Newsletters: NewsBites



SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume III - Issue #29

July 18, 2001


Breaking News: New "Code Red" worm is spreading rapidly through
systems running Microsoft IIS. Both IIS 4.0 and 5.0 are affected.
http://www.crn.com/components/Nl/direct/article.asp?Articleclass=28301
Also Today: Users Band Together To Persuade Vendors To Improve Security Configurations
If you work for one of the tens of thousands of organizations that
rely on Solaris systems for important applications, you'll want to
get the newly revised Solaris security benchmark being published
today by the Center for Internet Security (formed by 160 leading user
organizations). The benchmark defines a global consensus of minimum
security settings that are not likely to break any applications and
that protect your systems from many common attacks. More sophisticated
Solaris benchmarks, for greater protection, are being created. Windows
2000 and several other benchmarks will follow. The benchmarks are free
and come with tools (also free) that allow you to test your systems
instantly and as often as you like. If you have ever wished system
vendors would provide their products with a more secure configuration
"out of the box," and that they would take a greater responsibility
for protecting you, their customers, join the Center. When the
security community speaks with one voice, you will be hard to ignore.
See www.cisecurity.org

TOP OF THE NEWS

13 July 2001 Sans.org Defaced
13 July 2001 Leave Worm Variant Disguised as Microsoft Security Bulletin
13 July 2001 Honeynet Expansion Planned
12 July 2001 New Mailing List To Improve Speed and Accuracy Of Security Bug Reports
12 July 2001 New Wireless Security Vulnerability Reported

THE REST OF THE WEEK'S NEWS

13 July 2001 Outlook E-Mail Vulnerability
12 July 2001 Welsh Cracker Tells His Story
11 July 2001 Worms Will Become More Dangerous
10 & 12 July 2001 GAO Report Enumerates Payroll Center Security Problems
10 & 11 July 2001 NCTP Research and Recommendations for Local Law Enforcement and Cyber Crime
10 July 2001 I-Worm.Mari
9 July 2001 FreeBSD Security To Be Improved with $1.2 Million US Grant
9 July 2001 Microsoft Warns of SMTP Vulnerability, Issues Patch
9 July 2001 Easing the Security Headache for Users
6 & 9 July 2001 Security Hole in Safe Harbor Site
6 July 2001 S1 Corp. Computer Intrusion
5 July 2001 IIS Exploit Code Posted
2 July 2001 Stopping Distributed Denial of Service Attacks
2 July 2001 Panel Urges Legislators to Strengthen Cyber Security

RESEARCH REPORT

Research Report: How Much Time Do Americans Spend On the Internet?



TOP OF THE NEWS

13 July 2001 Sans.org Defaced

The Sans.org web site was defaced on Friday morning. The site was taken off line immediately. It was brought back up Sunday evening. Forensic analysis is ongoing.
-http://www.msnbc.com/news/600122.asp?0dm=C12NT
[Editor's (Northcutt) Note: This has been a startling reminder of just how devastating an Internet attack can be. Every single program and setting has to be reviewed and in many cases, redesigned so that they can safely operate, not just in today's attacks, but also in the face of the threat level we will experience two years down the road. Some services may not be available for days. Editor's (Paller) Note: Though we would have greatly preferred not to have been attacked, the subsequent analysis is reaping far more fruit than we expected or hoped. We will provide a complete report of the lessons learned. We are gratified and humbled by the outpouring of active, unsolicited assistance being provided by many of the most experienced people in security. It helps a lot! ]

13 July 2001 Leave Worm Variant Disguised as Microsoft Security Bulletin

A variant of the W32-Leave worm is wending its way about the Internet pretending to be a Microsoft security bulletin. The worm, which affects only machines previously infected with the SubSeven Trojan, downloads components from web sites and could potentially be used to plant denial-of-service software on infected machines. Computers with current antivirus software and firewall protection should be safe from infection.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO62194,00.html

13 July 2001 Honeynet Expansion Planned

The founders of the Honeynet project (that uses fake web sites to track and fingerprint attackers) are proposing mechanisms that will greatly expand the number of honeypots, making them more difficult for the attackers to recognize.
-http://news.cnet.com/news/0-1003-200-6560377.html?tag=prntfr

12 July 2001 New Mailing List To Improve Speed and Accuracy Of Security Bug Reports

Three well-known vulnerability researchers, Rain Forest Puppy, Weld Pond, and Steve Manzuik, have formed a new vulnerability mailing list for reporting new vulnerabilities and threats. The new site, at www.vulnwatch.org, is designed to improve both the timeliness and quality of bug reports over what has been provided by Bugtraq and NTBugtraq.
-http://www.newsbytes.com/news/01/167891.html

12 July 2001 New Wireless Security Vulnerability Reported

A third vulnerability in the WEP protocol was reported by security researcher Tim Newsham. The vulnerability involves breaking a 64-bit key, which Newsham says can be done in less than 30 seconds.
-http://news.cnet.com/news/0-1003-200-6554365.html?tag=prntfr
Additional stories on Wireless insecurity:
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO62144,00.html
-http://www.newscientist.com/news/news.jsp?id=ns99991018
-http://www.zdnet.com/zdnn/stories/comment/0,5859,2783681,00.html



THE REST OF THE WEEK'S NEWS

13 July 2001 Outlook E-Mail Vulnerability

Georgi Guninski has reported an ActiveX control flaw in Outlook 98, 2000, and 2002 e-mail software that could allow an attacker to alter calendar information, delete e-mail, or run malicious code on the affected computer. Users can be exposed to the vulnerability either by viewing a specially crafted web page or by opening specially crafted HTML e-mail. Microsoft Corp. has issued a security bulletin, and a company security manager indicates that they would have preferred having had time to prepare a fix before the vulnerability became public knowledge.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO62182,00.html
-http://www.msnbc.com/news/599983.asp?0dm=T18NT
-http://www.microsoft.com/technet/security/bulletin/MS01-038.asp
[Editor's (Murray) Note: Guninski has not yet decided whether he wants to be part of the problem or part of the solution. ]

13 July 2001 Microsoft Speaks Out On Raw Sockets

Microsoft's Security Program Manager, Scott Culp, tells why he believes raw socket support is useful for effective security in Windows XP and why taking raw sockets out would not stop DDOS attacks. The interview was presented by the Register as a rebuttal to claims made by Windows guru Steve Gibson.
-http://www.theregister.co.uk/content/4/20387.html
[Editor's (Murray) Note: Gibson does not say "necessary and sufficient," as Culp suggests. He merely says useful, that it will so lower the cost that it will result in a dramatic increase. ]

12 July 2001 Welsh Cracker Tells His Story

Raphael Gray, the Welsh teenager who stole a plethora of credit card data from a variety of web sites, describes his background in cracking and the events that led to his arrest.
-http://news.bbc.co.uk/hi/english/uk/newsid_1434000/1434530.stm

11 July 2001 Worms Will Become More Dangerous

Jose Nazario, a security expert speaking at the Black Hat Security Briefings, said that computer worms will evolve into stealthier programs capable of targeting specific victims. University of Washington security engineer Dave Dittrich agreed, drawing an analogy between computer systems' security and the human immune system.
-http://news.cnet.com/news/0-1003-200-6548363.html?tag=prntfr
[Editor's (Murray) Note: Biological viruses evolve of biological necessity. It is part of their essential nature. Computer viruses and worms are artifacts. They have only the motivation that people program into them. There is nothing necessary, essential, or inevitable about them. ]

10 & 12 July 2001 GAO Report Enumerates Payroll Center Security Problems

A General Accounting Office (GAO) report asserts the National Business Center, based in Denver, has inadequate physical security, does not sufficiently limit employee access to systems, and lacks monitoring and investigative programs. The security weaknesses could potentially be exploited to alter payroll data. An official says that work is well underway to fix the problems.
-http://www.usatoday.com/life/cyber/tech/2001-07-10-govt-payroll-computer-security.htm
-http://www.fcw.com/fcw/articles/2001/0709/web-safe-07-12-01.asp
[Editors' (multiple) Note: These conclusions are as true for most sites as they are for the National Business Center. GAO would do far more good for security of government systems if it were to provide agencies with specific, measurable, technical criteria (metrics) for what constitutes due care and adequate security of federal systems. ]

10 & 11 July 2001 NCTP Research and Recommendations for Local Law Enforcement and Cyber Crime

