
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume III - Issue #40

October 03, 2001


Some great stories this week. Write us if you disagree with the
editorial commentary.

Ten days to the start of SANS Network Security 2001 in San Diego. Join
1,900 security folks in immersion training there. (http://www.sans.org)
Reminder: Still available are 24 technical white papers
authored by vendor-sponsors of the current SANS Security Tools &
Services and MSSP posters. You can request any of them for free at
http://www.sans.org/tools.htm before they are rotated out when the
new poster replaces the old.

AP

TOP OF THE NEWS

1 October 2001 FBI and SANS List Top Twenty Vulnerabilities and Free Scanner
28 September 2001 Microsoft Considers Security/Anti-Virus Integration
27 September 2001 Group Hacks Bank, Finds bin Laden Accounts
27 September 2001 Good Samaritan Hacker Not So Good
24, 25 & 26 September 2001 Gartner Analyst Advises Users to Drop IIS
24 September 2001 Analysts Advise Contracting with ISPs for DoS protection
24 & 27 September 2001 Proposed Legislation Reframes Hacking as Terrorism

THE REST OF THE WEEK'S NEWS

28 September 2001 Chemical Exchange Security
28 September 2001 Pulsing Zombies
27 & 28 September 2001 ICANN Meeting Focus Will be Security
27 September 2001 Kournikova Author Sentenced to Community Service
27 September 2001 Physical Security Counts
27 September 2001 Nimda Likely to Resurface
26 & 27 September 2001 PSA Aimed At Hackers
26 September 2001 Steganography Study Yields No Hidden Information
26 September 2001 Trojan Posted on Vuln-Dev Mailing List
26 September 2001 Schneier: Security is Getting Worse
24 September 2001 AIM Accounts Vulnerable to Takeover
21 September 2001 Employees are Key to Security


*************** This Issue Sponsored by Oblix, Inc. ****************
TODAY IT ISN'T JUST ABOUT KEEPING THE BAD GUYS OUT
It IS about opening up your e-business network to partners, customers
and suppliers. It IS about secure access to your applications and
information. It IS about letting the good guys in.
How do you let ONLY the good guys in? The answer: Oblix NetPoint(tm)
- - - a secure web access management solution.
Visit us at http://www.oblix.com/reply/sans1001 for a free IDC white
paper on e-business integration and security including "Protecting
What's Inside as You Open Up."
**********************************************************************

TOP OF THE NEWS

1 October 2001 FBI and SANS List Top Twenty Vulnerabilities and Free Scanner

Security leaders from 30 organizations, led by the FBI's NIPC and the SANS Institute, published a list of the top twenty Internet security vulnerabilities (7 general, 6 Windows NT/2000, and 6 UNIX/Linux), along with instructions on how to fix them. In a surprise move, the Center for Internet Security simultaneously released a free vulnerability scanner that focuses on the SANS/FBI Top Twenty.
-http://news.cnet.com/news/0-1003-200-7387419.html?tag=lh
[Editor's (Paller) Note: The first release of the top twenty has now been substantially updated in the first twenty-four hours, including a newly discovered function from Microsoft that blocks the LM Hash problem and a clarification that RDS does not affect Windows 2000. Get the updated document at
-http://www.sans.org/top20.htm
and, if you are good with UNIX, ask for the scanner by emailing info@cis.org. ]

28 September 2001 Microsoft Considers Security/Anti-Virus Integration

Microsoft is considering employing anti-virus vendors to distribute its security patches alongside virus definition updates. The idea met with some concerns - for instance, patches should be applied when they become available instead of when a virus that exploits the vulnerability is on the loose - but security and virus update integration could be useful.
-http://www.theregister.co.uk/content/56/21928.html
[Editor's (Murray) Note: There has been resistance to any automatic application of patches by Microsoft for fear that the solution becomes the problem. However, AOL has been doing automatic updates for years. As far as I know, there have not been any problems. Similarly, the success of the antivirus community in controlling viruses depends on the use of automatic updates. (Schultz) I fail to appreciate the view of those who are critical of this idea. The success of so many worms that have spread so quickly and widely lately shows conclusively that people are simply not applying Microsoft patches to the degree they should.]

27 September 2001 Group Hacks Bank, Finds bin Laden Accounts

A German man claims a group of hackers in the UK infiltrated the computers at a Sudanese bank, gathered information about accounts associated with Al Qaeda and bin Laden, and gave the information to the FBI. The hackers allegedly exploited a Check Point FireWall-1 vulnerability; the group's activity was not sanctioned by authorities.
-http://www.newsbytes.com/news/01/170588.html

27 September 2001 Good Samaritan Hacker Not So Good

Originally thought to have been unfairly prosecuted for simply alerting a newspaper to vulnerabilities in its web site, an Oklahoma man has now pleaded guilty to offenses which cast the situation in a different light. Brian K. West admitted to downloading proprietary files, adding a page to the web site and modifying password files. He also planned to rewrite some of the paper's applications and sell them as his own.
-http://www.wired.com/news/politics/0,1283,47146,00.html

24, 25 & 26 September 2001 Gartner Analyst Advises Users to Drop IIS

In the wake of Code Red and the Nimda worm, John Pescatore, research director for the Gartner group, recommends that people switch from Microsoft Internet Information Server (IIS) server software to a more secure platform. Gartner does not believe Microsoft will provide a fully rewritten IIS until the end of 2002. Full report:
-http://www3.gartner.com/DisplayDocument?doc_cd=101034
-http://www.usatoday.com/life/cyber/tech/2001/09/25/microsoft-servers-vulnerable.htm
-http://www.zdnet.com/zdnn/stories/news/0,4586,2814546,00.html
-http://dailynews.yahoo.com/h/nf/20010924/tc/13700_1.html
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO64226,00.html
[Editors' Notes: (Schultz) Despite its grossly inaccurate predictions about security-related losses expected as the result of the W2K rollover, the Gartner Group is really on to something here. The IIS Web server, even with all the bells, whistles, and band aids that are available, is simply not capable of withstanding the level of security-related threat that the Internet poses. Microsoft needs to go back to the proverbial drawing boards concerning the design and out-of-the-box configuration of this Web server. (Northcutt) While I want to agree with Gartner, folks with custom applications and investment in IIS servers can't just suddenly switch to Apache or Iplanet. There is a lot more to security than just patches. This is why the special one-day Securing IIS courses SANS ran in the wake of CodeRed sold out with more than 2,000 people attending. (Paller) Because so many people were turned away when the first round of classes filled, we've scheduled the Securing IIS course in eight additional US and Canadian cities over the next 11 weeks. For information,
-http://www.sans.org/IIS/sec_IIS.htm]

24 September 2001 Analysts Advise Contracting with ISPs for DoS protection

Gartner, Inc. recommends that companies contract with their Internet Service Providers (ISPs) for denial-of-service (DoS) protection. While the service may seem costly, dealing with the flood of traffic further upstream could help prevent lost revenue or operating time from DoS attacks.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO64164,00.html

24 & 27 September 2001 Proposed Legislation Reframes Hacking as Terrorism

Civil liberties groups have expressed concern that proposed legislation would modify the definitions of terrorists to include hackers; the legislation also retroactively abolishes the 5-year statute of limitations for prosecuting cybercrimes, and could punish offenders with life in prison.
-http://www.securityfocus.com/news/257
-http://www.computerworld.com/cwi/story/0,1199,NAV47_STO64194,00.html
-http://www.zdnet.com/zdnn/stories/news/0,4586,2815197,00.html


******* Also Sponsored by VeriSign - The Internet Trust Company ******
Protect your servers with 128-bit SSL encryption!
Get VeriSign's FREE guide "Securing Your Web Site for Business." You
will learn everything you need to know about using SSL to encrypt
your e-commerce transactions for serious online security.
Click here! http://www.verisign.com/cgi-bin/go.cgi?a=n016042310008000
**********************************************************************

THE REST OF THE WEEK'S NEWS

28 September 2001 Chemical Exchange Security

On-line chemical exchanges are scrutinizing their security in the wake of the events of September 11. One company is considering using digital certificates and biometric identifiers; another is inspecting its screening and approval processes and is blocking users from countries on the U.S. State Department's warning lists.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO64342,00.html

