Newsletters: NewsBites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume III - Issue #35

August 29, 2001


Good news on SANS Network Security 2001 (NS01) in San Diego
(October 15-22). The deadline for early registration discounts is
extended to midnight this Friday (August 31). NS01 is the largest
training conference in the security field, featuring eight in-depth
certification tracks, a huge exhibition, great SANS@Night courses,
birds of a feather sessions, Navy-Wide IA Leadership Conference,
and more. Or if you want to go to a program with more intimate class
sizes, join us in Boston September 5-12 or in Washington Sept. 16-22
for the Wargames Conference and Complete Hacking Training Program -
the only hacking course that teaches you how to block the attacks.
(See http://www.sans.org for details on all three programs.)

More free resources from SANS:

-- More than 8,700 people use the SANS Information Security Reading
Room every day to find detailed research reports on dozens of security
topics. Try it at http://www.sans.org/infosecFAQ/index.htm or use
SANS search function at http://www.sans.org/cgi-bin/htdig/htsearch

-- If you want to know more about security products and services,
check out the free white papers supplied by the leading vendors in
each area:

Security Tools: http://www.sans.org/tools.htm
Security Services: http://www.sans.org/mssp.htm

TOP OF THE NEWS

24 August 2001 Microsoft Releases IIS Lockdown Tool
24 August 2001 MPSA Surprised Conscientious Users
21 & 23 August 2001 Man Prosecuted After Alerting Company to Security Problems
22 August 2001 Qwest Won't Give Customers Credit for Code Red Related DSL Outages

THE REST OF THE WEEK'S NEWS

27 August 2001 Shakeout Threatens Managed Security Customers
24 August 2001 E-Signature Use Trickles Into Government Agencies
24 August 2001 Government Refuses Scarfo Technology Details
24 August 2001 Allegro Worm
24 August 2001 Researchers Present SSH Password Security Weakness
20 & 24 August 2001 Wireless Encryption Breaking Tool Released
23 & 24 August 2001 "Offensive" Trojan
22 August 2001 Microsoft Files Suit Against Alleged Pirated Software Sellers
22 August 2001 VA Tightens Security for Managers and Employees
22 August 2001 Security Industry Avoids Financial Setback
22 August 2001 HP to Release Enhanced Security Linux
21 August 2001 CIO Council Mentorship Program
21 August 2001 Mitnick Investigating Alleged Phone Hacking
21 August 2001 CERT/CC and AusCERT to Cooperate
20, 21 & 22 August 2001 Security Companies to Collaborate Against DDoS Attacks
20 & 21 August 2001 Hotmail Hole Repaired
20 August 2001 Used Computers Still Hold Company Files
20 August 2001 HTML Form Protocol Attack
20 August 2001 Insurer Hikes Premiums for IIS Users
17 August 2001 Patch Available for ISA Server 2000 Flaws


********************** Sponsored by NetIQ Corp. **********************
FREE NETIQ SECURITY AUDIOCAST
Go one-on-one with leading security analyst Frank Prince from Forrester
Research and NetIQ security experts during our FREE audiocast,
"Security in the Era of E-Business, An Analyst's Perspective."
You'll gain insights on IT trends, business challenges and management
issues.
Register today!
http://webevents.road-show.com/netiq/20010911/start/register.asp?origin=sans
************************************************************************

TOP OF THE NEWS

24 August 2001 Microsoft Releases IIS Lockdown Tool

In the aftermath of Code Red, Microsoft released an IIS Lockdown Tool that disables many functions and services that could be exploited by attackers.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO63310,00.html
[Editor's (Schultz) Note: I understand the desire to turn off FTP and SMTP services, too, but I question the wisdom of doing this when the real problem is IIS Web servers. It is important to disable all unnecessary services, but having a tool that purports to fix IIS but then goes and does other things is not necessarily desirable. ]

24 August 2001 MPSA Surprised Conscientious Users

Microsoft customers in a test group, all of whom purported to be security conscious and conscientious about applying fixes, used the company's new Microsoft Personal Security Advisor (MPSA) tool; they were surprised at the number of patches they had to install and frustrated by confusing instructions about changing settings.
-http://www.wired.com/news/technology/0,1282,46272,00.html
[Editor's (Murray) Note: The solution becomes the problem. ]

