Newsletters: NewsBites



SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume III - Issue #43

October 24, 2001


A few hours ago, the US National Security Agency made available
a new draft security document for pre-publication technical
review. It is called The 60 Minute Network Security Guide (First
Steps Towards a Secure Network Environment). It is 35 pages of
rich, experience-based guidance. To help the NSA experts get broad
technical input to identify any errors before final publication, SANS
offered to invite all GIAC certified folks to review it. Others with
in-depth network security expertise are also invited. All we ask is
that if you download it, you agree in advance to provide feedback
within seven days listing errors you have found. To order a copy,
email 60minuteguide@sans.org with the subject "60 Minute Guide."

AP

TOP OF THE NEWS

18 October 2001 New Worms Could be More Troublesome
18 October 2001 Microsoft Crash Reports Could Contain Personal Information
17 October 2001 Sen. Gregg Backs Off On Encryption Back Doors
17 October 2001 Russian Cracker/Extortionist Found Guilty
17 October 2001 Cracker Pleads No Contest
15 October 2001 Microsoft to Rate Security Warning

THE REST OF THE WEEK'S NEWS

22 October 2001 Pennsylvania Security Initiative
19 October 2001 Red Cross Says Trojan Could Steal Personal Data
19 October 2001 Microsoft Removes Flawed Patch
19 October 2001 Microsoft Anti-Piracy Protection Cracked
19 October 2001 Support for FOIA Exemptions is Growing
18 October 2001 Experts Call for Increased Cybersecurity Funding
18 October 2001 Redesi Worm
18 October 2001 New Technique Yields DSL Customer Passwords
17 & 18 October 2001 Microsoft's Culp Speaks Out Against Full Disclosure
16 October 2001 Antrax Worm Errors Curtail its Spread
16 October 2001 Passwords Still Too Easy to Crack
15 October 2001 CERT/CC Predicts Incident Reports Will Double in 2001
15 October 2001 Review Internal Security, Say Experts



TOP OF THE NEWS

18 October 2001 New Worms Could be More Troublesome

The advent of the "blended worm," heralded by Code Red and Nimda, removes the need for human intervention in the spread of infection and could cause enormous Internet slowdowns. Symantec's Eric Chien predicts that antivirus and intrusion detection groups will need to work together in order to keep up with security threats.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2818419,00.html

18 October 2001 Microsoft Crash Reports Could Contain Personal Information

A feature in Windows XP and Internet Explorer (IE) 5 that sends data back to Microsoft in the event of a crash could send back personal documents along with Digital Product IDs and Internet Protocol (IP) addresses. The program sends back the current contents of the computer's memory, which could include sensitive information, possibly including passwords and encryption keys.
-http://news.cnet.com/news/0-1003-200-7571224.html?tag=prntfr
[Editor's (Paller) note: A discussion group inside Microsoft carried the following description: "The Program works like this: when something on XP crashes or reports an error, a dialogue box appears asking the user if information can be sent back to Microsoft to determine the reason for the crash/error. (Often, it is not an OS but an application issue, and therefore, the aggregate data gathered is shared with the party involved to help them to respond to the issue, fix a problem, etc.) No information is reported to Microsoft unless the user clicks "yes" in the dialogue box." There's a web page that details the information in the crash report at
-http://watson.microsoft.com/dw/1033/dcp.asp,
including a link to the detailed data formats on MSDN. ]

17 October 2001 Sen. Gregg Backs Off On Encryption Back Doors

A few days after the September 11 attack, Sen. Gregg (Republican, NH) told the Associated Press that he was preparing legislation to prohibit the sale of data-scrambling products without backdoors allowing government surveillance. On October 16, a spokesman for the Senator said he has no intention of introducing such an encryption bill.
-http://www.wired.com/news/conflict/0,2100,47635,00.html

