SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IV - Issue #45

November 06, 2002

SANS has added new classes for the end of 2002 offering penetration
testing, three new Flight School opportunities, and a rich assortment
of our classic certification tracks. Details at http://www.sans.org

Alan

---

TOP OF THE NEWS

31 October & 1 November 2002 Clarke: Government Should Fund Internet Protocol R&D
31 October 2002 Three More Microsoft Security Bulletins
31 October 2002 WPA is New Wireless Standard
30 October 2002 T0rnkit Author Case Will Set Precedent
29 October & 1 November 2002 Open Source Software Instrumental to DOD Security

THE REST OF THE WEEK'S NEWS

4 & 5 November 2002 W32/Braid
4 November 2002 Microsoft Judgment Found Prior to Official Release
4 November 2002 Fraudulent Job Posting Used for Identity Theft
4 October 2002 More Root Servers Planned
4 November 2002 East Palo Alto Phone Phreaking
3 & 4 November 2002 SBC Communications to Establish Laboratory
1 November 2002 Manitoba Government Web Site Intrusion
1 November 2002 IG Report Says State Dep. Security Still Weak
1 November 2002 Linksys Router Vulnerable to DoS
1 November 2002 W32.HLLW.Merkur
31 October, 1 & 4 November 2002 Mueller Promises Secrecy To Encourage Private Sector Sharing
31 October 2002 e-Commerce Site Doesn't Encrypt Credit Card Data
31 October 2002 Wireless Keyboard Writes on Neighbor's Computer
31 October & 3 November 2002 Horse Racing's Computerized Wagering Systems to be Examined
30 October 2002 NIST and NSA Release Five Protection Profiles
29 & 30 October 2002 Windows 2000 Receives Common Criteria Certification
29 & 30 October 2002 CIA Warns of Cyberthreats from Extremist Groups
29 October 2002 Don't Put Security in the Hands of Home Users
29 October 2002 Security Flaws in Half of Crypto Modules Submitted for FIPS Validation
29 October 2002 Chinese Government Thwarted May 2002 Cyberattacks
29 October 2002 DoD's Defense Procurement Payment System has Security Flaws
29 October 2002 IP Smart Spoofing
28 October 2002 Global Cyber Security Center Possible
28 October 2002 Cyber Attacks Up at Air Force Base
23 October 2002 Reverse Engineering Malware

SECURITY TRAINING NEWS

*SANS Cyber Defense Initiative conference in San Francisco - Dec. 15-20

---

*************** This Issue Sponsored by Websense **********************
Did the Nimda worm cost you $2.6 billion in clean-up?
Use Websense Premium Group III to protect your network. Stop malicious
code at its source, block potentially harmful security-risk sites
and add protection against malicious code at the Internet gateway.
Try a free, 30-day trial of Websense Enterprise and start spending
those clean-up dollars somewhere else.
http://www.websense.com/?id=NL10109
***********************************************************************

---

TOP OF THE NEWS

31 October & 1 November 2002 Clarke: Government Should Fund Internet Protocol R&D

Presidential cybersecurity advisor Richard Clarke says the government should fund the research and development in Internet protocols because commercial interests do not have sufficient incentive to do the job effectively. Protocols like BGP and the Domain Name System (DNS) present opportunities for attacks or instabilities in the integrity of the Internet. Clarke does not want the government to regulate these protocols.
-http://www.gcn.com/vol1_no1/daily-updates/20382-1.html
-http://www.nwfusion.com/edge/news/2002/1101clarke.html
[Editors' Note (Northcutt and Paller): Let's take a moment as a community to reflect on the enormous success of the Internet Engineering Task Force, and the contributions it has made to our society. The IETF's 55th meeting is in a couple of weeks in Atlanta,
-http://www.ietf.org/meetings/agenda_55.html.
A quick scan of the agenda will demonstrate IETF's interest in security issues. A small amount of government money given to the IETF could be helpful in accelerating the group's security initiatives. ]

