SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IV - Issue #22
May 29, 2002
TOP OF THE NEWS
25 May 2002 CA State Personnel Database Security Breach
24 & 27 May 2002 Klez Tops the List
23 May 2002 Qwest Customer Data Exposed
21 & 22 May 2002 SQLSnake Worm
THE REST OF THE WEEK'S NEWS
24 May 2002 Report Warns of Chinese Hacking Threat
24 & 27 May 2002 New Worms Could Wreak Havoc
24 May 2002 Ford Credit Breach Makes case for Ensuring Partners' Security
22 May 2002 Indiana State University Student Info Exposed
24 May 2002 OMB Site Will Contain Agency Architectures
23 & 24 May 2002 State CIOs Will Offer Guidance on Homeland Security
23 May 2002 Windows Debugger Bug
23 May 2002 Microsoft Security Chief Speaks Out On GovNet
23 May 2002 Paucity Of PDA Protection Policies
23 May 2002 Bloomberg Cyber Extortionists Extradited
23 May 2002 Government Uses Open Source Products Despite Microsoft's Protests
23 May 2002 SJC Approves $10 Million for National Cybersecurity Defense Team
22 May 2002 Senate Committee Approves Dept. of Homeland Security Bill
21 & 27 May 2002 Cybersecurity Research and Development Act Gets Committee Approval; Software Industry Lobby Opposes Configuration Standards
23 May 2002 UK Cyber Law Under Review
22 May 2002 Virus Exhibit
15 May 2002 Museum Takes Down Hacking Piece
22 May 2002 Biometrics Fizzle
21 May 2002 State Dept. Klez Incident Exposes Mailing List Flaw
21 May 2002 Anonymizer Offers Free Service to Bug Finders
21 May 2002 DoD Smart Cards
21 May 2002 Wireless Voting Devices Not Very Secure
20 May 2002 Date Set for ElcomSoft DMCA Trial
20 May 2002 Telecoms, Secure Thyselves
TOP OF THE NEWS
25 May 2002 CA State Personnel Database Security Breach
Hackers breached security at California's state personnel database and were able to see names, social security numbers and payroll information about all 265,000 state workers. The intrusion took place on April 5, though it was not detected until May 7.
-http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2002/05/25/MN179392.DTL
[Editor's (Schultz) Note: If you go to the URL for this news item, you'll read a statement by Steve Maviglio, spokesperson for the California governor's office, which essentially says "our security is not that bad and besides, this kind of thing happens all the time." The governor's office should instead take responsibility for what happened and then investigate ways to improve security instead of simply glossing it over. ]
24 & 27 May 2002 Klez Tops the List
Klez has passed SirCam to top the charts at anti-virus companies, and a shockingly high percentage of emails (1 in 300) carries it. Klez generates extra e-mail traffic due to anti-virus filters that warn senders they have sent along an infected e-mail; because Klez spoofs return addresses, the people getting the warnings are not those whose computers sent out the worm.
-http://www.wired.com/news/technology/0,1282,52765,00.html
-http://www.cnn.com/2002/TECH/05/27/virus.klezh/index.html
-http://www.theregister.co.uk/content/55/25461.html
[Editor's (Murray) note: In addition to being pervasive, this is persistent and resistant to attempts to stop the messages based on spoofed return addresses. ]
23 May 2002 Qwest Customer Data Exposed
Personal information belonging to Qwest long-distance customers who have chosen the paperless billing option was exposed on the Internet for at least a week. The company's on line bill paying system stopped checking passwords and allowed anyone entering a valid userid to gain access to account information. Exposed data includes names, addresses and credit card information.
