SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IV - Issue #21
May 22, 2002
SANS Alert! A Worm Is Attacking Microsoft SQL Server 7 Users
Microsoft shipped SQL Server 7 so it was automatically configured to
run without an administrator password. If you are running SQL Server
7, and are connected to the Internet, set an administrator password
right away to block the new worm. If the worm infects your system, it
will steal your account and password file, and force your machine to
scan for additional targets using as many as 100 threads. The attacker
can use the stolen account names and passwords to log back in and steal
other private data. Thousands of systems have already been taken over.
http://www.vnunet.com/News/1131940
http://www.reuters.com/news_article.jhtml?type=internetnews&Storyclass=99129
1
Kudos to Congress
The Senate Commerce Committee has reported out a bill, unanimously,
that implements the only effective defense against worms like the
SQL Worm (above), Code Red and other mass attacks. Senate Bill
2182 requires government agencies to make sure their computers are
configured using best security practices appropriate for their use
(like having a password on every administrator account on SQL Server),
before the systems are connected to the Internet. The bill implements
for government the techniques used in-house by computer companies like
Microsoft and Sun Microsystems, and by many other large organizations
including most large banks. Extending the practice to all federal
systems and developing benchmarks agencies can use (and extend),
will be an enormous contribution to government Internet safety.
http://www.gcn.com/vol1_no1/security/18706-1.html
Alan
TOP OF THE NEWS
20 May 2002 Hackers' Club May be Aiming to Launch Cyber Attack17 May 2002 Second Sentencing in Piracy Ring.
16 & 17 May 2002 Phony Fingerprints Fool Biometric Readers
16 May 2002 Facial Recognition Technology Not Highly Accurate
15, 16 & 17 May 2002 FBI Confiscates Deceptive Duo Equipment; One Under House Arrest
THE REST OF THE WEEK'S NEWS
20 May 2002 Benjamin Virus Infects Kazaa Network20 May 2002 Benjamin's Authors Defend Action
20 May 2002 State Dept. Sends Klez to Mailing List
13, 15 & 20 May 2002 Critical Infrastructure Protection Project
19 May 2002 Falun Gong TV Hackers Sentenced
17 May 2002 ID Thieves Stole Credit Reports Using Ford's Authorization Code
16 & 17 May 2002 Sustainable Computing Consortium
16 May 2002 Supermarket Tests Pay-by-Fingerprint System
16 May 2002 DISA Security Cameras on Unsecured WLAN
16 May 2002 DoD Must Purchase Only NIAP Certified Products
16 May 2002 JS.Fortnight Worm
15 & 16 May 2002 Microsoft Issues Patch for IE Vulnerabilities
16 May 2002 Media Player Vulnerability Also Addressed by Patch
16 & 17 May 2002 Researchers Say Microsoft Patch Doesn't Do Its Job
17 May 2002 Microsoft Says Patch May Illuminate New Vulnerability
15 May 2002 JDBGMGR.exe Hoax Has Some Basis in Fact
15 May 2002 Klez Information Site
17 May 2002 Klez Still Spreading
15 May 2002 Linux Defacements on the Rise
15 May 2002 Australia Budgets $25 Million for Cyber Security
14 May 2002 Border Security Bill Mandates Biometric Data in Visitors' Documents
14 May 2002 Flowgo Pop-up Ad Leads to Surreptitious Downloads
14 May 2002 Phony Xbox Emulator Not a Trojan, Says Author
************************ Sponsored by NetIQ **************************
FREE Security Webcast from Microsoft and NetIQ
Are hackers threatening your Windows network? Tune in to "Defending the
Enterprise: Hacker Methods and Countermeasures" and get the tactics you
need to combat hacker exploits. You'll also receive a free white paper,
"Defense in Depth," via e-mail after the Webcast.
Register now!
http://webevents.tpcnet.com/netiq/20020611/start/default.asp?origin=sans522
**********************************************************************
TOP OF THE NEWS
20 May 2002 Hackers' Club May be Aiming to Launch Cyber Attack
The Muslim Hackers Club website offers tutorials on viruses, hacking and other sorts of cyber attacks. The FBI and the DIA believe the group aims to develop software tools that can be used to launch cyber attacks on Western targets.-http://www.msnbc.com/news/751115.asp
17 May 2002 Second Sentencing in Piracy Ring.
John Sankus, Jr., the ringleader of the software piracy group known as DrinkOrDie, was sentenced to 46 months in prison. Another member of the group, Barry Erickson, received a 33-month sentence several weeks ago.-http://www.newsbytes.com/news/02/176649.html
-http://www.usatoday.com/life/cyber/tech/2002/05/17/software-piracy.htm
16 & 17 May 2002 Phony Fingerprints Fool Biometric Readers
Fake fingerprints fashioned from gelatin were able to fool biometric fingerprint readers 80% of the time, according to research performed by Japanese researchers. The researchers also devised a way to create fake fingerprints from fingerprints left on glass surfaces.-http://news.com.com/2100-1001-915580.html
-http://www.theregister.co.uk/content/55/25300.html
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_1991000/1991517.stm
[Editor's (Ranum) Note: It is probably worth mentioning that under $10 worth of stuff was needed to pull this off - no rocket science required. (Murray) This attack is a classic replay (or forgery) attack. Nothing impressive about it. Replays are not unique to fingerprints. Replays are a fundamental vulnerability of all biometrics. That is why we insist upon strong authentication, that is, at least two forms of evidence (something only one person has, knows, is, or can do) at least one of which is implemented in such a way as to resist replay. Those who continue to search for the perfect authenticator (easy to use, can be reconciled at a distance, easy to enroll, cannot be forgotten, lost, stolen or copied) are looking for magic. ]
16 May 2002 Facial Recognition Technology Not Highly Accurate
The American Civil Liberties Union (ACLU) says that tests of facial recognition technology at the Palm Beach (FL) International Airport fail to correctly identify faces more than half of the time. The recognition rate went down when people wore glasses, turned their heads, or were moving.-http://www.newsbytes.com/news/02/176621.html
ACLU report:
-http://www.aclu.org/issues/privacy/FaceRec_data.pdf
15, 16 & 17 May 2002 FBI Confiscates Deceptive Duo Equipment; One Under House Arrest
The FBI has confiscated computer equipment from two men believed to be responsible for defacing at least 52 US federal and business web sites. Calling themselves "the Deceptive Duo," the two maintain they were trying to demonstrate the poor state of security on the web sites. One of the men, Robert Lyttle, is under house arrest for violating his parole; he had been convicted of defacing sites with pro-Napster propaganda. Lyttle can use computers only at school and may leave home only to attend classes. No charges have been filed yet.-http://online.securityfocus.com/news/414
-http://www.wired.com/news/business/0,1367,52566,00.html
-http://www.newsbytes.com/news/02/176601.html
-http://news.com.com/2100-1001-914848.html
-http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,71
264,00.html
************************* Sponsored Links ****************************
(1) FREE WEBINAR: Gartner on Web Application Security -- Presented
by Stratum8 Networks
http://www.sans.org/cgi-bin/sanspromo/NB37
(2) FREE white paper sheds new light on deception technologies:
http://www.sans.org/cgi-bin/sanspromo/NB38
**********************************************************************
THE REST OF THE WEEK'S NEWS
20 May 2002 Benjamin Virus Infects Kazaa Network
Members of Kazaa's peer-to-peer file-sharing network have found their computers infected with a virus called Benjamin. The virus creates a directory on infected machines and copies itself into that directory many times with a variety of names. It also manages to vary its size. These copies are open to Kazaa members; if a member downloads the file, their machine will become infected. Benjamin takes up a lot of file space and consumes resources. The worm also opens an anonymous web site containing banner ads.-http://www.washingtonpost.com/wp-dyn/articles/A43859-2002May20.html
-http://news.com.com/2100-1001-918132.html
-http://zdnet.com.com/2100-1105-917771.html
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_1998000/1998686.stm
-http://www.viruslist.com/eng/index.html?tnews=1001&id=49822
20 May 2002 Benjamin's Authors Defend Action
The worm's creators say they wrote it to thwart the efforts of people seeking pirated software and child pornography.-http://www.newsbytes.com/news/02/176684.html
[Editor's (Schultz) Note: The ends do not justify the means. It is truly sad that people who write code that does things without proper authorization can justify their actions so smugly. (Murray) Nice people do not soil their own sandbox. ]