21 & 23 August 2001 Man Prosecuted After Alerting Company to Security Problems

An Internet services salesman who alerted a newspaper to security holes he discovered in its website is being charged with computer crime. The Oklahoma newspaper has received many angry messages regarding the man's prosecution; federal authorities discovered he had downloaded passwords and other sensitive data from the site.
[Editor's (Murray) Note: An early article by the Register [which implied the man was a good Samaritan] has been discredited. (Paller) As you think about the issues raised in this story, recall that the Russian and Ukrainian criminals who extorted money from dozens of financial institutions and ecommerce sites used the ruse of telling their victims that security holes had been found in their web sites. ]

-http://www.securitynewsportal.com/article.php?sid=1617&mode=thread&order=0

22 August 2001 Qwest Won't Give Customers Credit for Code Red Related DSL Outages

The Washington state Attorney General's office is asking Denver-based Qwest to issue refunds to customers whose DSL service was interrupted due to Cisco router problems caused by Code Red. A Qwest executive apparently e-mailed the attorney general's office that the company would not be issuing refunds for problems caused by a worm.
-http://www.msnbc.com/local/PISEA/M82660.asp?0si=-
-http://news.cnet.com/news/0-1004-200-6950192.html?tag=prntfr


****** Also sponsored by VeriSign - The Internet Trust Company *******
Whether you manage two, ten or sixty servers, failing to secure just
one of them with a SSL ID can jeopardize the security of your entire
network. Learn how to securely manage multiple servers and streamline
your SSL ID management. Download our FREE guide "Strong Security in
Multiple Server Environments".
Click here now:
http://www.verisign.com/cgi-bin/go.cgi?a=n167745070216000
**********************************************************************

THE REST OF THE WEEK'S NEWS

24 August 2001 E-Signature Use Trickles Into Government Agencies

Federal, state and local government agencies are beginning to use digital signatures primarily for internal administrative documents. People are shying away from using the technology for weightier matters, such as legal documents and financial contracts, because they are unaccustomed to the technology and because there is no clear standard for e-signatures.
-http://www.fcw.com/fcw/articles/2001/0820/web-esign-08-24-01.asp

24 August 2001 Government Refuses Scarfo Technology Details

The government has invoked the Classified Information Procedures Act (CIPA) in an effort to keep from public scrutiny details about the keystroke-logging technology used in a case against an alleged crime boss. Federal law enforcement agents planted the technology on Nicodemo Scarfo's computer in order to obtain a password to an encrypted file, but the defense wants to know how the technology works in order to formulate its arguments.
-http://news.cnet.com/news/0-1005-200-6962301.html?tag=prntfr

24 August 2001 Allegro Worm

The Allegro worm masquerades as a helpful program with the purported goal of purging viruses from computers. Instead, the worm deletes files from contaminated computers and self-propagates with the help of the infected machine's Outlook/Outlook Express address book. Experiments with beneficial worms in the 1970s and 1980s demonstrated the dangers inherent in such programs.
-http://www.msnbc.com/news/619013.asp?0dm=C14LT
[Editor's (Murray) Note: With the very best of intentions and even with skill, vigilantes destabilize a community, ours no less than others. ]

24 August 2001 Researchers Present SSH Password Security Weakness

Researchers described a method that greatly simplifies guessing passwords sent with the SSH encryption standard. The method relies on analysis of the time elapsed between each keystroke of the password. While SSH Communications says the threat is largely theoretical, it will do further investigation.
-http://news.cnet.com/news/0-1003-200-6962993.html?tag=prntfr

20 & 24 August 2001 Wireless Encryption Breaking Tool Released

Airsnort exploits the recently divulged WEP encryption weakness to pluck passwords and other sensitive information from wireless networks using a Linux-based computer, a wireless network card, and access to the targeted network. Airsnort's authors said they released the tool to prove the inefficacy of WEP/802.11b, the commonly used wireless encryption standard. Wireless networks can be made more secure with Virtual Private Networks (VPNs).
-http://www.wired.com/news/technology/0,1282,46187,00.html
-http://www.usatoday.com/life/cyber/tech/2001-08-24-password-sniffer.htm

23 & 24 August 2001 "Offensive" Trojan

A Trojan horse named "Offensive" exploits a hole in Microsoft's Java Virtual Machine and overwrites important registry settings. Afflicted computers are rendered useless, requiring a reinstallation or laborious repair of the operating system. The program is forwarded manually; it does not self-propagate. A patch for the flaw has been available for some time.
-http://www.zdnet.com/zdnn/stories/news/0,4586,5096155,00.html
-http://www.theregister.co.uk/content/56/21276.html
-http://www.zdnet.com/zdnn/stories/news/0,4586,2802480,00.html

22 August 2001 Microsoft Files Suit Against Alleged Pirated Software Sellers

Microsoft has initiated legal action against two UK computer concerns for allegedly selling pirated software. The case will be handled as a civil matter.
-http://news.cnet.com/news/0-1003-200-6947001.html?tag=prntfr

22 August 2001 VA Tightens Security for Managers and Employees

In a move to improve security at the Department of Veterans Affairs (VA), program managers will have to sign contracts certifying that they have installed security measures to protect information in all projects under their leadership. The VA will also publish a new telecommuting policy for employees.
-http://www.fcw.com/fcw/articles/2001/0820/web-va-08-22-01.asp

22 August 2001 Security Industry Avoids Financial Setback

Although the tech industry is in a financial slump, the Internet security industry is unlikely to feel the pinch. Companies forced to be careful with their spending are likely to focus on areas where security software is helpful, such as reducing costs and establishing trusted relationships with customers.
-http://news.cnet.com/news/0-1003-200-6948645.html?tag=prntfr

22 August 2001 HP to Release Enhanced Security Linux

Hewlett-Packard plans to release its own version of Linux that will incorporate helpful security features not usually built into the open source operating system.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO63240,00.html

21 August 2001 CIO Council Mentorship Program

In an effort to address the problems faced by the government information technology workforce, the General Services Administration and the CIO Council are launching a mentoring program.
-http://www.gcn.com/vol1_no1/daily-updates/16890-1.html

21 August 2001 Mitnick Investigating Alleged Phone Hacking

A Las Vegas businessman has hired Kevin Mitnick to help investigate the possibility that a telephone company has allowed calls to his business to be monitored, diverted, and blocked. Mitnick had to get permission from his probation officer to take the job, and the terms of his probation prohibit him from touching a computer.
-http://www.securityfocus.com/news/242

21 August 2001 CERT/CC and AusCERT to Cooperate

The US's CERT/CC and Australia's AusCERT have signed an agreement to work together on developing methods for protecting computer networks. The organizations also plan to release joint advisories.
-http://news.cnet.com/news/0-1003-200-6939066.html?tag=prntfr

20, 21 & 22 August 2001 Security Companies to Collaborate Against DDoS Attacks

McAfee plans to work with three network security firms to develop tools to protect servers and home computers from distributed denial-of-service (DDoS) attacks and the zombie programs used to launch the attacks.
-http://news.cnet.com/news/0-1003-200-6931389.html?tag=prntfr
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO63220,00.html
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_1503000/1503988.stm

20 & 21 August 2001 Hotmail Hole Repaired

A Hotmail vulnerability could allow attackers to read another customer's e-mail. Implementing the attack successfully would require knowledge of the targeted user's e-mail address and the precise time the message was read. In addition, the exploit would leave a hacking trail. A Microsoft representative says the problem has been fixed.
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_1500000/1500703.stm
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO63202,00.html
-http://www.zdnet.com/zdnn/stories/news/0,4586,5096001,00.html?chkpt=zdnnp1tp02

20 August 2001 Used Computers Still Hold Company Files

In the chaos that ensues when dot-coms go under, some company machines are sold at auction before they've been wiped clean of sensitive data. There are programs available that will clear hard drives.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2805690,00.html?chkpt=zdnnp1tp02

20 August 2001 HTML Form Protocol Attack

A German computer programmer has written a paper describing how crackers could manipulate HTML technology to trick browsers into sending commands through firewalls.
-http://www.newsbytes.com/news/01/169207.html

20 August 2001 Insurer Hikes Premiums for IIS Users

J. S. Wurzler Underwriting Managers, the insurance broker that recently raised rates for customers using NT software, has now increased premiums for IIS users by 15 percent. Wurzler based the decision on analysis that indicates system administrators working on open source systems have a lower employment turnover rate and better training than do those working on Windows systems. The company will reduce premiums for IIS and NT customers if they are able to demonstrate they are using best practices.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2805929,00.html?chkpt=zdnnp1tp02
[Editors' (Multiple) Note: This same story comes up so often, it appears the press is being used as a marketing tool for an insurance broker. ]

17 August 2001 Patch Available for ISA Server 2000 Flaws

Microsoft has issued a patch to repair three holes in its Internet Security and Acceleration (ISA) Server 2000. Two of the flaws are memory leaks: one in the voice-over-IP capability, and one in the proxy service that could lead to denial of service. The third is an error message-handling problem that could allow attackers to execute malicious code and use cookies on the affected machines.
-http://computerworld.com/nlt/1%2C3590%2CNAV65-663_STO63199_NLTSEC%2C00.html


==end==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription (and for free posters),
e-mail sans@sans.org with the subject: Subscribe NewsBites


Editorial Team:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz