SANS Security Digest Vol 3 Num 1 - Excellent security digest with current information on vulnerabilities, exploits, security news, security vendors, patches, and more. From The SANS Institute
Date: Thu, 21 Jan 1999 11:38:55 -0500 (EST)
From: sans@clark.net
Subject: SANS Security Digest Vol 3 Num 1
Here's the first security digest of 1999. I have almost completely
re-done the database, removed duplicates, added conference attendees,
and combined the NT list. Please return this message with directions if
you'd like to unsubscribe, change your address, or report a duplicate.
Rob
-----BEGIN PGP SIGNED MESSAGE-----
=================================================================
The SANS Network Security Digest
Vol. 3, No. 1
January 20, 1998
Editor: Michele D. Crabb-Guel
Contributing Editors:
Matt Bishop, Gene Spafford, Steve Bellovin, Gene Schultz,
Bill Cheswick, Marcus Ranum, Dorothy Denning, Dan Geer,
Rob Kolstad, Peter Neumann, David Harley, Jean Chouanard,
Fred Avolio, Peter Galvin, John Stewart, Liz Coolbaugh,
Mark Edmead, Michael Kuhn
====A Resource for Computer and Network Security Professionals===
CONTENTS:
i) LAST CHANCE TO REGISTER FOR SANS IDR99
ii) SANS99 REGISTRATION IS NOW OPEN
iii) CALL FOR PAPERS FOR THE FIFTH ANNUAL SANS NETWORK SECURITY CONFERENCE
1) TCP/IP DENIAL OF SERVICE VULNERABILITY
2) CERT SUMMARY RELEASED
3) MULTIPLE DISCUSSIONS REGARDING "REMOTE EXPLORER" VIRUS
4) HP SECURITY PROBLEMS AND PATCHES
5) SUN SECURITY PROBLEMS AND PATCHES
6) SGI SECURITY PROBLEMS AND PATCHES
7) NT/WIN95 SECURITY PROBLEMS AND PATCHES
8) FREEBSD/OPENBSD/BSD4.4 PROBLEMS AND PATCHES
9) LINUX SECURITY PROBLEMS AND PATCHES
10) CISCO SECURITY PROBLEMS AND PATCHES
11) VIRUS UPDATE INFORMATION
12) QUICK TIDBITS
*****************************************
i) LAST CHANCE TO REGISTER FOR SANS IDR99
The Third SANS Conference and Workshop on Intrusion Detection and Response
will be held in San Diego, California, February 9-13. The program
features a Unique, In-Depth Practical Training Program PLUS Windows NT
Security - Basic Hands-on and Advanced. For more information see:
http://sans.org/id/main.htm
============================================================================
ii) SANS99 REGISTRATION IS NOW OPEN
Registration for the Eighth Annual System Administration, Networking and
Security Conference is now open. The conference will be held in Baltimore
Inner Harbor, May 7-14. We have over 60 tutorials to choose from,
including many new ones along with the SANS classics. The technical
conference will feature 19 two-hour short courses including such topics as
"Packet Filtering Firewalls", "PKI Implementation Issues" and "Oracle DBs
from a Systems Administrator's Perspective". In addition to the Short
Courses, we have over 25 technical talks on a wide range of topics.
Register before February 26th and receive a free book! To register online
go to:
https://nt4.corpsite.com/secure_escal/SANS99register.htm
Over the next 3-4 weeks look for your SANS99 Brochure and a new, updated
2-sided poster: Roadmap to Network Security and Roadmap to Intrusion
Detection and Vulnerability Analysis.
============================================================================
iii) CALL FOR PAPERS FOR FIFTH ANNUAL SANS NETWORK SECURITY CONFERENCE
The CFP for the fifth Annual SANS Network Security Conference will be
posted on the SANS web site at http://www.sans.org/ns99call.html within
a few days. Submissions are due by March 15th. SANS NS'99 will be held
in New Orleans LA, October 3rd - 10th. We will again be including the
ever-popular Intrusion Detection Track!