The National Cybercrime Training Partnership (NCTP) conducted research that reveals state and local police are not well equipped to manage cyber crimes. Problems they face include lack of funding, equipment, and forensic expertise. Among the 10 recommendations NCTP issued are establishing specialized crime units, working with technology companies, offering standardized training and certification, and updating forensic tools.
-http://news.cnet.com/news/0-1007-200-6538290.html?tag=prntfr
-http://www.wired.com/news/technology/0,1282,45129,00.html

10 July 2001 I-Worm.Mari

The I-Worm.Mari spreads, as many do, via Outlook address books when users click on e-mail attachments. The worm does no harm to computers, but spreads a short polemic in favor of legalizing marijuana, and sets Internet Explorer's start page to marijuana.com. Though the site asserts it has nothing to do with the worm, angry victims have launched denial of service attacks in retaliation.
-http://www.wired.com/news/technology/0,1282,45101,00.html

9 July 2001 FreeBSD Security To Be Improved with $1.2 Million US Grant

With funds from the Defense Advanced Research Projects Agency, the Navy's SPAWAR organization is providing $1.2 million to add anti-DDOS capabilities to FreeBSD. This grant is one of a series being made under the Community-Based Open Source Security project administered by NAI Labs.
-http://news.cnet.com/news/0-1003-200-6526301.html?tag=prntfr

9 July 2001 Microsoft Warns of SMTP Vulnerability, Issues Patch

A Microsoft security bulletin warns of an authentication vulnerability in Windows 2000 Simple Mail Transfer Protocol (SMTP) that could permit crackers to gain user-level privileges and potentially use compromised computers as spamming zombies. Microsoft has issued a patch for the security hole.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO62059,00.html
-http://www.microsoft.com/technet/security/bulletin/ms01-037.asp

9 July 2001 Easing the Security Headache for Users

Because security measures are generally tacked on after computer systems are designed, users often find them cumbersome and develop methods for bypassing permissions, virus filters, digital certificates and the like. Unfortunately, passwords on post-its and disabled filters undermine security.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO62041,00.html

6 & 9 July 2001 Security Hole in Safe Harbor Site

A security hole in the Commerce Department Safe Harbor web site allowed any visitor to read and even modify private information about companies that had registered for the program. Participants in the Safe Harbor program agree to abide by a set of privacy practices and in turn gain legal protection from Europe's stringent privacy laws. The Commerce Department says no data was altered; the two affected pages have been taken down while the situation is investigated.
-http://www.wired.com/news/print/0,1294,45031,00.html
-http://www.zdnet.com/zdnn/stories/news/0,4586,5093806,00.html?chkpt=zdnn_nbs_hl
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO62076,00.html

6 July 2001 S1 Corp. Computer Intrusion

Intruders who broke into a computer at web-based banking services company S1 Corp. may have been able to access sensitive customer data, according to one source. Federal law enforcement authorities are investigating.
-http://www.msnbc.com/news/597071.asp?0dm=T26CT

5 July 2001 IIS Exploit Code Posted

A hacker has posted code that can be used to exploit a known buffer overflow vulnerability in Microsoft Internet Information Server (IIS). Microsoft customers received a security alert about the problem in mid-June, and the company has released a patch.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2782723,00.html

2 July 2001 Stopping Distributed Denial of Service Attacks

Shawn McCarthy offers a brief tutorial on types of DDOS attacks and how your ISPs can help you counter them.
-http://www.gcn.com/vol20_no17/news/4573-1.html

2 July 2001 Bureaucrats Urge Legislators to Strengthen Cyber Security Oversight

A panel of bureaucrats told the Joint Economic Committee that all the attention paid to defacements, hacking and other minor cyber threats distracts from the larger risk of cyber warfare launched by foreign governments. The panel urged the legislators to strengthen federal security oversight.
-http://www.gcn.com/vol20_no17/news/4564-1.html

RESEARCH REPORT

Research Report: How Americans Use The Internet

The Pew Foundation Internet and American Life Foundation just released a study of the amount of time spent and the activities performed on the Internet. The study also compares veteran Internet users with newcomers.




Editorial Team:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt,
Alan Paller, Marcus Ranum, Howard Schmidt, Eugene Schultz