[Evolution] [The SANS Institute <sans+ZZ5769589789155285 sans org>] SANS NewsBites Vol. 3 Num. 19

Evolution doesn't automatically verify a signature when it's a embedded
into the message. I don't think this is the desirable behavior.

It also doesn't understand a signed message when it's in HTML format.

Evo is actually able to verify a message when sen't in a specific format
(ok, the 'standard' way,) but there are 2 or 3 formats very used and I
don't think it would be very hard to implement them.

I think evo should be able to recognize a signed message when it finds:


But these are only my thoughts. I hope this can help.

I also send you an example message of what I mean:

-----Mensaje Reenviado-----
De: The SANS Institute <sans+ZZ5769589789155285 sans org>
A: Juan Alonso <jah nekkar es>
Asunto: SANS NewsBites Vol. 3 Num. 19

To:   Juan Alonso (SD557284) 
From: Alan for the SANS NewsBites service 
Re:   May 9 SANS NewsBites 


Hash: SHA1

Steve Ballmer, Microsoft's CEO, walked into a meeting with a dozen
customers a few days ago and said disgustedly, "You would think we could
figure out how to fix buffer overflows by now."  He was talking about
the latest IIS buffer overflow fiasco through which (SANS has received
reliable confirmation to prove) well over 9,000 Microsoft- powered web
sites have been defaced.  And that pain is nothing compared to the
extortion and reputation damage organizations will soon face in trying
to recover the credit card numbers and other private information of
their clients.

Steve is right about buffer overflows.  Enough is enough.  It is time
to bring accountability to the programming profession.  We hope that
Microsoft will take the lead, guaranteeing all its internal programmers
get basic secure programming skills training and that the company helps
train developers outside of Microsoft.  And if that isn't enough,
perhaps as a security community, we can invite developers of important
code with buffer overflows to come to SANS conferences where they can
tell us all why they are subjecting us to this pain. Programmers have
been taught simple tests to avoid buffer overflows at least since 1960.
Some of them have forgotten the basics.  It's time to give them a reason
to remember.

On a more upbeat note.
If your CIO is looking for a conference on security this summer, and
SANS is a little too technical, tell her (or him) to look at the Gartner
Group's Annual Information Security Conference.  It provides the type
of strategic level knowledge in security governance and policies that
is missing in the older security conferences aimed at non-technical
folks. See: http://www.gartner.com/infosec/usa



                             SANS NEWSBITES 

                 The SANS Weekly Security News Overview 

Volume 3, Number 19                                        May 9, 2001 

Editorial Team: 
     Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray, 
          Stephen Northcutt, Alan Paller, Eugene Schultz 



1 May 2001  Internet Information Server (IIS) 5.0 Buffer Overflow 
3 & 4 May 2001  Buffer Overflow Vulnerability Exploits Published 
1 May 2001  FBI Data Gathering Methodology in Cracker Case Raises 
4 May 2001  White House Site DDoSed 
1 & 2 May 2001  US Government Web Sites Attacked 


7 May 2001  Protecting Your Site From Defacement 
4 May 2001  ILOVEYOU Worm One Year Later: Could It Happen Again? 
4 May 2001  FBI Documents Detail Carnivore Use 
4 May 2001  Microsoft Sites Defaced 
30 April and 3 & 4 May 2001  Chinese Hacking Threat Loses Steam 
3 May 2001  Lucent Employees Charged with Theft of Proprietary Info 
3 May 2001  CERT Warns of ISN Vulnerability 
3 May 2001  German Government Wants to Build CERT Network 
2 May 2001  "Hacktivists" are Not Activists 
1 May 2001  Uncovering a Cracker's Footsteps 
1 May 2001  W32/Hello Worm Spreads Via MSN Messenger 
1 May 2001  Spitzner Interview 
30 April 2001  Group to Release Filter-Foiling Tool 
30 April 2001  Biometrics and Privacy 
30 April 2001  The Human Factor: The Security Manager's Journal 

*********** This issue sponsored by SurfControl, Inc. **************** 
Relying on your firewall for complete network protection?  
You're leaving yourself vulnerable to a host of harmful threats.
SurfControl adds an extra layer of security.  Monitor/manage all traffic
down to the port level.
FREE 30-Day Trial: http://www.surfcontrol.com/promo/SNB0509