28 September 2001 Pulsing Zombies

A security expert speaking at a virus conference in Prague warned that pulsing zombies, programs planted on computers intended for use in launching distributed denial of service (DDoS) attacks, will be hard to detect because they are not always active.
-http://www.theregister.co.uk/content/55/21930.html
[Editor's (Murray) Note: However, we need not rely upon detection to resist these programs. Firewalls should be configured to resist unanticipated (i.e., presumed attack) traffic in both directions. ]

27 & 28 September 2001 ICANN Meeting Focus Will be Security

The Internet Corporation for Assigned Names and Numbers (ICANN) plans to use its annual meeting in November to assess the domain name service's security. Though the system's decentralized organization makes it unlikely that the Internet could be completely taken down in an attack, a worm designed to attack the root servers could cause serious problems.
-http://www.usatoday.com/life/cyber/tech/2001/09/27/icann-net-security.htm
-http://www.washingtonpost.com/wp-dyn/articles/A38036-2001Sep27.html

27 September 2001 Kournikova Author Sentenced to Community Service

Jan de Wit, the Dutch man responsible for unleashing the Anna Kournikova worm on the world earlier this year, received a sentence of 150 hours of community service. He could have received a harsher sentence had victims filed claims with the court.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO64271,00.html

27 September 2001 Physical Security Counts

A network administrator's boss denied his request to house a server for a new application in a secure location; several weeks later, the administrator found that someone had reinstalled DOS on the machine and loaded a game.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO64267,00.html

27 September 2001 Nimda Likely to Resurface

Researchers say that Nimda will start to spread again 10 days after the host computers were first infected. Because more systems have been patched recently, the worm is not likely to have as much of an effect as it did when it first appeared. IT managers are advised to check their patches, ensure that their anti-virus software blocks Nimda, and block executables at the e-mail gateway.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO64265,00.html
-http://news.cnet.com/news/0-1003-200-7318967.html?tag=prntfr

26 & 27 September 2001 PSA Aimed At Hackers

Vinton Cerf will appear in a television public service announcement (PSA) urging hackers away from cyber-vigilantism and toward helping the PSA's sponsor, the Cyberangels. Cyberangels, an Internet safety group, is an offshoot of the Guardian Angels.
-http://www.wired.com/news/politics/0,1283,47099,00.html
-http://www.msnbc.com/news/635187.asp?0dm=T16MT

26 September 2001 Steganography Study Yields No Hidden Information

Two University of Michigan researchers analyzed over 2 million images downloaded from eBay and found no hidden, or steganographic, messages. The researchers concluded that, in all likelihood, steganography is not used on the Internet.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2814840,00.html?chkpt=zdhpnews01
[Editor's (Grefer) Note: I disagree with their conclusion. Why would anybody want to pay for posting images (you have to pay for each eBay auction, even if you don't sell the item), and thus also leave a paper/information trail? It just does not make any sense. Free webspace providers, Usenet Groups, etc. are more likely venues for this approach. (Schultz) Agreed. I wonder if the researchers' conclusions have been accurately represented here. ]

26 September 2001 Trojan Posted on Vuln-Dev Mailing List

Crackers posted a Trojan masquerading as a wu-ftpd exploit on the Vuln-Dev mailing list. If the code is compiled and run, it will delete most files on the host's hard drive.
-http://www.vnunet.com/News/1125685

26 September 2001 Schneier: Security is Getting Worse

Speaking at the Information Security Solutions Europe (ISSE) conference in London, Bruce Schneier voiced the opinion that security cannot keep pace with the growing complexity of the Internet. Schneier also spoke out in favor of collaboration, pointing out that hackers combine forces while businesses isolate themselves.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2814883,00.html?chkpt=zdnnp1tp02

24 September 2001 AIM Accounts Vulnerable to Takeover

Several programs are available that let crackers take over AIM accounts, allowing them to access buddy lists and possibly send out infected files. AOL has threatened legal action against the web sites that offer the programs if they are not removed.
-http://www.wired.com/news/technology/0,1282,47072,00.html

21 September 2001 Employees are Key to Security

Security software and hardware cannot do their jobs effectively without employees who are well-trained in good security practices.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci771517,00.html



==end==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites

Editorial Team:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz