To:   Milis Hackerlink (SD434033)
From: Rob for the SANS NewsBites service
Re:   January 27 SANS NewsBites

The SANS2000 hotel and travel reservations are filling up just *real*
fast because of the spring break schedule and the attractive Orlando venue.
Be sure you have your hotel and travel arrangements made soon if you
intend to go!

                                            RK

**********************************************************************

                          SANS NEWSBITES

                  The SANS Weekly Security News Overview

Volume 2, Number 4                                    January 27, 2000

                           Editorial Team:
      Kathy Bradford, Crispin Cowan, Roland Grefer, Rob Kolstad,
       Bill Murray, Alan Paller, Howard Schmidt, Eugene Schultz
                          <[EMAIL PROTECTED]>

*********************************************************************

24 January 2000  Library of Congress Site to Evaluate On Line Security
18 January 2000  Library of Congress Site Attacked, Defaced
24 January 2000  Teens Crack AOL Instant Message Accounts
24 January 2000  DOJ Says It's Getting Harder to Prosecute Cyber Crime  
24 January 2000  DOD Says Computer Y2K Problem was not Serious
24 January 2000  Outpost.com Personal Data Vulnerability 
22 January 2000  Injunctions Granted Against DVD Decryption Code
                 Defendants in NY and CA
21 January 2000  Protecting Your On-Line Identity
21 January 2000  Monitoring Software Will Add Notification/Acknowledgment
                 Banner
21 January 2000  Mitnick Released From Prison
21 January 2000  Privacy Groups Want Regulations Overturned
20 January 2000  Insurance for E-Commerce Sites
20 January 2000  Windows 2000 to Ship with Stronger Encryption
20 January 2000  Credit Card Companies Take Action in Response to CD Universe
                 Theft
20 January 2000  Customer Credit Card Numbers Exposed on Web Site
20 January 2000  Transitions to New Software Systems Can be Problematic
20 January 2000  NSA at RSA
19 January 2000  WTO Sponsor Site Fended Off Flood Attack
19 January 2000  55 Alleged Crackers Arrested in Spain
19 January 2000  State Privacy Legislation Burgeoning
19 January 2000  Administration Asserts Authority to Search For Encryption Keys 
18 January 2000  Dinosaur Auction Security Cracked
18 January 2000  UK Internet Investigation Unit
18 January 2000  Australian Site Ordered Taken Down
18 January 2000  Exposed Customer Data Included Bank Information
14 January 2000  Digital Certificate Bug Crashes Browser

************** This issue's sponsor: surfCONTROL, Inc.  **************

Is "Internet Seduction" consuming your network bandwidth?
Are employees using the Internet for business? Or are they using it for
recreation, such as:
    * Sports gambling
    * Personal shopping
    * Stock day-trading
    * Viewing pornographic pictures
      or, even worse ... hate propaganda?

Find out today!  Download surfCONTROL and try it *free* for 30-days at:
http://www.surfcontrol.com/promo/sans

**********************************************************************

-- 24 January 2000  Library of Congress Site to Evaluate On Line Security
In response to the recent attack on a Library of Congress web site,
staff members examined the site's security precautions and procedures.
A systems upgrade had already been planned due to steadily increasing
traffic on the site.  http://www.gcn.com/vol19_no2/news/1196-1.html

Precursor: 18 January: Library of Congress Site Attacked, Defaced
A group of crackers attacked a Library of Congress site that allows people
to track Congressional legislation.  The group defaced the site with
fragments of the code used to crack the site's security, and with links
to other sites, including one to a site about Kevin Mitnick.  The same
article reports that some Internet Service Providers (ISPs) in the
northwest have experienced a rash of denial-of-service attacks.
http://www.apbnews.com/newscenter/internetcrime/2000/01/18/attacks0118_01.html

-- 24 January 2000  Teens Crack AOL Instant Message Accounts
A group of teen-aged crackers has been hijacking AOL Instant Message
screen names by resetting passwords, then using the purloined identities
to glean information about the victims through chats with friends and
family.  The crackers informed the press of their exploits because they
say AOL has not responded to warnings about the security holes.
http://news.cnet.com/category/0-1005-200-1530654.html
http://www.msnbc.com/news/361415.asp?0m=N1AR

-- 24 January 2000  DOJ Says It's Getting Harder to Prosecute Cyber Crime
The Justice Department (DOJ) says that while computer crime is on the
rise, prosecuting those responsible is becoming increasingly difficult.
E-criminals are harder to find, prosecution across borders is complex,
and many businesses are reluctant to make public any cyber attacks they
have suffered.  http://www.currents.net/newstoday/00/01/24/news2.html

