SANS NewsBites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume III - Issue #37

September 12, 2001


Tuesday's horrors demonstrate the lack of any boundaries on
what terrorists are willing to do. That's a reminder that we in
information security must plan for catastrophic attacks as well as
the more limited types of attacks we have been facing.

Stephen Northcutt writes from the SANS conference in Boston: One
incredible story from yesterday was how Instant Messenger kept
running without a hitch. We had a bunch of stranded Secret Service
and FBI agents (they were having a Fed convention down the hall),
and we let them use our wireless access point and wired switches. They
were staying in touch and getting their assignments via IM, who would
have thought it! Meanwhile, we were using it as SANS CiC as well and
I bet this story was repeated all over!

Bill Murray, with assistance from the other NewsBites editors, has
created a brief tutorial on protecting home and small business systems
with persistent connections. It's at the end of this note. Feel free
to pass it along to anyone whom it might help.

AP

TOP OF THE NEWS

7 September 2001 Code Blue
7 September 2001 Crackers Steal ISP Account Passwords
5 September 2001 More Banks Opt to Reissue Debit Cards After Database Compromised
5 September 2001 Pirated XP Versions Already Inspiring Crackers
4 & 5 September 2001 Magistr.B Emerges in Europe

THE REST OF THE WEEK'S NEWS

7 September 2001 NSF Security Scholarship Recipients
7 September 2001 Code Red Good for Security
7 September 2001 Gauntlet Firewall Patch
7 September 2001 Senate Approves Easing Computer Export Restrictions
6 September 2001 Qwest Says No to Refunds, Offers Code Red Fix
6 September 2001 Some Assert That DMCA Restrains Research
5 September 2001 European Parliament's Report on Echelon
5 September 2001 On Line IRS Payments
5 September 2001 VA Security to be Tightened
5 September 2001 Lara Croft Worm
4 September 2001 Inherited Configurations Offer Poor Security
4 September 2001 How to Build a Faster, Meaner Worm
3 September 2001 Managed Security Services
2 September 2001 DoD Foreign Hacker Study
31 August 2001 Exploit Archive Site Limits Access
29 August 2001 Oregon Human Services Agency's Security Woes

TUTORIAL

Protection of Home/SOHO Systems with Persistent Connections and IP Addresses



TOP OF THE NEWS

7 September 2001 Code Blue

A new worm, dubbed Code Blue, has been identified in China, where it is currently being analyzed. Written in Visual Basic Script (VBS) and the C programming language, Code Blue uses the IIS directory traversal exploit, sending an abnormal GET request to gain control of the targeted server. Code Blue launches a denial of service attack on a Chinese security company's web site; it also disables printing services and slows infected servers to the point where they may crash. Only systems running Windows 2000 or NT with IIS 4.0 or 5.0 are affected; a patch for the vulnerability has been available since October 2000.
-http://www.wired.com/news/technology/0,1282,46624,00.html
-http://news.cnet.com/news/0-1003-200-7086783.html?tag=prntfr

7 September 2001 Crackers Steal ISP Account Passwords

Two teenage crackers allegedly broke Data Encryption Standard (DES) technology to obtain over 12,500 account passwords belonging to customers of a Hong Kong ISP. The case is being investigated.
-http://www.hk-imail.com/inews/public/article_v.cfm?articleid=28867&intcatid=1

5 September 2001 More Banks Opt to Reissue Debit Cards After Database Compromised

Several more banks are following the lead of Riggs Bank by canceling and reissuing Visa debit cards that were compromised in a security breach. The cards were all used on the web site of a Washington state on line merchant, but it is not clear whether the breach took place on the merchant's system or that of a payment processing company.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO63555,00.html

5 September 2001 Pirated XP Versions Already Inspiring Crackers

Pirated versions of the yet-to-be-released Windows XP are circulating on the Internet, as are cracks purporting to circumvent the operating system's Activation anti-piracy protection.
-http://www.wired.com/news/business/0,1367,46531,00.html

4 & 5 September 2001 Magistr.B Emerges in Europe

A new variant of the Magistr worm with an even more malicious payload has surfaced in Europe, but no infections have been reported in the US. Magistr.B arrives in an attachment with a .bat, .bif, .exe, .pif, or .com extension, and can spread through a variety of e-mail programs. The new version also disables ZoneAlarm personal firewalls, overwrites hard drives, and erases BIOS system data.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2810273,00.html?chkpt=zdnnp1tp02
-http://news.cnet.com/news/0-1003-200-7065793.html?tag=prntfr
[Editor's (Paller) Note: It is now in the US and out-of-date antivirus signatures are not detecting it. It makes sense to update your AV signatures every day. ]



