SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IV - Issue #32
August 07, 2002
TOP OF THE NEWS
1 & 2 August 2002 OpenSSH Contaminated with Trojan1 & 2 August 2002 HP Won't Invoke DMCA Against SnoSoft
1 August 2002 Clarke Urges Companies to Stop Selling Buggy Software
31 July & 1 August 2002 Keep Finding Holes but Report Them Responsibly, Says Clarke
THE REST OF THE WEEK'S NEWS
5 August 2002 National Strategy to Secure Cyberspace Will Address Wireless Security31 July, 1,2 & 5 August 2002 DoD to Restrict Use of Wireless Devices
31 July 2002 AT&T and Time Warner Push For Improved Wireless Security
29 July & 5 August 2002 Cyber Attack Victims Should Have Recourse
5 August 2002 Platform Allows Pursuit of Cyber Attackers
5 August 2002 Security Manager's Journal: Great Intrusion Detection
5 August 2002 Two Cyber Corps Programs
2 August 2002 Italian Police Arrest Hackers Who Attacked DoD
2 August 2002 Collaborative Effort On New Security Vulnerabilities
2 August 2002 Honeypot Liability Risks
1 August 2002 Cisco TFTP Buffer Overflow
31 July & 1 August 2002 Virus Count Down; Klez Still on Top
31 July 2002 Surnova-B Worm Targets Kazaa Users
30 July 2002 Time to Update Internet Protocols
30 July 2002 Web Operator Nabs al Qaeda Site, But to No Avail
29 July 2002 Hacker Says Activity was Unethical, Not Illegal
TRAINING
3 August 200231 July 2002
5 August 2002
SECURITY TRAINING NEWS
*************** Sponsored by Internet Security Systems ****************
Complete Desktop Protection: FREE 30-Day Trial from Internet Security
Systems
RealSecure(tm) Desktop Protector is an advanced desktop/laptop
protection system with full-featured intrusion detection and
response. Designed to work with popular virtual private network (VPN)
products, Desktop Protector is an ideal remote end-point security
solution for protecting teleworkers, mobile employees, and individuals
using PCs inside a traditional office environment.
Download your FREE 30 Day Trial: http://www.iss.net/ad/dp_sans080702
***********************************************************************
TOP OF THE NEWS
1 & 2 August 2002 OpenSSH Contaminated with Trojan
The Computer Emergency Response Team Coordination Center (CERT/CC) has issued an advisory warning that certain versions of OpenSSH contain a Trojan horse, which could allow an attacker to gain control of vulnerable systems. Anyone who downloaded OpenSSH versions 3.2.2p1, 3.4p1 or 3.4 on of after July 30 should verify the integrity of that software.-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,73159,0
0.html
-http://www.theregister.co.uk/content/55/26492.html
CERT/CC Advisory:
-http://www.cert.org/advisories/CA-2002-24.html
OpenSSH Advisory:
-http://www.openssh.com/txt/trojan.adv
1 & 2 August 2002 HP Won't Invoke DMCA Against SnoSoft
Hewlett Packard has backed off of threats it made to invoke the Digital Millennium Copyright Act (DMCA) and the Computer Fraud and Abuse Act against a security research team called SnoSoft. Members of the group had been threatened with large fines and prison time. A member of SnoSoft apparently posted an exploit for a buffer overflow vulnerability in Hewlett Packard's Tru64 Unix OS. In a statement, the company asserts its commitment to security, acknowledges the vulnerability - promising a patch within two days, and indicating that it will not use the DMCA to "stifle research or impede the flow of information."-http://news.com.com/2100-1023-947745.html
-http://zdnet.com.com/2100-1106-947740.html
-http://www.theregister.co.uk/content/55/26508.html
[Editor's Note (Schultz): I've always had a lot of respect for HP and I am glad they came to their senses with respect to the DCMA issue. I fear, however, that more cases of this nature are going to emerge. DMCA has not proven to be a good thing for the security community; it enables vendors angry over discovery of vulnerabilities in their products to threaten or taken legal action against those who have discovered the vulnerabilities. (Murray) It is not as though the security community did not complain about this law while it was under consideration. We were simply no match for the publishers' lobby. At the time they dismissed our concerns as "alarmist." (Same with UCITA). Now we find them using the literal language of the law for exactly the purposes that they disavowed while it was being debated. ]
1 August 2002 Clarke Urges Companies to Stop Selling Buggy Software
Speaking at the Black Hat computer security conference in Las Vegas, White House cybersecurity advisor Richard Clarke said that software companies need to stop selling unsecure software, and that users should refuse to buy products that don't provide adequate security. It's possible that with the release of the national cyber security plan to be released in September, all federal agencies will be required to purchase only those IT products on a list of independently certified products; only the DoD is presently bound by such a requirement.-http://www.computerworld.com/securitytopics/security/story/0,10801,73140,00.html
31 July & 1 August 2002 Keep Finding Holes but Report them Responsibly, Says Clarke
White House cyber security advisor Richard Clarke said that security professionals and hackers should continue to find security holes in software because the manufacturers are not going to find them all. Those who find the vulnerabilities should report them responsibly, first alerting the manufacturer and then the government. Exploits should not be published without first giving the companies a chance to address them with an update or a patch.-http://www.washingtonpost.com/wp-dyn/articles/A26698-2002Jul31.html
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,73146,0
0.html
[Editor's Note (Schultz): Richard Clarke is right on track about this issue--it's good to hear him speak out. ]
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) STOP chasing alerts & AVOID detailed firewall log analysis. Learn
How! http://www.sans.org/cgi-bin/sanspromo/NB60
(2) Aberdeen Alert! FREE Research Report on Web App Attacks
http://www.sans.org/cgi-bin/sanspromo/NB61
(3) TRUSTWORTHY COMPUTING? Learn to Stop 7 Deadly Classes of IIS
Attacks Free Whitepaper: http://www.sans.org/cgi-bin/sanspromo/NB62
***********************************************************************
THE REST OF THE WEEK'S NEWS
5 August 2002 National Strategy to Secure Cyberspace Will Address Wireless Security
The National Strategy to Secure Cyberspace is almost complete and will address such topics as wireless security and the related Internet instability due to wireless interconnectivity. The report will recommend that the government provide funding for research and development on wireless security issues.-http://www.fcw.com/fcw/articles/2002/0805/news-wire1-08-05-02.asp
[Editor's Note (Murray): Low-cost, low-power, digitally encoded, relay wireless promises to be the solution for persistent broadband connectivity over the last mile. While I prefer end-to-end security for applications, it is still essential that we address the potential of this technology to punch holes in the network. The price of this technology is dropping as fast as that of storage; it is urgent that we address security before it proliferates. ]
31 July, 1,2 & 5 August 2002 DoD to Restrict Use of Wireless Devices
Pentagon CIO John Stenbit says he will release new policy guidelines that drastically curtail the use of wireless devices at military installations. Pentagon officials are concerned that the basic insecurity of wireless devices could pose a threat to classified meetings; specifically, the new generation of wireless phones could be used to eavesdrop on conferences. The new policy extends beyond normally secured conference rooms to anywhere confidential and sensitive information may be discussed. In May, a security expert using his laptop and a wireless LAN card was able to scan the Defense Information Systems Agency's (DISA's) wireless network while sitting in a parking lot across the street from the DISA. The National Institute of Standards and Technology (NIST) has also released a draft guide outlining basic steps to take to secure such wireless devices.-http://www.computerworld.com/mobiletopics/mobile/story/0,10801,73150,00.html
-http://www.fcw.com/fcw/articles/2002/0805/news-wire-08-05-02.asp
-http://www.govexec.com/dailyfed/0702/073002tdpm.htm
-http://www.gcn.com/vol1_no1/daily-updates/19509-1.html
-http://www.msnbc.com/news/788080.asp?0dm=T12PT
31 July 2002 AT&T and Time Warner Push For Improved Wireless Security
Someone living next door to an AT&T Broadband subscriber was able to access that subscriber's wireless network to send a pirated movie out to the Internet. AT&T Broadband is now asking its customers to turn on Wi-Fi encryption. Time Warner Cable has gone so far as to send letters to some broadband customers who share their bandwidth on wireless networks suggesting that they could be liable if the bandwidth they contract for is used for unlawful purposes. The National Institute of Standards and Technology (NIST) has called wireless networks "unacceptable risk[s ]
" for government agencies.
-http://zdnet.com.com/2100-1105-947496.html
29 July & 5 August 2002 Cyber Attack Victims Should Have Recourse
Tim Mullen proposes that people be allowed to take action against unsecured computers that are used to launch attacks like Nimda and Code Red. He doesn't agree with the idea that administrators who did not secure machines are victims, and suggests that people take measures to take attacking machines off line without damaging them. Taking such action runs the risk of charges of trespassing or targeting the wrong machine.-http://online.securityfocus.com/columnists/98
-http://www.cnn.com/2002/TECH/industry/08/05/defcon.hack.back.reut/index.html
[Editor's Note (Schultz): I hope that no one will take Mr. Mullen seriously. We've taken a beating as the result of attackers' activity, true, but striking back is in almost all cases not the proper solution. It is unethical to act like a vigilante and furthermore it is in most cases illegal. ]
5 August 2002 Platform Allows Pursuit of Cyber Attackers
A systems architect and two colleagues at PRC, a division of defense contractor Northrop Grumman, have received a patent for a computer platform that allows people to pursue cyber attackers as the attack is taking place. (Note: This site requires free registration)-http://www.nytimes.com/2002/08/05/technology/05TRAP.html?ex=1029124800&en=20
f303c67bb75334&ei=5040&partner=MOREOVER
5 August 2002 Security Manager's Journal: Great Intrusion Detection Training
Computerworld's security manager's journal provides a first person review of SANS's Intrusion Detection In-Depth training class. He lauded the speakers' depth of knowledge, the hands on aspect, and the overall pace of the course. After arriving home, he reconfigured his sensor filters, making his IDS more efficient.-http://www.computerworld.com/securitytopics/security/story/0,10801,73190,00.html
5 August 2002 Two Cyber Corps Programs
There are two Cyber Corps scholarship-for-service programs offered by the US government and participating colleges and universities. One is managed by the National Security Agency (NSA) for the Defense Department (DoD); that program has 36 designated schools, and students must apply first to a defense or intelligence agency which then sponsors their scholarships. The other is managed by the National Science Foundation (NSF) and the Office of Personnel Management; that program has six participating schools across the country. Some students would like government agencies to be made more aware of the NSF's Cyber Corps.-http://www.fcw.com/fcw/articles/2002/0805/mgt-cyber1-08-05-02.asp
-http://www.fcw.com/fcw/articles/2002/0805/mgt-cyber2-08-05-02.asp
2 August 2002 Italian Police Arrest Hackers Who Attacked DoD
Italian police have arrested fourteen people belonging to two different hacking groups. The groups are allegedly responsible for a number of intrusions into US Army, Navy and NASA computer systems. The groups also allegedly broke into some Italian web sites, pirated movies and ran up fraudulent charges on credit cards. The crackers, who include a network security manager and a number of IT consultants, could face eight-year prison sentences. The U.S. Army CID (Criminal Investigation Command), U.S. Navy and the U.S. Secret Service assisted in the investigation.-http://www.smh.com.au/articles/2002/08/02/1028157832175.html
-http://zdnet.com.com/2100-1105-948179.html
2 August 2002 Collaborative Effort On New Security Vulnerabilities
The Internetworked Security Information Service (ISIS) is a collaboration among the Open Source Vulnerability Database, Alldas.de, PacketStorm and VulnWatch. The group will gather and offer information about security vulnerabilities and related tools at no cost.-http://news.com.com/2100-1001-948127.html
2 August 2002 Honeypot Liability Risks
Speaking at the Black Hat Briefings, Justice Department attorney Richard P. Salgado warned that honeypot law is "untested" and that people setting up the servers and networks designed to attract crackers could face such legal issues as liability for an attack launched from a compromised honeypot and charges of entrapment from crackers "charged with illegal activities."-http://www.gcn.com/vol1_no1/daily-updates/19506-1.html
[Editor's Note (Murray): "Entrapment," as a legal offense, is one that can only be committed by law-enforcement. A honeypot, like any other system connected to the Internet can be compromised. However, it is probably less likely to be so than most systems and the liability issues are the same. That said, counter-intelligence is not an activity for amateurs. ]
1 August 2002 Cisco TFTP Buffer Overflow
A buffer overflow security hole in Cisco's Trivial File Transfer Protocol (TFTP) could allow an attacker to crash routers by requesting transfer of a file with too long a name.-http://www.extremetech.com/article2/0,3973,430036,00.asp
