SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IV - Issue #23
June 05, 2002
We received two remarkable notes this week.
The first came from Larry Lidz, Network Security Officer at the
University of Chicago. It provides from-the-trenches insight into the
only method available (to most users) to defend themselves against
fast-moving worms. I've included it at the end of this issue.
The second came from Randy Marchany, the security guru at Virginia
Tech. He writes, "All the smug Linux types (including me) can quit
smiling now.. ;) The Simile virus attacks both Windows and Linux
systems. Fortunately, this variant seems to be non-malignant.... for
now." (See the first story below.)
Most Newsbites subscribers will be mailed a new poster showing security
career tracks, satisfaction levels, and salary range information
for the principal security and audit jobs, based on the news survey.
Please verify your surface mail address (before June 10) using your
private url that you can get at http://www.sans.org/sansurl. We can
send it to you only if we have the correct surface mail address.
Alan
TOP OF THE NEWS
3 June 2002 Simile is Cross-Platform Virus
31 May 2002 Biometric Technologies Don't Stand Up to Testing
29 & 30 May 2002 Euro Parliament Passes Data Retention Directive
29 & 30 May 2002 Cyber Security Ranks Third on FBI's Top Ten List
23 May 2002 PKI Never Caught On
THE REST OF THE WEEK'S NEWS
31 May 2002 Three NEC Toshiba Employees Arrested for Hacking
31 May 2002 UK's Inland Revenue On-Line Filing System Taken Down Over Security Concerns
31 May 2002 Congressional Office Employs Iris Scanning
30 May 2002 Smiling Faces are Easier to Match
31 May 2002 Paper Says Open Source Software is Not Secure
30 May 2002 News Site Vulnerability Could be Used to Send Spam or Phony News Stories
30 May 2002 Tactical Database and Web Page Used in War
29 & 30 May 2002 Exchange 2000 Flaw
29 May 2002 California Will Hold Hearing on Employee Database Breach
29 May 2002 Carnivore Bites Off More Than It's Supposed to Chew
29 May 2002 Hacker Steals Data from TheNerds.net
29 May 2002 M-o-o-t Aims to Circumvent UK's RIP Encryption Key Requirement
29 May 2002 Macromedia JRun Buffer Overflow Vulnerability
29 May 2002 Congress Wants More Info from OMB on Agency Security Plans
28, 29 & 30 May 2002 Fidelity Data Exposed
28 May 2002 Excel Vulnerability
28 May 2002 Yahoo Offers Patch for Messenger Holes
28 May 2002 Credit Card Fraud On Line Museum May Be Too Explicit
27 May 2002 Cyber Attacks are Up In Australia
27 May 2002 FAA to Pilot Smart Card Program
27 May 2002 Homeland Security Generates Tech Proposals
******** Sponsored by Internet Security Systems **********************
Take 10% Off an Internet Security Systems Class!
Learn the nuances of WLAN security, and establish valid defensive
techniques for this increasingly popular protocol, from the ISS
X-Force. The course includes an anatomy of a wireless hack and live
demonstrations that examine all elements of wireless technology, such
as encryption and circumvention, emerging technologies, standards
and protocols.
Reserve your seat now by going to
http://www.iss.net/education/course_descriptions/new_classes/wireless_security.php
and mention this newsletter for your 10% discount.
**********************************************************************
TOP OF THE NEWS
3 June 2002 Simile is Cross-Platform Virus
The Simile virus infects Portable Executable (PE) and ELF files on both Windows and Linux operating systems. The virus does not carry a malicious payload, although infected files could display messages on certain dates.
-http://www.smh.com.au/articles/2002/06/03/1022982662974.html
-http://www.symantec.com/avcenter/venc/data/linux.simile.html
31 May 2002 Biometric Technologies Don't Stand Up to Testing
A number of recent tests of biometric security technologies have underscored their weaknesses. A pilot face recognition system at Palm Beach (FL) International Airport had an accuracy rate of less than 50%; airport authorities decided against making the technology a part of their security procedure. A German technology magazine's tests of facial recognition systems and fingerprint readers showed the technologies were easily fooled. And finally, a Japanese engineering professor demonstrated techniques to create phony fingerprints that fool fingerprint readers.
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_2016000/2016788.stm
[Editor's (Murray) Note: Biometric systems are not as good as one might hope. They are fundamentally vulnerable to forgery and replay attacks. However, they are a very useful second or third form of evidence in strong authentication schemes. ]
29 & 30 May 2002 Euro Parliament Passes Data Retention Directive
The European Parliament has passed the Communications Data Protection Directive under which member countries could make telecommunications companies retain customers' data records available for perusal by law enforcement. The directive now goes before member countries for approval. Civil liberties groups oppose the legislation.
-http://www.wired.com/news/politics/0,1283,52829,00.html
-http://www.wired.com/news/politics/0,1283,52882,00.html
29 & 30 May 2002 Cyber Security Ranks Third on FBI's Top Ten List
FBI Director Robert Mueller has placed cyber security third on the agency's top ten list of agency priorities, behind terrorism and espionage. Mueller remarked that the FBI's technology is "years behind" what it should be, and said he plans to upgrade technology, educate employees and recruit IT specialists. He also hopes to be more connected to the rest of the government.
-http://zdnet.com.com/2100-1105-927933.html
-http://www.gcn.com/vol1_no1/daily-updates/18800-1.html
-http://www.wired.com/news/politics/0,1283,52853,00.html
-http://www.computerworld.com/securitytopics/security/story/0,10801,71533,00.html
23 May 2002 PKI Never Caught On
Calling PKI (Public Key Infrastructure) "terminally promising," the author enumerates the reasons the technology hasn't caught on. Vendors never established standards, which made interoperability a big problem. They also required a lot of money up front, which was fine until security budgets started getting tighter. One company that saw their PKI business drop to nothing has refocused their energy on smaller projects.
-http://www2.cio.com/research/security/edit/a05232002.html
[Editor's (Schultz) Note: The fact that the PKI movement is essentially dead should come as no surprise. The more interesting question now is what will rise out of the proverbial rubble of PKI's ruins to replace it and when. Whoever provides a good alternative solution has a lot to gain. (Murray): Infrastructure has scale; e.g., application, system, network, enterprise, cross-enterprise, industry, national, and global. We design it top-down but we implement it bottoms up, one application at a time. We are doing successful applications but it is naive to believe that we will build the national or global infrastructure in less time than it took us to build the phone system, the highway system, or the internet. ]
********************* Sponsored Link *********************************
NEUTRALIZE perimeter attacks and stop false alarms. FREE whitepaper
shows you how! http://www.sans.org/cgi-bin/sanspromo/NB40
**********************************************************************
THE REST OF THE WEEK'S NEWS
31 May 2002 Three NEC Toshiba Employees Arrested for Hacking
Three employees of Japan's NEC Toshiba Space Systems Co. have been arrested for allegedly hacking into a computer at Japan's National Space Development Agency (NASDA), and accessing a competitor's designs for a high-speed Internet satellite antenna. The breach took place in December 2001 but was not discovered until February 2002, when one of the employees bragged about the exploit to an e-mail list. His company was banned from bidding for NASDA contracts for one month.
-http://www.cnn.com/2002/TECH/internet/05/31/japan.space.hackers.ap/index.html
31 May 2002 UK's Inland Revenue On-Line Filing System Taken Down Over Security Concerns
The UK's Inland Revenue (IR) has taken down its on-line tax filing system after people complained that they could view others' tax documents. An Ernst & Young review of the IR's on-line system two years ago revealed some security concerns.
-http://www.theregister.co.uk/content/23/25522.html
-http://www.idg.net/ic_869764_1794_9-10000.html
31 May 2002 Congressional Office Employs Iris Scanning
The Office of Legislative Counsel for the House of Representatives has begun using iris-scanning technology to authenticate users for access to confidential files and working documents. The office is the first on Capitol Hill to employ biometric technology for this purpose.
-http://www.fcw.com/fcw/articles/2002/0527/web-house-05-31-02.asp
30 May 2002 Smiling Faces are Easier to Match
Facial recognition systems have an easier time matching smiling or grimacing faces than they do expressionless mugshots, according to research conducted by University of Maryland professors.
-http://www.smh.com.au/articles/2002/05/30/1022569804486.html
31 May 2002 Paper Says Open Source Software is Not Secure
A white paper from the Alexis De Tocqueville Institution maintains that open source software opens the door for attacks and warns the government not to use it for matters of national security.
-http://zdnet.com.com/2100-1104-929669.html
[Editor's (Schultz) Note: Hopefully this "think tank" has in intellectual fairness also considered the reason for the presence of an unparalleled number of security-related bugs over the years in the highly proprietary Microsoft product line! ]
30 May 2002 News Site Vulnerability Could be Used to Send Spam or Phony News Stories
Hackers could potentially use the "e-mail a friend" function found on some news sites to send spam or even send phony news stories. By examining the source code to the pages created when someone e-mails an article to a friend, people could find out how to send e-mail through the news sites' servers.
-http://online.securityfocus.com/news/454
30 May 2002 Tactical Database and Web Page Used in War
American commanders at Bagram airbase in Afghanistan and in the United States are using the Tactical Web Page and underlying database to communicate and make military decisions. The site is used to transmit field information and orders, and is protected with intrusion detection systems and firewalls.
-http://www.cnn.com/2002/TECH/internet/05/30/afghan.war.web.page.ap/index.html
29 & 30 May 2002 Exchange 2000 Flaw
Microsoft has issued an alert and a patch for a security flaw in its Exchange 2000 e-mail server software that could be exploited to completely consume processor resources, resulting in a denial-of-service attack. When Exchange 2000 receives e-mail with certain malformed attributes, it moves the message to the Exchange 2000 Store Service and waits for it to be processed. The problem cannot be addressed by rebooting the server or restarting the service. Exploiting the flaw requires knowledge of SMTP.
-http://news.com.com/2100-1001-928055.html
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,71532,00.html
alert:
-http://www.microsoft.com/technet/security/bulletin/ms02-025.asp
patch:
-http://www.microsoft.com/Downloads/Release.asp?Releaseclass=38951
29 May 2002 California Will Hold Hearing on Employee Database Breach
California senators will hold a hearing to investigate the security breach that compromised the personal data of 260,000 state workers. Specifically, the group wants to know how an attack that took place on April 5 was not detected until May 7, and why workers were not notified that their information had been breached until two weeks after that.
-http://www.cnn.com/2002/TECH/internet/05/29/california.hackers.ap/index.html
29 May 2002 Carnivore Bites Off More Than It's Supposed to Chew
FBI documents obtained under the Freedom of Information Act (FOIA) indicate that the agency's Carnivore Internet monitoring system snared messages from people not under investigation. When Carnivore was used in 2000 to investigate communications among members of Osama bin Laden's terrorist network, the FBI e-mail surveillance software captured other unrelated messages. The technician reportedly destroyed all the captured messages because capturing the messages unrelated to the court order violated federal wiretap laws. An FBI spokesman says the messages were not destroyed but were put under seal.
-http://zdnet.com.com/2100-1105-927416.html
-http://www.fcw.com/fcw/articles/2002/0527/web-carn-05-29-02.asp
-http://www.washingtonpost.com/wp-dyn/articles/A24213-2002May28.html
-http://www.wired.com/news/politics/0,1283,52842,00.html
brief history of Carnivore:
-http://www.washingtonpost.com/wp-dyn/articles/A32344-2002May30.html
29 May 2002 Hacker Steals Data from TheNerds.net
A hacker/extortionist breached security at the on-line electronics store TheNerds.net, making off with customer credit card information. The thief sent e-mails to some of the affected customers; TheNerds.net is notifying all its customers that their personal data may have been compromised. The hacker allegedly broke into the site through an SQL server. The company will not meet any extortion demand and is working with the FBI and the Secret Service on the case. Someone using the same hacker handle broke into three other websites over the past eight months, and has demanded up to $50,000 to keep quiet about the breach.
-http://news.com.com/2100-1017-928085.html
-http://www.msnbc.com/news/759029.asp?0dm=T23AT
29 May 2002 M-o-o-t Aims to Circumvent UK's RIP Encryption Key Requirement
An open source cryptography project called m-o-o-t is designed to undermine a UK law called the Regulation of Investigatory Powers Act that would require people to surrender encryption keys to law enforcement officials upon demand. M-o-o-t stores keys and data overseas, out of national jurisdiction, and the keys expire after each use.
-http://www.theregister.co.uk/content/55/25499.html
29 May 2002 Macromedia JRun Buffer Overflow Vulnerability
According to a CERT warning, a buffer overflow vulnerability in Macromedia's JRun 3.0 and 3.1 could allow an attacker to run code with system privileges. Users are encouraged to apply a patch or upgrade to JRun 4.
-http://www.cert.org/advisories/CA-2002-14.html
-http://www.idg.net/ic_868503_1794_9-10000.html
Patch:
-http://www.macromedia.com/v1/Handlers/index.cfm?class=22273&Method=Full#download
JRun 4:
-http://www.macromedia.com/software/jrun/
29 May 2002 Congress Wants More Info from OMB on Agency Security Plans
In accordance with the Government Information Security Reform Act (GISRA), the Office of Management and Budget (OMB) received computer security reports from government agencies and reported the results to Congress earlier this year. While the OMB was able to describe the agencies' security strengths and weaknesses, it did not tell Congress how the agencies plan to address security shortcomings. Without that information, it will be hard to make funding decisions.
-http://www.govexec.com/dailyfed/0502/052902m1.htm
28, 29 & 30 May 2002 Fidelity Data Exposed
Ian Allen, a professor of computer science at Algonquin College in Ottawa, found that by altering digits in the URL of his Fidelity Mutual Fund report, he was able to view others' reports. He was able to view names and account numbers, but could not alter the data or make trades. Fidelity removed the link after Professor Allen informed them of the vulnerability. Logs show that no one else accessed others' data, and the company has offered the affected customers new passwords. The flaw affected only Canadian account holders.
-http://www.nationalpost.com/financialpost/cadbusiness/story.html?f=/stories/20020528/362795.html
-http://www.msnbc.com/news/758979.asp?0dm=C25AT
-http://www.computerworld.com/managementtopics/management/financial/story/0,10801,71545,00.html
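The Fidelity flaw is a missing object-level authorization check: the report number in the URL selects the record, and nothing ties that record to the customer who is logged in. The following is an added example, not Fidelity's code, showing the vulnerable pattern beside a handler that checks ownership; the user names, account numbers and report ids are constructed for the illustration.

```python
# Added illustration (not Fidelity's code): a report handler that trusts
# the id in the URL, beside one that checks the record belongs to the
# logged-in customer. All users, account numbers and ids are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    report_id: int
    owner: str        # login name of the account holder
    account_no: str   # what an unauthorized viewer would see
    body: str


# Constructed in-memory store standing in for the report back end.
REPORTS = {
    10041: Report(10041, "iallen", "CA-0001", "Holdings statement for iallen"),
    10042: Report(10042, "jdoe", "CA-0002", "Holdings statement for jdoe"),
}


class Forbidden(Exception):
    """Raised when the request may not see the requested report."""


def vulnerable_get_report(session_user: str, report_id: int) -> Report:
    """The flawed pattern: the session only proves *someone* is logged in,
    and the record is fetched by the id taken straight from the URL.
    Changing 10041 to 10042 in the URL returns another customer's report."""
    if not session_user:
        raise Forbidden("not logged in")
    return REPORTS[report_id]


def hardened_get_report(session_user: str, report_id: int) -> Report:
    """Object-level check: the record is returned only if the logged-in
    user owns it. A missing id and someone else's id get the same error,
    so the response does not confirm which ids exist."""
    if not session_user:
        raise Forbidden("not logged in")
    report = REPORTS.get(report_id)
    if report is None or report.owner != session_user:
        raise Forbidden("no such report for this user")
    return report


def probe(handler, session_user: str, report_id: int) -> str:
    """Summarize what a handler would disclose for a given request."""
    try:
        return handler(session_user, report_id).account_no
    except Forbidden:
        return "denied"


if __name__ == "__main__":
    # iallen's own report is served by both handlers...
    print(probe(vulnerable_get_report, "iallen", 10041))  # CA-0001
    print(probe(hardened_get_report, "iallen", 10041))    # CA-0001
    # ...but only the hardened one refuses a neighbouring id.
    print(probe(vulnerable_get_report, "iallen", 10042))  # CA-0002 (leak)
    print(probe(hardened_get_report, "iallen", 10042))    # denied
```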
28 May 2002 Excel Vulnerability
Georgi Guninski has found a security hole in Windows XP Excel. If users of the application view spreadsheets with an XML stylesheet that contains code, the computer will try to run that code.
-http://zdnet.com.com/2100-1104-923263.html
28 May 2002 Yahoo Offers Patch for Messenger Holes
Attackers could exploit a buffer overflow vulnerability in Yahoo Messenger to execute malicious code on a vulnerable computer; they could also use Java or VBS to change or create new content tabs and alter Messenger settings. Yahoo has updated version 5.0 of its Messenger service after learning of the problems.
-http://www.vnunet.com/News/1132167
-http://www.idg.net/ic_868065_1794_9-10000.html
-http://news.com.com/2100-1023-923638.html
28 May 2002 Credit Card Fraud On Line Museum May Be Too Explicit
An on-line credit card fraud museum is drawing criticism because some feel its exhibits essentially provide an instructional manual for would-be card hackers. Exhibits include software used to create phony credit cards and information on finding and compromising vulnerable web sites. The proprietor reportedly charges a $30 initiation fee and $10 a month to view the site; he is the man who, in April, allegedly planted phony credit card numbers on the Internet and offered links to those sites in chat rooms to see how fast the news would spread.
-http://www.businessweek.com/technology/content/may2002/tc20020528_8754.htm
27 May 2002 Cyber Attacks are Up In Australia
The incidence of cyber crime, including data and network sabotage and virus infections, is higher per capita in Australia than in the US, according to a survey funded by the New South Wales Police, the Australian Computer Emergency Response Team and Deloitte & Touche. 67% of Australian companies have been hacked, 7% more than in the US.
-http://www.vnunet.com/News/1132138
27 May 2002 FAA to Pilot Smart Card Program
The Federal Aviation Administration (FAA) plans to issue smart cards to its employees in a pilot program for the Transportation Department (DOT). The cards will be used to access both facilities and computers. The FAA will put out a request for proposals shortly. If the program is successful, smart cards may be implemented throughout the DOT.
-http://www.fcw.com/fcw/articles/2002/0527/news-faa-05-27-02.asp
27 May 2002 Homeland Security Generates Tech Proposals
Money available for homeland security projects has brought forth a veritable smorgasbord of technologies from companies hoping to cash in, including biometric cards, body scanners, and proposals for security procedures, including the creation of a database of travel records. Some fear that the proposed technologies and procedures could violate people's privacy.
-http://www.siliconvalley.com/mld/siliconvalley/3349627.htm
The Bush administration says it plans to carefully evaluate proposed homeland security technologies to ensure they do not impinge upon citizens' privacy and civil liberties.
-http://www.washingtonpost.com/wp-dyn/articles/A29017-2002May29.html
Larry Lidz describes how the University of Chicago protects its users against worms.
"Before a major attack there are often small, subtle ones while the attackers try out their methods for carrying out the larger attack. The University of Chicago has about 25,000 people on its network and about 13,000 computers. We are currently averaging about one compromised machine a day (it has been higher than normal recently). We have tons of machines that run MS-SQL, and even more that run the MS Data Engine. Some of these machines are run by vendors, who don't password the 'sa' account. Many of these machines are control machines for scientific equipment which do not work if there is a password on the 'sa' account.
However, when the SQL Snake worm was released we had zero machines infected. This wasn't because of a technical solution -- we have no firewall, no large defensive borders. We were able to stay off the worm by successfully noting an early indicator. In particular, a few months back there was a lesser known worm called CBlade. CBlade, like SQL Snake propagates via MS-SQL servers with no password on the 'sa' account. As a threat, however, it never took off. Why? Because the CBlade worm connected to a web site at the Philadelphia Museum of Art before propagating. The Art Museum took down the offending web site and CBlade was neutralized.
However, our policy allows us to immediately remove from the University's network any machine that is an immediate threat to the network. This includes any machine that is vulnerable to a worm. We recognized that, while the CBlade worm was neutralized, a variant would be easy to write. The next one wouldn't always connect to a single web site, it would connect back to the infecting host. As such, we removed all MS-SQL (including MSDE) machines from the network if they didn't have an 'sa' password.
Writing a fast propagating, effective worm is not, currently, an easy thing to do. It is much more likely that someone will write one that isn't effective before the effective one is let loose. Watching for, and more importantly, acting upon, these early indicators is something that we as a community need to make sure is a priority. There's not a bug that's found that our group here doesn't ask ourselves how likely it will be to be used as a worm and what the largest potential damage from the bug is.
Thanks again, - -Larry
==end==
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites
Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Eugene Schultz