Newsletters: NewsBites



SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #26

June 26, 2002


If you are one of the more than 60% of web sites running Apache, patch
it soon. Even if you are running a personal web site with no critical
data, if a worm is launched using the newly discovered vulnerability,
it will undoubtedly find your systems and use them to attack others.

Quote of the week (from CIO Magazine, July 1, 2002): Kevin Turner,
CIO of Walmart, says, "I'd really like to see our technology vendors step up and help us
with these [security] vulnerabilities because the money that we are
pouring into security right now is being pulled away from development
and strategic things that we could be investing in. A lot of the
vulnerabilities that we deal with are preventable and could be avoided
if the technology vendors would do the due diligence to tighten
up [the security configuration of] their products."

Alan

TOP OF THE NEWS

20 June 2002 Apache Exploit Posted
18 June 2002 Apache Users Urged to Upgrade
20 June 2002 Legislation is Asking More of ISPs
19 June 2002 Microsoft Can't Escape Security Woes
18 June 2002 Tannenbaum Begins Jail Sentence

THE REST OF THE WEEK'S NEWS

24 June and 1 July 2002 Microsoft Pushes Palladium
24 June 2002 Questions About Perrun's Threat
19 June 2002 Man Claims to be Perrun Author
24 June 2002 Yaha-E Worm
21 June 2002 Russian Federation Sites Running Vulnerable Versions of Apache
21 June 2002 Homeland Security Dept. Transition Office Established
21 June 2002 DOT Wants Input on Enhancing Their Smart Cards
21 June 2002 KPNQuest Due to Shut Down Network-But Survives
18 & 20 June 2002 University Computers Compromised
20 June 2002 Searching for a Terrorist Web Site
20 June 2002 Web Spamming
20 June 2002 Wyoming State Auditor to Outsource Payroll and Accounting
19 June 2002 Pro-Islamic Groups May Be Banding Together for Cyber Attacks
19 June 2002 Town Hall Meeting on Cyber Security
19 June 2002 Aviation Security Task Force Recommendations
18 June 2002 Apache Vulnerability Raises Standards Questions
18 June 2002 DoD Fixes Some Security Problems and Finds Another
18 June 2002 Virus Count Could be Double Last Year's, says MessageLabs
18 June 2002 2600 IRC Server Hit by DoS, Down Indefinitely
18 June 2002 Frethem.E Worm
June 2002 Consumer Reports: Anti-Virus Software and Firewalls


******** This Issue Sponsored by Internet Security Systems ***********

TOP OF THE NEWS

20 June 2002 Apache Exploit Posted

Gobbles Security posted an exploit for an Apache server software vulnerability on several mailing lists and on-line libraries. The program exploits a security hole in OpenBSD systems running Apache 1.3.x. In an e-mail interview, Gobbles said they released the code because they were fed up with hearing about how it was an unexploitable hole. A comment line in the code suggests it may have been used in the surreptitious backdoor installations in tools available on Monkey.org.
-http://online.securityfocus.com/news/493

18 June 2002 Apache Users Urged to Upgrade

Everyone running Apache servers should upgrade their software, according to the software's developers. A potentially serious buffer overflow vulnerability could allow hackers to take control of unpatched computers or launch a denial of service attack. CERT/CC has issued an advisory. No attacks exploiting the problem have been reported.
-http://www.computerworld.com/softwaretopics/os/linux/story/0,10801,72089,00.html
-http://www.cert.org/advisories/CA-2002-17.html

20 June 2002 Legislation is Asking More of ISPs

New legislation in Europe and the US is requiring that Internet service providers (ISPs) take a more active role in preventing illegal activity from taking place on their servers. A Finnish judge ordered Jippii, an ISP, to remove a web site that allegedly provided people with activation numbers to use pirated software. The ISP had been refusing to abide by the previous requests of the Business Software Alliance (BSA) until the BSA could prove the site was doing what it was alleged to be doing. ISPs are usually more willing to cooperate with authorities in hacking or piracy cases than in content cases.
-http://zdnet.com.com/2100-1105-937846.html
[Editor's Note (Schultz): This is a truly encouraging development. Although some ISPs have been extremely responsible, many have been the opposite with respect to being good citizens of the Internet. If ISPs provide access, they should do their fair share in providing and enforcing at least minimum levels of security.]

19 June 2002 Microsoft Can't Escape Security Woes

Despite Microsoft's claims of a renewed focus on security, the vulnerability-beleaguered company has issued 30 advisories for 40 vulnerabilities so far in 2002. While Microsoft's efforts to scour its own code for security problems are commendable, the company is also taking some risks by offering an automated update system and by including new, activated features on update CDs.
-http://www.usatoday.com/life/cyber/tech/2002/06/20/microsoft-security.htm

18 June 2002 Tannenbaum Begins Jail Sentence

Ehud Tannenbaum has begun serving an 18-month jail sentence for his role in a series of intrusions into a variety of computers, including those at the Defense Department. An Israeli high court
-http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8343
[Editor's Note: Stephen Northcutt provides a review of the Tannenbaum case, also known around the US Department of Defense as the Solar Sunrise case, at the end of this issue. ]



THE REST OF THE WEEK'S NEWS

24 June and 1 July 2002 Microsoft Pushes Palladium

Microsoft wants to change the architecture of PCs to incorporate hardware that will support a multi-faceted security system called Palladium. The system could be used to protect data from hackers, block worms, do away with spam, and control privacy. It could also be used for digital rights management.
-http://www.msnbc.com/news/770511.asp?0dm=C14MT
-http://www.computerworld.com/securitytopics/security/story/0,10801,72221,00.html
-http://www.theregister.co.uk/content/55/25843.html
[Editor's Note (Murray): I encourage you to look at all three articles to get a full perspective on Palladium. ]

24 June 2002 Questions About Perrun's Threat

Users are questioning a statement made by McAfee's Vincent Gullotto that executables could be contained in .jpg files. Data files are opened by applications that don't look for executables. Gullotto says Perrun still raises the specter of a new type of threat.
-http://www.computerworld.com/securitytopics/security/story/0,10801,72220,00.html
[Editor's Note (Grefer): No matter what Gullotto claims, this type of threat is not new. ]

19 June 2002 Man Claims to be Perrun Author

21-year-old Paul Glenerson B. Amurao of the Philippines is claiming to be the author of the Perrun virus that may infect .jpg files. He says he wrote the virus with Microsoft Visual Basic 6.
-http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8364

24 June 2002 Yaha-E Worm

The W32/Yaha-E worm is spreading in the wild. It arrives in an attachment; the accompanying e-mail can have a variety of subject lines. The worm attempts to turn off anti-virus and firewall protection.
-http://www.mcafee.com/anti-virus/viruses/yaha/
-http://www.sophos.com/virusinfo/articles/yahae.html

21 June 2002 Russian Federation Sites Running Vulnerable Versions of Apache

Independent tests indicate that the site and other Russian Federation web sites are running an older version of Apache server software that may be vulnerable to attacks. Netcraft and eEye Digital Security both say Putin's website is running Apache version 1.3.20.
-http://www.wired.com/news/technology/0,1282,53412,00.html

21 June 2002 Homeland Security Dept. Transition Office Established

Bush signed an executive order establishing a Homeland Security Department transition office within the Office of Management and Budget (OMB).
-http://www.gcn.com/vol1_no1/daily-updates/19104-1.html

21 June 2002 DOT Wants Input on Enhancing Their Smart Cards

The Transportation Department (DOT) wants information on methods and technologies for enhancing their smart card system. The DOT will review white papers every three months until June 30, 2003.
-http://www.fcw.com/fcw/articles/2002/0617/web-dot-06-21-02.asp

21 June 2002 KPNQuest Due to Shut Down Network - But Survives

KPNQuest's network was due to shut down Friday night, June 21 after it failed to receive emergency funding. The shutdown could have a noticeable impact on European network traffic as the company's networks carry 40% of European Internet traffic.
-http://www.ananova.com/news/story/sm_612949.html
Last minute support from users and a deferral of a demand for repayment by Alcatel averted the immediate threat.
-http://www.theregister.co.uk/content/6/25795.html

18 & 20 June 2002 University Computers Compromised

The Secret Service is investigating the possibility that students at universities in Texas, Arizona, Florida and California were monitored by surreptitiously installed software designed to capture passwords and credit card numbers. Nearly 20 hard drives were removed from computers at Arizona State University.
-http://news.com.com/2100-1001-938126.html
-http://www.tucsoncitizen.com/local/6_18_02russia_asu.html

20 June 2002 Searching for a Terrorist Web Site

Agents from the FBI and the CIA are scouring the Internet for a web site allegedly used by al Qaeda for communication. The site is registered in Singapore and was taken down earlier this month, but officials expect it to resurface.
-http://www.usatoday.com/life/cyber/tech/2002/06/21/terrorweb.htm

20 June 2002 Web Spamming

Web spammers have developed a more sophisticated technique for tricking search engines into returning their sites as top ranked results. The most recent case involved AOL Search and Inktomi, which were tricked into returning results that linked to a Russian-based web site.
-http://zdnet.com.com/2100-1106-937782.html

20 June 2002 Wyoming State Auditor to Outsource Payroll and Accounting

Weaknesses in the state government's own security management (no firewall, for example) led the Wyoming State Auditor's Office to outsource the state's payroll and accounting data management.
-http://www.fcw.com/geb/articles/2002/0617/web-wyo-06-20-02.asp

19 June 2002 Pro-Islamic Groups May Be Banding Together for Cyber Attacks

A British firm claims to have found evidence of an alliance between pro-Islamic hacker groups launching ideologically motivated attacks; the groups have been focusing on the problems in Kashmir, the Middle East conflict and the war on terrorism.
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_2052000/2052320.stm

19 June 2002 Town Hall Meeting on Cyber Security

At a town hall meeting on cybersecurity, vice chairman of the Critical Infrastructure Protection Board Howard Schmidt described the National Strategy to Secure Cyberspace, which will be released in September, as a living document, meaning it will be amended and altered as needs dictate. The strategy plans to address home users as well as industry and government. The Bush administration does not plan to regulate private industry with security requirements; instead, it hopes the industry will self-regulate. One insurance executive observed that companies are unlikely to self-regulate until liability litigation starts becoming a reality.
-http://www.computerworld.com/securitytopics/security/story/0,10801,72108,00.html
[Editor's Note (Schultz): With the possible exception of the financial community, industry has in general not done a credible job with respect to self-regulation in the practice of information security so far. One recent study suggested that companies spend more on coffee than information security! The Bush Administration has once again given industry no reason to change. It is well time for the Bush Administration to wake up to the immense threat that industry computers and networks are facing and to do something meaningful to prompt necessary change. ]

19 June 2002 Aviation Security Task Force Recommendations

The Blue Ribbon Task Force on Aviation Security and Technology has issued a report describing how to use existing IT to enhance airport and airline security. Among the group's recommendations are using biometrics to identify airport/airline workers and to allow access to aircraft, and using Global Positioning System (GPS) devices to keep tabs on vehicles within the airport perimeter. The recommendations will be tested at 20 airports across the country.
-http://www.computerworld.com/securitytopics/security/story/0,10801,72098,00.html
[Editor's Note (Murray): The best biometric for this application is the face, the best reference the photograph. Put the photograph on the ticket. Seems outrageous at first but think about it. ]

18 June 2002 Apache Vulnerability Raises Standards Questions

Internet Security Systems' decision to publish an advisory about and a patch for the Apache flaw met with criticism because it gave Apache less than two hours to respond to the problem. Apache was working with someone else to address the flaw; they were examining how it affected various platforms. The incident again raises the issue of standards for reporting vulnerabilities. While a number of groups are designed to coordinate security information, they do not coordinate with each other. The proposed Homeland Security Department would consolidate those efforts.
-http://www.msnbc.com/news/768762.asp?0dm=T23FT
-http://zdnet.com.com/2100-1105-936949.html
-http://www.theregister.co.uk/content/55/25766.html
[Editor's Note (Ranum): ISS put the Apache user base at risk by jumping the gun on a vulnerability release. ]

18 June 2002 DoD Fixes Some Security Problems and Finds Another

While in the process of closing security holes brought to light in a Defense Department Inspector General's report, the Web Risk Assessment Cell, the group handling the cleanup, found another security problem: "hidden" sites that don't turn up in basic searches but that are still accessible with some finessing.
-http://www.fcw.com/fcw/articles/2002/0617/web-dod-06-18-02.asp
[Editor's Note (Ranum): If a FORTUNE 500 firm had such lame security, they'd fire their network and security managers and get new ones.]

18 June 2002 Virus Count Could be Double Last Year's, says MessageLabs

MessageLabs says it has intercepted twice as many infected messages so far this year as it did during all of last year. The company screens corporate e-mail accounts. The Klez family of viruses topped the list with SirCam coming in second. The company's marketing director says such worms, which are constantly being tweaked into more virulent forms, are responsible for the rising numbers of viruses. They are also growing more malicious.
-http://news.com.com/2100-1001-937228.html

18 June 2002 2600 IRC Server Hit by DoS, Down Indefinitely

irc.2600.net is now off line due to a denial of service (DoS) attack. The group's provider disconnected the server.
-http://www.2600.com/news/display.shtml?id=1203

18 June 2002 Frethem.E Worm

The Frethem.E worm exploits a MIME vulnerability in Internet Explorer (IE) to execute automatically, spreading itself with the aid of its own SMTP engine. The worm hasn't done much damage because a recent Microsoft patch designed to protect computers from the Klez virus also keeps this one out.
-http://www.esecurityplanet.com/trends/article/0,,10751_1367621,00.html

June 2002 Consumer Reports: Anti-Virus Software and Firewalls

Consumer Reports tested firewalls and anti-virus software. This article describes why the software/hardware is necessary and how it works. Linked articles offer advice on keeping yourself safe from common virus/worm ruses, keeping your data safe, and what to do if your computers have been infected or hacked.
-http://www.consumerreports.org/static/0206com0.html

Background on the Tannenbaum Story from Stephen Northcutt

It is amazing just how terse this and previous stories were about Tannenbaum -- the hacker known as Analyzer. To try to recap the history: Recall, this was the rstatd attack "/tmp/bob" that compromised numerous DOD and other government Solaris systems in late 1997 and into the first quarter of 1998. The "Mideast" source (the defenders were not sure which country) of the attacks stimulated the US government to react in many ways, and the event became known as Solar Sunrise. You can buy a video about the FBI investigation from:
-http://www.ncix.gov/pubs/videos/video_solar.html
Tannenbaum was coaching two California teenagers, and they were caught by the FBI. Their capture led to him.
-http://www.jpost.com/com/Archive/23.Mar.1998/News/Article-7.html
Then Tannenbaum went into the Army, some claim in information warfare.
-http://www.jewishsf.com/bk980403/ibyte.htm
Then he tried to cash in on his infamy as a hacker by becoming an officer in a security company while his case dragged on in the legal system.
-http://www.theregister.co.uk/content/1/14891.html
Now, he is in jail.

==end==
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites


Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Eugene Schultz