============================================================================
1) TCP/IP DENIAL OF SERVICE VULNERABILITY (12/21/1998)
CERT released an advisory regarding a new variation of a TCP/IP
vulnerability which may lead to a denial of service attack or cause the
target system to crash. This new vulnerability is similar to other
TCP/IP DoS attacks discussed in previous SANS Digests and the CERT Advisory
at:
http://www.cert.org/advisories/CA-97.28.Teardrop_Land.html
One defense against these types of attacks is to implement "Network
Ingress Filtering". More information on this filtering can be found at:
http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2267.txt
There are a number of BSD-derived TCP/IP stacks that are vulnerable;
please consult the CERT Advisory for a complete list:
http://www.cert.org/advisories/CA-98-13-tcp-denial-of-service.html
============================================================================
2) CERT SUMMARY RELEASED (12/14/1998)
CERT released their latest summary regarding current trends in internet
incidents. The summary reported increased incidents involving: mountd
vulnerabilities, Windows-based Trojan Horse programs, widespread scans
using "mscan", and a small increase in stealth scans. For more
information see the CERT Summary at:
http://www.cert.org/summaries/CS-98.08.html
============================================================================
3) MULTIPLE DISCUSSIONS REGARDING "REMOTE EXPLORER" VIRUS (12/17/1998)
During the month of December there was a large amount of discussion
(over-rated, according to some of the experts) concerning a new NT virus
called "Remote Explorer". It was discovered at a customer site on
12/17/1998; however there have been no other reports of infections. At
first it was thought to be a nasty new virus, but some of the discussions
note that Remote Explorer is more of a hybrid worm/virus rather than
only a virus since it can transport itself to other NT systems via the
network. Several of the anti-virus vendors have updated their definitions
files to include a check for Remote Explorer. For information see the
following resources:
http://www.cert.org/incident_notes/IN-98-07.html
http://www.microsoft.com/security/bulletins/remote.asp
http://www.iss.net/xforce/alerts/advise16.html
http://www.symantec.com/avcenter/warn/remoteexplorer.html
A good summary of the virus/worm was posted to Bugtraq by David
LeBlanc on 12/23/1998:
http://www.geek-girl.com/bugtraq/1998_4/0700.html
============================================================================
4) HP SECURITY PROBLEMS AND PATCHES
The HP Electronic Support Center is located at:
http://us-support.external.hp.com/ (US and Canada)
http://europe-support.external.hp.com/ (Europe)
---------------
HP has not released any security bulletins since 12/16/1998.
============================================================================
5) SUN SECURITY PROBLEMS AND PATCHES
Sun Security Bulletins are available at:
http://sunsolve.sun.com/pub-cgi/secbul.pl
Sun Security Patches are available at:
http://sunsolve.sun.com/sunsolve/pubpatches/patches.html
---------------
Sun has not released any security bulletins since 12/17/1998.
============================================================================
6) SGI SECURITY PROBLEMS AND PATCHES
SGI maintains a security home page at:
http://www.sgi.com/Support/security/security.html
SGI patches are available at:
ftp://ftp.sgi.com/security/
---------------
SGI has not released any security advisories since 12/10/1998.
============================================================================
7) NT/WIN95 SECURITY PROBLEMS AND PATCHES
The Microsoft Security page is located at:
http://www.microsoft.com/security/
Additional NT Security Related web pages may be found at:
http://ntbugtraq.ntadvice.com/archives/default.asp
http://www.ntsecurity.net/
---------------
A) 01/05/1999 - L0pht Heavy Industries released a security advisory
regarding a vulnerability in WIN 95/98 Network File Sharing. A malicious
user is able to reuse the SMB challenge to establish a connection
impersonating a valid user. According to the advisory, the same challenge
is used for a period of 15 minutes, during which a replay attack can be
done. For more information see the L0pht Advisory at:
http://www.l0pht.com/advisories/95replay.txt
---------------
B) 12/17/1998 - Microsoft announced the release of a patch for the ISS
"GET" vulnerability that may result in a denial of service attack
against an IIS web server. The vulnerability results from the way the
server improperly handles a malformed GET request -- the process begins
to consume all the server resources and the server hangs. This
vulnerability affects ISS Versions 3.0 and 4.0 on X86 and Alpha platforms.