 --1 May 2001  Internet Information Server (IIS) 5.0 Buffer Overflow 
Microsoft warned of a security hole in machines running Windows 2000
with IIS 5.0.  By sending the servers carefully crafted strings,
attackers could cause a buffer overflow that would allow them system
administrator level control of the machines.   System administrators
can protect their systems by turning off the Internet printing
component.  Microsoft has released a patch for the vulnerability, and
is delaying the release of Service Pack 2 until the patch is
Microsoft security advisory and patch information: 

 --3 & 4 May 2001  Buffer Overflow Vulnerability Exploits Published 
In addition to the proof-of-concept exploit created by the company that
discovered the buffer new overflow vulnerability in Microsoft's IIS 5.0,
and reported it to Microsoft, a malicious exploit for the vulnerability
has been making its way around the Internet.
 --1 May 2001  FBI Data Gathering Methodology in Cracker Case Raises 
Some cyber law experts have expressed concern that the FBI's method used
in gathering incriminating evidence in the case of two Russian cyber
criminals may invite indiscriminate international hacking.  The FBI,
unable to gain Russian authorities' cooperation in gathering data from
the servers the crackers used, took it upon themselves to gather,
compress, and download 1.3 GB of data to agency computers without a
search warrant.  They obtained a warrant before examining the files.

 --4 May 2001  White House Site DDoSed 
Whitehouse.gov was the victim of a distributed denial-of-service attack
that lasted just over two hours.  An Albuquerque-based Internet service
provider (ISP) discovered six of its servers had been planted with DDoS
tools and were sending data to Whitehouse.gov.  The attack was similar
to one directed at the CIA earlier in the week.

 --1 & 2 May 2001  US Government Web Sites Attacked 
A number of US government web sites came under attack last week, 
possibly by crackers acting on threats to escalate cyber attacks during 
the first week of May.  Affected sites include the Department of 
Transportation's Surface Transportation Board, the US Geological Survey 
and the Federal Emergency Management Agency's (FEMA's) Hurricane 
Liaison team.  Security experts have focused on the fact that many 
systems are unsecured. 

****************** Also sponsored by Symantec ************************ 
Who Gets In?  Who Stays Out?  Who Decides? 
The dilemma every company faces.  Symantec(tm) has a solution. With
Managed Intrusion Prevention, security experts assess, monitor and
maintain your company's perimeter security, around the clock. Using
world-class technology, we keep your organization's networked assets
secure and protected.
Find out how at: http://www.symantec.com/ses5


 --7 May 2001  Protecting Your Site From Defacement 
Defacements, unlike stealthy attacks, make it clear your site's security
has been violated.  According to an Attrition.org staff member, users
can reduce the risks of defacement and other security breaches by
maintaining back-ups, monitoring systems for unusual behavior, and
disabling unnecessary services.
[Editor's (Murray) Note: Resist, detect, and repair in that order.
Defacements are generally perpetrated against soft targets and targets
of opportunity, though there is a clear preference for government and
other authoritarian or authoritative sites, e.g., the NY Times.
Defacements are overt, patent, and obvious as opposed to covert, latent,
and devious.  However, they do represent a genuine compromise of the
target.  If the only thing the attacker does is embarrass you, then you
are lucky.  The same vulnerabilities that can be exploited to deface
your site might well be exploited for other purposes.]

 --4 May 2001  ILOVEYOU Worm One Year Later: Could It Happen Again? 
The significant difference between the fallout of the ILOVEYOU worm and
that of the AnnaKournikova worm may be attributable to antivirus
software, Outlook patches, and increased user caution regarding
attachments.  Other factors that reduce the likelihood of a massive
outbreak include software that restricts the execution of unknown code
or that recognizes suspicious behavior.
 --4 May 2001  FBI Documents Detail Carnivore Use 
FBI documents obtained under the Freedom of Information Act (FOIA) show
that the agency used Carnivore and a similar, commercially available
network monitoring device called Etherpeek 24 times between October 1999
and August 2000.  The tools were used in cases involving hacking,
extortion, intellectual property, and national security.
 --4 May 2001  Microsoft Sites Defaced 
A Brazilian-based cracker group has defaced MSNBC.com's Sports
scoreboard as well as Microsoft home pages in Mexico, Saudi Arabia, and
Great Britain.
[Editor's (Murray) Note: For the media to suggest that "none of the
sites contains sensitive data"  is to demonstrate contempt, no doubt
bred from familiarity, for what they do.  News from authoritative sites
is about as sensitive as data gets.]
 --30 April and 3 & 4 May 2001  Chinese Hacking Threat Loses Steam 
Despite threats of massive attacks on US computer networks, the
purported cyberwar between China and the US has largely deteriorated
into a rash of site defacements.  Some experts have speculated that the
cyber attacks were largely fueled by the media.
 --3 May 2001  Lucent Employees Charged with Theft of Proprietary Info 
Two Lucent scientists and a third conspirator have been charged with
stealing software for Lucent's PathStar system and giving it to a
Chinese company.
 --3 May 2001  CERT Warns of ISN Vulnerability 
The Computer Emergency Response Team (CERT/CC) has issued an advisory
regarding a vulnerability in the way initial sequence numbers (ISNs)
are generated for TCP use.  TCP was built for reliability, not security,
and the predictability of ISNs could allow an attacker who has deduced
the correct ISN to access a victim's computer.  A CERT/CC Internet
security analyst pointed out that exploiting the vulnerability would
require statistical analysis tools.
[Editor's (multiple) Note: This is one more reason to move to IPv6.]
 --3 May 2001  German Government Wants to Build CERT Network 
Germany's Interior Ministry intends to build a network of existing
Computer Emergency Response Teams (CERTs) to protect the country's
networks from cyber attacks.  Coordination of efforts between the CERTs
will help prevent major network damage without the need to publicize
attacks, said a ministry spokesman.
 --2 May 2001  "Hacktivists" are Not Activists 
The author of this opinion piece deplores the use of the word
"hacktivism," claiming the activity it describes is usually neither
hacking nor activism.  While the perpetrators may not be activists in
the true sense of the word, they do serve to point out the lamentable
condition of Internet security; the author would like to see systems
administrators and software companies taken to task for poor security

 --1 May 2001  Uncovering a Cracker's Footsteps 
A systems administrator describes the process of figuring out how a
cracker broke into a Linux box and what the cracker did there.  The
author also offers some advice on securing servers: keep current with
patches, turn off unnecessary services, download and install portsentry,
and familiarize yourself with security resources.
 --1 May 2001  W32/Hello Worm Spreads Via MSN Messenger 
The Hello worm arrives as an executable file via MSN Messenger; if
activated, it sends itself on to the infected machine's MSN e-mail
contact list.  The worm is unlikely to cause significant damage because
users must deliberately download and execute the file to become
infected.  While Hello appears to be largely a proof of concept worm,
future variants could prove more harmful.
Advice for securing instant messaging services. (25 April 2001) 
 --1 May 2001  Spitzner Interview 
In an interview, Honeynet Project founder Lance Spitzner describes what
brought him into the field of computer security and how he began the
project.  He also explains the difference between a Honeypot and a
 --30 April 2001  Group to Release Filter-Foiling Tool 
A hacker group plans to introduce a peer-to-peer censorship-thwarting
tool at this year's Defcon in July.  "Peekabooty" will be distributed
between systems, and will allow people in countries that restrict
Internet content to receive controversial web pages in a compacted,
encrypted form that will not be filtered out.
[Editor's (Murray) Note: Yes, and we all know what it will be used to
share.  Perhaps they fooled the reporter but they do not fool me.]
 --30 April 2001  Biometrics and Privacy 
The Pentagon is considering using biometric technology for physical
facility and information network security.  Some employees are concerned
that the stored biometric templates (constructed from the initial scan
of the person's fingerprint, iris, or face) could invade their privacy.
The director of the Pentagon's Biometrics Management Office, suggested
that the templates may be protected under section 6 of the Freedom of
Information Act (FOIA) which prohibits agencies from disclosing personal
information that could be deemed an invasion of privacy.
A brief explanation of how biometrics works: 
 --30 April 2001  The Human Factor: The Security Manager's Journal 
In this week's column, the security manager discusses the human factor
in computer security.  He believes that showing people the consequences
of their actions gets better results than simply requiring them to
follow procedures without explanation.  This year he rewarded employees
who didn't open questionable attachments.
[Editor's (Murray) Note: People are as much the solution as they are
the problem as any manager who attempts an exclusively technological
remedy will quickly learn.]


Please feel free to share this with interested parties via email (not
on bulletin boards).  For a free subscription, (and for free posters)
e-mail sans sans org with the subject: Subscribe NewsBites
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the headers.)
You will receive your personal URL via email.
You may also email <sans sans org> with complete instructions and your
SD number for subscribe, unsubscribe, change address, add other digests,
or any other comments.

Version: GnuPG v1.0.5 (BSD/OS)
Comment: For info see http://www.gnupg.org


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]