THE REST OF THE WEEK'S NEWS

7 September 2001 NSF Security Scholarship Recipients

This article profiles three University of Tulsa students who are among the approximately 200 recipients of the National Science Foundation's (NSF) computer security training scholarships. After completing their studies, the recipients will work for the government for two years.
-http://www.wired.com/news/politics/0,1283,46567,00.html
[Editor's (Murray) Note: The headline of the article on the Wired News site suggests that the government is selecting and rewarding rogue hackers. In fact, these people have exemplary records. ]

7 September 2001 Code Red Good for Security

Two studies indicate that the Code Red worm was actually good for computer security. One company scanned several hundred systems for certain vulnerabilities and found their numbers dropping throughout July and August. Both the publicity surrounding Code Red and Microsoft's cumulative vulnerability patch are probably responsible.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2811107,00.html?chkpt=zdnnp1tp02

7 September 2001 Gauntlet Firewall Patch

PGP Security has issued a patch for a buffer overflow vulnerability in its Gauntlet firewall. The security hole could be exploited to gain administrative access.
-http://www.cnn.com/2001/TECH/internet/09/07/firewall.patch.idg/index.html
-http://www.cert.org/advisories/CA-2001-25.html

7 September 2001 Senate Approves Easing Computer Export Restrictions

The Senate approved legislation relaxing export restrictions on high power computers to China, Russia, India, and other countries considered security risks. The issue may meet with some resistance in the House; arguments for the reform include the availability of comparable computing power from other markets and the current downturn in the tech market.
-http://www.wired.com/news/politics/0,1283,46633,00.html

6 September 2001 Qwest Says No to Refunds, Offers Code Red Fix

Qwest Communications will not reimburse customers whose DSL service was impeded by the Code Red worm in August, but the company says it has produced a fix for the worm and is notifying customers who need to install the software.
-http://seattlep-i.nwsource.com/business/37804_quest06.shtml

6 September 2001 Some Assert That DMCA Restrains Research

Dmitry Sklyarov's arrest for violating the Digital Millennium Copyright Act (DMCA) has inspired a spate of protests that have included the removal of some security research information from the Internet. Fred Cohen maintains he removed his Forensix program from his website because he feared prosecution under the DMCA; an attorney suggests Cohen's fear is unfounded and his action was more likely a political statement.
-http://www.zdnet.com/zdnn/stories/news/0,4586,5096601,00.html
[Editor's (Murray) Note: Fearful reaction to laws which can only be enforced arbitrarily or capriciously can hardly be said to be "unfounded." The intended purpose of such laws is to sow fear, uncertainty, and doubt. ]

5 September 2001 European Parliament's Report on Echelon

The European Parliament has adopted a report affirming the existence of Echelon, an international electronic surveillance network believed to be used in industrial espionage. The United States, Britain, Canada, Australia, and New Zealand are identified as associates in the enterprise. The report recommends that Europe establish a cooperative intelligence gathering system, and that sensitive e-mail should be encrypted; it also calls for stronger data and privacy protection in Europe and the United States.
-http://www.usatoday.com/life/cyber/tech/2001-09-05-echelon.htm
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO63553,00.html

5 September 2001 On Line IRS Payments

Starting on September 6th, businesses and individuals paying taxes quarterly can take care of their IRS bills on line. The Electronic Federal Tax Payment System (EFTPS-Online) uses Social Security or taxpayer numbers to identify payers; separately mailed PINs and passwords will allow system users to transfer money electronically.
-http://news.cnet.com/news/0-1007-200-7068189.html?tag=prntfr
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO63543,00.html
-http://www.gcn.com/vol1_no1/daily-updates/16982-1.html

5 September 2001 VA Security to be Tightened

Following the arrests of three suspects who allegedly defrauded the Department of Veterans Affairs (VA) of almost $6 million in phony disability claims, the VA secretary has called for plans to identify and correct vulnerabilities in the agency's payment system.
-http://www.fcw.com/fcw/articles/2001/0903/web-va-09-05-01.asp

5 September 2001 Lara Croft Worm

Traveling in the guise of a tempting screensaver, the Lara Croft worm is spreading through Internet Relay Chat channels.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2810433,00.html

4 September 2001 Inherited Configurations Offer Poor Security

Computers brought home or purchased at auction from defunct companies are likely to be configured for corporate use where users relied on system administrators, firewalls, and other security measures for protection. The loose security environments of these second-hand computers could lead to problems for home users. A Microsoft Security Response Center manager suggests that people do new installations and careful configuration to protect themselves from hackers and viruses. If Windows NT and 2000 users do not have the necessary software disks, they can also scan their computers with a security tool and apply the appropriate fixes.
-http://www.wired.com/news/culture/0,1284,46417,00.html

