SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #40

October 02, 2002

TOP OF THE NEWS

30 September 2002 Top 20 Vulnerabilities List Out This Week With Testing Tools
30 September 2002 DISA Database Exposed Confidential Information
25 & 27 September 2002 Inter-University Research Project Aims to Build Resilient Internet System
23 September 2002 Oregon's DHS Computer System Plagued by Vulnerabilities

THE REST OF THE WEEK'S NEWS

30 September 2002 Secret Service Agents are Wardriving
30 September 2002 Bugbear Worm
30 September 2002 Proprietary Info is at Greater Risk From Insiders than from Hackers
27 September 2002 Coalition Will Publish Disclosure Guidelines
27 September 2002 Military Action Could Prompt Cyberattacks
27 September 2002 Security Firm Warns of Microsoft VPN Vulnerability
26 September 2002 Security Firm Says Number of Cyberattacks is Higher than Ever
26 September 2002 Integrating Security Products
26 September 2002 Only You Can Prevent DDoS Attacks
26 September 2002 Congress Holds Hearings on Berman Bill
25 & 26 September 2002 FrontPage Vulnerabilities
25 September 2002 China Denies Responsibility for Dalai Lama Site Attacks
25 September 2002 Slapper Variants on the Loose
24 & 25 September 2002 Falun Gong Activists Hijack TV Again
30 September 2002 Suspected Falun Gong TV Hacker Arrested for April Event
24 September 2002 State Dept. Employees to Get Smart Cards
24 September 2002 Arrest of T0rn Rootkit Author Raises Concerns
24 September 2002 UCLA Researchers Developing Program to Prevent DDoS Attacks
24 September 2002 Survey Says CEOs Don't Put Security First
24 September 2002 NIPC Warns of Possible Hacktivism During World Bank/IMF Meetings
23 September 2002 FERC Wants to Restrict Access to Some Data

FREE WEB BROADCAST

October 2, 1:00 PM EDT (1700 UTC)

SECURITY TRAINING NEWS

*SANS Network Security 2002 in October


******************* This Issue Sponsored by Nokia ********************
Considering deploying an IDS system?
Nokia and ISS make it simple. Introducing the Nokia IP380 - a sleek
1-RU intrusion detection appliance that tightly integrates Internet
Security Systems' RealSecure (R) Network Sensor and SiteProtector
Management. This cost effective and easy to deploy solution provides
anomaly and signature-based analysis, stateful packet inspection and
protocol analysis for complete network intrusion protection.
Learn about special bundles available through Westcon and GE Access
Visit http://www.nokia.com/internet/na
**********************************************************************

TOP OF THE NEWS

30 September 2002 Top 20 Vulnerabilities List Out This Week With Testing Tools

The US General Services Administration (GSA), the FBI's NIPC, and the SANS Institute announced a new list of the top 20 Internet security vulnerabilities on Wednesday, October 2nd. At the same time, five network vulnerability assessment companies announced tools that test for these vulnerabilities. A companion free email service will identify the most critical new vulnerabilities each week and tell what to do about them. The Top Twenty and Tool Announcements:
-http://www.sans.org/top20
Critical Vulnerability Analysis Service:
-http://www.sans.org/top20/CVA.pdf
-http://www.washingtonpost.com/wp-dyn/articles/A28403-2002Oct1.html
-http://www.computerworld.com/securitytopics/security/story/0,10801,74750,00.html
-http://news.com.com/2100-1001-960215.html
[Editor's Note (Paller): These announcements are particularly important because they are accompanied by a case study of a federal agency that has actually turned the tide - radically reducing the number of compromises despite substantial growth in attacks. The resources being announced allow all organizations to follow in that agency's footsteps. The case study is the second half of the report posted at
-http://www.sans.org/top20/GISRA_NASA.pdf ]

[Note from SANS: This week's Top Twenty announcements are wonderful, but cover only Windows and UNIX. The definitive, 86-page step-by-step guide to securing Cisco routers was also released this week and may be ordered from
-http://store.sans.org
under "Consensus Guides" on paper or as a PDF file. ]

30 September 2002 DISA Database Exposed Confidential Information

The US Defense Information Systems Agency's (DISA) Requirements Identification and Tracking System (RITS) website was apparently running an unsecured Lotus Domino database; visitors to the site could view requisition documents that contained names, addresses, phone numbers and, in some instances, social security numbers belonging to contractors and military personnel. The site has reportedly been locked down.
-http://online.securityfocus.com/news/911
[Editor's Note (Ranum): This illustrates the problem of government systems being hacked. Data like names, addresses, social security numbers - logistical information - is often "sensitive but unclassified." That's often the kind of data that is exposed when the government sites get hacked. (Paller): Lotus Notes, Oracle and other applications are the next frontier for establishing safe configuration benchmarks. Attackers know the flaws and applications often hold the organization's most valuable data. Applications need to be hardened with the same energy and care given to operating systems. ]

25 & 27 September 2002 Inter-University Research Project Aims to Build Resilient Internet System

Researchers at five US universities received a $12 million grant from the National Science Foundation (NSF) to develop a project called Infrastructure for Resilient Internet Systems, or IRIS. The project aims to develop a system that resembles peer-to-peer networking for storing and serving information on the Internet. The researchers at MIT, UC Berkeley, Rice University, NYU and the International Computer Science Institute hope to develop the system within the next five years.
-http://www.infoworld.com/articles/hn/xml/02/09/25/020925hnsecurenet.xml
-http://www.cnn.com/2002/TECH/internet/09/27/iris.internet/index.html

23 September 2002 Oregon's DHS Computer System Plagued by Vulnerabilities

The Oregon Department of Human Services' (DHS) computer system is allegedly rife with security problems that let employees pay themselves public benefits. The DHS has reportedly known about problems for years, but they have not been alleviated. The DHS director says he doesn't have the money needed to address the problems, and won't take money away from needy people to fix computer vulnerabilities. The computers store information on Oregonians receiving aid from the DHS; the information could be used to steal identities. The one employee who understood the system's security reportedly left the department three years ago and cannot be located.
-http://www.oregonlive.com/news/oregonian/index.ssf?/xml/story.ssf/html_standard.xsl?/base/front_page/1032782122290112.xml

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) DITCH DETECTION. THINK PREVENTION. Neutralize
unknown threats outside the firewall. FREE paper.
http://www.sans.org/cgi-bin/sanspromo/NB81
(2) ALERT: Top 10 SPAM CONTROL techniques for the enterprise ***
FREE White Paper http://www.sans.org/cgi-bin/sanspromo/NB82
(3) A Norwich University Master's Degree in Information Security in
less than 21 months. http://www.sans.org/cgi-bin/sanspromo/NB83
***********************************************************************


THE REST OF THE WEEK'S NEWS

30 September 2002 Secret Service Agents are Wardriving

Secret Service agents have taken to wardriving to find vulnerable wireless networks in Washington. Their primary concern is ensuring the security of the President and other dignitaries. Agents will share information about security problems that they discover with the affected businesses.
-http://www.cnn.com/2002/TECH/industry/09/30/bc.wirelesssecurity.ap/index.html

30 September 2002 Bugbear Worm

The Bugbear worm arrives as an attachment to an e-mail with a randomly selected subject line. If the attachment is opened, Bugbear, which is also known as Tanatos, disables antivirus software and installs a Trojan horse, called PWS-Hooker, that logs all keystrokes and saves the captured data in encrypted form on the infected computer; attackers can come back later to retrieve it. On Internet Explorer 5.01 and 5.5 systems that have not been patched for the Incorrect MIME Header flaw (MS01-020), the attachment runs automatically when the message is viewed, so no click is needed.
-http://www.msnbc.com/news/815117.asp?0dm=C218T
-http://zdnet.com.com/2100-1105-960139.html
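Bugbear gets onto unpatched IE systems because the executable attachment is labelled with a media type that IE 5.01/5.5 opens without prompting. The following is an added example, not code from the original item or from any vendor, showing how a mail gateway check can spot that mismatch before the message reaches a mailbox. The two messages in the block are constructed for illustration, and the list of auto-run media types is an assumption drawn from MS01-020 (audio/x-wav is the one used in Bugbear-era mail); extend it from your own samples.

```python
"""Flag mail attachments that use the MS01-020 'incorrect MIME header'
trick Bugbear relies on: an executable part labelled with a media type
that unpatched IE 5.01/5.5 opens without prompting. Added example using
only the standard library; the sample messages below are constructed."""
import email
import os
from email import policy

# Extensions Windows will execute when the part is "opened".
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Media types unpatched IE treated as safe and auto-ran (assumption: this
# list covers the types seen in the wild; extend it from your own samples).
AUTO_RUN_TYPES = {"audio/x-wav", "audio/x-midi"}


def scan_message(raw):
    """Return one finding per executable attachment in a raw RFC 2822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        # get_filename() checks Content-Disposition first, then the
        # Content-Type name= parameter that Bugbear-style mail uses.
        filename = (part.get_filename() or "").strip()
        ext = os.path.splitext(filename.lower())[1]
        if ext not in EXECUTABLE_EXTS:
            continue
        ctype = part.get_content_type()
        # An executable dressed up as a .wav is the MS01-020 signature;
        # any other executable attachment is still worth quarantining.
        reason = "mislabelled-executable" if ctype in AUTO_RUN_TYPES else "executable-attachment"
        findings.append({"part": index, "filename": filename,
                         "content_type": ctype, "reason": reason})
    return findings


# Constructed sample: a Bugbear-style message, not a real capture.
SAMPLE_BUGBEAR_STYLE = """\
From: someone@example.com
To: victim@example.com
Subject: Re: your documents
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

see attached
--BOUNDARY
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--BOUNDARY--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: someone@example.com
To: victim@example.com
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

report attached
--BOUNDARY
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJcfsj6IK
--BOUNDARY--
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_BUGBEAR_STYLE):
        print(finding)
```

The check keys on the attachment's file extension rather than on the declared media type, because the declared type is exactly what the attacker controls; the type only decides whether the finding is the MS01-020 auto-run pattern or an ordinary executable attachment. Patching IE remains the real fix, since a worm can also arrive through a path the gateway never sees.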

30 September 2002 Proprietary Info is at Greater Risk from Insiders than from Hackers

A study from PricewaterhouseCoopers, the U.S. Chamber of Commerce and the American Society for Industrial Security (ASIS) International found that intellectual property and proprietary information theft was committed more often by insiders, including current and former employees, competitors and on-site trainees, than by outside hackers.
-http://www.infoworld.com/articles/hn/xml/02/09/30/020930hninsiders.xml
[Editor's Note (Northcutt): If you leave your money lying around, sooner or later someone will pick it up. The same is true for trade secrets. Three simple questions will help you assess your organization's risk to theft of proprietary information. (1) Does your organization label proprietary information? I am not talking about the silly boilerplate you see on email. Do they label the documents and include who should be able to access the information? (2) Are senior managers, and others in a position of trust, reminded on a regular basis that they have access to critical information they are expected to protect? (3) As an employee, are you aware of and capable of following simple processes to encrypt sensitive information in transit and apply appropriate protections when stored? (Schultz): Hmmm, it looks as if a lot of money was spent to prove the obvious. Does anyone doubt that insider misbehavior poses a greater threat to proprietary information? ]

27 September 2002 Coalition Will Publish Disclosure Guidelines

The Organization for Internet Safety (OIS), a coalition of software developers and security firms, plans to publish draft guidelines for vulnerability disclosure. Among the rules proposed: software companies would respond to researchers within a week of receiving information about a vulnerability in one of their products; researchers would give the companies at least 30 days to develop a fix before publishing exploits. OIS members would be bound by the honor system; the group does not plan to enforce the guidelines.
-http://zdnet.com.com/2100-1104-959860.html
-http://www.theregister.co.uk/content/55/27312.html
-http://www.oisafety.org/about.html

27 September 2002 Military Action Could Prompt Cyberattacks

If the past is a good indicator, a decision from the Bush administration to take action in Iraq is likely to invite a maelstrom of hacking activity on US computer networks and infrastructure.
-http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,74688,00.html

27 September 2002 Security Firm Warns of Microsoft VPN Vulnerability

A German security company has posted an advisory warning of a buffer overflow vulnerability in the Point-to-Point Tunneling Protocol (PPTP) implementation in Microsoft Windows 2000 and XP. The Microsoft Security Response Center is investigating the claim.
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,74697,00.html
-http://zdnet.com.com/2100-1105-959849.html

26 September 2002 Security Firm Says Number of Cyberattacks is Higher than Ever

According to statistics from the security consultancy Mi2g, the incidence of cyberattacks is higher than it has ever been. Most attacks are launched against US computers, a trend that Mi2g attributes to increasing anti-American sentiment. The report also notes that Windows machines are targeted more often than any others. Mi2g has tracked computer attacks since 1995.
-http://www.cnn.com/2002/TECH/biztech/09/26/techweb.cyberattacks/index.html
-http://www.theregus.com/content/55/26448.html

26 September 2002 Integrating Security Products

Three major security software and device makers, Cisco Systems, Nortel Networks and Check Point Software, have announced initiatives to integrate management of their own products. Gartner's John Pescatore observed that there is movement within the network security industry toward offering security management software that can manage and monitor information from security tools from multiple vendors.
-http://news.com.com/2100-1001-959721.html

26 September 2002 Only You Can Prevent DDoS Attacks

The Federal Trade Commission (FTC) has launched Dewie the Turtle, the Internet's version of Smokey the Bear. Because many home users don't pay much attention to cyber security, crackers can use their vulnerable machines to launch distributed denial of service attacks; Dewie will offer simple and straightforward computer security advice for home users. The goal of the campaign is to encourage a "Culture of Security." Dewie arrives in the aftermath of a failed attempt to require ISPs to provide security measures, including firewalls, to their customers.
-http://www.washingtonpost.com/wp-dyn/articles/A7643-2002Sep26.html
-http://www.gcn.com/vol1_no1/daily-updates/20121-1.html
Dewie's Site:
-http://www.ftc.gov/bcp/conline/edcams/infosecurity/index.html
[Editor's Note (Schultz): This should be interesting. Will home users be interested in advice from a turtle? Stay tuned! (Northcutt): I have serious reservations that Dewie will ever become a cultural icon, but if you can get past the dry writing style, their business page has a lot of well organized material that anyone responsible for an Internet presence in the U.S. ought to know:
-http://www.ftc.gov/bcp/conline/edcams/infosecurity/businfo.html]

26 September 2002 Congress Holds Hearings on Berman Bill

During congressional hearings on a bill aimed at thwarting peer-to-peer trading of music and movies, supporters of the proposed legislation said concerns about misguided attacks were blowing things out of proportion. The bill would allow copyright holders to use a variety of methods to prevent their property from being pirated on the Internet. Critics of the bill say its wording is vague and could conceivably grant immunity to people who intrude into others' computers and delete files, even if they do so mistakenly. Representative Berman (D-California) disputes that assertion, but conceded that the bill might need to be reworded for clarification.
-http://news.com.com/2100-1023-959774.html
-http://story.news.yahoo.com/news?tmpl=story&u=/usatoday/20020926/tc_usatoday/4483264
-http://www.siliconvalley.com/mld/siliconvalley/4159160.htm
[Editor's Note (Schultz): You would think that by now Rep. Berman would realize that he is going nowhere with this bill. Its passage would be bad news for the infosec community. Fortunately, there appears to be little support for it in Congress. ]

25 & 26 September 2002 FrontPage Vulnerabilities

A security flaw in the SmartHTML interpreter for Microsoft's FrontPage Server Extensions (FPSE) can be triggered by a specially crafted request to the interpreter; what happens next depends on the FPSE version. On FPSE 2000 the request causes a denial of service (DoS). On FPSE 2002 and SharePoint Team Services 2002, Microsoft says, the same type of request can cause a buffer overrun, potentially allowing an attacker to run code of his choice. Earlier versions may be vulnerable as well, but they are no longer supported. Users should install the patch for the problem or run the IIS Lockdown Tool.
-http://news.com.com/2100-1001-959577.html
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,74605,00.html
-http://www.microsoft.com/technet/security/bulletin/MS02-053.asp
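Whether or not the patch is on, an administrator will want to know who has been talking to the SmartHTML interpreter. The following is an added example, not code from the original item or from Microsoft, that reads an IIS W3C extended log and reports every request reaching the interpreter under /_vti_bin/ (shtml.dll, or shtml.exe on some installs, per MS02-053). The log lines are constructed, the field list comes from the sample's own #Fields directive, and the length threshold used to separate probable overflow attempts from ordinary FrontPage client traffic is an assumption rather than a published signature.

```python
"""Scan an IIS W3C extended log for requests to the FrontPage Server
Extensions SmartHTML interpreter (shtml.dll / shtml.exe under /_vti_bin/),
the component patched by MS02-053. Added example; the log lines are
constructed and the length threshold is an assumption, not a published
signature."""

# Assumption: a legitimate FrontPage RPC request to shtml.dll carries a
# short URI; anything with this much data in the path or query is treated
# as a probable overflow attempt rather than client traffic.
SUSPICIOUS_URI_LENGTH = 512
SMARTHTML_MARKERS = ("/_vti_bin/shtml.dll", "/_vti_bin/shtml.exe")


def parse_w3c_log(lines):
    """Yield one dict per log entry, using the #Fields directive for keys."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_smarthtml_requests(lines):
    """Return findings for every request that reaches the SmartHTML interpreter."""
    findings = []
    for entry in parse_w3c_log(lines):
        stem = entry.get("cs-uri-stem", "")
        query = entry.get("cs-uri-query", "-")
        if not any(marker in stem.lower() for marker in SMARTHTML_MARKERS):
            continue
        # IIS writes "-" for an empty query string.
        uri_length = len(stem) + (0 if query == "-" else len(query))
        severity = "overflow-attempt" if uri_length >= SUSPICIOUS_URI_LENGTH else "fpse-request"
        findings.append({"time": f"{entry.get('date', '?')} {entry.get('time', '?')}",
                         "client": entry.get("c-ip", "?"),
                         "method": entry.get("cs-method", "?"),
                         "status": entry.get("sc-status", "?"),
                         "uri_length": uri_length,
                         "severity": severity})
    return findings


# Constructed sample log (IIS 5.0 W3C format, fields trimmed for brevity).
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Date: 2002-09-26 00:00:01",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-09-26 00:00:01 10.0.0.5 GET /default.htm - 200",
    "2002-09-26 00:00:07 10.0.0.9 POST /_vti_bin/shtml.dll/_vti_rpc - 200",
    "2002-09-26 00:00:09 192.0.2.44 GET /_vti_bin/shtml.exe/" + "A" * 600 + ".htm - 500",
    "2002-09-26 00:00:12 10.0.0.5 GET /images/logo.gif - 304",
]

if __name__ == "__main__":
    for finding in find_smarthtml_requests(SAMPLE_LOG):
        print(finding)
```

The low-severity findings are as useful as the high ones: a server that never hosts FrontPage-authored content and still shows shtml.dll traffic has the extensions installed for no reason, which is the case the IIS Lockdown Tool exists for. Note that a request which crashes the service may never be written to the log, so an abrupt end to entries from one client is itself worth a look.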

25 September 2002 China Denies Responsibility for Dalai Lama Site Attacks

Jigme Tsering, manager of the Tibetan Computer Resource Centre in Dharmsala, India says the Chinese government has been attempting to hack the Dalai Lama's computer network. According to Tsering, a virus sent to the network is designed to grab data and send it back to China; the virus arrives in an e-mail with a spoofed return address, designed to appear as though it is coming from Tsering's office. The virus has also targeted other organizations that have lobbied on Tibet's behalf. A spokeswoman for the Chinese government says China opposes hacking.
-http://star-techcentral.com/tech/story.asp?file=/2002/9/25/technology/25dalai&sec=technology
-http://www.theregister.co.uk/content/55/27291.html
-http://www.wired.com/news/politics/0,1283,55382,00.html

25 September 2002 Slapper Variants on the Loose

Two variants of the Slapper worm are circulating on the Internet. Known as Slapper.B or "Cinik" and Slapper.C or "Unlock," the two exploit the same OpenSSL vulnerability in Apache servers that the original worm exploited and, like it, link the infected servers into a peer-to-peer network. Reports that a Ukrainian suspect had been arrested in connection with the worm have proven false. This worm is morphing daily; track the changes under "ISC Analysis" at www.incidents.org
-http://www.idg.com.hk/cw/readstory.asp?aid=20020925003
-http://zdnet.com.com/2100-1105-959385.html
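The variants change their payload and port numbers, but the way in is the same OpenSSL flaw, so the first question for any Apache administrator is still whether the library behind mod_ssl has the fix. The following is an added example, not code from the original item or from the OpenSSL project, that parses an Apache Server banner and decides whether the advertised OpenSSL version predates the fix. The fixed versions (0.9.6e and 0.9.7-beta3) and the CVE-2002-0656 identifier are from the OpenSSL advisory of 30 July 2002; the banners in the block are constructed.

```python
"""Decide from a server banner whether the OpenSSL build behind mod_ssl
still carries the SSLv2 handshake overflow (CVE-2002-0656) that Slapper
and its Cinik/Unlock variants exploit. Added example; the fixed versions
(0.9.6e, 0.9.7-beta3) are from the OpenSSL advisory of 30 July 2002 and
the banners below are constructed."""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?$")
BANNER_RE = re.compile(r"OpenSSL/(\S+)")


def parse_version(text):
    """Split '0.9.6d' or '0.9.7-beta2' into (major, minor, patch, letter_rank, beta)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, patch, letter, beta = m.groups()
    # Letter releases sort a < b < c ...; no letter is rank 0.
    letter_rank = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), letter_rank,
            int(beta) if beta else None)


def is_vulnerable(version):
    """True if this OpenSSL version predates the CVE-2002-0656 fix."""
    major, minor, patch, letter_rank, beta = parse_version(version)
    base = (major, minor, patch)
    if base < (0, 9, 6):
        return True                            # 0.9.5a and older never got the fix
    if base == (0, 9, 6):
        return letter_rank < 5                 # fixed in 0.9.6e ('e' is rank 5)
    if base == (0, 9, 7):
        return beta is not None and beta < 3   # fixed in 0.9.7-beta3
    return False                               # 0.9.7 final and later


def check_banner(server_header):
    """Assess an Apache 'Server:' header such as
    'Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d'."""
    m = BANNER_RE.search(server_header)
    if not m:
        # ServerTokens Prod or no mod_ssl: the banner proves nothing either way.
        return {"openssl": None, "vulnerable": None}
    version = m.group(1)
    try:
        return {"openssl": version, "vulnerable": is_vulnerable(version)}
    except ValueError:
        return {"openssl": version, "vulnerable": None}


if __name__ == "__main__":
    # Constructed banners, not observations from real hosts.
    for banner in ("Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d",
                   "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g",
                   "Apache/2.0.40 (Unix) mod_ssl/2.0.40 OpenSSL/0.9.7-beta2",
                   "Apache/1.3.26 (Unix)"):
        print(banner, "->", check_banner(banner))
```

Treat the banner as a hint, not a verdict: some distributions backport the fix without changing the version string, and a hardened server may not advertise OpenSSL at all, so confirm with the package changelog or by testing the host. The overflow lives in the SSLv2 handshake, so turning SSLv2 off in mod_ssl (SSLProtocol all -SSLv2) closes the path the worm uses even before the library is upgraded.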

24 & 25 September 2002 Falun Gong Activists Hijack TV Again

Falun Gong activists have once again hijacked television broadcasts in China to air footage that supports the movement. Chinese officials maintain the attack emanated from Taiwan and are demanding that Taiwan find those responsible. A Taiwanese official says the allegations are "a bit farfetched."
-http://www.wired.com/news/politics/0,1283,55350,00.html
-http://www.cnn.com/2002/WORLD/asiapcf/east/09/25/taiwan.falungong

30 September 2002 Suspected Falun Gong TV Hacker Arrested for April Event

The South China Morning Post reported on September 28th that a man was arrested in Shandong for hacking into a cable television channel and broadcasting footage supportive of Falun Gong on April 20, 2002.
-http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=9147

24 September 2002 State Dept. Employees to Get Smart Cards

State Department employees will soon be receiving smart cards with 32K memory chips that will be used to access buildings and secure areas. The cards presently contain no biometric data, but they may in the future. To gain access to a site, a card holder will swipe the smart card and key in a personal identification number (PIN); the card will be swiped again upon leaving the site.
-http://www.fcw.com/fcw/articles/2002/0923/web-smart-09-24-02.asp

24 September 2002 Arrest of T0rn Rootkit Author Raises Concerns

The arrest of the suspected T0rn rootkit author marks the first time someone has been arrested under the UK's Computer Misuse Act for writing code that has the potential to be used maliciously. Though tools like the T0rn rootkit can be used for malicious purposes, they also have beneficial uses, such as penetration testing. Though the kit cannot spread by itself, a Scotland Yard spokesman said the offense is the writing and distribution of the tool.
-http://online.securityfocus.com/news/813

24 September 2002 UCLA Researchers Developing Program to Prevent DDoS Attacks

Scientists at UCLA's Henry Samueli School of Engineering and Applied Science are developing a program that they say will protect entire networks from being used as hosts in distributed denial of service (DDoS) attacks. The program, DDoS netWork Attack Recognition and Defense or D-WARD, will detect and halt attacks being launched from computers before they have traveled far enough to become disruptive.
-http://sanjose.bizjournals.com/sanjose/stories/2002/09/23/daily23.html
[Editor's Note (Ranum): This basically says they're building an IDS, and it will have all the same issues as other IDS. ]

24 September 2002 Survey Says CEOs Don't Put Security First

A survey of 250 Canadian companies found that many CEOs do not consider computer security to be a significant business priority; they maintain it should be a priority for IT departments, but many of those departments are not receiving enough funding to adequately secure company systems. In addition, 80% of the CEOs said their companies had not been hacked in the last year, but 40% said their companies did not have intrusion detection systems.
-http://rtnews.globetechnology.com/servlet/ArticleNews/tech/RTGAM/20020924/gtceos/Technology/techBN
[Editor's Note (Murray): I would certainly hope that all CEOs put security second to an equitable return to investors, jobs for their employees, service to their customers, and paying their taxes. Only security purists, not to say bigots, expect otherwise. That is why security is a hard problem and we get paid the big bucks. ]

24 September 2002 NIPC Warns of Possible Hacktivism During World Bank/IMF Meetings

The National Infrastructure Protection Center (NIPC) warned that protesters may be planning to launch cyber attacks as a way of demonstrating against the scheduled meeting of the World Bank and the International Monetary Fund in Washington DC. NIPC urged administrators to monitor their systems for signs of attacks.
-http://news.com.com/2100-1023-959118.html
-http://www.washingtonpost.com/wp-dyn/articles/A60954-2002Sep24.html
-http://www.nipc.gov/warnings/assessments/2002/02-002.htm

23 September 2002 FERC Wants to Restrict Access to Some Data

The Federal Energy Regulatory Commission (FERC) plans to restrict access to certain information on its computer systems, and those who are permitted to view the information may be required to sign non-disclosure agreements. Some public interest groups are concerned that the information being withheld in the interest of homeland security is information citizens need for their own safety. Even if data is removed from web sites, it may still be accessible through search engine caches. Comments on the proposal will be accepted until October 13.
-http://www.fcw.com/fcw/articles/2002/0923/pol-energy-09-23-02.asp
[Editor's Note (Murray): No one with a legitimate need-to-know has anything to fear. This is simply another case of the press viewing with alarm. This is merely good security. It is a far cry from the earlier knee-jerk reaction of the administration that wanted to simply disconnect everything from the internet. ]

FREE WEB BROADCAST

Dustin Childs covers the basics of event logs in Windows NT and 2000, the managing of logs, and when you can and cannot completely trust those logs. Listen live and ask questions, or, once you have an access code, sign on later to listen to the web cast at your leisure. Register in advance to get the handouts:
-http://sans.digisle.tv/audiocast_100202/brief.htm

SECURITY TRAINING NEWS

*SANS Network Security 2002 in October

Largest security conference & expo:
-http://www.sans.org/NS2002
*SANS Cyber Defense Initiative in San Francisco - Dec. 15-20 Featuring 8 hands-on SANS immersion training tracks. San Francisco is often warmer in December than it is in August.
*Advanced security training in fifty additional cities, plus Local Mentor programs in 35 cities. See:
-http://www.sans.org


===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz, and Gal Shpantzer
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites