SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume III - Issue #45
November 07, 2001
Reminder: Today is the deadline for the early registration discount
for Cyber Defense West in San Francisco next month (www.sans.org).
Both Cyber Defense East (Washington DC) and West programs will
have the full five-day hands-on hacker exploits course (the nation's
highest rated security training program) as well as other great
immersion training tracks.
AP
TOP OF THE NEWS
5 November 2001 Netcraft Survey Says 130,000 IIS Users Switched to Apache
2 November 2001 Passport e-Wallet Vulnerability
1 November 2001 California Court Says DeCSS is "Pure Speech"
31 October & 1 November 2001 NY Times Attack Was Nimda, Not DoS
30 October 2001 Nimda-E Still A Major Problem
THE REST OF THE WEEK'S NEWS
1 & 2 November 2001 Aibo Hacker Threatened With DMCA
1 November 2001 Florida IS Director Wants Critical Infrastructure Protection Center
1 November 2001 A Place for Hackers to Work
31 October & 1 November 2001 Virus-Tainted DVD Recalled
31 October 2001 Proposed European Legislation Takes Aim at Cookies
31 October 2001 Sewage spills; Hacker jailed
31 October 2001 Phony WTO Site
31 October 2001 The Human Element of Security
30 October 2001 Plans for a Virtual Pentagon
30 October 2001 Microsoft Warns Against Installing Pirated Versions of Windows XP
1 November 2001 Microsoft Admits XP Has Been Cracked
TOP OF THE NEWS
5 November 2001 Netcraft Survey Says 130,000 IIS Users Switched to Apache
Netcraft's September survey of 33 million web servers showed 300,000 fewer IIS servers than in August, with 130,000 of those sites moving to Apache. The survey also reported that 11 percent of all IIS servers were infected and completely unprotected from exploitation and use by malicious persons.
-http://www.cw360.com/bin/bladerunner?REQSESS=Z097P4P&690REQEVENT=&CARTI=107480&CARTT=14&CCAT=2&CCHAN=20&CFLAV=1&CPAGEN=ArticlePage&CPAGET=-99999&CSEARCH=&CSESS=-99999&CTOPIC=
2 November 2001 Passport e-Wallet Vulnerability
A researcher discovered that by sending specially constructed e-mails to Hotmail accounts, he could view the contents of that user's Passport e-wallet. Marc Slemko alerted Microsoft to the vulnerability, and the company temporarily shut users out of their e-wallets while they fixed the network.
-http://www.msnbc.com/news/652089.asp?0dm=C219T
[Editor's (Schultz) Note: At least two years ago a number of malicious Java applets (e.g., "BookMarker," "DemonDialer," and "Pickpocket") that raid electronic wallets surfaced. These applets are still widely available at certain web sites.
(Irwin) The summary paragraph makes it sound like Microsoft fixed the problem after being alerted. And, in the most literal sense, they did. But if you read Marc Slemko's paper, you'll see that there is a fundamental design flaw in the Passport "single sign-on" implementation ... specifically (quoting the paper) "The Hotmail HTML filtering hole and this particular cross-site scripting issue on passport.com will quickly be fixed, making this particular exploit stop working. But unless the deeper issues are addressed, it is still fairly trivial to come up with a new exploit using slightly different techniques. The key problems here are that the cookies go to all passport.com servers, broadening the attack space, and that when the user uses a password to authenticate for one purpose, the resulting token can be used for other purposes."
Incidents.Org Handler's Diary article for a technical overview
-http://www.incidents.org/diary/november01/110501.php#2
Marc Slemko's paper
-http://alive.znep.com/~marcs/passport/]
1 November 2001 California Court Says DeCSS is "Pure Speech"
A three-judge panel of the California Court of Appeal has ruled that DeCSS, the program written to descramble DVDs, is "pure speech" and web sites posting the program are protected by the First Amendment.
-http://www.msnbc.com/news/651673.asp?0dm=C16PT
-http://www.wired.com/news/print/0,1294,48075,00.html
-http://news.cnet.com/news/0-1005-200-7751876.html?tag=prntfr
31 October & 1 November 2001 NY Times Attack Was Nimda, Not DoS
What at first appeared to be a denial-of-service attack on the New York Times computers instead turned out to be the work of a variant of the Nimda worm.
-http://news.cnet.com/news/0-1003-200-7739301.html?tag=prntfr
-http://www.computerworld.com/storyba/0,4125,NAV47_STO65249,00.html
30 October 2001 Nimda-E Still A Major Problem
Complete analysis at
-http://www.incidents.org/diary/october01/103001.php#1
THE REST OF THE WEEK'S NEWS
1 & 2 November 2001 Aibo Hacker Threatened With DMCA
Sony is threatening to invoke the Digital Millennium Copyright Act (DMCA) against a hacker who has tinkered with the electronics company's Aibo robotic dog and placed software enhancements on his web site. The augmented programs still require that users purchase Sony Memory Sticks.
