[nylug-talk] SECURITY WIRE DIGEST, VOL. 4, NO. 3, JANUARY 14, 2002
Inker, Evan
EInker at GAM.COM
Mon Jan 14 09:39:00 EST 2002
Hmmmm....
New Trojan that attacks only Linux Systems...
-----Original Message-----
From: Security_Wire_Digest at bdcimail.com
[mailto:Security_Wire_Digest at bdcimail.com]
Sent: 2002-Jan-14 09:10
To: EINKER at GAM.COM
Subject: SECURITY WIRE DIGEST, VOL. 4, NO. 3, JANUARY 14, 2002
SECURITY WIRE DIGEST, VOL. 4, NO. 3, JANUARY 14, 2002
Security Wire Digest is an e-mail newsletter brought to you on Mondays and
Thursdays by Information Security magazine.
1. INFOSEC NEWS
*Linux OS Targeted by New Breed of Trojan
*CISSP Requirements to Change
*Flash Fix Not a Solution
2. INFOSEC BRIEFS
*Convicted Cracker Says Depression Made Him Do It
*SiliconValley.com's "Good Morning" Anything But
*Microsoft Gives the "Boot" to 20,000 Developers
*DeCSS Author Comes Under Indictment
*IRS Gets $16M to Secure Systems
3. INDUSTRY NOTEBOOK
4. MARKET MONITOR
TO UNSUBSCRIBE, REFER TO THE INSTRUCTIONS AT THE END OF THIS MESSAGE
=====================================================
SECURITY WIRE DIGEST IS SPONSORED BY: Computer Associates International,
Inc.
For comprehensive virus protection and productivity, there's no need to
look any further. CA's eTrust InoculateIT lets you focus on your
business--not worry about battling viruses, threats and signature updates.
CA's NEW five-user version of eTrust InoculateIT is a perfect fit for
small businesses in search of enterprise strength protection that reduces
virus infections, simplifies and automates updating, eases administration,
and enforces security polices. Visit
http://www3.ca.com/Solutions/ProductFamily.asp?ID=128 or call Computer
Associates at 1-800-225-5225. Promo code 1006.
=====================================================
1. INFOSEC NEWS
*LINUX OS TARGETED BY NEW BREED OF TROJAN
By Shawna McAlearney
A Trojan, Remote Shell Trojan b (RST.b), demonstrates a new twist by adding
a viral component to malicious code targeting Linux systems.
"We see more of a trend targeting Linux systems--systems that are
increasingly being used in corporate environments," says Gerhard
Eschelbeck, vice president of engineering at Qualys. "RST.b is not
currently in the wild, but it--and Trojans like it--have a much higher
probability of success in compromising a system than a standard Trojan."
Since it uses any of nearly 65,000 UDP ports as a control vector, compared
with only one or two ports used by most Trojans, the chances that an
attacker can reach and use an infected system are greatly increased. It
self-replicates and infects Linux Executable and Linking Format (ELF)
binary executable programs. Once a system is infected--often through the
execution of binary e-mail attachments or downloaded software--RST.b
initiates a virus-like self-replication process that infects additional
executable binaries in the current working directory and in the /bin
directory. No memory-resident infection activity has been identified so
far, according to Qualys.
"A virus-based Trojan placed on a public FTP server or Web server where
many users download software could really take off," says Paul Robertson,
director of risk assessment at TruSecure. (TruSecure publishes Security
Wire Digest.) "When getting binary code from a public site, you need to
verify its integrity before you install it. Linux admins aren't used to
dealing with viral code so clean up is going to be a problem."
Systems infected with RST.b can be hijacked by the attacker, used as a
secondary attack platform, searched for sensitive data or be destroyed.
"This Trojan turns any infected system into a network sniffer," says
Eschelbeck. "And the tiniest hole in a firewall--for example, UDP port 53
for DNS--can be exploited."
Qualys offers free Remote Shell Trojan RST.b detection and cleaning tools
at:
https://www.qualys.com/forms/remoteshellb.html
Alert:
http://www.qualys.com/alert/remoteshellb.html
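Robertson's advice above, to verify binaries before installing them, and the
infection behaviour Qualys describes (ELF files in the working directory and
/bin rewritten, with the entry point redirected to attached code) suggest a
simple baseline-and-verify check. The following Python is an added example
written for this digest; it is not part of the newsletter, nor Qualys's
detection tool, and it is not specific to RST.b. It records a SHA-256, size
and ELF entry point for every ELF file in a baseline, then reports binaries
whose contents changed, whose entry point moved, which grew, or which are new.
The files and paths (/bin/ls, /bin/cat, /etc/motd, a downloaded tool) are
constructed in memory so the block runs offline; the make_elf64 helper is an
assumption that builds a minimal, non-executable 64-bit ELF header for that
purpose.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

ELF_MAGIC = b"\x7fELF"


def is_elf(data: bytes) -> bool:
    """True if the image starts with the ELF magic bytes."""
    return data[:4] == ELF_MAGIC


def elf_entry_point(data: bytes) -> int:
    """Return e_entry from the ELF header, honouring EI_CLASS and EI_DATA.

    e_entry sits at offset 24 in both ELF32 (4 bytes) and ELF64 (8 bytes)
    headers; byte order comes from EI_DATA (1 = little, 2 = big endian).
    File infectors commonly redirect this field to their appended code.
    """
    if not is_elf(data):
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    fmt = endian + ("Q" if ei_class == 2 else "I")
    return struct.unpack_from(fmt, data, 24)[0]


def fingerprint(data: bytes) -> dict:
    """Properties worth baselining for an ELF binary."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "entry": elf_entry_point(data),
    }


def build_manifest(files: Dict[str, bytes]) -> Dict[str, dict]:
    """Baseline every ELF file in the mapping; non-ELF files are ignored."""
    return {path: fingerprint(data) for path, data in files.items() if is_elf(data)}


def verify(manifest: Dict[str, dict], files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare the current files against the baseline; return (path, finding)."""
    findings: List[Tuple[str, str]] = []
    for path, data in files.items():
        if not is_elf(data):
            continue
        if path not in manifest:
            findings.append((path, "new ELF binary not in baseline"))
            continue
        base, now = manifest[path], fingerprint(data)
        if now["sha256"] != base["sha256"]:
            detail = "contents changed"
            if now["entry"] != base["entry"]:
                detail += f"; entry point moved {base['entry']:#x} -> {now['entry']:#x}"
            if now["size"] > base["size"]:
                detail += f"; grew by {now['size'] - base['size']} bytes"
            findings.append((path, detail))
    for path in manifest:
        if path not in files:
            findings.append((path, "baseline binary missing"))
    return findings


def make_elf64(entry: int, body: bytes) -> bytes:
    """Assumed helper: a minimal little-endian ELF64 header (x86-64) plus a body.

    Not a runnable program; it only exercises the header parsing above.
    """
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, LE, v1
    header = e_ident + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, entry, 64, 0, 0, 64, 56, 1, 64, 0, 0
    )
    return header + body


# Constructed sample: a clean baseline and a later snapshot in which /bin/ls
# has code appended and its entry point redirected, and a new binary appeared.
CLEAN = {
    "/bin/ls": make_elf64(0x401000, b"\x90" * 32),
    "/bin/cat": make_elf64(0x401100, b"\x90" * 32),
    "/etc/motd": b"plain text, not a binary\n",
}
INFECTED = dict(CLEAN)
INFECTED["/bin/ls"] = make_elf64(0x402000, b"\x90" * 32 + b"VIRUS" * 4)
INFECTED["/home/user/dl/tool"] = make_elf64(0x401000, b"\x90" * 16)

if __name__ == "__main__":
    for path, finding in verify(build_manifest(CLEAN), INFECTED):
        print(f"{path}: {finding}")
```

On a real host the mapping would be filled by reading /bin and the other
directories of interest, and the manifest written to read-only or offline
storage: a baseline kept on the same writable filesystem is itself a target
for an infector. The entry-point and size checks are heuristics that explain
what changed; the hash comparison is the authoritative signal.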
*CISSP REQUIREMENTS TO CHANGE
By Anne Saita
To help maintain the prestige of a Certified Information Systems Security
Professional (CISSP), a college degree--or the equivalent in life
experience--will be required of certification hopefuls beginning Jan. 1,
2003. Currently, certification requires only three years of professional
experience in the security field.
"Most professions require a degree. Most jobs in that sector of IT require
a degree," explained James E. Duffy, managing director of the
International Information Systems Security Certification Consortium--or
ISC(2)--which oversees the CISSP program internationally.
"What we're doing is basically saying, 'Get a degree.' Because that says
you've got a liberal education and that, beyond technical competence,
you're able to talk to management without making their heads spin around,"
he added.
The life experience provision is aimed at older professionals who don't
have a formal education but ample on-the-job experience. For all others:
any bachelor's degree will do; it doesn't need to be in computer science
or a related field.
The new requirement doesn't impact current CISSPs in good standing--those
who earn 120 education credits and pay annual fees during a three-year
period. It does, however, affect test-takers who fail the rigorous
examination this year and retake the test in 2003.
The new requirement was announced shortly after a CISSP was granted to a
17-year-old prodigy in India who's still in high school. Namit Merchant
was issued certification after an investigation into his credentials,
which included three years of professional security auditing for his
father's firm.
Duffy says the timing is coincidental and that ISC(2) had been discussing
a college degree requirement for a couple of years. The motion to add the
requirement was made by the nonprofit organization's board of directors
prior to Merchant's unprecedented feat.
"The board at ISC(2) is always looking at ways to ensure there's some
assurance that people taking the test meet the qualifications. The more
information you can get, the better a job you'll do," he said.
*FLASH FIX NOT A SOLUTION
By Shawna McAlearney
Macromedia's new tool, designed to eliminate the threat posed by
SWF/LFM-926, doesn't fix the vulnerability exploited by the virus, leaving
users of the standalone Flash player vulnerable to further exploits,
according to security experts.
"Macromedia hasn't plugged the hole yet," says Chris Wraight, technical
director for Sophos Inc. "There's still an opportunity for it to be
exploited by additional malware. They've just made it slightly harder for
end users to launch Flash files."
The SWF Clear Utility modifies the Windows registry, disabling the
Shockwave Flash MIME type in the standalone Flash player. However, any
user who downloads or receives a Flash file by e-mail won't be able to run
it without re-associating the .swf extension with an application.
Calling Macromedia's tool "a silly kind of fix," Roger Thompson, malicious
code expert at TruSecure Corp., says the utility is "a start," but just
removes the file association so that double-clicking doesn't work. If a
user double-clicks, Explorer will then ask what program the user wants to
use to open the file and whether it should remember the choice for future
files. According to Thompson, this means users will set up their systems
for future infections.
"They need to address the potential security flaws in their product
engine," said Thompson, who noted that re-installing the standalone Flash
player will restore the SWF file association.
http://www.macromedia.com/support/flash
http://www.sophos.com/virusinfo/analyses/swflfm926.html
http://www.fsecure.com/v-descs/swflfm.shtml
=====================================================
*ADVERTISEMENT*
CONFUSED BY ALL THE SECURITY CERTIFICATIONS OUT THERE?
Join TruSecure on Thursday, January 24th, for our FREE webinar, "Practical
Security Certification for the IT Professional". TruSecure's new TruSecure
ICSA Certified Security Associate (TICSA) certification is the clear
choice for network and systems administrators seeking to validate and
improve foundation-level IT security skills. Click below to register.
http://www.trusecure.com/offer/s0049/
=====================================================
2. INFOSEC BRIEFS
*CONVICTED CRACKER SAYS DEPRESSION MADE HIM DO IT
A 22-year-old Minnesota man last week pleaded guilty to breaking into an
unclassified Lawrence Livermore National Laboratory network and installing
a backdoor to download budget materials. Benjamin Brueninger, also known as
"Konceptor," reportedly told authorities he committed the 1999 intrusions
to alleviate depression and suicidal tendencies. The damage from the
attack cost the laboratory $20,000 in stolen records and cleanup costs,
according to federal prosecutors. The cracker faces up to five years in
prison and $25,000 in fines when he is sentenced April 12 in Oakland,
Calif.
*SILICONVALLEY.COM'S "GOOD MORNING" ANYTHING BUT
Subscribers of SiliconValley.com's daily e-mail newsletter "Good Morning
Silicon Valley" may have begged to differ after the company sent a Magistr
worm variant to subscribers. The company, operated by Knight Ridder
Digital, this month discovered that one of its e-mail servers was
compromised, according to a company spokesman. It immediately sent an
alert to readers last Monday telling them to delete the infected e-mail
bearing the subject line "If the hyperlinks in your documents." Those who
got the message too late, didn't have updated AV software and opened the
e-mail's attachment may have found their PC's hard drive and CMOS/BIOS
information destroyed if they ran Windows 9x/NT/2000. The alert also
included removal instructions.
*MICROSOFT GIVES THE "BOOT" TO 20,000 DEVELOPERS
Microsoft is sending all 20,000 of its Windows developers to a one-day
security boot camp soon, in the hope that the compulsory training will
prompt its coders to pay closer attention to security issues, according to
a published report. No other details of the program were immediately
available. The employee initiative follows a year of embarrassing attacks
on vulnerable Microsoft products, including IIS Web server holes that
helped launch the successful spread of the Code Red and Nimda worms. Most
recently, the Universal Plug and Play in the new XP OS was found to have
serious flaws.
*DeCSS AUTHOR COMES UNDER INDICTMENT
The Norwegian government has indicted the 18-year-old creator of a
controversial DVD decryption program known as DeCSS. Jon Johansen faces up
to two years in prison if convicted under a computer trespass law. This is
the first prosecution of someone accused of breaking an encryption system.
Johansen was 15 when he created DeCSS to break the digital seal on DVDs in
order to run movies on Linux systems. It later became a method used to
pirate digital movies and led to numerous U.S. lawsuits filed by the
Motion Picture Association of America (MPAA) and the DVD Copyright Control
Association. The MPAA urged the Norwegian government to investigate
Johansen and his father, who has not been charged.
*IRS GETS $16M TO SECURE SYSTEMS
The Internal Revenue Service will be receiving $16 million to secure its
information systems, with a vast majority going to fund a backup recovery
system. The money comes from a 2002 defense appropriations bill created in
the wake of the Sept. 11 terrorist attacks. The IRS hasn't provided
details on how the money will be spent, other than to say it's to enhance
security and is part of its $391 million Business Systems Modernization
project to place old tax records in electronic databases.
=====================================================
3. INDUSTRY NOTEBOOK
--Sanctum Receives Patent
Sanctum, a Web application control and security software provider, last
week received a U.S. patent for its Dynamic Policy Recognition Engine
(DPRE). DPRE automatically and continuously defines policy for Web sites
without the use of signatures or rules, enforcing the intended business
behavior of all Web applications, from the Web site interface to the
back-end databases, according to the company.
http://www.sanctuminc.com
--Digital Signature Trust Announces SimpleSign
Digital Signature Trust (DST), an affiliate of Zions Bancorporation, last
week announced SimpleSign, its newest standalone offering to help
government agencies and businesses sign confidential documents easily,
legally and entirely online.
SimpleSign permits the signing of any electronic document or file. When
activated from a participating Web site, SimpleSign delivers a
non-persistent browser-based applet to the user's computer and prompts the
user for a file to sign and upload. The user selects his digital
certificate and a legally binding signature is applied. SimpleSign is
compatible with the TrustID program, Access Certificates for Electronic
Services (ACES) and State of Washington digital certificates.
http://www.trustDST.com.
--Vericept Appoints New President and CEO
Vericept, a developer of plug-and-play network security appliances, last
week announced that its board of directors named Tery Larrew as the
company's new president and chief executive officer. Prior to joining
Vericept, Larrew served as chairman and CEO of UPDATE Systems. Vericept
Co-founder Tom Donahue, formerly president and CEO, will assume the role
of chief technology officer.
http://www.vericept.com
=====================================================
INFORMATION SECURITY'S EXCELLENCE AWARDS--VOTE NOW!
What are the industry's top firewalls, IDSes and VPNs? Cast your vote and
enter a drawing for a free conference pass to the InfoSec World Conference
this March!
Balloting for Information Security Magazine's 2002 Excellence Awards is
now open. If you subscribe to Information Security, go to
http://www.infosecuritymag.com/2002awards and vote for the products you
use in 10 categories. To cast your ballot, you'll need your subscriber ID
number and zip code from the magazine subscription label.
=====================================================
4. MARKET MONITOR
Market Monitor is a weekly stock performance review of select information
security companies. The prices indicated reflect the official close and do
not reflect after-hour trading.
CO./TICKER...................1/4....1/11.....Change
Aladdin/ALDN.................3.72....3.5.....-0.22
BindView/BVEW................2.32....2.04....-0.28
Computer Associates/CA.......35.87...36.78...0.91
Check Point/CHKP.............45.37...47.19...1.82
Cisco Systems/CSCO...........20.83...20.19...-0.64
Cylink/CYLK..................2.46....2.6.....0.14
Datakey/DKEY.................5.81....6.05....0.24
Entrust/ENTU.................12.05...11.14...-0.91
Hi/fn/HIFN...................17.44...17.6....0.16
Hewlett-Packard/HWP..........23.16...22.85...-0.31
IBM/IBM......................125.6...120.58..-5.02
Internet Sec. Sys./ISSX......36.14...35.16...-0.98
Intrusion.com/INTZ...........1.95....1.77....-0.18
Lucent/LU....................7.1.....6.95....-0.15
Network Assoc./NETA..........28.93...30......1.07
Novell/NOVL..................4.86....5.23....0.37
Network-1 Sec./NSSI..........1.78....1.88....0.1
Red Hat/RHAT.................8.25....8.76....0.51
Rainbow/RNBO.................7.82....10.9....3.08
RSA Security/RSAS............18.72...18.84...0.12
SafeNet/SFNT.................18.65...16.84...-1.81
Secure Computing/SCUR........22.62...22.54...-0.08
SonicWALL....................19.53...20.62...1.09
Symantec/SYMC................68.89...70.69...1.8
Trend Micro/TMIC.............24.7....23.65...-1.05
Unisys/UIS...................13.5....12.74...-0.76
Vasco Data Sec./VDSI.........2.31....2.73....0.42
VeriSign/VRSN................36.31...36.39...0.08
WatchGuard/WGRD..............7.2.....7.29....0.09
=====================================================
Security Wire Digest is written, edited and produced by:
Shawna McAlearney, editor, mailto:smcalearney at infosecuritymag.com
Andy Briney, mailto:abriney at infosecuritymag.com
Anne Saita, mailto:annes at sbcglobal.net
Christine St. Pierre, mailto:cpierre at infosecuritymag.com
Lawrence M. Walsh, mailto:lwalsh at infosecuritymag.com
=====================================================
Security Wire Digest and Information Security magazine are published by
TruSecure, the world's leader in Internet security services.
Copyright (c) 2001. All rights reserved. Redistribution of this newsletter
is permitted provided all content (including this notice) is reproduced
verbatim with proper attribution to Security Wire Digest and Information
Security magazine. http://www.infosecuritymag.com
=====================================================
To SUBSCRIBE to Security Wire Digest, go to:
http://infosecuritymag.bellevue.com
To UNSUBSCRIBE from SecurityWire Digest, go to:
http://infosecuritymag.bellevue.com/USL.asp?EM=EINKER@GAM.COM
To CHANGE your e-mail address, go to:
http://infosecuritymag.bellevue.com/CEL.asp?EM=EINKER@GAM.COM
To subscribe or renew your existing subscription to Information Security
magazine, print edition, please go to:
http://www.submag.com/sub/is