20 May 2002 State Dept. Sends Klez to Mailing List
The State Department unwittingly sent the Klez virus to a travel advisory mailing list over the weekend, then sent an apology on Monday morning. The list software has been reconfigured not to send on attachments. The State Department says a third-party vendor bears responsibility for the incident.-http://www.msnbc.com/news/754879.asp?0dm=C21ET
13, 15 & 20 May 2002 Critical Infrastructure Protection Project
George Mason University and James Madison University will establish the Critical Infrastructure Protection (CIP) Project, to be housed at GMU's School of Law. Funded by a $6.5 million grant from the National Institute of Standards and Technology (NIST), the CIP Project aims to centralize and organize cyber security research. The program will take a three-pronged approach to cyber security, focusing not just on technology, but on law and public policy as well. The program will also sponsor research and provide training for businesses and government.-http://www.washingtonpost.com/wp-dyn/articles/A10820-2002May13.html
-http://www.washingtonpost.com/wp-dyn/articles/A17577-2002May14.html
-http://www.fcw.com/fcw/articles/2002/0520/news-cyber-05-20-02.asp
19 May 2002 Falun Gong TV Hackers Sentenced
Four Falun Gong followers received prison sentences of between seven and sixteen years for their roles in hacking into a cable television network to broadcast information about their group.-http://europe.cnn.com/2002/WORLD/asiapcf/east/05/19/china.falungong.ap/index.htm
l
17 May 2002 ID Thieves Stole Credit Reports Using Ford's Authorization Code
Ford Motor Credit Company authorization codes were fraudulently used to obtain 13,000 credit reports from Experian. Information on the reports, which were stolen over a ten-month period, includes names, addresses, social security numbers and bank and credit card account information. Ford has sent certified letters to all the people affected by the security breach, advising them to get copies of their credit reports and check them for unauthorized inquiries or incorrect information. The FBI is investigating.-http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,71267
,00.html
-http://www.cnn.com/money/2002/05/17/news/companies/ford_credit/index.htm
-http://www.nytimes.com/2002/05/17/technology/17IDEN.html
(Note: This site requires free registration.)
16 & 17 May 2002 Sustainable Computing Consortium
Government agencies, technology companies and academic researchers have come together to establish the Sustainable Computing Consortium at Carnegie Mellon University in Pittsburgh. The group plans to create engineering standards for software and create tools to test software for security and reliability prior to its release. The group also plans to address issues in public policy and law.-http://zdnet.com.com/2100-1104-916026.html
-http://www.washingtonpost.com/wp-dyn/articles/A29874-2002May16.html
16 May 2002 Supermarket Tests Pay-by-Fingerprint System
Kroger supermarkets in Houston, TX are testing a "biometric electronic financial transaction processing system," otherwise described as a pay-by-fingerprint shopping system.-http://www.ananova.com/news/story/sm_588924.html
[Editor's (Murray) Note: This is a tuning issue. However, in this application too many false negatives are better than too many false positives. ]
16 May 2002 DISA Security Cameras on Unsecured WLAN
The CTO of an intrusion detection services company found that the closed circuit security cameras at the Defense Information Systems Agency (DISA) in Arlington, VA were connected to an unsecured wireless LAN; the network was not using the WEP protocol. A DISA said the camera system was not connected to other DISA systems, and that encryption would be in place soon.-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,71231,0
0.html
16 May 2002 DoD Must Purchase Only NIAP Certified Products
Starting in July, the Defense Department will be required to purchase only the information assurance products that have been certified by the National Information Assurance Partnership (NIAP). NIAP, an NSA initiative, has certified about two dozen products so far.-http://www.fcw.com/fcw/articles/2002/0513/web-niap-05-16-02.asp
[Editor's (Ranum) Note: This is interesting. What about the installed base? What about enforcing this? What organizations will be able to get waivers? Excuse me if I am cynical but I remember "C2 by 92!" and the orange book. I bet this is going to accomplish nothing. ]
16 May 2002 JS.Fortnight Worm
The JS.Fortnight worm places an HTML file into the default signatures of e-mail sent through Outlook Express; the worm attaches a link to an adult site to all the outgoing Outlook e-mail. It also changes the browser's home page, and adds sites to the favorites list. The worm affects Windows 95, 98, NT, 2000, ME and XP.-http://www.theregister.co.uk/content/55/25301.html
-http://www.newsbytes.com/news/02/176613.html
-http://www.vnunet.com/News/1131804
15 & 16 May 2002 Microsoft Issues Patch for IE Vulnerabilities