-http://news.cnet.com/news/0-1006-200-7746625.html?tag=prntfr
-http://www.wired.com/news/business/0,1367,48088,00.html
1 November 2001 Florida IS Director Wants Critical Infrastructure Protection Center
Florida's Information Security Office Director is asking the State legislature to establish and fund a critical infrastructure protection center to alert law enforcement, infrastructure managers, some private companies and emergency workers in the event of an attack. The center would have four levels of redundancy, including a secure Internet connection, to ensure communications.
-http://www.gcn.com/vol1_no1/daily-updates/17400-1.html
1 November 2001 A Place for Hackers to Work
Thubten Comerford, a former Buddhist monk and now the CEO of White Hat Technologies, takes issue with using the word "hackers" to refer to bad guys. Comerford created his company to guide young hackers toward helping people.
-http://www.theregister.co.uk/content/55/22599.html
[Editor's (Murray) Note: "By their fruits you shall know them." Like it or not, the word carries a lot of baggage. It seems to mean those who reject professionalism, formal and supervised learning, order, identification with the community of users, identification with the common good, submission to authority, discipline, private property, etc. It seems to mean those that reserve the right to interfere with, not to say contaminate, the systems of others. That is the fault of those who so identify and how they behave, not of the rest of us. Anyone who does not like the baggage that comes with the word can simply reject the identification. "A rose is a rose is rose" and garlic by any name still smells like garlic. (Paller) Bill may be right and the task may be harder than Mr. Comerford thinks, but I for one, wish him great success. ]
31 October & 1 November 2001 Virus-Tainted DVD Recalled
In the first reported instance of a DVD acting as the vector of infection, a Powerpuff Girls cartoon DVD has been recalled because it contains the Funlove virus. The virus infects PCs when the disk's supplemental software is installed; DVD players are unaffected.
-http://news.cnet.com/news/0-1003-200-7735109.html?tag=prntfr
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_1632000/1632896.stm
31 October 2001 Proposed European Legislation Takes Aim at Cookies
The European Commission has introduced legislation that would prohibit the use of cookies, or personal identification tags. Proponents of the proposed directive maintain cookies violate citizens' privacy; people in the advertising business say the move, if approved, could seriously damage e-commerce and Internet advertising sales.
-http://www.wired.com/news/politics/0,1283,48025,00.html
[Editor's (Schultz) Note: This news item once again shows the clash of two cultures, the one in the US (in which insufficient attention to privacy is paid), and the one in much of Europe, where privacy is a major concern. What we are seeing here is a proverbial time bomb waiting to go off. ]
31 October 2001 Sewage spills; Hacker jailed
An Australian man was sent to prison for two years after he was found guilty of hacking into a Queensland computer-controlled waste management system and causing millions of gallons of raw sewage to spill out into local parks, rivers and even the grounds of a Hyatt Regency hotel.
-http://www.theregister.co.uk/content/4/22579.html
31 October 2001 Phony WTO Site
A phony WTO site that has been around for two years recently changed its appearance to closely resemble that of the official site; the phony site also began collecting e-mail addresses of visitors without permission. Some search engines are sending surfers to the fake site instead of the real one.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO65229,00.html
31 October 2001 The Human Element of Security
John Dickinson reminds readers that people are an important line of defense in computer security: don't open attachments if you don't know what they are or who they're from, or if you weren't expecting them; be wary of attachments with certain extensions, including .exe, .vbs, and .dll; and adjust program security settings.
-http://www.zdnet.com/zdnn/stories/comment/0,5859,2821467,00.html
30 October 2001 Plans for a Virtual Pentagon
The Defense Department (DoD) is working on plans for a "virtual Pentagon" or "distributed Pentagon" that would allow DoD employees to keep working after a disaster. The September 11 attack underscored the need for distributed remote storage sites and redundant measures to avoid single points of failure.
-http://www.fcw.com/fcw/articles/2001/1029/web-pent-10-30-01.asp
30 October 2001 Microsoft Warns Against Installing Pirated Versions of Windows XP
Microsoft warns users not to install pirated versions of the recently released software because it could leave them vulnerable to malicious code. An IT security firm says the software's copy protection has been broken.
-http://www.newsbytes.com/news/01/171651.html
1 November 2001 Microsoft Admits XP Has Been Cracked
Crackers have been distributing code that removes the product activation technology from Windows XP, allowing users to install the software on multiple machines. Microsoft is aware of the situation.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO65240,00.html
==end==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites
Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Howard Schmidt, Eugene Schultz