31 October 2002 Three More Microsoft Security Bulletins

Microsoft has warned of a "critical" buffer overflow flaw in its Point-to-Point Tunneling Protocol (PPTP), a VPN protocol supported by Windows 2000 and XP; the vulnerability could result in a denial-of-service. Server and client systems are both at risk if PPTP has been enabled. A patch is available for the flaw. A second Microsoft security bulletin warned that default permission settings in the Windows 2000 "everyone" group could allow a Trojan horse attack; Microsoft recommends that administrators change the permissions on the root directory. Microsoft also released a patch for its Internet Information Server (IIS) Web server that addresses four new fixes and a handful of old ones.
-http://www.computerworld.com/securitytopics/security/story/0,10801,75519,00.html
-http://news.com.com/2100-1001-964106.html
-http://www.eweek.com/article2/0,3959,661933,00.asp
-http://www.theregister.co.uk/content/55/27874.html
PPTP Bulletin:
-http://www.microsoft.com/technet/security/bulletin/MS02-063.asp
Windows 2000 Permissions Flaw Bulletin:
-http://www.microsoft.com/technet/security/bulletin/MS02-064.asp
IIS Patch info:
-http://www.microsoft.com/technet/security/bulletin/MS02-062.asp

31 October 2002 WPA is New Wireless Standard

The Wireless Fidelity Alliance has released a new standard called Wi-Fi Protected Access (WPA). The standard will replace the easily broken security presently used by many wireless networks. WPA employs dynamic key encryption in the form of the Temporal Key Integrity Protocol (TKIP); WPA also provides improved network user authentication.
-http://www.usatoday.com/tech/news/computersecurity/2002-10-31-wireless-security_
x.htm
-http://www.pcworld.com/news/article/0,aid,106530,00.asp
-http://www.computerworld.com/securitytopics/security/story/0,10801,75533,00.html
-http://news.com.com/2100-1033-964046.html
[Editor's Note (Shpantzer) Who will go to the trouble of implementing this temporary 'solution' only to replace it when 802.11i comes out? Ted Ipsen, from the Information Risk Management practice at KPMG LLP, says users should skip the WPA purchase altogether. Cisco put TKIP and its own proprietary implementation of EAP (Cisco LEAP) into their hardware about a year ago, and it's still only a stopgap measure. Layer 2 security should still be considered to be broken, even after WEP2 comes out next year. Ted always ask clients: "Do you rely on your CAT5 cable and your Ethernet switches to provide you with confidentiality, integrity and availability?" Use Layers 3 through 7 and architecture to defend your resources. (Ranum): How long will TKIP last? This is basically a layer of re-keying atop a broken cryptosystem. You can't build a castle on foundations of used chewing gum! ]

30 October 2002 T0rnkit Author Case Will Set Precedent

The case in which a UK man is being prosecuted under the 1990 Computer Misuse Act for creating T0rnkit will set a precedent for how authors of such software are to be dealt with. While T0rnkit itself is not a virus and the author has not been charged with computer intrusions, the kit has been used to create the Lion worm. The author is being tried for writing and distributing the kit.
-http://www.viruslist.com/eng/index.html?tnews=1007&id=57660

29 October & 1 November 2002 Open Source Software Instrumental to DOD Security

A study commissioned by the U.S. Defense Department (DOD) concludes that banning the use of open source software would have a devastating effect on the DOD's cybersecurity capabilities. The study, "Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense," conducted by Mitre Corp., recommends creating a list of safe open source software, developing policies to encourage broader use of open source software and encouraging its use to promote diversity and reduce costs and risks of depending on a single product.
-http://www.theregister.co.uk/content/4/27822.html
-http://www.fcw.com/fcw/articles/2002/1028/web-open-11-01-02.asp