-http://online.securityfocus.com/news/431
[Editor's (Murray) Note: Implementing user identification and authentication is not trivial. With everyone implementing and operating their own, these kinds of errors are inevitable. While they represent an exposure to the institution, most of us will accept our share of the resultant risk. ]
21 & 22 May 2002 SQLSnake Worm
Machines running Microsoft's SQL Server software version 7.0 (and other applications with run-time versions of SQL Server) could be vulnerable to a JavaScript worm called SQLSnake (also known as Spida.a.worm and DoubleTap) if their administrative accounts are not protected by passwords. SQLSnake sends password files from the registry on the infected server to an e-mail account and then scans for other vulnerable servers to infect. Analysts became aware of the worm after noticing a spike in port 1433 scans.
-http://www.incidents.org/diary/diary.php?id=156
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,71353,00.html
-http://zdnet.com.com/2100-1105-920614.html
-http://www.theregister.co.uk/content/55/25392.html
THE REST OF THE WEEK'S NEWS
24 May 2002 Report Warns of Chinese Hacking Threat
A report from the US Army War College's Institute for Strategic Studies warns that Chinese students may be planning to launch cyber attacks, including defacements and virus-spreading, this summer. Chinese hackers have rallied their forces before in reaction to the NATO bombing of the Chinese embassy in Belgrade.
-http://www.vnunet.com/News/1132068
24 & 27 May 2002 New Worms Could Wreak Havoc
Research suggests that new developments in worm writing could produce "uberworms." Among the possibilities are worms capable of compromising 10 million hosts, and worms that spread with alarming rapidity. The authors of the paper argue for the creation of a cyber equivalent of the Centers for Disease Control and Prevention.
-http://www.vnunet.com/News/1132084
-http://www.theregister.co.uk/content/55/25453.html
[Editor's (Schultz) Note: The term "uberworm" is catchy, but I wonder whether the authors of the paper cited here are acting responsibly. What they are in effect doing is "raising the bar" for worm writers. (Murray) While there is interesting arithmetic in this work, it is not sufficient to justify otherwise gratuitous speculation in doomsday scenarios. (Paller) I disagree, Bill. The paper's analyses (found at http://www.icir.org/vern/papers/cdc-usenix-sec02/index.html) parallel and extend less formal research completed last Fall, when Nimda's rate of propagation exceeded what we had seen before. The paper also offers a sensible set of tasks for a formal Center chartered to deal with these worms: identifying outbreaks, rapidly analyzing pathogens, fighting infections, anticipating new vectors, proactively devising detectors for new vectors, resisting future threats. CERT/CC, Incidents.Org's Storm Center, SANS, and other security folks are continuously working with government agencies to meet these goals, but more help would most definitely be appreciated and would add real value. ]
24 May 2002 Ford Credit Breach Makes case for Ensuring Partners' Security
The fact that thieves stole an authorization code from Ford Motor Credit to obtain credit reports on 13,000 individuals underscores the importance of making sure business partners are employing good security practices. Suggestions include requiring audits and vulnerability assessments of partners' systems, and making sure that external log-ins are disabled by default. The cost of (employing) the measures is a more palatable alternative than failing to have exercised "due diligence."
-http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,71459,00.html
22 May 2002 Indiana State University Student Info Exposed
Indiana State University inadvertently posted the names and social security numbers of 10,000 of its students on line. The information has been removed, but had been available for about two weeks. The University has apologized and notified the affected students.
-http://www.usatoday.com/life/cyber/tech/2002/05/22/isu-snafu.htm
24 May 2002 OMB Site Will Contain Agency Architectures
The Office of Management and Budget (OMB) is working to put the Enterprise Architecture Management System on line by the end of June. The web site will hold agency system architecture plans, possibly including security architectures, and will be accessible to vendors and government officials.
-http://www.gcn.com/vol1_no1/daily-updates/18777-1.html
23 & 24 May 2002 State CIOs Will Offer Guidance on Homeland Security
The CIO of the Office of Homeland Security, Steve Cooper, has asked the National Association of State CIOs to help develop the technology component of homeland security strategy.
