SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IV - Issue #38
September 17, 2002
Note: Two SANS Alerts are inserted as the first items in the issue.
ALERTS
13 & 14 September 2002 Apache/mod_ssl Worm10 & 11 September 2002 SP1 Quietly Addresses Serious XP Vulnerability
TOP OF THE NEWS
13 September 2002 Victoria, Australia Legislation Ups Cybercrime Penalties12 & 13 September 2002 Hole in Word Allows File Theft
10 September 2002 Security Budgets on the Rise
THE REST OF THE WEEK'S NEWS
13 September 2002 Thieves Use e-Merchant's Account to Check Validity of Stolen Credit Cards12 & 13 September 2002 Outlook Express MFR Vulnerability
12 August 2002 DNA Fingerprint Developer Doesn't Like Storage Practices
12 September 2002 Taiwan Government to Hold Cyber Intrusion Challenge
11 September 2002 W32/Chet-A Worm
11 & 12 September 2002 Conflict with Iraq Likely to Increase Cyber Incidents
11 September 2002 Modified Electronic Devices Could Interfere with Plane Controls
11 September 2002 Disaster Recovery Plans Should Include Current Configuration Settings
10 & 12 September 2002 What The NSSC Won't Include
10 September 2002 Cisco VPN 3000 Series Vulnerabilities
10 September 2002 New Version of SQL Server Will be More Secure
10 August 2002 San Antonio Runs Cyber Attack Drill
9 September 2002 Schmidt Says Develop IT Security Systems for SCADA
10 September 2002 TVA Enhances Security
10 September 2002 Emergency Alert System Vulnerability
9 September 2002 H1-B Visa Applicants Not Adequately Investigated
9 September 2002 MS Seeks Engineer to Examine Xbox Chip Modifications
8 September 2002 Addressing Computer Intrusions
WEB BROADCAST ON THE NEW GOLD STANDARDS FOR SECURING WINDOWS 2000
Thursday at 1 pm (1700 UTC)SECURITY TRAINING NEWS
*SANS Network Security 2002 in OctoberALERTS
13 & 14 September 2002 Apache/mod_ssl Worm
CERT/CC has issued an advisory warning of a self-replicating worm dubbed Apache/mod_ssl that exploits a vulnerability in OpenSSL to create a distributed network that could be used to launch a denial of service attack. It is also known as linux.slapper.worm and bugtraq.c worm.-http://news.com.com/2100-1001-957987.html
-http://www.cert.org/advisories/CA-2002-27.html
[Editor's Note (Paller): Well over 10,000 systems have been taken over and are "collected" in controlled attack groups which could launch DDOS attacks with substantial power. More systems are falling every minute. If you have not fixed this problem, please do it now. Guidance is at the CERT site above. More skilled security professionals will find additional details at the Internet Storm Center site:
-http://isc.incidents.org/analysis.html?id=167]
10 & 11 September 2002 SP1 Quietly Addresses Serious XP Vulnerability
A specially crafted URL could make Windows XP delete entire directories from vulnerable machines. Though Microsoft has known about the problem since June, it is only in the recently released Windows XP Service Pack 1 that the vulnerability is addressed.-http://www.pcworld.com/news/article/0,aid,104810,00.asp
-http://www.theregister.co.uk/content/4/27074.html
-http://www.jmu.edu/computing/security/info/xphelp.shtml
-http://www.security.nnov.ru/search/document.asp?docid=3370
">
-http://www.security.nnov.ru/search/document.asp?docid=3370
-http://www.security.nnov.ru/search/document.asp?docid=3370
">
-http://www.security.nnov.ru/search/document.asp?docid=3370
[Editor's Note (Northcutt): This is a serious flaw. You should probably run Windows Update and install Service 1 as soon as possible. The Microsoft update web page said it would take 3 - 5 minutes on DSL, but it took me 90 minutes. (Paller) If your employer is not allowing you to run XP1 (because it has not been fully tested) run Steve Gibson's quick fix at
-http://grc.com/xpdite/xpdite.htm.
It works instantly and protects you from one of the worst of the XP vulnerabilities- one wfor which exploits are already appearing. ]
TOP OF THE NEWS
13 September 2002 Victoria, Australia Legislation Ups Cybercrime Penalties
Cyber criminals in Victoria, Australia could receive prison sentences of up to ten years for their actions, according to new legislation. The Crimes (Property Damage and Computer Offences) Bill repeals older laws that provide for more lenient sentencing and it also fills in gaps left by the federal Cybercrime Act, which limits its focus to Commonwealth computers and cybercrimes committed with phone devices.-http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=9008
-http://www.heraldsun.news.com.au/common/story_page/0,5478,5085309^2862,00.html
12 & 13 September 2002 Hole in Word Allows File Theft
A security hole in all versions of Microsoft Word can be manipulated to steal files. Though the vulnerability is most severe in Word 97, Microsoft plans to fix it only in the most recent releases. The attacker would need to know the name and location of the file he was trying to steal.-http://news.com.com/2100-1001-957786.html
-http://www.cnn.com/2002/TECH/ptech/09/13/microsoft.word.bug.ap/index.html
-http://www.msnbc.com/local/pisea/86882.asp?0dm=T13IT
10 September 2002 Security Budgets on the Rise
A survey of nearly 300 high level IT managers conducted by Vista Research along with Harris Interactive found that information security budgets increased over the last year. A senior analyst said that increased spending is triggered by security breaches in the short term and by regulations in the long term.-http://news.com.com/2100-1001-957364.html
THE REST OF THE WEEK'S NEWS
13 September 2002 Tool Lets XP Pirates Download SP1
Software pirates have released a tool that will allow people running pirated versions of Windows XP to download the recently released Service Pack 1.-http://www.vnunet.com/News/1135007
13 September 2002 Thieves Use e-Merchant's Account to Check Validity of Stolen Credit Cards
Credit card thieves apparently broke into an on line e-merchant account to test the validity of credit cards that would then be sold on the Internet black market. The system processed 140,000 phony charges of $5.07 apiece; about 62,000 of the charges were approved for a total of more than $300,000, but a large number of those were halted before the money was ever credited to the e-merchant's account.-http://www.msnbc.com/news/807675.asp?0dm=C21BT
12 & 13 September 2002 Outlook Express MFR Vulnerability
The message fragmentation and re-assembly (MFR) feature in Microsoft Outlook Express can be exploited to bypass STMP content filtering software allowing malicious code to get past the filters.-http://www.theregister.co.uk/content/55/27095.html
-http://www.pcworld.com/news/article/0,aid,104924,00.asp
Beyond Security Advisory & Vendor Responses:
-http://www.securiteam.com/securitynews/5YP0A0K8CM.html
12 August 2002 DNA Fingerprint Developer Doesn't Like Storage Practices
Professor Sir Alec Jeffreys, the man who invented DNA fingerprinting, is uncomfortable with the practice of storing the genetic information of crime suspects who have been cleared of wrongdoing; he proposes that all UK citizens have their DNA fingerprints held in a database to be managed by a specially created body. Then everybody would be "in ? the same boat."-http://news.bbc.co.uk/1/hi/in_depth/sci_tech/2002/leicester_2002/2252782.stm
12 September 2002 Taiwan Government to Hold Cyber Intrusion Challenge
After witnessing the nation's most severe cyber attacks ever on government systems, Taiwanese Premier Yu Shyi-kun proposed a plan to allow Taiwan-based computer users to try and break into government systems in order to identify vulnerabilities. Successful intrusions will be rewarded. The plan is not to have a free-for-all, but to give each participant in the exercise a certain amount of time and to designate certain systems to be used as targets.-http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=
JanR.db&command=viewone&id=91&op=t
[Editor's Note (Schultz): This plan is completely irresponsible. It not only is likely to result in unanticipated, negative consequences (just like the recent Korean hacking challenge fiasco), but it also amounts to still another "hacker challenge," something that ends up legitimizing the unethical behavior of the black hat community. (Northcutt) While they may gain some benefit from a freestyle hackfest, a controlled, systematic approach to security and penetration testing will garner better results. In 1999 and 2000 China and Taiwan were engaged in a spirited cyberwar primarily going after each other's websites. It is harder to get specific current information other than "leaked" government reports:
-http://www.siliconvalley.com/mld/siliconvalley/3132466.htm
-http://www.cnn.com/2002/WORLD/asiapcf/east/07/13/china.taiwan/
If we have readers in Taiwan and you have additional information on this story, please send what you know to taiwan@sans.org.]
11 September 2002 W32/Chet-A Worm
The W32/Chet-A worm infects some Windows systems when the recipient opens the attached .exe file. The worm is capable of infection and self-replication, but the choppy language of the e-mail's body and the fact that it arrives as an .exe attachment reduce the likelihood that people will be fooled into opening the attachment. The worm also has bugs and doesn't work on many systems.-http://www.computerworld.com/securitytopics/security/virus/story/0,10801,74153,0
0.html
-http://news.com.com/2100-1001-957493.html
-http://www.msnbc.com/news/806381.asp
11& 12 September 2002 Conflict with Iraq Likely to Increase Cyber Incidents
Security firm mi2g says that a pro-Islamic hacker group calling itself Unix Security Guard (USG) has launched attacks on three computer systems hosted by AOL TimeWarner. Mi2g believes the incidence of such attacks will escalate as the tensions between the US and Iraq increase.-http://news.bbc.co.uk/2/hi/technology/2250993.stm
-http://www.mi2g.com/cgi/mi2g/press/100902.pdf
-http://www.it-director.com/article.php?id=3191
11 September 2002 Modified Electronic Devices Could Interfere with Plane Controls
A technology expert says that terrorists could modify a variety of personal electronic devices and use them to interfere with aircraft control systems. Speaking at the InfoWar conference in Washington DC, Chet Uber maintained that electronic devices should not be allowed inside commercial airplanes until it is determined that they are safe.-http://www.newscientist.com/news/news.jsp?id=ns99992780
11 September 2002 Disaster Recovery Plans Should Include Current Configuration Settings
Disaster recovery plans often focus on site redundancy and back up storage, but neglect to address the need for keeping current documentation of all IT configuration settings. IT disaster recovery plans need to be updated continuously. Having accurate information about the latest configurations can hasten business restoration in the event of a disaster. The article also describes the five states of a typical disaster recovery.-http://www.net-security.org/article.php?id=174
10 & 12 September 2002 What The NSSC Won't Include
The National Strategy for Securing Cyberspace, which will be released this Wednesday September 18th, will not place any further regulations on software companies to create and sell more secure products. Broadband companies will not be required to provide firewalls for their users, and the NSSC has no enforcement provisions for those who do not abide by its guidelines.-http://www.zdnet.com/anchordesk/stories/story/0,10738,2879777,00.html
-http://www.washingtonpost.com/wp-dyn/articles/A59168-2002Sep9.html
10 September 2002 Cisco VPN 3000 Series Vulnerabilities
Cisco issued an advisory describing 13 vulnerabilities in its VPN 3000 series concentrators; some of the security holes could allow hackers access to secure networks or the ability to launch denial-of-service attacks.-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,74122,0
0.html
Cisco advisory:
-http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml
10 September 2002 New Version of SQL Server Will be More Secure
SQL Server's design architect says the next version of the database management software will have improved security. Among the new features are the ability to install fixes with ease, tighter administrative control over who gets to see what data and the default disabling of public access to tables.-http://zdnet.com.com/2100-1104-957454.html
10 August 2002 San Antonio Runs Cyber Attack Drill
The city of San Antonio, Texas is beginning a three-phase cyber attack disaster drill. As part of Operation Dark Screen, groups of government and business leaders will figure out what plans of action they would need to take in the event of an attack on the city's power grid or financial system. Phase two will involve identifying and addressing security holes. Phase three will be in the form of a white-hat cyber attack-http://news.mysanantonio.com/story.cfm?xla=saen&xlb=180&xlc=808815&x
ld=180
9 September 2002 Schmidt Says Develop IT Security Systems for SCADA
Howard Schmidt, co-chairman of the President's Critical Infrastructure Protection Board, maintains research still needs to be done to develop IT security systems capable of supporting the Supervisory Control and Data Acquisition (SCADA) systems which are used to regulate the flow of electricity, natural gas and other elements of the energy industry. This is especially important in light of the fact that a recent security exercise in the Northwest demonstrated that attacks aimed at the area's electric power caused cascading power failures throughout the west, which in turn led to disruption in other elements of critical infrastructure.-http://www.computerworld.com/governmenttopics/government/policy/story/
0,10801,74077,00.html
10 September 2002 TVA Enhances Security
The Tennessee Valley Authority - tbe largest energy producer in the US - - has taken steps to ramp up their IT security. The 700 employees have had education and training, the TVA has learned from other agencies' security efforts, and has staged attacks to test mitigation strategies.-http://www.eweek.com/article2/0,3959,525968,00.asp
10 September 2002 Emergency Alert System Vulnerability
The Emergency Alert System (EAS), which the president can use to take control of US airwaves in the event of a national emergency, is vulnerable to spoofing. The data headers, which precede the alert tone and spoken message, do not include any sort of authentication. Because normal broadcasting doesn't resume until an end-of-message indicator is transmitted, the vulnerability could be manipulated to keep stations off the air for extended periods of time.-http://online.securityfocus.com/news/613
9 September 2002 H1-B Visa Applicants Not Adequately Investigated
A General Accounting Office (GAO) report found that the US government did not take adequate steps to investigate the backgrounds of immigrants applying for H1-B visas; the special visas would allow them to work with sensitive information that could be used by other countries to develop weapons.-http://www.washingtonpost.com/wp-dyn/articles/A57817-2002Sep9.html
9 September 2002 MS Seeks Engineer to Examine Xbox Chip Modifications
Microsoft is seeking to fill a position dubbed "Software Design Engineer;" attendant responsibilities include examining and analyzing Xbox modification chips.-http://www.theregister.co.uk/content/4/27020.html
-http://news.com.com/2100-1040-957160.html
8 September 2002 Addressing Computer Intrusions
Colin Crook, whose former employer, Citigroup, suffered cybertheft that nearly cost them $10 million, spoke at the Systems Approach to Terrorism Conference. Crook, who is now a senior fellow at Wharton's SEI Center for Advanced Studies in Management, said it's important to be able to recognize the signs that your systems are suffering intrusion attempts; he also described cyber attack risk factors including concentration of computing power, interconnectedness and standardization.-http://news.com.com/2009-12-956901.html
[Editor's Note (Paller): Colin sent us a note summarizing his three rules: 1.Never trust a network, 2.Always authenticate the user, 3.The Application must always defend itself, even with both of the above. ]
WEB BROADCAST ON THE NEW GOLD STANDARDS FOR SECURING WINDOWS 2000
Thursday at 1 pm (1700 UTC)
David Rice and Alan Paller will provide a management update on the new standards developed by US government agencies and SANS and the Center for Internet Security. These new benchmarks provide a much-needed "minimum standard of due care" and are already starting to be required for government systems and commercial organizations doing business on the Internet. The web broadcast is free. Register at-http://sans.digisle.tv/audiocast_091902/brief.htm
More details at
-http://www.sans.org/webcasts/september19.php
SECURITY TRAINING NEWS
*SANS Network Security 2002 in October
Largest security conference & expo:-http://www.sans.org
/NS2002">
-http://www.sans.org
/NS2002
*For security managers in military sites: click on the National Information Assurance Leadership Conference. *Advanced security training in fifty additional cities, plus Local Mentor programs in 35 cities. See:
-http://www.sans.org
== end ==
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Bill Murray, Stephen
Northcutt, Alan Paller, Marcus Ranum, and Eugene Schultz
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites