--27 November 2001 Network Associates Denies Working with FBI
An Associated Press article alleged that McAfee has spoken with the FBI about ensuring that its antivirus software wouldn't detect the agency's Magic Lantern software. Network Associates, which makes McAfee products, was roundly criticized by security specialists and denied having contacted the FBI.
http://www.wired.com/news/politics/0,1283,48648,00.html

--26 November 2001 Disclosure Waiting Period Wouldn't Work
Computerworld senior columnist Frank Hayes points out that had Microsoft's proposed 30-day waiting period been in place, we would only just now officially be hearing about Nimda. A waiting period for vulnerability disclosures would not reduce security risks because virus and worm writers are not likely to abide by the 30-day rule.
http://www.computerworld.com/storyba/0,4125,NAV47_STO65969,00.html

--26 November 2001 Security Funds Misallocated, Says Oppenheimer VP
Mike Hager, Oppenheimer Funds VP of network security and disaster recovery, says that companies spend 80% of their security budgets guarding against outside threats while 80% of attacks come from internal sources.
http://computerworld.com/nlt/0%2C3590%2CNAV65-663_STO66046_NLTSEC%2C00.html
[Editor's (Schultz) Note: Hager is wrong here; he is perpetrating a myth based on 1983 FBI statistics. Most attacks now come from the outside, but organizations generally deploy firewalls and other perimeter measures that stop most outside attacks. Hager should carefully examine organizations' firewall logs before making a statement such as the one he has made. I agree with the premise that insider attacks are still by far the greater source of loss, however.]

==end==

Please feel free to share this with interested parties via email (not on bulletin boards).
For a free subscription, (and for free posters) e-mail sans at sans.org with the subject: Subscribe NewsBites

To change your subscription, address, or other information, visit http://www.sans.org/sansurl and enter your SD number (from the headers.) You will receive your personal URL via email.

You may also email <sans at sans.org> with complete instructions and your SD number for subscribe, unsubscribe, change address, add other digests, or any other comments.

----- End forwarded message -----

--
Derek Martin
ddm at pizzashack.org
---------------------------------------------
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org