For more information see the Microsoft Security Bulletin at:
http://www.microsoft.com/security/bulletins/ms98-019.asp
Additional information is available at:
http://support.microsoft.com/support/kb/articles/q192/2/96.asp
---------------
C) 12/23/1998 - Microsoft announced the release of a patch for the "Frame
Spoof" vulnerability in multiple versions of Internet Explorer. The
vulnerability results from the fact that cross domain protection does
not extend to the navigation of frames. The end result is that a malicious
user could post a "dummy" frame inside a legitimate window on a valid
web site. This vulnerability was first discussed in the November 1998
SANS Digest. Multiple versions of IE are vulnerable; please refer to
the Microsoft Security Bulletin for a complete list:
http://www.microsoft.com/security/bulletins/ms98-020.asp
Additional information is available at:
http://support.microsoft.com/support/kb/articles/q167/6/14.asp
============================================================================
8) FreeBSD/OpenBSD/BSD4.4 PROBLEMS AND PATCHES
BSDI maintains a support web page at:
http://www.BSDI.COM/support/
FreeBSD maintains a security web page at:
http://www.freebsd.org/security/security.html
OpenBSD's Security web page is at:
http://www.openbsd.org/security.html
NetBSD's Security web page is at:
http://www.NetBSD.ORG/Security/
---------------
No security related postings were made by these groups during the period
12/18/1998 - 01/16/1999.
============================================================================
9) LINUX SECURITY PROBLEMS AND PATCHES
Red Hat Linux maintains a support page at:
http://www.redhat.com/support/
RedHat ftp site:
ftp://updates.redhat.com/
Debian GNU/Linux maintains a security web page at:
http://www.debian.org/security/
Caldera information can be found at:
http://www.calderasystems.com
S.u.S.E. information can be found at:
http://www.suse.com
The latest Slackware release and patches can be found at:
ftp://cdrom.com/pub/linux
---------------
A) 12/22/1998 - Red Hat released a new version of their ftp client to
correct a security vulnerability. See the errata notes at:
http://www.redhat.com/support/docs/rhl/rh52-errata-general.html#ftp-client
http://www.redhat.com/support/docs/rhl/rh51-errata-general.html#ftp-client
http://www.redhat.com/support/docs/rhl/rh50-errata-general.html#ftp-client
---------------
B) 01/03/1999 - Red Hat released new boot images, new kernels and a new
version of PAM and NFS which correct several known security problems.
For more information see the errata notes at:
http://www.redhat.com/support/docs/rhl/rh52-errata-general.html#pam
http://www.redhat.com/support/docs/rhl/rh51-errata-general.html#pam
http://www.redhat.com/support/docs/rhl/rh50-errata-general.html#pam
http://www.redhat.com/support/docs/rhl/rh52-errata-general.html#BootImg
http://www.redhat.com/support/docs/rhl/rh52-errata-general.html#kernal
http://www.redhat.com/support/docs/rhl/rh51-errata-general.html#kernal
http://www.redhat.com/support/docs/rhl/rh50-errata-general.html#kernal
http://www.redhat.com/support/docs/rhl/rh51-errata-general.html#NFS
http://www.redhat.com/support/docs/rhl/rh50-errata-general.html#NFS
---------------
C) 01/04/1999 - Debian GNU/Linux released a new version of netstd which
corrects two buffer overflows. For more information see the announcements
at:
http://www.debian.org/Lists-Archives/debian-security-announce-9901/msg00000.html
http://www.debian.org/security/1999/19990104
---------------
D) 01/12/1999 - Red Hat released a new RPM for XFree86 that corrects
several security problems. For more information see the errata notes
at:
http://www.redhat.com/support/docs/rhl/rh52-errata-general.html#XFree86
http://www.redhat.com/support/docs/rhl/rh51-errata-general.html#XFree86
http://www.redhat.com/support/docs/rhl/rh50-errata-general.html#XFree86
============================================================================
10) CISCO PROBLEMS AND PATCHES
Cisco Systems maintains an Internet Security Advisories page at:
http://www.cisco.com/warp/public/779/largeent/security/advisory.html
---------------
A) 01/11/1999 - Cisco released a Field Notice concerning a Classic IOS
syslog crash vulnerability. The vulnerability results from IOS not
properly handling invalid user datagrams that are sent to port 514,
which is used for syslog requests. Cisco reported that there is one
commonly used internet scanning tool, called nscan, which causes these
crashes. IOS versions affected are 11.3AA, 11.3DB and any 12.0 or higher
release. The vulnerability has already been corrected in certain special
releases. Please see the Cisco Field Notice for full details. As a
workaround you may apply an access list to block UDP traffic destined
for port 514. For additional information, see the Cisco Field Notice
at:
http://www.cisco.com/warp/public/770/iossyslog-pub.shtml
Or the CIAC Information Bulletin at:
http://ciac.llnl.gov/ciac/bulletins/j-023.shtml
============================================================================
11) GENERAL VIRUS UPDATE INFORMATION
We will only include items on viruses that have been widely discussed.
This is not meant to be an all-inclusive update on recent viruses.
Virus information is available from a variety of sites, including:
http://www.avpve.com/
http://www.drsolomon.com/
http://www.nai.com/
http://www.sophos.com/
http://www.symantec.com/avcenter/
Good sources for virus myths and hoaxes are:
http://ciac.llnl.gov/ciac/CIACHoaxes.html
---------------
A) Sophos lists their Top Ten Viruses of 1998:
http://www.sophos.com/virusinfo/topten
---------------
B) 01/1999 - Several antivirus vendors reported that the PICTURE.EXE
program is a Trojan Horse (ala AOL password stealer) and not a virus.
The Trojan was sent to many Internet users as a file attachment in late
December 1998. The file, once downloaded and opened, expands to two files:
note.exe and manager.exe and places them in the windows directory. The
note.exe program then tries to mail information to a site in China.
For more information see:
http://www.symantec.com/avcenter/venc/data/picture-exe-th.html
http://www.DataFellows.com/v-descs/backnote.htm
http://www.nai.com/products/antivirus/picture_exe.asp
For an associated story see:
http://www.zdnet.com/zdnn/stories/news/0,4586,2183935,00.html
============================================================================
12) QUICK TIDBITS
A) 01/18/1999 - Xforce released an ISS Vulnerability Alert regarding a
vulnerability in the BackWeb Polite Agent Protocol. The vulnerability
may allow a malicious user on the local network to spoof a BackWeb
server. According to the alert, many hardware and software vendors
include BackWeb software as part of their product distribution. The
ISS Alert has not been posted to their web site yet. For more information
on BackWeb, see their web site at:
http://www.backweb.com/home.html
---------------
B) 01/12/1999 - The Apache Group announced the release of version 1.3.4
of the Apache HTTP server. In addition to "90 significant improvements",
this version adds support to avoid some of the current Denial of Service
attacks. For more information see:
http://www.apache.org
or the Bugtraq posting at:
http://www.geek-girl.com/bugtraq/1999_1/0166.html
---------------
C) 12/31/1998 - Sendmail version 8.9.2 was released. This version
corrects a Denial of Service attack vulnerability for Linux systems, as
well as several other minor bugs. For more information see:
http://www.sendmail.org/
---------------
D) 12/30/1998 - A message posted to the ssh mailing list announced that a
patch has been released for a security vulnerability in sshd2 which may allow
a valid user to request "remote forwarding from privileged ports without
being root." The patch is available at:
http://www.ssh.fi/sshprotocols2/
For more information see the Bugtraq posting at:
http://www.geek-girl.com/bugtraq/1998_4/0769.html
---------------
E) 12/25/1998 - Phrack Magazine released Issue 54 containing various
interesting articles. To download, see:
http://www.phrack.com/
---------------
F) L0pht Heavy Industries released version 2.5 of L0phtCrack. The
L0phtCrack development team has hunkered down over the past few months
and come up with some major improvements: 450% speed improvement;
Graphical network SMB packet capture; Works on NT and 95/98; new hybrid
crack gets combination dictionary and numeric/symbol passwords. For
more information see:
http://www.l0pht.com/l0phtcrack/
---------------
G) Network Flight Recorder released a new, experimental version of NFR,
called "Version 2.0.2 Research". This differs from the commercial version.
