SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #25

June 19, 2002


If you are thinking about attending a security conference this
fall, a great choice is SANS Network Security 2002 in Washington
October 18-25 (http://www.sans.org/NS2002/). It's by far the largest
security training conference, and offers multi-day training programs
in everything from security basics to security management to hacker
exploits, from firewalls to intrusion detection, from auditing to
honeypots to forensics, plus a wealth of special networking and bonus
programs and an enormous exhibition. This year, all five branches
of the US military are co-hosting the National Information Assurance
Leadership Conference for their information security officers as an
integral part of SANS Network Security 2002. More intimate programs
are available in Boston, New York, Denver (http://www.sans/org) and
several other cities, but the Washington conference combines it all
in the major event of the year.


For those who cannot take the time away for a full week of classes,
SANS Mentor-Led Security Essentials training programs start in August
and early September in 40 cities from Calgary, CA to Mexico City.
The cities are listed, along with the mentors, at the end of this
issue.


Alan

TOP OF THE NEWS

17 June 2002 Push for Software Manufacturing Liability
14 & 16 June 2002 FoxNews.com Hit With Denial of Service Attacks
14 June 2002 Three Men Arrested for Cyber Extortion
12 & 13 June 2002 Four More Microsoft Holes and Patches
10 June 2002 Forcing Private Industry's Hand to Protect Critical Infrastructure

THE REST OF THE WEEK'S NEWS

17 June 2002 Dueling Apache Security Alerts
17 June 2002 Password Not Hidden from Earthlink Support Staff
17 June 2002 Scalpers Hack World Cup Reservation System
17 June 2002 eMap Site Defaced
14 June 2002 Korean Microsoft Developer Tool Carries Nimda-Infected File
14 June 2002 Best Buy Beefs Up Security and Uses Wireless LANs Again
10 June 2002 Companies Not Employing LAN Security
14 June 2002 Internet Piracy Ring Members Face Charges
14 June 2002 Austrian Teen Allegedly Broke Into Pentagon Sites
13 June 2002 Spy Plane Surveillance Photos Exposed
14 June 2002 Spanish Legislature to Vote on Data Retention Law
13 & 14 June 2002 Perrun Virus Infects JPEG Files
13 June 2002 Former Employee Allegedly Broke Into Boss's Computer Account
13 June 2002 Texas Library Suffers Computer Intrusion
12 June 2002 Gopher Hole Bigger Than Originally Thought
12 June 2002 A Model for Cyber Incident Cost Assessment
12 June 2002 KPNQwest Loses Data
12 June 2002 Phony Press Release Generates Increased Trading
10 June 2002 DoD Purchasing Bound by Common Criteria Standard
10 June 2002 Audit Finds Army Web Sites Display Sensitive Information
10 June 2002 Chief Information Security Officers Face Job Uncertainty
3 June 2002 Surreptitious Back Door Installations May be Related
1 June 2002 Disgruntled (Former) Employees Cause Problems



TOP OF THE NEWS

17 June 2002 Push for Software Manufacturing Liability

Support is growing for software companies to be held to the same liability standards as other manufacturing businesses. Microsoft, with its plethora of software holes and "deep pockets," is a likely target for a liability suit. Air Force CIO John Gilligan says patches and fixes for the Microsoft products the Air Force uses have cost more than the software itself.
-http://www.usatoday.com/life/cyber/tech/2002/06/17/microsoft-security.htm
[Editor's Note: In an interview in CIO Magazine this week, Presidential Cyber Security Advisor Richard A. Clarke says, "We're in favor of holding vendors accountable. When a product fails, the vendor has a responsibility to quickly identify a way of fixing it and getting that patch out, and the patch not only should fix the problem, it should not interact badly with other widely utilized applications. But we don't think it's terribly valuable to litigate such problems. We'd like to try to find solutions that are quicker than long, multiyear litigation." ]
-http://www.cio.com/archive/061502/safer.html

14 & 16 June 2002 FoxNews.com Hit With Denial of Service Attacks

Denial-of-service (DoS) attacks aimed at FoxNews.com began on Thursday, June 13 and continued until the site restored normal service the following evening. The attacks also affected ABCNews.com, weatherchannel.com and ESPN.com. Federal law enforcement officials have been notified and the incidents are under investigation.
-http://news.com.com/2100-1023-936084.html
-http://www.foxnews.com/story/0,2933,55380,00.html

14 June 2002 Three Men Arrested for Cyber Extortion

Three men have been arrested for extorting money from people who visited a child pornography web site. The men allegedly visited chat rooms and offered what appeared to be a link to a web site. When people clicked on it, they received an e-mail message that said "Going to Jail." The message said the group was going to report their activity to the police, but they would keep the information private for payment. If convicted of conspiracy and extortion through interstate commerce, the men could face sentences of up to seven years and fines of up to $500,000.
-http://www.usatoday.com/life/cyber/tech/2002/06/14/extortion-internet.htm
[Editor's (Schultz) Note: What next? This represents a new low as far as cybercrime goes. ]

12 & 13 June 2002 Four More Microsoft Holes and Patches

Microsoft issued advisories and patches for a quartet of security vulnerabilities. A buffer overflow vulnerability in the phone book of the Remote Access Service (RAS) of Windows NT, 2000 and XP could allow an attacker to gain control of the machine. A flaw in IIS 4.0 and 5.0 and a pair of holes in SQL Server 2000 could let an attacker run code on a targeted machine.
-http://www.wired.com/news/technology/0,1282,53173,00.html
-http://www.searchsecurity.com/originalContent/0,289142,sid14_gci832915,00.html
-http://www.usatoday.com/life/cyber/tech/2002/06/13/microsoft-flaw.htm
-http://zdnet.com.com/2100-1105-935563.html
-http://microsoft.com/technet/security/bulletin/MS02-029.asp
-http://microsoft.com/technet/security/bulletin/MS02-028.asp
-http://microsoft.com/technet/security/bulletin/MS02-030.asp

10 June 2002 Forcing Private Industry's Hand to Protect Critical Infrastructure

The Bush administration may consider using "unorthodox" tactics to encourage the private sector to bolster cyber security on the portions of the nation's critical infrastructure it controls. For instance, the administration has been discussing with the insurance industry the possibility of writing insurance policies only for those companies whose security meets certain standards.
-http://www.washingtonpost.com/wp-dyn/articles/A27682-2002Jun10.html



THE REST OF THE WEEK'S NEWS

17 June 2002 Dueling Apache Security Alerts

The Apache Server Project team and ISS issued competing security alerts for a denial-of-service vulnerability in Apache web servers. The Apache team claimed the ISS patch did not correct the problem.
-http://computerworld.com/securitytopics/security/story/0,10801,72074,00.html
[Editor's (Paller) Note: This story raises issues that several thoughtful members of the security community have been debating all day (Tuesday). Who is responsible for patching open source software? If a third party provides a source code patch, what can people who have embedded versions (without source) do to protect themselves? If a flaw in open source code is discovered by a third party, should it be shared with the entire open source project team? Is the whole team trustworthy? Is there any way to tell? Does it matter? I am not requesting answers, just sharing with you the questions being raised. ]

17 June 2002 Password Not Hidden from Earthlink Support Staff

Earthlink grants its support staff complete access to customer passwords. While this approach may help with the common problem of forgotten passwords, unethical employees could abuse the privilege. Other ISPs' help staff do not have access to passwords; instead, they issue temporary new passwords over the phone and instruct customers to change them as soon as possible.
-http://www.wired.com/news/privacy/0,1848,53208,00.html
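The practice the other ISPs follow, shown as an added example (this is not Earthlink's or any ISP's code): a credential store in which support staff can reset a customer's password but never read it. Only a salted PBKDF2 digest is kept, a support-desk reset produces a random temporary password that is returned exactly once and flagged must-change, and the customer clears that flag by proving the temporary password and choosing a new one. The class and method names, the PBKDF2 work factor and the sample account are assumptions made for this example.

```python
"""Credential store in which support staff can reset, but never read,
a customer's password. Added example; names and parameters are assumptions."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Assumption for the example: PBKDF2-HMAC-SHA256 with a fixed work factor.
PBKDF2_ITERATIONS = 100_000
_DUMMY_SALT = b"\x00" * 16


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    must_change: bool = False   # set after a support-desk reset


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordStore:
    def __init__(self):
        self._creds = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[user] = Credential(salt, _derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        cred = self._creds.get(user)
        if cred is None:
            _derive(password, _DUMMY_SALT)  # same cost for unknown users
            return False
        return hmac.compare_digest(cred.digest, _derive(password, cred.salt))

    def issue_temporary_password(self, user: str) -> str:
        """Support-desk path: a random temporary password replaces the old one
        and is returned exactly once, to be read to the customer. Only its
        digest is stored, so nothing in the database reveals it afterwards."""
        temp = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self._creds[user] = Credential(salt, _derive(temp, salt), must_change=True)
        return temp

    def change_password(self, user: str, current: str, new: str) -> bool:
        """Customer path: proves knowledge of the current (or temporary)
        password, then stores the new one and clears the must-change flag."""
        if not self.verify(user, current):
            return False
        self.set_password(user, new)
        return True

    def must_change(self, user: str) -> bool:
        return self._creds[user].must_change

    def stored_record_contains(self, user: str, password: str) -> bool:
        """What a staff member with raw database access could see: salt and
        digest. Returns True only if the plaintext appears in the record."""
        cred = self._creds[user]
        return password.encode("utf-8") in (cred.salt + cred.digest)


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("customer1", "correct horse battery")
    temp = store.issue_temporary_password("customer1")
    print("temporary password read to customer:", temp)
    print("old password still works:", store.verify("customer1", "correct horse battery"))
    print("must change on next login:", store.must_change("customer1"))
```

The point of the design is that the support desk's only privilege is to invalidate the current credential and create a fresh one; the plaintext never exists anywhere a staff member can later look it up.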

17 June 2002 Scalpers Hack World Cup Reservation System

Scalpers are hacking the World Cup soccer tournament phone reservation system to place themselves at the front of the virtual line for tickets to the matches; they are asking up to 150,000 yen (US$1200) for the tickets.
-http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8341

17 June 2002 eMap Site Defaced

Hackers exploited a hole in Microsoft IIS 4.0 server to deface www.emap.co.il, an Israeli mapping company web site.
[Editor's (Murray) Note: The (only) interesting thing about this defacement is that it is the third time that it has happened to the same site. Security is difficult but this abuses the excuse. ]

14 June 2002 Korean Microsoft Developer Tool Carries Nimda-Infected File

About 50,000 copies of Microsoft's Korean language version of Visual Studio .Net carried a Nimda-infected file; it sneaked in when a third party company was translating the help system into Korean. Though MS usually scans all files in its software that come from a third party, this time it scanned only files on a certain list; because it was not expecting the file infected with Nimda to be there, that file wasn't scanned. In order to run, the file would need to be decompiled and moved. Microsoft has notified all its affected customers and has posted a patch for the problem on its website. It will send replacement CDs to all registered customers, and is trying to contact people who may have bought the software but not registered it.
-http://www.msnbc.com/news/766054.asp?0dm=T21FT
-http://www.computerworld.com/securitytopics/security/virus/story/0,10801,72021,00.html
-http://zdnet.com.com/2100-1105-935998.html

14 June 2002 Best Buy Beefs Up Security and Uses Wireless LANs Again

Best Buy has again started using wireless LAN cash registers; the company had stopped using them about a month ago when it learned that its networks were not secure and could be tapped into by anyone with some relatively inexpensive hardware and the desire. The company says it has improved the security of its wireless LAN systems, but would not give details. Shortly after the Best Buy announcement, a posting appeared on SecurityFocus.com's vuln-dev list: a war driver claims he was again able to sniff Best Buy's wireless LANs.
-http://www.computerworld.com/mobiletopics/mobile/story/0,10801,72024,00.html

10 June 2002 Companies Not Employing LAN Security

Though there are security measures available for wireless LANs, many companies are not using them, leaving sensitive customer information open to "war drivers."
-http://wirelessnewsfactor.com/perl/story/18134.html

14 June 2002 Internet Piracy Ring Members Face Charges

Twenty-one people face charges for their roles in a piracy ring that dealt in software, computer games and movies. If found guilty of conspiracy to commit copyright infringement, the people could each face a five-year prison sentence and be required to pay a fine of up to $250,000.
-http://www.usatoday.com/life/cyber/tech/2002/06/14/piracy.htm

14 June 2002 Austrian Teen Allegedly Broke Into Pentagon Sites

Seventeen-year-old Markus Hirsch of Austria allegedly hacked his way into classified Pentagon sites, including one that contains information about the location of multi-megaton warhead missile silos.
-http://www.thisislondon.com/dynamic/news/story.html?in_review_id=613066&in_review_text_id=582545

13 June 2002 Spy Plane Surveillance Photos Exposed

A UK man found that satellite television receivers can pick up unencrypted surveillance pictures transmitted by US spy planes flying over the Balkans. A more thorough analysis is provided in the second URL.
-http://www.newscientist.com/news/news.jsp?id=ns99992405
-http://story.news.yahoo.com/news?tmpl=story&cid=581&ncid=738&e=3&u=/nm/20020613/tc_nm/nato_surveillance_dc_7

14 June 2002 Spanish Legislature to Vote on Data Retention Law

The Spanish Senate will vote next week on a measure which would require Internet service providers (ISPs) to keep records of customers' Internet activities for one year; if passed, the legislation would bring the country's laws in compliance with a European Parliament directive aimed at foiling terrorist activity. Spanish ISP trade groups say the requirement would be expensive, and a lawyer says the legislation could run afoul of constitutional rights.
-http://www.wired.com/news/business/0,1367,53195,00.html

13 & 14 June 2002 Perrun Virus Infects JPEG Files

Perrun, a proof-of-concept virus that infects JPEG files, is being described as the first known virus to infect data files. Though it does not carry a malicious payload, anti-virus researchers are concerned that future incarnations could harbor destructive payloads.
-http://news.com.com/2100-1001-935746.html
-http://www.cnn.com/2002/TECH/internet/06/13/picture.virus.ap/index.html
-http://www.msnbc.com/news/766434.asp?0dm=C23FT
-http://online.securityfocus.com/news/482
[Editor's (Murray) Note: Before the content of the JPG can be executed, the target must also be infected with an interpreter or "helper." If one can get the interpreter installed, one does not need the JPG. (Schultz) Also, I do not believe that the claim in this one is correct. There have been true data viruses before. What appears to be new here is that there are viruses that purportedly infect image files. ]

13 June 2002 Former Employee Allegedly Broke Into Boss's Computer Account

Wendy Sholds has been charged with two counts of unauthorized access to a computer system. The Massachusetts woman allegedly broke into her former boss's computer and forwarded confidential e-mail to other employees. Sholds also allegedly used the boss's username and password to view private information on the company web site. The charges are currently designated misdemeanors and carry a 30-day sentence. Pending legislation would increase the penalties considerably.
-http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,71972,00.html

13 June 2002 Texas Library Suffers Computer Intrusion

Waco Police Department computer crimes section detectives are investigating a computer intrusion at the Waco-McLennan county library's automated card catalog and check-out system. The attack, which may have been launched as a means of accessing something else, took down the system, which isn't expected to be up for several days.
-http://www.wacotrib.com/auto/feed/news/2002/06/13/1024027108.08594.5903.1674.html

12 June 2002 Gopher Hole Bigger Than Originally Thought

Microsoft has issued a security alert about the buffer overflow vulnerability in the Gopher protocol handler in its Internet Explorer (IE) web browser. The vulnerability is more extensive than initially thought: it also exists on computers running IE 5.01, 5.5 and 6.0 and on servers running Proxy Server 2.0 and ISA Server 2000. Older versions may be vulnerable as well, but because they are no longer supported, Microsoft did not test them. In the case of the server software, attackers could gain complete control of the server, allowing for the creation of new accounts or the reformatting of hard drives. While a patch is not yet available, Microsoft recommends blocking access to TCP port 70 (the Gopher port). IE users need to block gopher access manually.
-http://zdnet.com.com/2100-1105-935363.html
Microsoft security bulletin:
-http://microsoft.com/technet/security/bulletin/MS02-027.asp

12 June 2002 A Model for Cyber Incident Cost Assessment

The Incident Cost Analysis Modeling Project (I-CAMP) is a multi-university project conducted in the 1990s; its aim is to provide a means for assessing the costs of cyber security incidents. The model involves determining who worked on the incident investigation, how many hours they spent investigating, who was unable to work because of the incident and for how long, and the costs associated with that lost time. The model does not take into account such factors as insurance deductibles and loss of revenue and reputation.
-http://online.securityfocus.com/infocus/1592

12 June 2002 KPNQwest Loses Data

KPNQwest's fiber optic service loses as much as 5% of the data it delivers, according to Matrix NetSystems. "Healthy" services will lose only 0.1% of their data.
-http://news.com.com/2100-1033-935456.html
[Editor's (Murray) Note: What is being measured and reported here is "dropped packets." They are a measure of the health and efficiency of the network. However, dropped packets do not result in data loss. The TCP/IP protocol is designed to tolerate dropped packets. ]

12 June 2002 Phony Press Release Generates Increased Trading

Internet Wire was tricked into publishing a phony press release about a small drug company because an employee did not follow authentication procedures. The false information increased the trading volume of the stock five-fold; it closed up almost 7%.
-http://www.usatoday.com/life/cyber/invest/2002/06/12/phony-release.htm

10 June 2002 DoD Purchasing Bound by Common Criteria Standard

National Security Telecommunications and Information Systems Security Policy 11 requires that, as of July 1, 2002, the Defense Department (DoD) purchase only those products that meet the Common Criteria standard. Integration and configuration are areas of concern because product evaluations are not made with those considerations in mind.
-http://www.fcw.com/fcw/articles/2002/0610/cov-lock-06-10-02.asp
[Editor's Note (Murray): The issue is not only whether or not a product "meets the Common Criteria" but also whether or not it has even been evaluated against the criteria. Most products are not. Evaluations are very expensive even for products that were developed with evaluation in mind. While it is assumed that evaluated products will be more secure than unevaluated ones, this is less than certain. (Grefer) Be careful what you ask for, you might get it. Evaluation/certification is quite expensive and narrows down the number of competitors. (Paller) It is difficult to prove, in practice, that products meeting the Common Criteria reliably provide greater security than those that do not. Unsafe configuration negates safe design. For the Common Criteria to meet the goal of improving DoD Internet security, it needs to be complemented with Common Configuration benchmarks like those being developed by NSA, NIST and the Center for Internet Security. ]

10 June 2002 Audit Finds Army Web Sites Display Sensitive Information

A Defense Department inspector general's audit found that many publicly accessible Army web sites contain information not intended for public viewing, including operation plans and documents labeled "For Official Use Only." Suggestions for amending the situation include conducting "periodic policy compliance reviews" and establishing a system to resolve any problems found.
-http://www.fcw.com/fcw/articles/2002/0610/web-army-06-10-02.asp

10 June 2002 Chief Information Security Officers Face Job Uncertainty

Many well-known CISOs have lost their jobs. Others are under increasing pressure to prove the value of their programs based on actual security improvements. Technical information security skills are becoming more important for security managers.
-http://www.computerworld.com/securitytopics/security/story/0,10801,71866,00.html

3 June 2002 Surreptitious Back Door Installations May be Related

In mid-May, several network security tools available on Monkey.org were contaminated with back doors nearly identical to the one covertly installed in an IRC chat client in March. Nearly 2,000 copies of the Dsniff, Fragroute and Fragrouter tools were downloaded before the problem came to light; affected users are being contacted. Authors of the tainted programs say they will employ new security measures.
-http://online.securityfocus.com/news/462
[Editor's (Murray) Note: Will people never learn that free toys from no-name sites are more likely than not to be contaminated? ]
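Two items in this issue share one lesson: the Korean Visual Studio .Net CDs shipped an infected file because only files on a pre-approved list were scanned, and the Monkey.org archives were altered after release without anyone noticing. Both are caught by the same control, shown here as an added example (not code from Microsoft, Monkey.org or the tool authors): hash every file in a release tree at release time, then re-verify a copy later and report anything modified, missing, or present but never on the manifest. The file names and contents are constructed for the demonstration, SHA-256 is my choice of digest, and the manifest is assumed to be kept or published through a channel separate from the files themselves so an attacker who can alter the files cannot also alter it.

```python
"""Release-tree manifest: hash everything at release time, re-verify later,
and report anything modified, missing, or not on the manifest at all.
Added example; file names and contents are constructed."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large archives are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest.
    Every file is hashed; there is no allowlist of 'expected' files."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare a tree against a manifest captured at release time.
    'unexpected' is the category an allowlist-only scan would have missed."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Constructed sample (not real files from either incident): a release
    tree, and a mirror of it with one file altered, one added, one removed."""
    with tempfile.TemporaryDirectory() as tmp:
        release = Path(tmp, "release")
        sample_files = {
            "configure": "#!/bin/sh\nexit 0\n",
            "src/main.c": "int main(void) { return 0; }\n",
            "help/index.htm": "<html>help</html>\n",
        }
        for rel, text in sample_files.items():
            target = release / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        manifest = build_manifest(release)

        mirror = Path(tmp, "mirror")
        shutil.copytree(release, mirror)
        # Backdoored build script: same name, same place, different bytes.
        (mirror / "configure").write_text("#!/bin/sh\nexit 0\n# added after release\n")
        # A file nobody planned for: a scan limited to a list would skip it.
        (mirror / "help" / "readme.eml").write_text("not on anyone's list\n")
        # A file that went missing from the copy.
        (mirror / "src" / "main.c").unlink()

        return {
            "release": verify_tree(release, manifest),
            "mirror": verify_tree(mirror, manifest),
        }


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Run against the pristine release the report is empty in all three categories; run against the mirror it names the altered script, the missing source file and the stray file that was never part of the release. A manifest only helps if the person verifying obtained it independently of the download, which is why the lead-in treats its distribution channel as an assumption rather than a detail.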

1 June 2002 Disgruntled (Former) Employees Cause Problems

A man planted a logic bomb in his company's computer system when he was demoted; it detonated months after he resigned, destroying part of the program supporting the sales force's handheld computers. The company went after the employee, and he has been sentenced to two years in prison and ordered to pay restitution of $200,000. Other companies are starting to step forward and prosecute saboteurs as well.
-http://www.cio.com/archive/060102/doom_content.html


==end==
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites
SANS Security Essentials - Mentor-Led Programs in 40 Cities
Combines self-paced on-line training with twenty hours of meetings with
your class and a mentor who has already achieved GSEC certification.
Save 20%
If you register by August 1, the tuition for this course is $2430.
For registration information, contact Scott Weil, sweil@sans.org.
Locations beginning in August and September:
Alaska Fairbanks, AK
Liam Forbes, University of Alaska at Fairbanks
Arizona Phoenix, AZ
Lois Lehman, Arizona State University
Arizona Tucson, AZ
Mike Fleming, National Optical Astronomy Observatory
California Pleasanton, CA
Potheri Mohan, SanDisk Corporation
California San Jose, CA
Michele Guel, Cisco (at San Jose State University)
California San Diego, CA
Mel Jackob, US Navy contractor
Colorado Denver, CO
Sanjeev Sood, AmerInfo, Inc.
Connecticut Hartford, CT
Tim Rogers, United Technologies Pratt & Whitney
Florida Tampa, FL
Corey Pincock, Network Knowledge Systems (NKS), Inc.
Illinois Chicago area, IL
Patrick Wengert, Discover Financial Services
Kansas Lenexa (Kansas City), KS
John Mallery, Clarence M. Kelly & Associates
Kentucky Lexington, KY
Christopher Hayden, Ashland, Inc.
Massachusetts Boston, MA
Christopher Spirito, EMC Corporation
Maryland Baltimore, MD
Ted Mina, Independent information security consultant
Maryland Gaithersburg, MD
Carolyn Rowland, National Institute of Standards and Technology
Michigan Grand Rapids, MI
Darrin Wassom, Spectrum Health
Minnesota Minneapolis, MN
Liz Stanton, Upstream Solutions, Inc.
Missouri Columbia, MO
Liviu Groza, University of Missouri Health Services
North Carolina Asheville, NC
Jim Hurst, Sonopress, Inc.
North Carolina Charlotte, NC
Chris Mahn, Duke Energy
North Carolina Research Triangle, NC
James Born, AT&T
New Jersey Bergen County, NJ
Megan Restuccia, Bergen Regional Academies
New York Albany area, NY
Patrick Nolan, Stormranger Computer Security
New York Rochester, NY
Ralph Durkee, Ralph Durkee Consultants
Ohio Cincinnati, OH
Kevin Van Dixon, Intrieve, Inc.
Ohio Cleveland, OH
Rockie Brockway, Totem Security
Ohio Dayton, OH
Phillip Conrad, Multimax
Oklahoma Tulsa, OK
Lloyd Ardoin, Mazzio's Corporation
Pennsylvania Philadelphia, PA
Bruce Diamond, Computer Helpline, Inc.
Texas College Station, TX
Kent Knudsen, Texas A&M University
Texas Richardson (Dallas area), TX
Brian Levasseur, Aegon USA
Virginia Dahlgren, VA
Paul Ford, Chugash Telecommunications & Computers, Inc.
Virginia Herndon, VA
Wayde York, EDS
Virginia Tysons Corner, VA
Angela Orebaugh, Booz Allen Hamilton
Washington Seattle, WA
David Severski, Lucent Technologies
Canada
Calgary
Kenton Smith, Chartwell Technology
Montreal
Patrick Boismenu, Royal Canadian Mounted Police
Ottawa
Guy Bruneau, Cornerstone Communications
Toronto
Chris Russel, York University
Mexico
Mexico City
Rafael Garcia, Symantec Corporation
Start in August/September in 40+ Locations