17 October 2001 Russian Cracker/Extortionist Found Guilty

One of a pair of Russian crackers who allegedly attempted to extort funds from companies after breaking into their computer systems and stealing customer data has been found guilty of conspiracy, computer crimes and fraud. Vasily Gorshkov was arrested after the FBI, tipped off to the duo's activities, set up a phony business and invited them to demonstrate their cracking abilities at a job interview; the FBI used an electronic wiretap to glean password information for Gorshkov's Russian computer systems and Internet accounts. A judge rejected a defense motion for dismissal, noting that the two had "no expectation of privacy."
-http://www.wired.com/news/politics/0,1283,47650,00.html

17 October 2001 Cracker Pleads No Contest

Armen Oganesyan, a cracker who once worked for a Department of Defense (DoD) contractor and abused his insider status to break into and shut down company computers, has pleaded no contest to computer access and fraud. Oganesyan faces up to five years in prison and $250,000 in restitution.
-http://www.msnbc.com/news/643977.asp?0dm=N228T

15 October 2001 Microsoft to Rate Security Warning

In an effort to clarify the relative seriousness of its security warnings, Microsoft will implement a rating system. Bulletins will be designated critical, moderate, or low, and will be sorted into categories that include client systems, Internet servers, and internal servers.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO64798,00.html
[Editor's (Murray) Note: While I am satisfied that Microsoft will try to be objective, I would not encourage my clients to use Microsoft as their exclusive, or even their primary, source of intelligence. ]



THE REST OF THE WEEK'S NEWS

22 October 2001 Pennsylvania Security Initiative

The state of Pennsylvania plans to strengthen computer security and address privacy concerns with a three-pronged approach: educating state employees about security and privacy policies, hiring an ombudsman to manage policy compliance, and updating the criminal code to reflect cybercrime concerns, including jurisdictional authority.
-http://www.fcw.com/geb/articles/2001/1022/web-penn-10-22-01.asp

19 October 2001 Red Cross Says Trojan Could Steal Personal Data

The American Red Cross has issued a warning about the Septer.Trojan that appears to be an e-mail donation form. When the bogus form is filled out, the information is sent to a web site that is not affiliated with the Red Cross. The program does not self-replicate; the e-mails with the infected attachments must be sent out manually.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO64948,00.html
[Editor's (Murray) Note: This is neither a virus nor a Trojan Horse attack. In spite of the name of the object, this is simply a fraud. The big advantage that it has over the same fraud on paper is that the postage cost is lower. ]

19 October 2001 Microsoft Removes Flawed Patch

Microsoft removed from its website a patch for the RDP security hole after reports that it was causing system problems once applied.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO64947,00.html

19 October 2001 Microsoft Anti-Piracy Protection Cracked

A cracker has written code, now circulating on the Internet, that strips anti-piracy protections from Microsoft's media protection system.
-http://news.cnet.com/news/0-1005-200-7590303.html?tag=prntfr

19 October 2001 Support for FOIA Exemptions is Growing

Senator Robert Bennett's Critical Infrastructure Information Security Act would relax anti-trust regulations to allow companies to share critical cyber security information. The act would also exempt the shared information from disclosure under the Freedom of Information Act (FOIA).
-http://www.wired.com/news/politics/0,1283,47704,00.html
Separately, President Bush has sent a letter to National Security Telecommunications Advisory Committee chairman Daniel P. Burnham which says he would support a proposal narrowly restricting FOIA disclosure of shared cyber security information.
-http://www.washingtonpost.com/wp-dyn/articles/A18052-2001Oct18.html
[Editor's (Murray) Note: This is very ill-advised. No one in business is much worried about their competitors using FOIA to learn about their vulnerabilities, much less their business strategies. ]

18 October 2001 Experts Call for Increased Cybersecurity Funding

Speaking at a conference sponsored by the Information Technology Association of America (ITAA) and the Center for Strategic and International Studies, ITAA president Harris Miller said that the US government needs to devote at least $10 billion to cybersecurity if the country is to be adequately protected from cyber attacks. The money would be used primarily for training, education, and upgrading critical systems.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO64886,00.html

18 October 2001 Redesi Worm

An e-mail attachment purporting to be a Microsoft software security patch is actually a worm, dubbed Redesi, that spreads through e-mail and carries a malicious payload; on November 11 (11/11/01) the worm could reformat the C: drive of infected machines. To avoid being affected by this worm, set the date to the long (four-digit) format. People are encouraged to remember that Microsoft does not e-mail patches.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2818442,00.html?chkpt=zdnnp1tp02
-http://www.theregister.co.uk/content/56/22347.html

18 October 2001 New Technique Yields DSL Customer Passwords

Crackers have found a way to glean account names and passwords from DSL subscribers' routers. The trick affects Cayman Systems' 3220-H DSL router.
-http://www.securityfocus.com/news/268
[Editor's (Murray) Note: This is a combination of an unsafe default, administrative access available from the public side of the router and failure of the user to reset the default password. ]

17 & 18 October 2001 Microsoft's Culp Speaks Out Against Full Disclosure

Decrying "information anarchy," Microsoft security chief Scott Culp says people should stop publishing step-by-step exploits of known vulnerabilities because they do not help solve the problem. A Gartner commentary (the last URL) asserts that the problem is hype.
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/noarch.asp
-http://www.zdnet.com/zdnn/stories/news/0,4586,5098438,00.html?chkpt=zdhpnews01
-http://www.theregister.co.uk/content/55/22332.html
-http://news.cnet.com/news/0-1003-201-7573979-0.html?tag=prntfr
[Editor's (Schultz) Note: Microsoft's statement sounds like something out of the Dark Ages where knowledge was suppressed from the masses. Until vendors produce better quality code, the best defense we have is to understand how to exploit vulnerabilities and the effect that patches have. (Ranum) Odd position Gartner takes; there's lots of public information to show that disclosure results in a large number of incidents once the technique is disclosed - how can someone ignore that? Of course, Culp's position (coming from Microsoft) just comes off as whining. (Murray) I agree with Scott. Real "security experts" publish work-arounds, not exploits. ]

16 October 2001 Antrax Worm Errors Curtail its Spread

The Antrax worm, which purports to be an attachment depicting the effects of the disease, has widely received low severity ratings due to errors which prevent it from spreading. Antrax, which is the Spanish spelling of the word, was created with the same worm generator used by the author of the Kournikova worm. Updated anti-virus software will thus recognize the signature.
-http://news.cnet.com/news/0-1003-200-7549706.html?tag=prntfr

16 October 2001 Passwords Still Too Easy to Crack

A book written by risk management consultants says that users still choose passwords that are very easy to crack. Some people choose easy-to-guess passwords like names of family members; others use the same password for a variety of systems. The book points out that while a four-character password that uses only letters can be broken within minutes, a seven-character password that incorporates digits significantly increases the cracking time.
-http://it.mycareer.com.au/news/2001/10/16/FFX45L36TSC.html

15 October 2001 CERT/CC Predicts Incident Reports Will Double in 2001

The Computer Emergency Response Team Coordination Center (CERT/CC) predicts that the number of Internet attacks reported in 2001 is likely to be double that of the previous year. The dramatic increase is due in large part to a growing Internet and heightened security awareness. Automated vulnerability scans and web site defacements helped boost this year's numbers; viruses and worms are counted only once even if the attacks are massive.
-http://www.zdnet.com/zdnn/stories/news/0,4586,5098301,00.html

15 October 2001 Review Internal Security, Say Experts

In the wake of the September 11 attacks, cybersecurity experts are encouraging businesses to reexamine their security policies with special attention paid to internal threats and physical security. No scenario is too improbable to consider. This article also includes a list of suggested security measures.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO64774,00.html




Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Howard Schmidt, Eugene Schultz