SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume III - Issue #17

April 25, 2001

Security Alert for Microsoft's Premier Support Customers Microsoft
Premier Support customers were notified on Monday night that several
Microsoft Hotfixes downloaded from the Premier Support and Gold
Certified Partner web sites (between April 6 and 20)were infected with
the Fun Love virus. We do not yet know whether other Microsoft Hotfix
download sites were also affected. It makes sense to have your virus
detection software current.

AP

---

TOP OF THE NEWS

23 April FBI Busts Russian E-commerce Extortion Ring
23 April Argus' $50,000 "Hack Me" Challenge Cracked
23 April 2001 SDMI Hacking Research Draws Legal Threats
19 April 2001 Chinese and American Hackers Waging Private War
17 April 2001 Anti-Hacking Insurance Higher For NT Users

THE REST OF THE WEEK'S NEWS

20 April 2001 Agency Cybercrime Often Goes Unreported
19 & 20 April 2001 ISA Members will Receive CERT Warnings for a Fee
19 April 2001 SMBRelay
19 April 2001 UK's National Hi-Tech Crime Unit
19 April 2001 OMB Guidelines for Annual Security Reports
19 April 2001 Matcher Trojan
18 April 2001 Behavior Blocking
17 & 19 April 2001 Microsoft Internet Security and Acceleration (ISA) Server Vulnerability
17 April 2001 Another BDM Laptop Missing
17 April 2001 Former Investment Firm Employee Charged with Data Theft
17 April 2001 2600 Club Good for Teens
16 April 2001 Security Testing Checklist
10 April 2001 New DoD Cybercrimes Center Position

---

*************** This issue sponsored by NetIQ Corp. ***************
FREE SECURITY GUIDE:
Get the in-depth knowledge you need to secure your enterprise with
NetIQ's FREE step-by-step security guide -
"Selecting The Right Security Solution" - at
http://www.netiq.com/sponsor/default.asp?236
NetIQ's security solutions not only identify intruders, but ensure that
threats don't ever become incidents.
******************************************************************

---

TOP OF THE NEWS

23 April FBI Busts Russian E-commerce Extortion Ring

Two men have been indicted in what was described as a Russian computer hacking ring that victimized banks and other businesses through extortion and the theft of credit card numbers. The FBI lured the hackers to the US with the promise of a job with a fictitious company.
-http://news.cnet.com/news/0-1007-200-5699762.html

23 April Argus' $50,000 "Hack Me" Challenge Cracked

Argus Pitbull's latest public "hack me" challenge has fallen. Within 24 hours of the opening of the contest, the team Last Stage of Delirium (LSD) cracked the Pitbull server, notified Argus, and claimed the 35,000 prize. Argus reports that the flaw exploited was in the underlying Solaris operating system, and not in the Pitbull software.
-http://uk.news.yahoo.com/010423/152/bmqfd.html
-http://uk.news.yahoo.com/010423/175/bmqng.html
-http://www.wired.com/news/technology/0,1282,43234,00.html
[Editors' Notes (Grefer): Argus' statement referenced in the Wired article, "In hindsight,
[the Solaris ]
operating system isn't even worth using underneath
[our ]
security software." features them as sore losers. (Cowan): Indeed. Protecting the host from the weaknesses of Solaris is exactly why one buys such a product. Argus' statement is akin to a secret service agent whining that the President is not very good at ducking. ]

23 April 2001 SDMI hacking research draws legal threats

The Secure Digital Music Initiative (SDMI) in September invited volunteers to test the security of embedded "watermark" codes as antipiracy technology. The consortium now is pressuring Princeton professor Edward Felten to suppress research that makes educated guesses about how the watermarking was done. SDMI insinuates a possible violation of the Digital Millennium Copyright Act (DMCA). Some scholars believe the DMCA might be unconstitutional, holding the potential to affect free speech and academic research into cryptography.
-http://www.zdnet.com/zdnn/stories/news/0,4586,5081595,00.html
-http://interactive.wsj.com/articles/SB988069076366601618.htm

19 April 2001 Chinese and American Hackers Waging Private War

American cracker group PoizonBOx has defaced at least a hundred Chinese websites since April 4. Chinese hackers are now vowing to retaliate with a planned week-long all-out crack attack on American websites and networks which will start on May 1.
-http://www.wired.com/news/business/0,1367,43134,00.html
[Editor's (Paller) Note: The Chinese attacks started at least a week ago. A single large US site reports sustained Chinese traffic at over 60,000 packets per second. ]

17 April 2001 Anti-Hacking Insurance Higher For NT Users

One insurance underwriter charges 25% higher premiums on anti-hacking policies for companies using Windows NT. While acknowledging that system configuration and architecture play a crucial role in security, the company maintains that Microsoft products are laden with vulnerabilities.
-http://www.theregister.co.uk/content/8/18324.html

---

*************** Also sponsored by Oblix, Inc. ***************
TODAY IT ISN'T JUST ABOUT KEEPING THE BAD GUYS OUT
It IS about opening up your eBusiness network to partners, customers
and suppliers. It IS about secure access to your applications and
information. It IS about letting the good guys in.
How do you let ONLY the good guys in? The answer: Oblix NetPoint(tm)
- - a secure web access management solution.
Visit us at www.oblix.com/reply/sans for a free IDC white paper on
eBusiness integration and security including "Protecting What's Inside
as You Open Up."
******************************************************************

---

THE REST OF THE WEEK'S NEWS

20 April 2001 Agency Cybercrime Often Goes Unreported

Only an estimated 20% of attacks against government agency computers are reported each year, due largely to undetected attacks and the desire to keep quiet about security problems. FedCIRC has recorded 55 root compromises at civilian nondefense agencies in the first quarter of this year, marking an increase for the third year in a row; analysts are unclear as to whether this is due to increased detection, increased reporting, or a rise in actual intrusions.
-http://www.computerworld.com/cwi/story/0,1199,NAV47_STO59856,00.html
Similarly British banks and corporate entities tend to avoid negative publicity by not reporting intrusions:
-http://www.guardian.co.uk/uk_news/story/0,3604,474802,00.html

19 & 20 April 2001 ISA Members will Receive CERT Warnings for a Fee

The Internet Security Alliance (ISA) is a joint effort between the Electronic Industries Association and the Software Engineering Institute at Carnegie Mellon University, which includes the CERT Coordination Center. Businesses may join for a fee ranging from $2,500 to $70,000 depending on gross revenues; in return, they will receive real-time Internet security warnings which have until now been available only to the Defense Department and the General Services Administration. CERT will continue to make the alerts public 45 days after members receive them. Critics have expressed concern that the ISA is duplicating efforts already undertaken by such groups as the Partnership for Critical infrastructure, the Internet Software Consortium, and the various ISACs.
-http://dailynews.yahoo.com/h/nm/20010419/wr/internet_security_dc_1.html
-http://www.zdnet.com/zdnn/stories/news/0,4586,2709721,00.html?chkpt=zdhpn
ews01
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO59847,00.html

19 April 2001 SMBRelay

An application named "SMBRelay," written by a member of a cracking group, capitalizes on a flaw in Microsoft's Server Message Block (SMB) protocol on Windows NT and Windows 2000 machines. The application hijacks the user's connection and steals password hashes to be decrypted later. The author blames the security hole on the need for backward compatibility with workstations that have lower-ended security capabilities. Blocking access via TCP port 139 will stop this hijacking attack.
-http://www.theregister.co.uk/content/8/18370.html

19 April 2001 UK's National Hi-Tech Crime Unit

The National Hi-Tech Crime Unit (NHTCU) will work with local police and advise government on policy and legislation. The unit currently employs 40 officers and plans to increase than number to 80; Home Secretary Jack Straw says the government plans to spend 25 million pounds (US$36 million) over three years to fight cybercrime. Critics say that the NHTCU is underfunded, and that because the Internet is global in nature, national initiatives will not have much of an effect. However, the unit could be effective in raising awareness of cybercrime threats. Some have also expressed concern about citizens' privacy.
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_1283000/1283866.stm
-http://www.wired.com/news/business/0,1367,43171,00.html
-http://www.guardian.co.uk/uk_news/story/0,3604,474802,00.html

19 April 2001 OMB Guidelines for Annual Security Reports

The Office of Management and Budget (OMB) released draft guidelines for security reports that agencies must submit to OMB this fall. The reports, required under the Government Information Security Reform Act (GISRA-October 2000), should include an executive summary on GISRA implementation and details about annual program reviews and evaluations.
-http://www.fcw.com/fcw/articles/2001/0416/web-draft-04-19-01.asp

19 April 2001 Matcher Trojan

The Matcher or Lonely Heart virus appears to be a Melissa variant that mails itself as an attachment to the infected user's entire address book twice.
-http://www.cnn.com/2001/TECH/internet/04/19/virus.matcher/index.html

18 April 2001 Behavior Blocking

Unlike traditional anti-virus software which scans for viruses based on known signatures, behavior blocking software uses policies to determine whether code and/or applications are attempting to perform unauthorized actions.
-http://www.techweb.com/wire/story/TWB20010418S0011
[Editor's (Cowan) Note: The article describes one instance of behavior blocking technology. Others include eSafe
-http://www.ealaddin.com/esafe/desktop/index.asp
and Entercept
-http://www.entercept.com/
for Windows, Argus Pitbull LX
-http://www.argussystems.com/feature/pblxinfo.shtml
, and SELinux
-http://www.nsa.gov/selinux/
and SubDomain
-http://immunix.org/subdomain.html
for Linux. ]

17 & 19 April 2001 Microsoft Internet Security and Acceleration (ISA) Server Vulnerability

A security hole in Microsoft's ISA server 1.0 could allow attackers to block all web traffic. By sending specific strings of characters to the server, attacker could take web sites off line and prevent those behind the firewall from accessing the web until the server is restarted. The malicious string could be contained in an image tag in HTML e-mail, sent to the server from someone behind the firewall, or, if the server's Web publishing feature has been turned on, sent from outside the firewall. The exploits do not give the attacker network access nor does it allow for the execution of other attacks.
-http://www.infoworld.com/articles/hn/xml/01/04/17/010417hnisa.xml
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO59697,00.html
-http://www.zdnet.co.uk/news/2001/15/ns-22324.html

17 April 2001 Another BDM Laptop Missing

A British Defense Ministry (BDM) laptop reportedly containing new weapons system data was left in the back of a taxi; this brings the Ministry's four-year total to 205 missing laptop computers. The BDM has plans to equip its workers with special briefcases with built-in tracking devices and the capacity to erase laptop hard drives if the proper code is not entered.
-http://www.wired.com/news/politics/0,1283,43088,00.html

17 April 2001 Former Investment Firm Employee Charged with Data Theft

A former Barksdale Group employee has been arrested on charges of embezzlement of funds and trade secrets. The woman allegedly downloaded sensitive company information after being dismissed from her job; her attorney says she was merely cleaning up her computer.
-http://news.cnet.com/news/0-1007-200-5642068.html?tag=prntfr

17 April 2001 2600 Club Good for Teens

Despite its reputation as a place for hackers to share secrets and plan cyber attacks, the 2600 club provides computer-savvy teenagers with informal mentorships and opportunities to meet peers with similar interests and abilities. The club encourages its members to abide by the "hacker ethic;" learning about vulnerabilities is fine, but causing damage is not.
-http://www.washingtonpost.com/wp-dyn/articles/A25357-2001Apr16.html

16 April 2001 Security Testing Checklist

Comprehensive security testing includes network topology analysis, review of policies, practices and procedures, vulnerability assessment, and both technological and social engineering penetration testing. It is also helpful to use outside security auditors.
-http://www.fcw.com/fcw/articles/2001/0416/tec-ryan-04-16-01.asp

10 April 2001 New DoD Cybercrimes Center Position

Brig. Gen. Francis Taylor, commanding general of the Air Force Office of Special Investigations says the Defense Department (DoD) has created the position of executive director of the Defense Cybercrimes Center. In addition to overseeing the DoD's computer forensics lab and investigator training program, the director will help develop a long-term strategy for the center, which may include forming an institute that would function as a resource for private industry and academics.
-http://www.fcw.com/fcw/articles/2001/0409/web-cyber-04-10-01.asp

---

==end==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites


Editorial Team:
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Howard Schmidt, Eugene Schultz