-- 24 January 2000  DOD Says Computer Y2K Problem was not Serious
The Defense Department (DOD) says the spy satellite computer outage was
"insignificant", and intelligence collection systems were never "blinded."
http://www.gcn.com/vol19_no2/news/1192-1.html

-- 24 January 2000  Outpost.com Personal Data Vulnerability 
An Outpost.com customer discovered that by changing a digit in the URL
of his order information page, he could view confidential information
about other customers and their orders.  Such a vulnerability could be
exploited to harvest information for databases of target customers.
Outpost.com said it would fix the hole.
http://www.wired.com/news/print/0,1294,33842,00.html

-- 22 January 2000  Injunctions Granted Against DVD Decryption Code
                    Defendants in NY and CA
A New York district judge sided with the Motion Picture Association of
America (MPAA) and granted a preliminary injunction ordering three
individuals who posted DeCSS, a DVD decryption code, to remove it from
their web sites.  In California, a state court granted a similar
injunction in a case brought by the DVD Copy Control Association (CCA).
http://www.washingtonpost.com/wp-srv/business/feed/a14204-2000jan22.htm
http://www.msnbc.com/news/360352.asp?0m=T16P

-- 21 January 2000  Protecting Your On-Line Identity
A new service lets web surfers determine how much personal information
they wish to divulge to the sites they visit, and hides Internet Protocol
(IP) addresses and other electronic breadcrumbs.
http://www.wired.com/news/technology/0,1282,33805,00.html

-- 21 January 2000  Monitoring Software Will Add Notification/Acknowledgment
                    Banner
Invisible keystroke monitoring software e-mails reports of computer
activity to the systems administrator or employee supervisor.  A new
version of the software will incorporate the option of banners that will
let users acknowledge that their activity will be monitored.
http://www.techweb.com/wire/story/TWB20000121S0014

-- 21 January 2000  Mitnick Released From Prison
Kevin Mitnick, the cracker whose case has received extensive coverage,
was released from prison late last week.  The terms of his probation
call for him to stay away from computers and cellular phones for three
years.  http://www.msnbc.com/news/178825.asp
http://www.usatoday.com/life/cyber/tech/cth191.htm
http://news.cnet.com/category/0-1005-200-1528757.html

-- 21 January 2000  Privacy Groups Want Regulations Overturned
Privacy groups fear that federal regulations would allow law enforcement
agencies to track web browsing and e-mail without warrants, and they
are asking an appeals court to overturn the regulations.
http://www.wired.com/news/politics/0,1283,33810,00.html

-- 20 January 2000  Insurance for E-Commerce Sites
Insurance for web sites covers viruses and break-ins, losses incurred
from fraudulently used credit cards, extortion, and loss of revenue from
down time.  Sites must first undergo risk assessment.
http://www.wired.com/news/business/0,1367,33734,00.html
  
-- 20 January 2000  Windows 2000 to Ship with Stronger Encryption
Thanks to the newly loosened encryption export regulations, Windows 2000
will now be shipped internationally with 128-bit encryption.  Microsoft
says Windows 2000 is attack resistant, but critics say its complexity
is likely to introduce a new batch of security holes.
http://www.computerworld.com/home/print.nsf/all/000120E18E
http://www.techweb.com/wire/story/reuters/REU20000118S0007

-- 20 January 2000  Credit Card Companies Take Action in Response to CD 
                    Universe Theft
Some credit card companies are taking a proactive stance by issuing new
account numbers to all their customers whose card information was recently
stolen from the CD Universe site.
http://www.usatoday.com/life/cyber/tech/cth186.htm

-- 20 January 2000  Customer Credit Card Numbers Exposed on Web Site
A web hosting company, CIHost, inadvertently omitted password protection
from a server, exposing customer credit card information.  A company
official said that the exposed database kept track of fraudulent charges
and that some of the card numbers were phony.  CIHost fixed the security
hole.  http://www.msnbc.com/news/360102.asp?0m=T14P

-- 20 January 2000  Transitions to New Software Systems Can be Problematic
In Rhode Island, the transfer of criminal justice records to a new
software system was responsible for eight false arrests due to bad data
from incorrect warrant information.  Police have been ordered to
crosscheck their computer records against court hard copies.  Others
experiencing trouble with moving data to new systems include Whirlpool,
Hershey's, and the city of Oakland, CA.
http://news.cnet.com/category/0-1008-200-1527734.html

-- 20 January 2000  NSA at RSA
The National Security Agency (NSA) was at the RSA Security conference
to connect government agencies with commercial security technology.
The NSA advises many government agencies on security systems purchases,
and provides software evaluation services for the government.
http://www.wired.com/news/politics/0,1283,33776,00.html

-- 19 January 2000  WTO Sponsor Site Fended Off Flood Attack
The sponsor of the World Trade Organization (WTO) meetings held in
Seattle late last year said its site experienced almost 700 probes and
54 crack attempts, and that it successfully defended itself against a
flood attack on December 3, 1999.
http://www.usatoday.com/life/cyber/tech/cth175.htm

-- 19 January 2000  55 Alleged Crackers Arrested in Spain
Spanish authorities arrested 55 people on charges of fraudulently using
toll-free phone lines to access the Internet.  The crackers allegedly
broke into other systems and stole user names and passwords.
http://sg.dailynews.yahoo.com/headlines/technology/afp/article.html?s=singapore/headlines/000119/technology/afp/Spanish_police_break-up__Internet_hacking_ring_.html

-- 19 January 2000  State Privacy Legislation Burgeoning
Across the nation, states are considering a wealth of privacy legislation,
including proposals aimed at protecting financial, medical, and on-line
privacy.  http://www.usatoday.com/life/cyber/tech/cth172.htm

Editor's Note [Paller]: Privacy legislation is a catalyst for increased
investments in information security. Executives implementing new privacy
laws quickly discover that information security is the single most
important prerequisite for effective information privacy.

-- 19 January 2000  Administration Asserts Authority to Search for 
                    Encryption Keys 
In a letter to Congress, Attorney General Janet Reno and Deputy Defense
Secretary John Hamre said that law enforcement has the authority to
search computers for encryption keys without immediately notifying the
owners.  The letter also encourages support of Fidnet, a federal computer
intrusion-monitoring plan.
http://www.wired.com/news/business/0,1367,33779,00.html

-- 18 January 2000  Dinosaur Auction Security Cracked
Crackers found their way around security measures on an on-line auction
site and placed 17 phony bids on a Tyrannosaurus Rex skeleton.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_608000/608634.stm

-- 18 January 2000  UK Internet Investigation Unit
The UK's National Criminal Intelligence Service (NCIS) plans to establish
an Internet investigation unit to stem a steadily rising tide of
electronic crime.  Civil liberties groups say there is no evidence to
substantiate the claim of increasing cyber crime, and that the NCIS
wants the authority to intercept and decrypt communications.
http://www.techweb.com/wire/story/TWB20000118S0022

-- 18 January 2000  Australian Site Ordered Taken Down
The Australian Broadcasting Authority (ABA), invoking its new Online
Services Act, ordered that a web site containing sexually explicit
material be taken down.  Under the act, Internet Service Providers (ISPs)
are not held responsible for monitoring site content, but are required
to help the ABA enforce its regulations once informed of the problem.
http://www.wired.com/news/politics/0,1283,33750,00.html

-- 18 January 2000  Exposed Customer Data Included Bank Information
Customer information, including bank account numbers, was accessible in
plain text on the globalhealthtrax.com web site.  A former employee may
be responsible for the security hole.  The company removed the
confidential customer data.  http://www.msnbc.com/news/358952.asp?0m=T19P

-- 14 January 2000  Digital Certificate Bug Crashes Browser
A digital certificate encryption key-length bug in Microsoft Internet
Information Server (IIS) crashes international versions of Netscape
Communicator 4.7 browsers.  Netscape has altered Communicator so it will
no longer crash, but the connection will still fail. One suggested
workaround is to disable 56-bit encryption in international versions of
the browser.  http://www.msnbc.com/news/357775.asp?0m=T25A

********************** Also Sponsored By: AXENT **********************

AXENT's VPN Webcast -- Win a Palm Vx!

"Everything You Need to Know About VPNs."  Learn how to:  Implement VPNs
for site-to-site, extranets, and remote access. See the differences
between firewall, hardware, software, and router VPNs. Overcome
interoperability, security, and IPSec concerns. Reduce costs and increase
bandwidth & uptime.

Register today: http://www.axent.com/redirect/newsbites. 

== End ==

Please feel free to share this with interested parties via email (not
on bulletin boards).  For a free subscription, e-mail [EMAIL PROTECTED] with
the subject: Subscribe NewsBites

Email <[EMAIL PROTECTED]> with complete instructions and your SD number
(from the headers) for subscribe, unsubscribe, change address, add other
digests, or any other comments.