-http://www.govexec.com/dailyfed/0502/052402td1.htm
-http://www.fcw.com/geb/articles/2002/0520/web-nascio-05-24-02.asp
23 May 2002 Windows Debugger Bug
A flaw in the debugging tools for Windows NT and 2000 could allow an attacker to take control of systems. In order to exploit the vulnerability, an attacker would need to be able to log into the system with privileges that allow him or her to execute code.
-http://zdnet.com.com/2100-1104-921107.html
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,71407,00.html
-http://www.theregister.co.uk/content/55/25407.html
-http://www.microsoft.com/technet/security/bulletin/MS02-024.asp
[Editor's (Murray) Note: This vulnerability might permit a legitimate user who knows about it to expand his privileges. Most legitimate users are fully privileged in any case. ]
23 May 2002 Microsoft Security Chief Speaks Out On GovNet
Microsoft's new chief of security Scott Charney expressed a need to balance security and effectiveness for GovNet, the proposed closed federal network. Charney suggests that government resources might be better spent on long term R & D for security and on educating people about computer security. The government should also act as a role model in purchasing, choosing only those products which provide good security.
-http://www.govexec.com/dailyfed/0502/052302td1.htm
23 May 2002 Paucity Of PDA Protection Policies
According to a recent survey, two out of three companies do not have policies regarding personal digital assistants (PDAs). 25% of corporate PDA users don't protect their devices with passwords, and more than 70% don't use encryption.
-http://www.vnunet.com/News/1132042
23 May 2002 Bloomberg Cyber Extortionists Extradited
Two men from Kazakhstan have been extradited to the US to face charges for allegedly breaking into a Bloomberg L.P. company database and attempting to extort $200,000 in return for information about how they breached security. The two face charges that could put them in prison for up to 28 years.
-http://www.newsbytes.com/news/02/176742.html
23 May 2002 Government Uses Open Source Products Despite Microsoft's Protests
Though Microsoft has been pressuring the Pentagon to use its products, a study conducted by Mitre Corp. for the Department of Defense says that open source software is often more secure than proprietary products. Microsoft has also complained about the government's funding of research to secure open source software.
-http://www.washingtonpost.com/wp-dyn/articles/A60050-2002May22.html
23 May 2002 SJC Approves $10 Million for National Cybersecurity Defense Team
The Senate Judiciary Committee approved a bill (S.1989) that allocates $10 million for the National Cybersecurity Defense Team. The group's responsibilities include identifying Internet vulnerabilities and recommending ameliorative measures.
-http://www.govexec.com/dailyfed/0502/052302njns2.htm
22 May 2002 Senate Committee Approves Dept. of Homeland Security Bill
The Senate Governmental Affairs Committee voted 7-3 on a bill that would incorporate a number of agencies into the Department of National Homeland Security. Members of the committee who opposed the bill expressed concerns that no matter how many agencies are incorporated into the new cabinet-level department, other agencies and departments will still be a part of homeland defense.
-http://www.govexec.com/dailyfed/0502/052202td1.htm
21 & 27 May 2002 Cybersecurity Research and Development Act Gets Committee Approval; Software Industry Lobby Opposes Configuration Standards
The Senate Commerce, Science and Transportation Committee approved the Cyber Security Research and Development Act (S. 2182) which allocates $900 million for cyber security research, training, education and grants. The bill would also establish the Office of Information Security Programs at the National Institute of Standards and Technology (NIST) and would have NIST create benchmarks for "a baseline minimum security configuration" for government departments and agencies. The bill's sponsors will work with private industry groups who are opposed to the idea of standards.
-http://news.com.com/2100-1023-919377.html
-http://www.fcw.com/fcw/articles/2002/0520/web-cyber-05-21-02.asp
-http://www.govexec.com/dailyfed/0502/052102njns2.htm
-http://www.fcw.com/fcw/articles/2002/0527/pol-nist-05-27-02.asp
[Editor's (Paller) Note: Next time a major software company sales person calls on your company or agency, ask him or her why his marketing department is paying big bucks to lobby against the use of safe configurations (the settings that keep those systems from being taken over by worms and other automated attacks) in federal agencies. The software companies' own security departments require all their users to comply with minimum configuration standards, because there is no other antidote to worms. They should be applauding the senate's efforts to enable the government to lead by example. What are the software company executives thinking? ]
23 May 2002 UK Cyber Law Under Review
UK government officials are reviewing the Computer Misuse Act, which was enacted before the advent of the Internet. Specifically, there are concerns that the law's provisions do not make it easy enough to prosecute people who launch denial of service attacks.