For more information see:
http://www.nfr.net/nfr/nfr-2.0.2-research/RELEASE_NOTES.html
---------------
H) Irish teen wins Young Scientist of the Year with her public key
encryption code. The 16-year old based her algorithm on 2 X 2 matrix
systems and named it the Cayley-Purser algorithm. According to various
articles that have appeared, the code is as much as 30 times faster than
the RSA code. For more information see the article at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2189301,00.html
**********************
Copyright 1999, The SANS Institute. No copying, forwarding, or posting
allowed without written permission (write <sans@clark.net> for
permission).
Email <digest@sans.org> for information on subscribing. You'll receive
a free subscription package and sample issue in return.
To unsubscribe, forward this note to <autosans@clark.net> with the subject
`unsubscribe security digest'.
The digest is available at no cost to practicing security, networking
and system administration professionals in medium and large organizations.
Archives of past issues are posted at http://www.sans.org/digest.htm
-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
-----END PGP SIGNATURE-----
Alan Paller & Rob Kolstad, The SANS Institute, sans@clark.net, 301-951-0102
Upcoming Events:
  Intr Detect & Response (San Diego 2/99)
  SANS '99 (Baltimore, 5/99)
  Network Security 99 (New Orleans, 10/99)
  See http://www.sans.org for info
Current Publications:
  SANS Network Security Digest
  The SANS NT Digest
  Windows NT Security: Step-by-Step
  Incident Handling: Step-by-Step
  Intrusion Detection: Shadow Style
  1998 SANS Salary Survey
  WindowsNT Power Tools: Consensus
------------------------------------------------------------------------------
Subject: SANS Digest Correction: Vol. 3 Num. 1a
Here's a quick correction to the SANS Digest that went out earlier
this month. Don't confuse it with the NT Digest, which is also
going out tonight. Forward this note along with any subscribe,
unsubscribe, duplicate reporting, or address change requests to
sans@clark.net.
RK
================================================================
The SANS Network Security Digest
Vol. 3, No. 1a
January 26, 1999
Editor: Michele D. Crabb-Guel
Guest Editor: Rob Kolstad
E X T R A -- Important corrections and interesting data
===A Resource for Computer and Network Security Professionals===
This SANS Digest EXTRA corrects some errors in the recent Digest, requests
your participation in two different studies, and includes a table that
reports tool adoption rates by industry.
CONTENTS:
i) Correction: Date
ii) Correction: Typographical error in TLA
iii) Call for participants: Security practices study
iv) Call for participants: Security software and services eval
v) Gift: Exclusive new data on tool adoption rates
vi) Call for papers: Network Security '99
============================================================================
i) CORRECTION: Date on last Digest
An incorrect year was shown as the date of the last Digest. Of course,
the year should have been 1999, not 1998.
============================================================================
ii) CORRECTION: For Item 7B in the January SANS Network Security Digest
An inadvertent typographical error confused IIS with ISS. Here's the
correct paragraph:
Microsoft announced the release of a patch for the IIS "GET"
vulnerability that may result in a denial of service attack against
an IIS web server. The vulnerability results from the way the server
improperly handles a malformed GET request -- the process begins to
consume all the server resources and the server hangs. This
vulnerability affects IIS Versions 3.0 and 4.0 on X86 and Alpha
platforms. For more information see the Microsoft Security Bulletin
at: http://www.microsoft.com/security/bulletins/ms98-019.asp.
============================================================================
iii) CALL FOR PARTICIPANTS: Low-cost, high impact security practices
A central question to be answered at the Federal Computer Security
Conference in May is "What are the lowest-cost, highest-impact actions
that organizations can take to raise the bar against internal and external
threats, to reduce embarrassment and economic loss?" To support that
program, The SANS Institute is conducting a consensus research project
(similar to the research that led to the just re-issued Windows NT
Security: Step-by-Step consensus) to help select the actions with the
highest value.
If you are willing to participate in developing the consensus, please
e-mail to <sans@clark.net> to join the discussion group. As usual your
name will be used only with your specific written permission and not
associated with the specific advice you offer.
============================================================================
iv) CALL FOR PARTICIPANTS: Which security software and services are worth
the money?
Please share your experiences using security products and services. In
June, SANS will publish the first "Intelligent Guide to Security Products
and Services" which will summarize the community's answers to questions
about the value of various tools and services. We'll be sending out
300,000 copies of the guide so we want it to cover the broadest array
possible.
If you have used commercial tools or hired consultants to help you
develop security policies or run vulnerability tests or any of several
other services, please share your opinions with your peers. Your
responses will be confidential. Visit http://www.delos.com/sanstool to
participate.
============================================================================
v) GIFT: New data on adoption rates of Intrusion Detection tools
The January web teleconference on "trends in intrusion detection" had
an unexpected side benefit: Data on adoption rates of intrusion detection.
More than 5,000 individuals registered for the program and, in
registering, more than 80% of them provided data about their industry
and the status of their implementation of host and network-based intrusion
detection systems. The summary tables below give you a unique picture
of the adoption of intrusion detection across various industries.
Host-Based Intrusion Detection

Industry                        Already       Pilot         Implementing  Learning      Planning
                                implemented                 within 6 mo.
                                org-wide
(unknown)                       3.8%          3.2%          4.4%          28.5%         5.3%
Education                       3.9%          8.6%          6.0%          49.5%         13.8%
Other Gov't                     8.6%          5.8%          5.7%          39.3%         12.1%
Manufacturing                   7.9%          6.8%          3.9%          46.3%         12.3%
Accounting/Cons/Sys Integ'r     9.9%          8.3%          6.0%          38.1%         12.4%
Software                        12.8%         6.8%          2.5%          42.0%         9.8%
Financial/Banking/Insurance     13.3%         7.0%          7.5%          30.1%         10.2%
Computer/Comm HW                11.3%         9.4%          6.4%          36.7%         12.8%
Telecomm                        14.5%         8.9%          8.5%          29.7%         14.8%
Aerospace                       10.8%         13.5%         0.0%          36.4%         13.5%
Military                        20.6%         15.3%         4.8%          23.5%         12.9%
Grand Total                     9.6%          7.4%          5.6%          36.3%         11.2%

* row totals do not sum to 100% because of missing responses
Network Based Intrusion Detection

Industry                        Already       Pilot         Implementing  Learning      Planning
                                implemented                 within 6 mo.
                                org-wide
(unknown)                       4.7%          4.3%          5.5%          25.8%         6.3%
Education                       4.5%          8.2%          5.8%          48.0%         16.2%
Other Gov't                     9.7%          7.4%          5.3%          37.9%         12.3%
Manufacturing                   11.2%         6.5%          5.4%          44.2%         11.2%
Accounting/Cons/System Integ'r  12.6%         6.7%          7.0%          35.5%         13.9%
Software                        12.4%         6.8%          3.0%          40.3%         13.7%
Aerospace                       10.8%         9.4%          6.7%          33.7%         10.8%
Financial/Banking/Insurance     13.1%         9.7%          7.2%          28.8%         11.1%
Computer/Comm HW                11.3%         11.7%         5.3%          36.7%         12.1%
Telecomm.                       16.3%         7.4%          6.3%          30.4%         15.2%
Military                        27.8%         14.9%         6.7%          21.6%         11.0%
Grand Total                     10.9%         7.8%          5.9%          34.6%         11.9%

* row totals do not sum to 100% because of missing responses
============================================================================
vi) Call for papers: Network Security '99
The Call For Papers for Network Security '99 in New Orleans in October
has been posted to http://www.sans.org/ns99call.htm. Please consider
writing a paper or organizing a panel or some other exciting presentation.