Microsoft has issued a "critical" patch that addresses six new security holes, including a cross-site scripting vulnerability, in Version 6 of its Internet Explorer web browser. The download also fixes flaws in IE 5.01, 5.5, and it changes the "restricted sites" zone's default settings to block all frames.-http://zdnet.com.com/2100-1104-914836.html
-http://www.theregister.co.uk/content/55/25307.html
-http://www.cnn.com/2002/TECH/internet/05/17/ms.security.holes.idg/index.html
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,71203,0
0.html
Microsoft security bulletin:
-http://www.microsoft.com/technet/security/bulletin/MS02-023.asp
Patch: www.microsoft.com/windows/ie/downloads/critical/q321232/default.asp
16 May 2002 Media Player Vulnerability Also Addressed by Patch
Microsoft has thanked a Japanese firm for reporting an Internet Explorer vulnerability that could allow malicious code to execute automatically on computers if Windows Media Player is installed. The problem is addressed in the IE patch Microsoft has released.-http://www.newsbytes.com/news/02/176623.html
16 & 17 May 2002 Researchers Say Microsoft Patch Doesn't Do Its Job
Research indicates that the patch released for the six holes in Microsoft's IE browsers 5.01, 5.5 and 6.0 only addresses the cross-site scripting vulnerability in one of the browser versions, and leaves another vulnerability unaddressed altogether.-http://www.newsfactor.com/perl/story/17798.html
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,71256,0
0.html
-http://www.theregister.co.uk/content/55/25326.html
17 May 2002 Microsoft Says Patch May Illuminate New Vulnerability
Microsoft says the researchers may have found a new vulnerability that closely resembles the one described in the security bulletin and for which a patch was issued. They are investigating.-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,71269,0
0.html
15 May 2002 JDBGMGR.exe Hoax Has Some Basis in Fact
One reason the jdbgmgr.exe virus warning hoax is not losing steam is the fact that the Magistr-A virus actually does send infected copies of the jdbgmer.exe file. If the file is already on your computer, it's probably not infected, but if you receive one as an attachment, it probably is infected. As always, delete e-mail containing unexpected .exe files and don't pass on warnings.-http://www.theregister.co.uk/content/55/25294.html
15 May 2002 Klez Information Site
This site offers a description of the Klez virus, and links to infection statistics and information about removing it from infected systems.-http://www.net-security.org/virus_news.php?id=13
17 May 2002 Klez Still Spreading
Klez continues to spread and to generate traffic due to response and refusal mechanisms.-http://news.com.com/2100-1001-916945.html
15 May 2002 Linux Defacements on the Rise
The number of defacements on computers running Linux is on the rise; the number of incidents this year so far is already almost twice that of last year's total. The defacements are especially prevalent on web sites with domain names of German-speaking countries: Germany (.de), Austria (.at) and Switzerland (.ch); many of the defacements appear to have been perpetrated by the same group, known as hax0rs lab.-http://www.vnunet.com/News/1131782
15 May 2002 Australia Budgets $25 Million for Cyber Security
The Australian government plans to spend $25 million to protect the country's banks, telecommunications companies and financial concerns from cyber criminals. The fact that many of these institutions are privately owned will complicate the effort.-http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8100
14 May 2002 Border Security Bill Mandates Biometric Data in Visitors' Documents
President George W. Bush signed H.B. 3525 into law. The bill allows a $150 million budget for improving border security. Provisions include a requirement that all documentation issued to visiting foreigners contain biometric data. The bill also provides for creating a database of suspected terrorists.-http://www.govexec.com/dailyfed/0502/051402td1.htm
14 May 2002 Flowgo Pop-up Ad Leads to Surreptitious Downloads
People who clicked on a certain pop-up ad on the Flowgo site were taken to another site which appeared to be a digital slot machine and which actually exploited a flaw in old versions of Internet Explorer's Java engine to download files onto their computers. Researchers are not yet entirely sure what the files do; some monitor surfing habits and others let more files be sent to the computer. An install program also turns off firewalls.-http://www.vnunet.com/News/1131727
14 May 2002 Phony Xbox Emulator Not a Trojan, Says Author
The man who claims to have written the purported Trojan called "Net BUIE" disguised as an Xbox emulator says it is not a Trojan at all, but a failed attempt to make money on pay-per-click scheme. He made six revisions to the program; people who have downloaded the two most recent versions will get a pop-up window with instructions for uninstalling the program. The others will continue to get pop-ups, but their computers will not be harmed.-http://www.vnunet.com/News/1131736
==end==
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites
Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Eugene Schultz