31 July & 1 August 2002 Virus Count Down; Klez Still on Top
Central Command, an antivirus company, says its numbers of tracked viruses were lower on July than in June, though the company is not sure what is responsible for the decrease. The Klez virus is still topping the charts at a number of antivirus firms.-http://zdnet.com.com/2100-1105-947608.html
-http://zdnet.com.com/2100-1105-947611.html
-http://www.theregister.co.uk/content/56/26473.html
31 July 2002 Surnova-B Worm Targets Kazaa Users
The Surnova-B worm has appeared on the Kazaa filesharing network as a file purporting to be Star Ward episode two and nude pictures of Britney Spears. The worm creates more false files for other users to download (mistakenly). Infected computers that are running MSN Instant Messenger could also send the virus to their contact list.-http://www.web-user.co.uk/news/article/?afw_source_key={2A4A70CA-A3BB-4B01-8B05-
2BF7925D19B5}
30 July 2002 Time to Update Internet Protocols
White House security advisor Richard Clarke thinks it might be time to revamp Internet protocols to address wireless security concerns.-http://www.washingtonpost.com/wp-dyn/articles/A22535-2002Jul30.html
30 July 2002 Web Operator Nabs al Qaeda Site, But to No Avail
A web operator managed to grab the web address of an al Qaeda communications site when the address registration expired; he quickly filled it with content from a previous version of the site and reportedly presented it to the FBI, hoping they could use the site for spreading false information or gathering information on terrorist sympathizers. The FBI didn't act quickly enough and people eventually became aware that the site was not under al Qaeda control.-http://www.washingtonpost.com/wp-dyn/articles/A21523-2002Jul30.html
29 July 2002 Hacker Says Activity was Unethical, Not Illegal
Robert Starks admits he intercepted sensitive e-mail from his former employer's systems and posted it on his web site. He maintains that he used his access privileges as system administrator to obtain the e-mail and therefore did nothing illegal.-http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8608
UPDATE: The Windows 2000 Professional Gold Standard Training Program Many organizations are moving quickly to implement the NSA/NIST/GSA/DISA and Center for Internet Security Gold Standard for securing and auditing Windows 2000 Professional because they really work. In the new Gold Standard training programs, offered in 38 cities over the next two months, you will get the training needed to build your confidence and skills. Who should attend? System administrators, auditors, security officers, or technically advanced managers responsible for Windows 2000 systems will all benefit from this course. To register:
-http://www.sans.org/Win2KWorldTour/
">
-http://www.sans.org/Win2KWorldTour/
Tools you will learn include: SECEDIT.EXE SECURITY CONFIGURATION & ANALYSIS SECURITY TEMPLATES TOOL HFNETCHK.EXE CIS SCORING TOOL The secedit.exe tool is included as part of the Windows 2000 operating system. It is a command line utility and as such can be called from a batch file or logon script. Secedit.exe is used to Analyze and Configure security on a Windows 2000 machine. It can be used to apply a security template. Security Configuration and Analysis is a GUI snap-in for the MMC that includes functionality of the Secedit.exe tool, plus a lot more. It is not a part of any built-in consoles but can be added to a custom console. The templates tool is also available as an MMC snap-in. It is not a part of any built-in consoles but can be added to a custom console. The templates tool will list all the built-in security templates by default, located in the C:WinntSecurityTemplates directory. The HFNetChk tool was developed by Shavlik Technologies for Microsoft in response to many administrators' complaints about needing a reliable method for determining the exact local and remote service Pack and Hotfix level of target machines. HfNEtChk.exe is freely available from the Microsoft website,
-http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tool
s/tools/hfnetchk.asp
The Center for Internet Security tool is available on
-http://www.cisecurity.org/
To register:
-http://www.sans.org/Win2KWorldTour/
">
-http://www.sans.org/Win2KWorldTour/
TRAINING
3 August 2002
Gold Standard Training for Securing Windows 2000 using the new consensus standards and free testing tools got top ratings in both Melbourne Australia and Washington DC. 38 additional cities are now scheduled for this one-day, hands-on training. Detailed information on the new standards training is provided at the end of this issue. For locations:-http://www.sans.org/Win2KWorldTour/
31 July 2002
SANS announces that Richard Clarke will keynote the Network Security 2002 and the National Information Assurance Leadership Conference in October in Washington.-http://www.sans.org/NS2002