SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume III - Issue #27
July 04, 2001
Ham Radio Operators?
The threat to critical Internet resources from distributed denial of
service attack tools continues to increase. An effective emergency
communications network may be of great value if damage is done to both
the Internet and to phone systems. SANS is looking for ham and packet
radio operators who are willing to take a leadership role to help
establish and maintain an emergency communication channel. If you are
qualified and interested please send an email telling us about your ham
radio and computer security activities. Send it to info@sans.org with
Emergency Communications Network in the subject line.
SANSFire
This summer, take advantage of the Washington, DC gathering of the
industry's highest rated security teachers at SANSFire (July 30-August
4). Full certification preparation tracks in SANS Security Essentials;
Firewalls, Perimeter protection, and VPNs; Hacker Exploits and Advanced
Incident Handling; Intrusion Detection In-Depth; Forensics; Windows
Security; and UNIX Security. http://www.sans.org/sansfire/sansfire.html
AP
TOP OF THE NEWS
29 June 2001 Oracle8i Database Buffer Overflow Vulnerability29 June 2001 Cisco IOS Security Flaw
25 June 2001 W32-Leaves.worm Exploits Compromised PCs
THE REST OF THE WEEK'S NEWS
2 July 2001 Hackers May Profit From Spamming Trojan29 June 2001 Human Rights Group is Victim of Crackers
29 June 2001 Peekabooty Release Delayed
28 June 2001 Smart Tags Not Included This Time Around
28 June 2001 Sprint Denial-of-Service Attack
27 June 2001 Alldas.de Defacement
27 June 2001 Computer Virus as Art
26 & 27 June 2001 ICQ Servers Defaced
26 June 2001 "Problem" Allows Surreptitious Forwarding of Encrypted E-Mail
25 June 2001 Termination Policies for Good Security
25 June 2001 Microsoft Windows Function Affects Norton Anti-Virus
24 June 2001 Vendor Group to Coordinate Vulnerability Reporting
*********************** Sponsored by Websense ************************
WHAT DO CISCO, MICROSOFT AND CHECK POINT HAVE IN COMMON?
They are all integrated with Websense, the leading Internet filtering
software solution. Transparently monitor, manage and report on traffic
from your internal networks to the Internet. Maximize your network
bandwidth, increase productivity and reduce legal liability.
Try Websense free for 30-days.
http://www.websense.com/index.cfm?id=070101
**********************************************************************
TOP OF THE NEWS
29 June 2001 Oracle8i Database Buffer Overflow Vulnerability
Security experts found and disclosed a pair of vulnerabilities in the standard and enterprise editions of Oracle8i database. The Transport Network Substrate (TNS) Listener has a buffer overflow vulnerability; a flaw in the SQL Net protocol leaves the system vulnerable to denial-of- service attacks. Patches are available.-http://www.computerworld.com/storyba/0,4125,NAV47_STO61802,00.html
29 June 2001 Cisco IOS Security Flaw
Cisco and CERT/CC have both issued warnings about a vulnerability in routers running Cisco's Internetwork Operating System (IOS). Crackers can gain high level control of the router by sending a specially crafted URL; from there, the crackers could intercept sensitive data and alter device configuration. Patches are available for the security flaw.-http://www.cnn.com/2001/TECH/internet/06/29/cisco.flaw.idg/index.html
-http://www.zdnet.com/zdnn/stories/news/0,4586,5093506,00.html
-http://www.cert.org/advisories/CA-2001-14.html
25 June 2001 W32-Leaves.worm Exploits Compromised PCs
The W32-Leaves.worm apparently seeks out PCs compromised with the SubSeven trojan, plants additional code onto the machines and synchronizes their internal clocks with the US Naval Observatory clock, leading experts to surmise crackers are preparing the machines to launch a distributed denial-of-service attack.-http://news.cnet.com/news/0-1003-200-6374839.html?tag=prntfr
-http://www.nipc.gov/warnings/advisories/2001/01-014.htm
******************* Also Sponsored by Trend Micro ********************
TREND ANTIVIRUS ISPC MAGAZINE'S EDITORS' CHOICE
If you are worried about email viruses, you need Trend Micro ScanMail
for Exchange. It is the best solution for your Exchange server and PC
Magazine agrees: ScanMail and its plug-in eManager are PC Magazine's
Editors' Choice for Best Email Virus Protection. Download a 30-day trial
copy and get FREE technical support for that duration:
http://www.antivirus.com/banners/tracking.asp?si=19Bbi=114&ul=/products/smex
**********************************************************************
THE REST OF THE WEEK'S NEWS
2 July 2001 Hackers May Profit From Spamming Trojan
A worm has been found in the wild that forces infected machines to send spam that apparently advertises services on an adult web site.-http://www.zdnet.com/intweek/stories/news/0,4164,2781893,00.html
29 June 2001 Human Rights Group is Victim of Crackers
Crackers allegedly destroyed information on the hard disks on a computer system belonging to an Argentine human rights organization.-http://dailynews.yahoo.com/htx/nm/20010629/wr/argentina_hackers_dc_1.html
29 June 2001 Peekabooty Release Delayed
The Cult of the Dead Cow (cDc) will not release Peekabooty, its censorship-evading project, at July's Def Con as planned because the group does not feel the software is stealthy enough yet.-http://www.cnn.com/2001/TECH/internet/06/29/hackers.delay.sw.idg/index.html
28 June 2001 Smart Tags Not Included This Time Around
Citing "external feedback," Microsoft says it will drop Smart Tags from the October 25th release of Windows XP and from Internet Explorer 6. The technology, which is a part of Office XP and which may appear in later versions of Windows XP and IE 6, turns chosen words on web pages into links to related sites of Microsoft's choice.-http://news.cnet.com/news/0-1003-200-6399150.html?tag=prntfr
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO61727,00.html
-http://www.theregister.co.uk/content/4/20033.html
28 June 2001 Sprint Denial-of-Service Attack
Sprint officials confirmed that the company's network was hit with a "low-impact" denial of service attack. Engineers contacted the Internet service providers (ISPs) where the attacking addresses originated, and the ISPs blocked those addresses.-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO61729,00.html
27 June 2001 Alldas.de Defacement
Alldas.de, a site that mirrors defaced web pages, was itself defaced by a cracker who immediately followed up with an e-mail in which he described his methods and maintained he meant no harm. However, site administrators say log files show the intruder tried to gain root access.-http://news.cnet.com/news/0-1003-200-6395146.html?tag=prntfr
[Editor's (Murray )note: There is no reliable correlation between the motive of the attacker and the amount of damage done. Those people who really "mean no harm" restrict their activities to their own systems. ]
27 June 2001 Computer Virus as Art
A computer infected with a virus is on display at the Venice Bienale. The bienale.py virus is a collaborative effort from the European Net Art Collective and epidemiC, spreads via infected software and floppies and affects only those programs written in Python. The source code has been printed on T-shirts and a limited number of CD-ROMs.-http://www.wired.com/news/culture/0,1284,44728,00.html
[Editor's (Schultz) Note: Viruses as art? This is stooping to a new low---glorifying malicious activity. How pathetic! ]
26 & 27 June 2001 ICQ Servers Defaced
Two ICQ servers were defaced, but a spokesperson for AOL, which owns IQC instant messaging, says that no customer or corporate information was compromised.-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO61694,00.html
-http://www.newsfactor.com/perl/story/11568.html
26 June 2001 "Problem" Allows Surreptitious Forwarding of Encrypted E-Mail
A researcher has found that encryption standards allow people to forward encrypted e-mail messages and make it appear that the message came from the original sender. The vulnerability could be exploited by forwarding proprietary information to a third party to frame someone or by editing portions of the e-mail that won't invalidate the signature to give the message a different meaning. Experts suggest making clear who the intended recipient is by putting specific context into the body of the message or by including the To: and cc: fields within the signed portion of the message.-http://news.cnet.com/news/0-1003-200-6384176.html?tag=prntfr
[Editor's (Schultz) Note: You have to be kidding! This is a flaw? Digital signatures have always worked this way. If you do not protect their context of usage, of course they can be misused. Saying that this is a flaw is like saying that having keys to unlock car doors and to start the car is a flaw. No way! ]
25 June 2001 Termination Policies for Good Security
Security analysts warn that layoffs could present security problems for companies unless explicit termination policies are established and followed. The security concern @Stake recommends logging perimeter connections so holes can be closed upon an employee's departure, and disabling passwords and accounts - remembering to check for any unofficial accounts that may have been set up.-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO61663,00.html
25 June 2001 Microsoft Windows Function Affects Norton Anti-Virus
Changing the value of the registry key NAV 2001 disables Norton Anti- Virus, according to Peter Kruse of Scandinavian telco Telia. Symantec maintains that the problem affects only the on-demand scanner and not AutoProtect, but plans to change the way its anti-virus product uses PC registries.[Editor's (Schultz) Note: This widely reported story is completely specious. Being able to change a Registry key in Windows systems to disable some function or executable is commonplace. If anything, it represents a weakness in Windows systems, not a weakness in any program. This is not Symantec's problem at all. ]
24 June 2001 Vendor Group to Coordinate Vulnerability Reporting
A coalition of security and other software vendors plans to form an industry group that will establish standards for reporting vulnerabilities. The group would disclose vulnerability and exploit information to members first, then to the public, and only after fixes are available. The proposed procedure raises the debate over vulnerability disclosure: some maintain it's best not to publicize security holes before a fix is available, while others contend immediate disclosure keeps vendors honest.-http://www.zdnet.com/zdnn/stories/news/0,4586,2779503,00.html
[Editor's (Murray) Note: There does not appear to be sufficient trust or sense of responsibility in the community to make this approach viable. There are simply too many people who insist upon their right to know everything that anyone else knows as soon as they know it and a like number who insist upon their right to publish without regard for the consequences. ]
==end==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites
Editorial Team:
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Eugene Schultz