

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume III - Issue #9

February 28, 2001


Two extra notes this week:
First, SANS' Global Incident Analysis Center has received a series of
reports of Windows NT web servers being compromised and used as secret
FTP servers for people who need extra storage. Uses could range from
MP3 files to stolen data files to pornography. A brief explanation of
the attack, how to determine whether your systems are vulnerable, and
the newest patches are posted at http://www.sans.org/y2k/unicode.htm
Second, if you are planning to attend either of SANS' two most popular
certification tracks - SANS Security Essentials or Firewalls, Perimeter
Protection and VPNs, please consider attending SANS Security Essentials
in Orlando, Raleigh, or Dallas, and Firewalls in Orlando. Those cities
will be much less crowded than SANS 2001 in Baltimore. For details,
see "Upcoming Training Opportunities" below or http://www.sans.org.

AP

TOP OF THE NEWS

Indiana University Data Taken
23 February 2001 Microsoft Exec: Human Error Behind Security Breach
23 February 2001 Java Vulnerability Could Allow Malicious Code Execution
23 February 2001 Outlook vCard Security Hole
19 February 2001 Server Probes On the Rise
19 February 2001 NIST Intrusion Detection System Guidelines

THE REST OF THE WEEK'S NEWS

23 February 2001 Worm Attention Begets More Worm Activity
23 February 2001 Worm Generator Author Blames Programmers, Users
23 February 2001 Swiss Man Arrested in WEF Cracking Incident
23 February 2001 DOJ Wants to Intervene in DMCA DeCSS Case
23 February 2001 Home Page Hijacking
23 February 2001 HP Sites Cracked
22 February 2001 Embedded Applications in UPS Software Irk Customers
22 February 2001 Toshiba Australia DoS-ed
21 & 22 February 2001 Accused Spy Used Encryption, Cracked FBI Computer
21 February 2001 Columbia House Security Hole
21 February 2001 Earthlink Security Breach Revisited
21 February 2001 Biometric Authentication
20 & 21 February 2001 Unbreakable Encryption
20 February 2001 The Art of Steganalysis
20 February 2001 UK Anti-Terrorism Law Includes Cyber Criminals
20 February 2001 GSA Wants Patch Administration System
19 February 2001 SSA Card Key Security
19 February 2001 New Security Manager
19 February 2001 Federal Agencies Not Hurt by Anna K


****************** This Issue Sponsored By PentaSafe *****************
You know what your security policies are and what they are meant to do.
Does everyone else?
"By introducing the new VigilEnt Policy Center(tm), PentaSafe has
finally given security officers a single point for automating security
policy creation, distribution, awareness, and tracking throughout the
enterprise."
Click here http://www.pentasafe.com/products/policyoverview.htm to see
an online demo, or sign up for a webinar or seminar in your area.
**********************************************************************

TOP OF THE NEWS

Indiana University Data Taken

A Swedish hacker removed student data and replaced it with music files.
-http://news.excite.com/news/ap/010227/12/university-computer-security

23 February 2001 Microsoft Exec: Human Error Behind Security Breach

A Microsoft executive revealed that a cracker was able to breach the company's network security in October because an employee left a password blank when configuring a server. The intruder then searched the network for PCs with blank passwords to pursue increasingly higher access levels.
-http://seattletimes.nwsource.com/cgi-bin/WebObjects/SeattleTimes.woa/wa/gotoArticle?zsection_id=268448455&text_only=0&slug=hack23&document_id=134269414

23 February 2001 Java Vulnerability Could Allow Malicious Code Execution

Certain versions of Sun's Java Runtime Environment and Java Developer Kit could allow commands from outside the environment to be executed. While the default setting on the software executes nothing without permission, a user could alter that setting. Sun advises upgrading to a newer release of the affected components.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO58023,00.html

23 February 2001 Outlook vCard Security Hole

Malicious data placed in the birthday field of vCards could crash the program or allow code to execute on the computer. The code is triggered only when a user opens the attachment or places the vCard in the Contacts folders. Microsoft has released a patch for the vulnerability.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO58036,00.html
-http://www.zdnet.com/zdnn/stories/news/0,4586,2689657,00.html

19 February 2001 Server Probes On the Rise

Not surprisingly, scans and probes seeking assailable domain name servers have risen nearly three-fold in the last month. The scanners are likely searching for systems that have not repaired the BIND server vulnerabilities disclosed last month.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO57830,00.html

19 February 2001 NIST Intrusion Detection System Guidelines

The National Institute of Standards and Technology (NIST) has released a draft intrusion detection system guidance primer for federal agencies. NIST hopes that the document will help clarify how intrusion detection addresses security goals, and how to choose, configure and integrate intrusion detection systems.
-http://www.fcw.com/fcw/articles/2001/0219/news-rules-02-19-01.asp
The URL of the draft itself is
-http://csrc.nist.gov/publications/drafts/idsdraft.pdf


******************* Also sponsored by Network ICE ********************
Protect Your Network and Remote Users from Hackers
Network ICE solves the problem of intrusion detection for high-speed
environments and remote users. Network ICE provides centrally managed
intrusion protection solutions for networks and individual systems,
including Gigabit segments and VPN clients to detect, identify and block
attacks.
Visit: http://www.networkice.com/sans
**********************************************************************

THE REST OF THE WEEK'S NEWS

23 February 2001 Worm Attention Begets More Worm Activity

The attention paid to the recent Anna Kournikova worm may be partially to blame for an increase in copycat attempts. While the Anna creator's hometown mayor praised the teen's abilities, cracker wannabes have been attempting to use the same kit to deploy more worms.
-http://www.wired.com/news/culture/0,1284,41947,00.html

23 February 2001 Worm Generator Author Blames Programmers, Users

The Argentine creator of the worm-writing kit used to create the Anna Kournikova worm says he has not removed the program from his web site. He maintains that worm generator kits are good for learning, and that the blame for the damage from the worms lies with programmers who write sloppy software and users who open attachments indiscriminately.
-http://www.wired.com/news/culture/0,1284,41991,00.html

23 February 2001 Swiss Man Arrested in WEF Cracking Incident

Swiss police have arrested a 20-year-old man in connection with the cyber break-in and data theft from the computer system at the World Economic Forum (WEF). If he is found guilty, the man could face five years in prison or a fine.
-http://www.usatoday.com/life/cyber/tech/2001-02-23-hacker.htm

23 February 2001 DOJ Wants to Intervene in DMCA DeCSS Case

The Department of Justice wants to play a larger role in the case brought under the Digital Millennium Copyright Act (DMCA) against an on-line magazine that links to a site containing DeCSS, a DVD-descrambling utility. In a brief, the DOJ states that the magazine's link to DeCSS ventures beyond advocacy into the realm of "unlawful action", and that software is "nonexpressive" and is therefore not protected by the First Amendment.
-http://www.wired.com/news/politics/0,1283,41992,00.html
-http://www.msnbc.com/news/534141.asp?0nm=T14M
[Editor's (Cowan) Note: Prominent computer scientists including Brian Kernighan, Marvin Minsky, P.J. Plauger, Ron Rivest, Eugene Spafford, and Richard Stallman have filed an amici curiae brief supporting the EFF and 2600 magazine
-http://cryptome.org/mpaa-v-2600-bac.htm.
In a separate brief, numerous cryptographers including Steve Bellovin, Matt Blaze, Ian Goldberg, and Bruce Schneier also wrote in support of the EFF and 2600, arguing that code is speech, and therefore subject to First Amendment protection
-http://eon.law.harvard.edu/openlaw/DVD/NY/appeal/000126-cryptographers-amicus.html
]

23 February 2001 Home Page Hijacking

In an attempt to generate more traffic, some marketing companies are diverting Internet users' home page settings to certain web sites. One Internet marketer said that some home page settings were inadvertently switched while his company was testing a method of routing people's home pages through its servers, which raises concerns about monitoring. Some browsers are more susceptible to home page hijacking than are others.
-http://news.cnet.com/news/0-1005-200-4931077.html?tag=prntfr

22 February 2001 Embedded Applications in UPS Software Irk Customers

Many UPS customers were unpleasantly surprised to find their web browsers diverted to the UPS homepage after they installed the most recent version of the company's shipping software. The new software also placed several UPS links in users' Internet favorites lists. UPS has offered to help uninstall the software or fix any resultant problems.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2688734,00.html?chkpt=zdnn_rt_latest
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO57944,00.html

23 February 2001 HP Sites Cracked

Two Hewlett-Packard web sites were defaced last week; both were running on Windows NT and IIS/4.0.
-http://news.cnet.com/news/0-1003-200-4929264.html?tag=prntfr

22 February 2001 Toshiba Australia DoS-ed

Toshiba Australia said it was the victim of a denial of service attack, which it believes was orchestrated to impress other crackers. The site was defaced and links rendered inoperable.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2689159,00.html

21 & 22 February 2001 Accused Spy Used Encryption, Cracked FBI Computer

Robert Philip Hanssen, the FBI agent charged last week with spying for Russia, used encrypted floppy disks and removable storage devices to give information to Russian intelligence and had accessed the agency's Electronic Case File database, which monitors on-going cases, to see if he was under investigation. Hanssen's actions underscore the threat insiders pose to security. A computer and telecommunications crime pundit says that organizations ought to consider using software that alerts them to "anomalous activity" inside their networks. In the early 1990s, Hanssen also broke into the computer of the top FBI Russian counterintelligence official, ostensibly to demonstrate the system's vulnerability.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO57889,00.html
-http://www.usatoday.com/life/cyber/tech/2001-02-22-spy-hacker.htm
-http://www.wired.com/news/politics/0,1283,41950,00.html