-http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8181
22 May 2002 Virus Exhibit
The Museum for Applied Art in Frankfurt, Germany has opened an exhibit on the aesthetics of computer viruses, presenting the virus code as a form of modern art. The displays are mostly on PCs, iMacs and Sun Ray Linux workstations.
-http://www.wired.com/news/culture/0,1284,52687,00.html
15 May 2002 Museum Takes Down Hacking Piece
A piece in the Open Source Art Hack show at the New Museum of Contemporary Art in New York was taken down because it was scanning sites for vulnerabilities; the museum's ISP does not allow that kind of activity.
-http://www.wired.com/news/culture/0,1284,52546,00.html
22 May 2002 Biometrics Fizzle
German technology magazine c't reviewed 11 biometric products and was able to fool many of them with replay attacks, reactivation of latent images and phony fingerprints. A face scanner was fooled by holding up a notebook computer running a video clip of an approved person.
-http://www.theregister.co.uk/content/55/25400.html
21 May 2002 State Dept. Klez Incident Exposes Mailing List Flaw
The State Department's recent experience with the Klez virus - several Klez-infected e-mail messages were sent in its name to a State Department-sponsored travel advisory mailing list - exposed a security problem with the mailing list itself. Apparently, the list's security settings had been changed to allow any e-mail message with the State Department's return address to be automatically distributed without being reviewed by the list's monitor. The list has been reconfigured to eliminate the problem.
-http://www.msnbc.com/news/754879.asp?0dm=L1EQT
21 May 2002 Anonymizer Offers Free Service to Bug Finders
Unlike other companies that don't want their security problems made public, Anonymizer president Lance Cottrell will offer three years of the company's service to anyone who finds security holes in the Internet privacy service.
-http://www.wired.com/news/technology/0,1282,52681,00.html
21 May 2002 DoD Smart Cards
The Air Force is using smart cards for entry at more than 100 Air Force bases and for computer access. The Department of Defense (DoD) plans to issue 4 million smart cards to enlisted forces and their families by the end of next year. The cards will contain photographs, digital certificates and encryption keys.
-http://www.gcn.com/vol1_no1/daily-updates/18719-1.html
[Editor's (Murray) Note: While not immune to forgery, these cards will be much more resistant than the IDs the government has used for the last fifty years. They will have the advantage that they can be reconciled both locally and remotely, manually and automatically. They can be used with a secret value in a strong authentication scheme. ]
21 May 2002 Wireless Voting Devices Not Very Secure
The wireless voting devices used at Vivendi's annual shareholders' meeting last month are easy to hijack; several devices are being inspected in the case of alleged vote tampering at that meeting.
-http://online.securityfocus.com/news/430
20 May 2002 Date Set for ElcomSoft DMCA Trial
A suit brought against Russian software company ElcomSoft for violating the 1998 Digital Millennium Copyright Act (DMCA) will begin August 26. ElcomSoft could face a fine of up to $500,000 if found guilty of selling software that circumvents copy restrictions in violation of the DMCA. It is the first case brought under the DMCA.
-http://www.siliconvalley.com/mld/siliconvalley/3303774.htm
20 May 2002 Telecoms, Secure Thyselves
Major telecommunications companies like Sprint and WorldCom are looking to get into managed security services. Some customers and security specialists say the companies should take a good look at their own security first. Many do not have protections against distributed denial of service (DDoS) attacks in place.
-http://www.eweek.com/article/0,3658,s=712&a=27096,00.asp
Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Eugene Schultz