SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume III - Issue #25

June 20, 2001


Last month, the three most popular Hacker Exploits courses were run
head-to-head at SANS2001. The highest rated was Eric Cole and Ed
Skoudis' course "Computer and Network Hacker Exploits." It was also the
only one of the three courses that taught students how to block the
attacks as well as how to run them.

You may attend Eric and Ed's course in Boston or Washington in July.
If you take the entire five-day track, which combines the hacker
exploits courses with advanced incident handling, you'll have finished
the course work for one of the GIAC Level 2 security certifications.
http://www.sans.org/sansfire/track4.html

TOP OF THE NEWS

15 June 2001 Israeli Hacker Won't Go to Jail
13 June 2001 IU Computers Breached for Second Time This Year
9 - 14 June 2001 Cal-ISO Servers Compromised

THE REST OF THE WEEK'S NEWS

15 June 2001 Wireless Keyboard Security
15 June 2001 New Malicious Hacking Tools
14 June 2001 Houston Floods Bring Physical Security Lessons
14 June 2001 Trojan Exploits Word RTF/Macro Flaw
13 & 14 June 2001 Morbid Curiosity Yields Trojan
11 & 13 June 2001 MacSimpson Worm
13 & 14 June 2001 Exchange 2000 Patch Woes
13 June 2001 Former FAA Employee Gets Jail Sentence for Stealing Source Code
13 June 2001 Cracker Group Defaces More Sites Because They Can
13 June 2001 SQL Server Flaw Bulletin and Patch
13 & 14 June 2001 Malicious E-Mail Could Cause Problems for Japanese Wireless Internet Customers
11 June 2001 DMCA Shadow Looms

TUTORIAL

11 June 2001 Outsourcing Pros and Cons: Security Manager's Journal


******************** Sponsored by NetIQ Corporation ********************
FREE SECURITY GUIDE:
Get the in-depth knowledge you need to secure your enterprise with
NetIQ's FREE step-by-step security guide - "Selecting The Right Security
Solution" - at
http://www.netiq.com/sponsor/default.asp?236
NetIQ's security solutions not only identify intruders, but ensure that
threats don't ever become incidents.
***********************************************************************

TOP OF THE NEWS

15 June 2001 Israeli Hacker Won't Go to Jail

Ehud Tenenbaum, the Israeli hacker who was part of the force behind the "Solar Sunrise" attack on US Defense Department computer systems in 1998, was sentenced to six months of community service. Tenenbaum was also fined approximately $18,000 and sentenced to one year of probation. A two-year suspended prison sentence will be enforced if he commits a computer crime within the next three years.
-http://www.securityfocus.com/news/217

13 June 2001 IU Computers Breached for Second Time This Year

According to Indiana University (IU) officials, crackers broke into IU School of Music computers where they accessed names, addresses and social security numbers of people who had requested information about the school; the crackers also used the breached servers as a private chatroom and for file storage. Technicians said that the crackers exploited the rpc.statd buffer overflow flaw to gain access to the servers, and that they deleted any log files which could have offered clues to their identities.
-http://www.wired.com/news/culture/0,1284,44501,00.html

9 - 14 June 2001 Cal-ISO Servers Compromised

Crackers recently infiltrated two servers that were part of a development network at the California Independent System Operator (ISO), an integral part of the power grid, raising concerns that foreign governments or terrorist groups are probing US critical infrastructure networks. Security specialists say they cannot tell who was responsible for the attacks, and that many routine security measures, including firewalls, tripwires, and logs, were not in place.
-http://www.latimes.com/business/cutting/20010609/t000047994.html
-http://www.computerworld.com/storyba/0,4125,NAV47_STO61313,00.html
-http://news.cnet.com/news/0-1003-200-6272438.html?tag=prntfr
[Editor's (Murray) Note: One might well ask why systems intended for the development of such a sensitive application are connected to the public network at all, much less without routine security measures. ]


********************* Also sponsored by Trend Micro ********************
TREND ANTIVIRUS IS PC MAGAZINE'S EDITORS' CHOICE
If you are worried about email viruses, you need Trend Micro ScanMail
for Exchange. It is the best solution for your Exchange server and PC
Magazine agrees: ScanMail and its plug-in eManager are PC Magazine's
Editors' Choice for Best Email Virus Protection. Buy a license for
ScanMail and get the content-management plug-in eManager FREE:
http://www.antivirus.com/banners/tracking.asp?si=19&bi=106&ul=/promo1
************************************************************************

THE REST OF THE WEEK'S NEWS

15 June 2001 Wireless Keyboard Security

Daten-Treuhand, a German security concern, has posted a warning on Bugtraq that crackers can sniff passwords from wireless keyboards from up to 30 meters.
-http://www.theregister.co.uk/content/8/19736.html
-http://www.daten-treuhand.de/sicherheitsnews/logitech/bugtraq.htm

15 June 2001 New Malicious Hacking Tools

Security consultants report two new attack tools circulating on the Internet: GodMessage and Choke. GodMessage lets an attacker embed ActiveX code in a web page so that a visiting browser downloads a compressed program; users with current antivirus software should be protected. The Choke worm uses MSN Messenger, rather than e-mail, as its channel and so gets around the security controls most sites have in place.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2775804,00.html

14 June 2001 Houston Floods Bring Physical Security Lessons

The recent flooding in Houston not only underscored the importance of having a detailed emergency plan in place, but also brought to light some important physical security considerations. Data and communications equipment centers should not be on the lower floors of buildings, provisions need to be made for refueling generators, and IT staff members should be included as members of emergency command centers.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO61363,00.html

11 & 13 June 2001 MacSimpson Worm

A mass-mailing worm that targets Macintosh computers arrives as an attachment purporting to be secret episodes of The Simpsons. The attachment is actually an AppleScript that sends copies of itself to everyone in the infected machine's Outlook Express or Entourage address book(s). The worm then moves the contents of the Sent Mail folder to the Deleted Items folder, hiding the outbound copies, and opens Internet Explorer to a Simpsons archive. It affects Mac OS 9.0 and higher running Outlook Express 5.02 and higher. The Computerworld article offers advice for removing the worm from infected systems.
-http://news.cnet.com/news/0-1006-200-6250087.html?tag=prntfr
-http://www.zdnet.com/zdnn/stories/news/0,4586,2772050,00.html
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO61323,00.html

14 June 2001 Trojan Exploits Word RTF/Macro Flaw

A Trojan horse named Goga exploits a recently disclosed security flaw in Microsoft Word (MS01-028). Goga arrives in the guise of a Rich Text Format (RTF) attachment whose attached-template reference points to a template file on a Russian web site. Word's macro security checks are not applied to a template linked from an RTF document, so a macro in that template runs without warning and gathers logons and passwords.
-http://news.cnet.com/news/0-1003-200-6280162.html?tag=prntfr
-http://www.microsoft.com/technet/security/bulletin/ms01-028.asp
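What a mail gateway or an incident handler wants here is a quick check for the one feature this attack depends on: the RTF attached-template reference pointing off the local machine. The scanner below is an added example for this summary; it is not code from SANS, Microsoft or any of the linked articles. The sample documents are constructed, the host names in them are placeholders, and nothing is opened in Word. It also covers two variants beyond the summary's plain URL case: a UNC path, and a URL with its scheme hex-encoded, which defeats a naive grep for "http".

```python
"""Added example: flag RTF documents whose attached template lives on a
remote host, the delivery mechanism the Goga summary / MS01-028 describe.
Constructed samples only; no network access, nothing is opened in Word."""
import re
from typing import Dict, List

# A template reference is "remote" if it is a URL or a UNC path.
REMOTE_PATTERN = re.compile(r'^(?:https?://|ftp://|\\\\[^\\]+\\)', re.IGNORECASE)
# Opening of the RTF template destination group: {\*\template <path>}
TEMPLATE_GROUP = re.compile(rb'\{\\\*\\template(?![a-zA-Z])')
# A control word: backslash, letters, optional numeric parameter, optional delimiting space
CONTROL_WORD = re.compile(rb'\\[a-zA-Z]+-?[0-9]*[ ]?')


def _group_end(data: bytes, start: int) -> int:
    """Index just past the '}' that closes the group opened at data[start]."""
    depth = 0
    i = start
    while i < len(data):
        c = data[i:i + 1]
        if c == b'\\':          # backslash escapes the next byte (\{ \} \\)
            i += 2
            continue
        if c == b'{':
            depth += 1
        elif c == b'}':
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(data)            # unterminated group: take the rest


def _group_text(body: bytes) -> str:
    """Reduce an RTF group body to plain text: resolve \\'hh hex escapes,
    unescape \\\\ \\{ \\}, drop control words and nested braces."""
    out = []
    i = 0
    while i < len(body):
        c = body[i:i + 1]
        if c == b'\\':
            nxt = body[i + 1:i + 2]
            if nxt == b"'":                         # hex-encoded byte
                out.append(bytes([int(body[i + 2:i + 4], 16)]))
                i += 4
            elif nxt in (b'\\', b'{', b'}'):        # escaped literal
                out.append(nxt)
                i += 2
            else:
                m = CONTROL_WORD.match(body, i)     # \template, \pard, ...
                i += len(m.group(0)) if m else 2    # else a control symbol such as \*
            continue
        if c not in (b'{', b'}', b'\r', b'\n'):
            out.append(c)
        i += 1
    return b''.join(out).decode('latin-1').strip()


def find_template_links(rtf: bytes) -> List[str]:
    """Every attached-template path declared in the document."""
    links = []
    for m in TEMPLATE_GROUP.finditer(rtf):
        end = _group_end(rtf, m.start())
        links.append(_group_text(rtf[m.end():end - 1]))
    return links


def scan_rtf(rtf: bytes) -> Dict[str, object]:
    """Verdict for one document: all template paths, the remote ones, and a flag."""
    links = find_template_links(rtf)
    remote = [link for link in links if REMOTE_PATTERN.match(link)]
    return {"templates": links, "remote_templates": remote, "suspicious": bool(remote)}


# Constructed samples (not real malware). Backslashes inside RTF text are doubled.
BENIGN = rb'{\rtf1\ansi{\*\template C:\\Templates\\Normal.dot}\pard Quarterly report}'
REMOTE_URL = rb'{\rtf1\ansi{\*\template http://template.example/update.dot}\pard Lure text}'
# Same URL with the scheme hex-encoded, a common way to dodge naive grep rules.
HEX_OBFUSCATED = rb"{\rtf1\ansi{\*\template \'68\'74\'74\'70://template.example/update.dot}\pard x}"
UNC_PATH = rb'{\rtf1\ansi{\*\template \\\\fileserver\\dots\\letter.dot}\pard x}'

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("url", REMOTE_URL),
                      ("hex", HEX_OBFUSCATED), ("unc", UNC_PATH)):
        print(name, scan_rtf(doc))
```

The check is deliberately narrow: it answers only "does this document fetch its template from somewhere else", which is the condition the bulletin is about, and leaves judging the template itself to the antivirus or sandbox stage. A local path in the template group is normal and is reported but not flagged.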

13 & 14 June 2001 Morbid Curiosity Yields Trojan

Computer users who thought they were downloading a bootlegged video of Timothy McVeigh's execution were actually being tricked into installing the SubSeven Trojan horse program on their computers. The program, which affects only computers running Windows operating systems, allows crackers to remotely control infected machines. The web page that contained the program is no longer up, and users with current antivirus software should be protected.
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_1386000/1386606.stm
-http://www.zdnet.com/zdnn/stories/news/0,4586,2775026,00.html?chkpt=zdhpnews01
[Editor's (Murray) Note: Those who do not take the bait should also be safe. ]

13 & 14 June 2001 Exchange 2000 Patch Woes

The first patch Microsoft issued for an Exchange 2000 security flaw contained an error that caused servers to hang. The second, which contained outdated files, did the same thing. The company released a third version of the patch last week. One security consultant described the patch's effect as essentially launching a denial-of-service attack on one's own server.
-http://www.zdnet.com/zdnn/stories/news/0,4586,5092661,00.html?chkpt=zdhpnews01
-http://www.computerworld.com/storyba/0,4125,NAV47_STO61353,00.html

13 June 2001 Former FAA Employee Gets Jail Sentence for Stealing Source Code

Thomas A. Varlotta, the Federal Aviation Administration (FAA) engineer who stole O'Hare International Airport air traffic control monitoring software shortly before he left the FAA's employ, was sentenced to a year in prison and ordered to pay $13,000 in fines and restitution. Varlotta had headed the team that developed the source code he stole.
-http://www.chicagotribune.com/news/metro/dupage/printedition/article/0,2669,SAV-0106130346,FF.html

13 June 2001 Cracker Group Defaces More Sites Because They Can

A cracker group notorious for defacing scads of Chinese web sites earlier this year has recently defaced a dozen sites worldwide; all the sites have in common is the word "security" in their domain names. In an email to CNET, the group claims that they target Windows NT and 2000 servers because they are so easy to infiltrate.
-http://news.cnet.com/news/0-1003-200-6269253.html?tag=prntfr

13 June 2001 SQL Server Flaw Bulletin and Patch

Microsoft simultaneously posted a bulletin about and a patch for a flaw in SQL Server 7.0 and 2000 Gold databases that could allow a cracker to hijack an administrative connection. The flaw affects servers that are configured for mixed-mode authentication, and attackers must already have access to the server in order to take advantage of the vulnerability.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO61332,00.html
Bulletin:
-http://www.microsoft.com/technet/security/bulletin/MS01-032.asp
Patch:
-http://support.microsoft.com/support/kb/articles/Q299/7/17.asp

13 & 14 June 2001 Malicious E-Mail Could Cause Problems for Japanese Wireless Internet Customers

A Japanese wireless phone carrier has warned subscribers of its I-Mode wireless Internet service that malicious e-mail messages could cause their phones to dial an emergency number, make lots of calls, or freeze the phone screen. The company advises its customers not to open e-mail from unknown sources and offers suggestions for thwarting the potential problems.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO61340,00.html
-http://news.cnet.com/news/0-1004-200-6282498.html?tag=prntfr
[Editor's (Cowan) Note: Script-enabled mail and web clients are a disaster, and apparently G3 cell phone manufacturers have fallen into the same trap as the designers of MS Outlook and the people who invented Javascript for web browsers. At least with Netscape the user can disable Java and Javascript for web and mail. One suspects that G3 (third generation) cell phone users will not be so lucky. ]

[Editor's (Grefer) Note: This incident should serve as another reminder to set up a separate machine that has been hardened (a.k.a. a bastion host) to serve as log server for all systems. Once the syslog configurations of the other systems have been adjusted to point to the hardened log server or log host, it will be much more difficult for intruders to cover their tracks. Any logged activities up to the point where they manipulate the syslog daemon or its configuration will be preserved. ]
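The IU breach above, where the intruders deleted the log files, and the Grefer note's remedy both come down to one line in each host's syslog configuration. The following is an added example, not code from SANS or the editors: it shows the weak and the corrected configuration side by side and a small audit that reports which of the facilities an intruder most wants to erase never leave the box. The configuration lines are constructed in classic BSD syslog.conf syntax, and "loghost" is an assumed name for the hardened log server.

```python
"""Added example (not from SANS or the editors): audit a classic
syslog.conf for the remote-forwarding rule the note recommends.
Configs below are constructed; 'loghost' is an assumed hostname."""
import re
from typing import List, Set, Tuple

# Facilities an intruder most wants erased: login, su and sshd records.
REQUIRED = ("auth", "authpriv")

Rule = Tuple[List[Tuple[str, str]], str]   # ([(facility, priority), ...], action)


def parse_syslog_conf(text: str) -> List[Rule]:
    """Parse 'selector<whitespace>action' lines. A selector is one or more
    facility[,facility].priority items joined by ';'. Comments and blank
    lines are skipped; a line without an action field is ignored."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue                        # malformed: no action field
        selector, action = parts
        pairs: List[Tuple[str, str]] = []
        for item in selector.split(";"):
            if "." not in item:
                continue
            facilities, priority = item.rsplit(".", 1)
            for fac in facilities.split(","):
                pairs.append((fac, priority))
        rules.append((pairs, action))
    return rules


def forwarded_facilities(rules: List[Rule]) -> Set[str]:
    """Facilities with at least one rule whose action is a remote host (@host)."""
    forwarded: Set[str] = set()
    for pairs, action in rules:
        if not action.startswith("@"):
            continue                        # file, pipe, user or console: local only
        for fac, pri in pairs:
            if pri != "none":               # 'none' excludes a facility from the rule
                forwarded.add(fac)
    return forwarded


def missing_forwarding(text: str) -> List[str]:
    """REQUIRED facilities that never leave the host; [] once '*' or each is forwarded."""
    forwarded = forwarded_facilities(parse_syslog_conf(text))
    if "*" in forwarded:
        return []
    return [fac for fac in REQUIRED if fac not in forwarded]


# Weak: everything stays in local files that a root-level intruder can delete.
WEAK = """\
*.info;mail.none;authpriv.none    /var/log/messages
authpriv.*                        /var/log/secure
mail.*                            /var/log/maillog
"""
# Corrected: same local files, plus a copy of every record to the bastion
# log host (classic BSD syntax; '@host' sends UDP syslog to a remote syslogd).
HARDENED = WEAK + """\
*.*                               @loghost
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "- no remote copy for:", missing_forwarding(conf) or "nothing")
```

The audit only looks at the client side of the arrangement. The log host itself still has to be hardened, accept port 514 only from the hosts it serves, and not run the services being protected; and, as the note says, anything the intruder does after tampering with the local syslog daemon will not be forwarded, so the value is in the record up to that point.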

11 June 2001 DMCA Shadow Looms

Fearful of violating the Digital Millennium Copyright Act (DMCA), the administrator of a TiVo web forum has asked users to refrain from posting information about methods for sharing saved content.
-http://news.cnet.com/news/0-1005-200-6249739.html?tag=prntfr

TUTORIAL

11 June 2001 Outsourcing Pros and Cons: Security Manager's Journal

On one hand, managed security services offer round-the-clock monitoring, a staff with detailed knowledge, and "herd immunity." On the other hand, the commitment to security may not be as strong as that of someone in-house, the companies must look like gold mines to crackers, and the cost of such services is still quite high.
-http://www.computerworld.com/cwi/community/story/0,3201,NAV65-663_STO61232,00.html




==end==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites


Editorial Team:
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Eugene Schultz