21 February 2001 Columbia House Security Hole

By eliminating part of the URL for the Columbia House web site, a software developer found he could access a directory containing links to customer data, coupon codes, logs, and passwords. A spokeswoman for the music company said that no sensitive data was exposed and that the hole has been fixed.
-http://news.cnet.com/news/0-1005-200-4891643.html?tag=prntfr

21 February 2001 Earthlink Security Breach Revisited

Earthlink kept quiet about an intrusion into its network because it says customer information was not exposed; the affected servers were isolated from the rest of the system as soon as the company became aware of the problem. An anonymous source told Wired news that the crackers broke into Earthlink's development servers and installed a back door into the system.
-http://www.wired.com/news/business/0,1367,41934,00.html
[Editors' (Grefer and Paller) Note: The standard method of determining whether a back door has been placed on your system is to have installed and configured one of the file integrity checkers, for example TripWire (commercial product)
-http://www.tripwire.com
or AIDE - Advanced Intrusion Detection Environment (freeware)
-http://www.cs.tut.fi/~rammer/aide.html
prior to the incident. ]

21 February 2001 Biometric Authentication

Since password-cracking tools are readily available, other methods of user authentication become necessary. The reliability of biometrics has risen as its cost has decreased, making it an attractive addition to authentication systems.
-http://www.cnn.com/2001/TECH/ptech/02/21/biometric.works.idg/index.html
[Editors' Note: Biometrics are vulnerable to machine replay attacks and should be used only as the second form of evidence in a strong authentication system. ]

20 & 21 February 2001 Unbreakable Encryption

A Harvard University computer science professor proposed a provably unbreakable encryption code. The code uses disappearing keys, which are based on a continuous and high-speed stream of random numbers.
-http://www.newsfactor.com/perl/story/7626.html
-http://www.nytimes.com/2001/02/20/science/20CODE.html
(please note this site requires free registration)

20 February 2001 The Art of Steganalysis

Most steganography tools -- programs that hide information in other digitized information -- leave fingerprints of sorts. One research project is underway to develop a set of tests that can detect hidden messages and identify the steganographic method used to embed them.
-http://www.wired.com/news/politics/0,1283,41861,00.html

20 February 2001 UK Anti-Terrorism Law Includes Cyber Criminals

A new UK law widens the definition of terrorism to include certain types of cyber activity, raising concerns that the law could be used to thwart legitimate activism. The law is intended to target UK groups plotting terrorist acts and foreign groups plotting terrorist acts within the UK, according to Home Secretary Jack Straw.
-http://www.theregister.co.uk/content/8/17062.html
-http://www.zdnet.com/zdnn/stories/news/0,4586,2687991,00.html
-http://www.cnn.com/2001/TECH/internet/02/20/hackers.terrorists.idg/index.html

20 February 2001 GSA Wants Patch Administration System

The General Services Administration (GSA) wants industry to help define a system to keep federal agencies up to date with software patches. The proposed system would customize notification based on each agency's systems and create a "trusted repository" from which the agencies can receive the patches.
-http://www.fcw.com/fcw/articles/2001/0219/web-patch-02-20-01.asp

19 February 2001 SSA Card Key Security

A new Social Security Administration (SSA) key card system for authenticating access to offices also maintains a log of employee movement. While the logs are to be kept secure and accessed only on a "need to know" basis, privacy advocates are still concerned. The card key system is presently used only in Seattle SSA offices.
-http://www.fcw.com/fcw/articles/2001/0219/mgt-ssa-02-19-01.asp

19 February 2001 New Security Manager

The new author of the Security Manager's Journal is actually a new security manager at a start-up that's never had one before, and he describes his plans for addressing the security issues uncovered by an audit, which recommended hiring a security manager in the first place.
-http://www.computerworld.com/cwi/story/0,1199,NAV65-663_STO57782,00.html

19 February 2001 Federal Agencies Not Hurt by Anna K

Firewalls, early detection, alert notices, and quickly written scripts helped federal agencies escape any major problems with the Anna Kournikova worm last week. However, interagency coordination is not as strong as it could be, despite a policy issued by FedCIRC and the CIO Council calling for a standard for sharing security incident information.
-http://www.gcn.com/vol20_no4/news/3704-1.html
-http://www.fcw.com/fcw/articles/2001/0219/news-anna-02-19-01.asp


== End ==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites


Editorial Team:
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Howard Schmidt, Eugene Schultz