SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume III - Issue #19
May 09, 2001
Steve Ballmer, Microsoft's CEO, walked into a meeting with a dozen
customers a few days ago and said disgustedly, "You would think we could
figure out how to fix buffer overflows by now." He was talking about
the latest IIS buffer overflow fiasco through which (SANS has received
reliable confirmation to prove) well over 9,000 Microsoft-powered web
sites have been defaced. And that pain is nothing compared to the
extortion and reputation damage organizations will soon face in trying
to recover the credit card numbers and other private information of
their clients.
Steve is right about buffer overflows. Enough is enough. It is time
to bring accountability to the programming profession. We hope that
Microsoft will take the lead, guaranteeing all its internal programmers
get basic secure programming skills training and that the company helps
train developers outside of Microsoft. And if that isn't enough,
perhaps as a security community, we can invite developers of important
code with buffer overflows to come to SANS conferences where they can
tell us all why they are subjecting us to this pain. Programmers have
been taught simple tests to avoid buffer overflows at least since 1960.
Some of them have forgotten the basics. It's time to give them a reason
to remember.
On a more upbeat note.
If your CIO is looking for a conference on security this summer, and
SANS is a little too technical, tell her (or him) to look at the Gartner
Group's Annual Information Security Conference. It provides the type
of strategic level knowledge in security governance and policies that
is missing in the older security conferences aimed at non-technical
folks. See: http://www.gartner.com/infosec/usa
AP
TOP OF THE NEWS
1 May 2001 Internet Information Server (IIS) 5.0 Buffer Overflow Vulnerability
3 & 4 May 2001 Buffer Overflow Vulnerability Exploits Published
1 May 2001 FBI Data Gathering Methodology in Cracker Case Raises Concerns
4 May 2001 White House Site DDoSed
1 & 2 May 2001 US Government Web Sites Attacked
THE REST OF THE WEEK'S NEWS
7 May 2001 Protecting Your Site From Defacement
4 May 2001 ILOVEYOU Worm One Year Later: Could It Happen Again?
4 May 2001 FBI Documents Detail Carnivore Use
4 May 2001 Microsoft Sites Defaced
30 April and 3 & 4 May 2001 Chinese Hacking Threat Loses Steam
3 May 2001 Lucent Employees Charged with Theft of Proprietary Info
3 May 2001 CERT Warns of ISN Vulnerability
3 May 2001 German Government Wants to Build CERT Network
2 May 2001 "Hacktivists" are Not Activists
1 May 2001 Uncovering a Cracker's Footsteps
1 May 2001 W32/Hello Worm Spreads Via MSN Messenger
1 May 2001 Spitzner Interview
30 April 2001 Group to Release Filter-Foiling Tool
30 April 2001 Biometrics and Privacy
30 April 2001 The Human Factor: The Security Manager's Journal
*********** This issue sponsored by SurfControl, Inc. ****************
WORMS, VIRUSES, TROJAN HORSES...
Relying on your firewall for complete network protection?
You're leaving yourself vulnerable to a host of harmful threats.
SurfControl adds an extra layer of security. Monitor/manage all traffic
down to the port level.
FREE 30-Day Trial: http://www.surfcontrol.com/promo/SNB0509
**********************************************************************
TOP OF THE NEWS
1 May 2001 Internet Information Server (IIS) 5.0 Buffer Overflow Vulnerability
Microsoft warned of a security hole in machines running Windows 2000 with IIS 5.0. By sending the servers carefully crafted strings, attackers could cause a buffer overflow that would allow them system administrator level control of the machines. System administrators can protect their systems by turning off the Internet printing component. Microsoft has released a patch for the vulnerability, and is delaying the release of Service Pack 2 until the patch is incorporated.
-http://www.msnbc.com/news/567192.asp
-http://news.cnet.com/news/0-1003-200-5784437.html?tag=prntfr
-http://www.cert.org/advisories/CA-2001-10.html
Microsoft security advisory and patch information:
-http://www.microsoft.com/technet/security/bulletin/MS01-023.asp
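The bug class behind this advisory, and the "simple tests" the editorial at the top of this issue says programmers have forgotten, shown in miniature. This is an added example written for this page; it is not code from the SANS article, from Microsoft, or from IIS, and it makes no claim about which field IIS actually overflowed. The function names, HOST_MAX, and the use of the Host: header as the attacker-controlled string are assumptions for the illustration. copy_unchecked() is the vulnerable pattern (defined, never called); copy_bounded() is the check that prevents it.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX 64   /* fixed-size stack buffer for the Host value (assumed) */

/* Vulnerable pattern (not called anywhere here): copies whatever length
   the request supplied into a buffer whose size it never sees. With a
   long value this writes past the end of dst and corrupts the stack. */
void copy_unchecked(char *dst, const char *src, size_t len)
{
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Hardened pattern: the destination size travels with the destination,
   and anything that will not fit together with its terminator is
   rejected outright rather than silently truncated. Returns 1 on
   success, 0 if the value is too long. */
int copy_bounded(char *dst, size_t dstsz, const char *src, size_t len)
{
    if (len >= dstsz)
        return 0;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 1;
}

/* Pull the Host: header out of a raw request and copy it into a fixed
   stack buffer with the bounded copy. Returns 1 if the request is
   accepted, 0 if the header is missing or oversized. */
int handle_request(const char *request)
{
    char host[HOST_MAX];
    const char *p = strstr(request, "\r\nHost:");
    const char *end;
    size_t len;

    if (p == NULL)
        return 0;
    p += strlen("\r\nHost:");
    while (*p == ' ')
        p++;
    end = strstr(p, "\r\n");
    len = end ? (size_t)(end - p) : strlen(p);
    if (!copy_bounded(host, sizeof host, p, len))
        return 0;                 /* reject before copying, never after */
    printf("accepted Host: %s\n", host);
    return 1;
}

/* Constructed test input: a GET request whose Host value is host_len
   'A' bytes. The caller frees the result. */
char *build_request(size_t host_len)
{
    const char *head = "GET /index.htm HTTP/1.0\r\nHost: ";
    const char *tail = "\r\n\r\n";
    size_t hl = strlen(head), tl = strlen(tail);
    char *req = malloc(hl + host_len + tl + 1);
    if (req == NULL)
        return NULL;
    memcpy(req, head, hl);
    memset(req + hl, 'A', host_len);
    memcpy(req + hl + host_len, tail, tl + 1);
    return req;
}

int main(void)
{
    char *ok = build_request(20);
    char *bad = build_request(500);   /* far beyond HOST_MAX */
    printf("normal request accepted: %d\n", handle_request(ok));
    printf("oversized request accepted: %d\n", handle_request(bad));
    free(ok);
    free(bad);
    return 0;
}
```

The check is the length comparison against the real buffer size before any byte is written; strncpy-style truncation is not a substitute, because it leaves an unterminated or silently altered value that the rest of the server then trusts.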
3 & 4 May 2001 Buffer Overflow Vulnerability Exploits Published
In addition to the proof-of-concept exploit created by the company that discovered the new buffer overflow vulnerability in Microsoft's IIS 5.0 and reported it to Microsoft, a malicious exploit for the vulnerability has been making its way around the Internet.
-http://www.msnbc.com/news/568503.asp?0nm=T23F
-http://www.infoworld.com/articles/hn/xml/01/05/03/010503hnattacktool.xml
-http://www.usatoday.com/life/cyber/tech/2001-05-03-microsoft-security-flaw-published.htm
-http://www.theregister.co.uk/content/4/18734.html
1 May 2001 FBI Data Gathering Methodology in Cracker Case Raises Concerns
Some cyber law experts have expressed concern that the FBI's method used in gathering incriminating evidence in the case of two Russian cyber criminals may invite indiscriminate international hacking. The FBI, unable to gain Russian authorities' cooperation in gathering data from the servers the crackers used, took it upon themselves to gather, compress, and download 1.3 GB of data to agency computers without a search warrant. They obtained a warrant before examining the files.
-http://news.cnet.com/news/0-1003-200-5785729.html?tag=prntfr
4 May 2001 White House Site DDoSed
Whitehouse.gov was the victim of a distributed denial-of-service attack that lasted just over two hours. An Albuquerque-based Internet service provider (ISP) discovered six of its servers had been planted with DDoS tools and were sending data to Whitehouse.gov. The attack was similar to one directed at the CIA earlier in the week.
-http://www.zdnet.com/zdnn/stories/news/0,4586,5082369,00.html?chkpt=zdhpnews01
1 & 2 May 2001 US Government Web Sites Attacked
A number of US government web sites came under attack last week, possibly by crackers acting on threats to escalate cyber attacks during the first week of May. Affected sites include the Department of Transportation's Surface Transportation Board, the US Geological Survey and the Federal Emergency Management Agency's (FEMA's) Hurricane Liaison team. Security experts have focused on the fact that many systems are unsecured.
-http://www.usatoday.com/life/cyber/tech/2001-05-02-china-hack-usat.htm
-http://www.usatoday.com/life/cyber/tech/2001-05-01-dot-hack.htm
-http://www.msnbc.com/news/567402.asp?0nm=T24F
****************** Also sponsored by Symantec ************************
Who Gets In? Who Stays Out? Who Decides?
The dilemma every company faces. Symantec(tm) has a solution. With
Managed Intrusion Prevention, security experts assess, monitor and
maintain your company's perimeter security, around the clock. Using
world-class technology, we keep your organization's networked assets
secure and protected.
Find out how at: http://www.symantec.com/ses5
**********************************************************************
THE REST OF THE WEEK'S NEWS
7 May 2001 Protecting Your Site From Defacement
Defacements, unlike stealthy attacks, make it clear your site's security has been violated. According to an Attrition.org staff member, users can reduce the risks of defacement and other security breaches by maintaining back-ups, monitoring systems for unusual behavior, and disabling unnecessary services.
-http://www.dotcom.com/news/deface.html
[Editor's (Murray) Note: Resist, detect, and repair in that order. Defacements are generally perpetrated against soft targets and targets of opportunity, though there is a clear preference for government and other authoritarian or authoritative sites, e.g., the NY Times. Defacements are overt, patent, and obvious as opposed to covert, latent, and devious. However, they do represent a genuine compromise of the target. If the only thing the attacker does is embarrass you, then you are lucky. The same vulnerabilities that can be exploited to deface your site might well be exploited for other purposes. ]
4 May 2001 ILOVEYOU Worm One Year Later: Could It Happen Again?
The significant difference between the fallout of the ILOVEYOU worm and that of the AnnaKournikova worm may be attributable to antivirus software, Outlook patches, and increased user caution regarding attachments. Other factors that reduce the likelihood of a massive outbreak include software that restricts the execution of unknown code or that recognizes suspicious behavior.
-http://www.msnbc.com/news/568574.asp?0nm=T21A
4 May 2001 FBI Documents Detail Carnivore Use
FBI documents obtained under the Freedom of Information Act (FOIA) show that the agency used Carnivore and a similar, commercially available network monitoring device called Etherpeek 24 times between October 1999 and August 2000. The tools were used in cases involving hacking, extortion, intellectual property, and national security.
-http://www.wired.com/news/business/0,1367,43570,00.html
4 May 2001 Microsoft Sites Defaced
A Brazilian-based cracker group has defaced MSNBC.com's Sports scoreboard as well as Microsoft home pages in Mexico, Saudi Arabia, and Great Britain.
-http://www.msnbc.com/news/568535.asp?0nm=T22F
-http://www.zdnet.com/zdnn/stories/news/0,4586,2715515,00.html
[Editor's (Murray) Note: For the media to suggest that "none of the sites contains sensitive data" is to demonstrate contempt, no doubt bred from familiarity, for what they do. News from authoritative sites is about as sensitive as data gets. ]
30 April and 3 & 4 May 2001 Chinese Hacking Threat Loses Steam
Despite threats of massive attacks on US computer networks, the purported cyberwar between China and the US has largely deteriorated into a rash of site defacements. Some experts have speculated that the cyber attacks were largely fueled by the media.
-http://news.cnet.com/news/0-1003-200-5773288.html?tag=prntfr
-http://www.thestandard.com/article/0,1902,24202,00.html
-http://www.wired.com/news/politics/0,1283,43520,00.html
3 May 2001 Lucent Employees Charged with Theft of Proprietary Info
Two Lucent scientists and a third conspirator have been charged with stealing software for Lucent's PathStar system and giving it to a Chinese company.
-http://www.wired.com/news/business/0,1367,43536,00.html
3 May 2001 CERT Warns of ISN Vulnerability
The CERT Coordination Center (CERT/CC) has issued an advisory regarding a vulnerability in the way initial sequence numbers (ISNs) are generated for TCP. TCP was built for reliability, not security, and predictable ISNs could allow an attacker who has deduced the correct ISN to spoof or hijack a TCP connection with the victim's computer without ever seeing the victim's packets. A CERT/CC Internet security analyst pointed out that exploiting the vulnerability would require statistical analysis tools.
-http://news.cnet.com/news/0-1003-200-5815298.html?tag=prntfr
-http://www.cert.org/advisories/CA-2001-09.html
[Editor's (multiple) Note: This is one more reason to move to IPv6. ]
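Why a guessable ISN matters: an off-path attacker who forges a SYN from someone else's address never sees the server's SYN/ACK, so to complete the handshake and inject data he has to guess the ISN the server chose. The following is an added example written for this page, not code from CERT/CC or the article. It simulates two toy generators: a bare per-connection counter, and the RFC 1948 shape (counter plus a keyed hash of the connection 4-tuple). FNV-1a over a secret is used as a stand-in for the MD5 in RFC 1948, which is an assumption for the example and not a cryptographic recommendation; the addresses, ports, secret and function names are likewise constructed. The CERT advisory's actual point is subtler (statistical bias in generators that already add randomness), so this only shows the extreme case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; };

/* Generator 1, predictable: one global counter bumped by a fixed step for
   every new connection, the classic 4.2BSD scheme. */
static uint32_t g_counter = 0x1000u;
uint32_t isn_predictable(const struct tuple *t)
{
    (void)t;
    g_counter += 64000u;
    return g_counter;
}

/* Generator 2, RFC 1948 shape: the same kind of counter plus a keyed hash
   of the 4-tuple, so the raw counter never reaches the wire. FNV-1a over
   secret||tuple stands in for MD5 (assumption for the example only). */
static const uint8_t g_secret[16] = {   /* constructed, fixed for the demo */
    0x9b,0x1c,0x47,0xe2,0x03,0x5d,0xaa,0x71,
    0x2f,0xc8,0x66,0x0e,0xd4,0x39,0x85,0xbb };
static uint32_t g_clock = 0x1000u;

static uint32_t fnv1a(uint32_t h, const void *buf, size_t n)
{
    const uint8_t *p = buf;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
static uint32_t keyed_hash(const struct tuple *t)
{
    uint32_t h = 2166136261u;
    h = fnv1a(h, g_secret, sizeof g_secret);
    h = fnv1a(h, &t->saddr, sizeof t->saddr);
    h = fnv1a(h, &t->daddr, sizeof t->daddr);
    h = fnv1a(h, &t->sport, sizeof t->sport);
    h = fnv1a(h, &t->dport, sizeof t->dport);
    return h;
}
uint32_t isn_rfc1948(const struct tuple *t)
{
    g_clock += 64000u;
    return g_clock + keyed_hash(t);
}

/* Off-path attacker. He opens two connections of his own to learn the
   step, then predicts the ISN of the very next connection, which he
   forges from the victim's address. He cannot see that SYN/ACK, so the
   guess is all he has. Returns 1 if the guess equals what the server
   really used for the spoofed connection. */
int off_path_guess(uint32_t (*isn)(const struct tuple *))
{
    struct tuple mine  = { 0x0a000005u, 0x0a000001u, 40000, 80 }; /* 10.0.0.5 -> server */
    struct tuple spoof = { 0x0a000002u, 0x0a000001u, 40000, 80 }; /* 10.0.0.2 -> server */
    uint32_t first, second, guess, actual;

    first = isn(&mine);
    mine.sport++;
    second = isn(&mine);
    guess  = second + (second - first);   /* extrapolate the observed step */
    actual = isn(&spoof);                 /* ISN the server sends to the spoofed SYN */
    return guess == actual;
}

int main(void)
{
    printf("counter-only ISN, attacker guessed right: %d\n",
           off_path_guess(isn_predictable));
    printf("RFC 1948-style ISN, attacker guessed right: %d\n",
           off_path_guess(isn_rfc1948));
    return 0;
}
```

With the bare counter the attacker's extrapolation is exact and the forged handshake completes. With the keyed hash, two ISNs from his own connections tell him nothing about the hash of a different 4-tuple, so the counter step alone no longer predicts the next value. Generators that add a random increment sit between these two cases, and that middle ground is what the advisory's statistical analysis targets.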
3 May 2001 German Government Wants to Build CERT Network
Germany's Interior Ministry intends to build a network of existing Computer Emergency Response Teams (CERTs) to protect the country's networks from cyber attacks. Coordination of efforts between the CERTs will help prevent major network damage without the need to publicize attacks, said a ministry spokesman.
-http://www.cnn.com/2001/TECH/internet/05/03/warning.system.idg/index.html
2 May 2001 "Hacktivists" are Not Activists
The author of this opinion piece deplores the use of the word "hacktivism," claiming the activity it describes is usually neither hacking nor activism. While the perpetrators may not be activists in the true sense of the word, they do serve to point out the lamentable condition of Internet security; the author would like to see systems administrators and software companies taken to task for poor security practices.
-http://www.msnbc.com/news/568036.asp?0nm=T23D
1 May 2001 Uncovering a Cracker's Footsteps
A systems administrator describes the process of figuring out how a cracker broke into a Linux box and what the cracker did there. The author also offers some advice on securing servers: keep current with patches, turn off unnecessary services, download and install portsentry, and familiarize yourself with security resources.
-http://www2.linuxjournal.com/articles/culture/0022.html
1 May 2001 W32/Hello Worm Spreads Via MSN Messenger
The Hello worm arrives as an executable file via MSN Messenger; if activated, it sends itself on to the infected machine's MSN e-mail contact list. The worm is unlikely to cause significant damage because users must deliberately download and execute the file to become infected. While Hello appears to be largely a proof of concept worm, future variants could prove more harmful.
-http://www.zdnet.com/zdnn/stories/news/0,4586,5082130,00.html
Advice for securing instant messaging services. (25 April 2001)
-http://www.zdnet.com/anchordesk/stories/story/0,10738,2711950,00.html
1 May 2001 Spitzner Interview
In an interview, Honeynet Project founder Lance Spitzner describes what brought him into the field of computer security and how he began the project. He also explains the difference between a Honeypot and a Honeynet.
-http://news.cnet.com/news/0-1014-201-5784065-0.html?tag=bt_pr
30 April 2001 Group to Release Filter-Foiling Tool
A hacker group plans to introduce a peer-to-peer censorship-thwarting tool at this year's Defcon in July. "Peekabooty" will be distributed between systems, and will allow people in countries that restrict Internet content to receive controversial web pages in a compacted, encrypted form that will not be filtered out.
-http://www.zdnet.co.uk/news/2001/17/ns-22536.html
[Editor's (Murray) Note: Yes, and we all know what it will be used to share. Perhaps they fooled the reporter but they do not fool me. ]
30 April 2001 Biometrics and Privacy
The Pentagon is considering using biometric technology for physical facility and information network security. Some employees are concerned that the stored biometric templates (constructed from the initial scan of the person's fingerprint, iris, or face) could invade their privacy. The director of the Pentagon's Biometrics Management Office suggested that the templates may be protected under Exemption 6 of the Freedom of Information Act (FOIA), which lets agencies withhold personal information whose disclosure would be an unwarranted invasion of privacy.
-http://www.fcw.com/fcw/articles/2001/0430/pol-bio-04-30-01.asp
A brief explanation of how biometrics works:
-http://www.fcw.com/fcw/articles/2001/0430/pol-biobox-04-30-01.asp
30 April 2001 The Human Factor: The Security Manager's Journal
In this week's column, the security manager discusses the human factor in computer security. He believes that showing people the consequences of their actions gets better results than simply requiring them to follow procedures without explanation. This year he rewarded employees who didn't open questionable attachments.
-http://www.computerworld.com/cwi/Printer_Friendly_Version/0,1212,NAV65-663_STO60016,00.html
[Editor's (Murray) Note: People are as much the solution as they are the problem as any manager who attempts an exclusively technological remedy will quickly learn. ]
==end==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites
Editorial Team:
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Eugene Schultz