4 September 2001 How to Build a Faster, Meaner Worm

Researchers have published two papers describing methods for creating rapidly spreading worms. One proposes including a list of tens of thousands of "well connected" servers; the other proposes scanning the Internet to identify susceptible systems before launching the worm. One author defends his decision to post his research on line, maintaining that people need to be aware of the dangers of a homogenous Internet. He advocates stringent firewall protection and regular backups.
-http://www.zdnet.com/zdnn/stories/comment/0,5859,2810238,00.html?chkpt=zdnnt090501co

3 September 2001 Managed Security Services

The number of managed security service providers is on the rise. Charging between $500 and $5,000 a month, the companies provide a variety of services, including vulnerability assessment, firewall and VPN management and incident response.
-http://www.fcw.com/fcw/articles/2001/0903/tec-secsde1-09-03-01.asp
[Editors' Note: Last week we ran a story that said the market cannot continue to support the current number of Managed Security Services Providers (MSSPs),
-http://www.zdnet.com/intweek/stories/news/0,4164,2807738,00.html
(Murray) It seems to me that the number of such firms is not nearly as significant as the number of their customers. (Paller) The number of clients signing up for these services is far too small to support the current crop of vendors. ]

2 September 2001 DoD Foreign Hacker Study

The Defense Intelligence Agency (DIA) will contract with a security company to study cyber attacks launched from China against the US Department of Defense (DoD) networks. The study will include attack methodologies and lists of systems and network functions attacked.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO63486,00.html

31 August 2001 Exploit Archive Site Limits Access

A popular hacking tool site will cease offering its free goods to everybody; instead, the site's operator plans to use a password system to restrict access to those who share "useful, unpublished code." The operator maintains he is weary of security companies and script kiddies using his resources.
-http://www.newsbytes.com/news/01/169648.html

29 August 2001 Oregon Human Services Agency's Security Woes

Inadequate security measures at the Oregon Department of Human Services allowed employees to steal $200,000 in benefit funds; in addition, an audit found confidential client data exposed on the agency's web site. While the agency ignored repeated warnings about security problems in the past, a three-year reorganization plan should help tighten security.
-http://www.oregonlive.com/news/oregonian/index.ssf?/xml/story.ssf/html_standard.xsl?/base/front_page/99908613017192111.xml

TUTORIAL

Protection of Home/SOHO Systems with Persistent Connections and IP Addresses

Users that connect to the Internet via dial-up get a certain amount of protection from the fact that their IP address is constantly changing. By default, home and SOHO users that are persistently and peer connected to the Internet, at whatever speed, do not enjoy this same protection. That they are "always on" and always at the same address may be sufficient to make them targets of opportunity. Once penetrated, they become a hazard to their neighbors. As their numbers increase, they become a threat to the health of the net. It is urgent that the security of these systems be improved.

While no single security mechanism is sufficient to protect them from all attacks, and while all have limitations, many are efficient. Applied in combination, they can be very effective.

The mechanism of first choice is the hardware firewall appliance. These devices cost in the neighborhood of $50 to $120 and their price has fallen by 40% since Christmas. They effectively hide the system from the Internet. While the firewalls will have a persistent address, they will not respond to scans from the network. They resist most attacks except those in which the user cooperates, and clearly take a system out of the target of opportunity population. Their function is bound at manufacturing time and most resist later change. They are easy to install, easy to configure, and provide other non-security [connectivity] benefits.

Their limitations include that, by default, they do not warn about attacks in progress and they do not protect the network from systems that are penetrated through user cooperation, i.e., through viruses and bait programs, or other means. Therefore, they are best used in combination with anti-virus software and with software personal firewalls that are configured to resist and warn the user of outgoing attacks, i.e., to alert him that he has been penetrated by a program that is now trying to attack others from his system.

While anti-virus programs cannot protect a system from all novel viruses, used pervasively they protect the network and kill off most viruses within weeks.

Software personal firewalls are useful for, and can be configured to resist, outgoing attacks. They range in cost from free to about $70. Like anti-virus software, they must be kept current. Their limitations include that they are vulnerable to interference from other programs running on the same system. However, even by themselves they may be sufficient to take a system out of the target of opportunity population.

Used wisely, these measures will protect most systems from most attacks and will go a long way toward protecting the network. Even in combination, these measures are not sufficient to protect a system whose user "takes the bait." However, because they may still protect his neighbor and the Internet, we should encourage their pervasive use.

==end==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites


Editorial Team:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt,
Alan Paller, Marcus Ranum, Howard Schmidt, Eugene Schultz