---

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Uncover hacks, attacks and system vulnerabilities
utilizing eV3TM technology, CONTINUOUS perimeter monitoring!
http://www.sans.org/cgi-bin/sanspromo/NB96
(2) DITCH DETECTION. THINK PREVENTION. Neutralize unknown threats
outside the firewall. FREE paper.
http://www.sans.org/cgi-bin/sanspromo/NB97
(3) Earn a Norwich University Master's Degree in Information Security
in 24 months. http://www.sans.org/cgi-bin/sanspromo/NB98
***********************************************************************

---

THE REST OF THE WEEK'S NEWS

4 & 5 November 2002 W32/Braid

W32/Braid is a visual basic worm that exploits an incorrect MIME header vulnerability in Internet Explorer to propagate. The worm e-mails every address in the Outlook Express address book and addresses found in .htm and .dbx files; it also overwrites the MSconfig.exe file. It can also slow computer response time or cause a computer to crash.
-http://news.com.com/2100-1001-964476.html
-http://www.smh.com.au/articles/2002/11/05/1036308298493.html

4 November 2002 Microsoft Judgment Found Prior to Official Release

The judgment in the Microsoft anti-trust case was apparently put on the court web site nearly two hours before its scheduled official release. While there was no publicly released link to the documents, they were not password protected, and their URL was easily guessed.
-http://zdnet.com.com/2100-1104-964415.html
[Editor's Note (Schultz): The way the release of the information about this case was handled paralleled the way the Bush Administration handled the case itself. Clearly, the events associated with this case will go down as black marks in U.S. history. ]

4 November 2002 Fraudulent Job Posting Used for Identity Theft

Fraudulent job postings on Monster.com have been used to harvest information that could be used to steal applicants' identities. Monster.com's FAQ section advises applicants not to provide social security credit card or bank account numbers to prospective employers.
-http://www.msnbc.com/news/830411.asp?0dm=B21AT

4 October 2002 More Root Servers Planned

As a precaution against additional attacks on the Internet's root name servers, more servers will be added to each of the 13 root server locations.
-http://www.newsfactor.com/perl/story/19831.html

4 November 2002 East Palo Alto Phone Phreaking

Hackers apparently broke into East Palo Alto (CA) City Hall phone system and used it to make $30,000 worth of calls to the Philippines. AT&T and East Palo Alto are at odds over who is responsible for the bill.
-http://www.bayarea.com/mld/mercurynews/news/local/4439758.htm
[Editor's Note (Murray): It has been quite a while since we have seen one of these. Both carriers and users have done a good job. ]

3 & 4 November 2002 SBC Communications to Establish Laboratory

SBC Communications, Inc., one of the largest Internet service providers in the U.S., plans to create the Internet Assurance and Security Center (IASC), a laboratory for developing technologies to fight malware and cyberattacks. Some see SBC's move as evidence that industry is taking security seriously and doesn't require government regulations.
-http://www.washingtonpost.com/wp-dyn/articles/A62201-2002Nov3.html
-http://news.com.com/2100-1033-964425.html
[Editor's Note (Murray): Security represents a big profit opportunity for ISPs. It had been a great product differentiator for AOL. The bar is going up. ]

1 November 2002 Manitoba Government Web Site Intrusion

A hacker broke into the Manitoba government web site, www.gov.mb.ca, and accessed personal information contained in the online applications for student loans.
-http://www.newwinnipeg.com/news/d02-11-01hacker.htm

1 November 2002 IG Report Says State Dep. Security Still Weak

A report from the State Department Inspector General (IG) found that the State Department's information system security is still weak, despite having been told about serious problems a year ago. While the department has a system certification and accreditation plan, it does not have a schedule for implementing the plan. Overseas posts were also found to be lacking security plans. The IG's office plans to make recommendations to address the security problems.
-http://www.gcn.com/vol1_no1/daily-updates/20398-1.html
[Editor's Note (Ranum): And we are surprised by this? Many people who have not worked with government security seem to think that the feds are ahead of the private sector in securing their systems. The truth is quite the inverse. ]

1 November 2002 Linksys Router Vulnerable to DoS

The Linksys BEFSR41 EtherFast Cable/DSL Router with 4-Port Switch with firmware earlier than version 1.42.7 is vulnerable to an easily launched denial of service (DoS) attack that could crash the router. Firmware 1.43 addresses the vulnerability.
-http://www.eweek.com/article2/0,3959,663801,00.asp

1 November 2002 W32.HLLW.Merkur

The Merkur worm, also known as W32.HLLW.Merkur, pretends to be an anti-virus update e-mail and is spreading through peer-to-peer (p2p) software. Users must click on an attachment called Taskman.exe in order to become infected. Once it has been released into a computer, Merkur sends itself out to everyone in the Outlook address book, deletes multimedia files in p2p sharing directories and copies itself into those directories, usually with an enticing name.
-http://www.zdnet.com.au/newstech/security/story/0,2000024985,20269585,00.htm

31 October, 1 & 4 November 2002 Mueller Promises Secrecy To Encourage Private Sector Sharing

FBI director Robert Mueller told industry and government officials that the private sector needs to be more cooperative about sharing cybercrime information. Private businesses are usually reluctant to share such information with law enforcement agents because they fear negative publicity. In an effort to encourage the private sector to share cyberattack information with the government, U.S. law enforcement officials have said that they will strive to keep secret the identities of the entities sharing the information. FBI director Robert Mueller said FBI agents arriving to investigate crime will dress discreetly rather than in jackets emblazoned with the agency's logo. They will also use sealed court filings and protective orders.
-http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,75
532,00.html
-http://207.27.3.29/dailyfed/1002/103102h1.htm
-http://www.fcw.com/fcw/articles/2002/1028/web-fbi-11-01-02.asp
-http://www.fcw.com/fcw/articles/2002/1104/news-fbi-11-04-02.asp
-http://www.wired.com/news/politics/0,1283,56139,00.html

31 October 2002 e-Commerce Site Doesn't Encrypt Credit Card Data

SETcom, a credit card gateway company, has suspended the account of a South African e-commerce site, cybergames.co.za, after learning that the site was not encrypting credit card information between customers' browsers and their server. The anonymous tipster had informed Cybergames of the security problem and had given the company a week to address it before bringing it to SETcom's attention.
-http://196.30.226.221/sections/internet/2002/0210311223.asp?A=SEC&S=Security
&T=Section&O=FPSH

31 October 2002 Wireless Keyboard Writes on Neighbor's Computer

A Norwegian man discovered that his neighbor's Hewlett Packard wireless keyboard was transmitting a signal to his neighbor's computer, causing what he was typing to appear on his neighbor's monitor. The signal was traveling 150 meters though a wooden and a concrete wall. HP does not have an explanation for the incident.
-http://www.aftenposten.no/english/local/article.jhtml?articleID=427668
[Editor's Note (Grefer): This is a known vulnerability of wireless keyboards, since they are only using a limited number of channels for transmission. The distance of 150 meters, though, is more typical of a clear signal path, rather than one blocked by wood and concrete walls. ]

31 October & 3 November 2002 Horse Racing's Computerized Wagering Systems to be Examined

The New York State Racing and Wagering Board may use a computer expert to help them determine whether or not computer manipulation was involved in an unusual and lucrative series of winning tickets. The holder of the winning tickets and an employee of Autotote, the company that processed the bets, are known to have been fraternity brothers. The National Thoroughbred Racing Association is planning to examine the industry's computer wagering systems.
-http://www.washingtonpost.com/wp-dyn/articles/A43807-2002Oct30.html
-http://www.sfgate.com/cgi-bin/article.cgi?f=/chronicle/archive/2002/11/03/SP2427
40.DTL
(Please note: The New York Times web site requires free registration)
-http://www.nytimes.com/2002/11/03/sports/othersports/03RACI.html
-http://www.nytimes.com/2002/11/04/sports/othersports/04RACI.html

30 October 2002 NIST and NSA Release Five Protection Profiles

The National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) have established Protection Profiles for operating systems, firewalls, intrusion detection systems, tokens and public-key infrastructures. The profiles will become part of the Common Criteria certification process.
-http://www.gcn.com/vol1_no1/daily-updates/20373-1.html

29 & 30 October 2002 Windows 2000 Receives Common Criteria Certification

Microsoft's Windows 2000 has received Common Criteria certification, making the operating system easier to sell to the governments of 15 countries that recognize the certification. The certification does not guarantee freedom from bugs, but attests to the fact that the development and support of the product meet certain standards. The process took nearly three years and cost Microsoft millions of dollars. Microsoft says the certification is evidence of its commitment to Trustworthy Computing.
-http://news.com.com/2100-1001-963776.html
-http://www.nwfusion.com/auddev/pop/MicrosoftFOC211.html
-http://www.theregister.co.uk/content/55/27845.html
[Editor's Note (Ranum): People who don't understand Common Criteria are sure to be impressed by this. Just as Windows NT was evaluated as "C2," this is not a significant result. (Grefer) "Trustworthy Computing" was introduced by MS this year; how can they claim an evaluation they had performed for easing their government sales efforts to be evidence of their commitment to Trustworthy Computing? ]

29 & 30 October 2002 CIA Warns of Cyberthreats from Extremist Groups

In a report to the Senate Intelligence Committee, the CIA warned of terrorist cyberthreats. Several of the groups named have reportedly put developing cyber skills at the tops of their lists. The FBI is monitoring potential threats. The report also warned of the danger of making sensitive scientific data, like nuclear weapons information, available on the Internet.
-http://news.com.com/2100-1023-963771.html
-http://www.vnunet.com/News/1136404

29 October 2002 Don't Put Security in the Hands of Home Users

The author of this commentary contends that relying on individuals to help secure cyberspace, as is suggested in the National Strategy to Secure Cyberspace, is not a workable plan because home users are unreliable, often failing to understand the basics of computers and the dangers lurking in unsafe Internet practices. The author suggests that Internet service providers (ISPs) bear a portion of the security burden by implementing measures like egress filtering, which is likely to result in higher costs to users.
-http://zdnet.com.com/2100-1107-963665.html
[Editor's note (Schultz): I'm glad to see this view expressed, and agree with its author 100 percent. Calling on home users to become more secure as part of a strategy to secure the critical infrastructure was and is ludicrous. (Paller) Though I see real value in educating home users about security risks, expecting them to take the principal responsibility for computer safety is not all that different from asking air travelers to buy parachutes and bring them along on airplanes. ]

29 October 2002 Security Flaws in Half of Crypto Modules Submitted for FIPS Validation

The director of the National Institute of Standards and Technology's (NIST's) Cryptographic Module Validation program said that 80 of the 164 modules submitted for Federal Information Processing Standard (FIPS) validation contained security flaws, as did 88 of the 332 validated algorithms. Federal agencies have to use FIPS compliant cryptography products for sensitive, unclassified data.
-http://www.gcn.com/vol1_no1/daily-updates/20344-1.html

29 October 2002 Chinese Government Thwarted May 2002 Cyberattacks

Air Force Maj. Gen. John Bradley, deputy commander of the Pentagon's Joint Task Force on Computer Network Operations, said that the Chinese government asked its citizens not to launch cyberattacks in May 2002. There was a barrage of attacks in April and May 2001, marking the anniversary of the bombing of the Chinese embassy in Belgrade. Bradley says that the Defense Department is its "own worst enemy" when it comes to computer security; 85% of cyberattacks on DOD computers could be prevented if administrators applied patched in a timely manner and used good security procedures.
-http://www.upi.com/view.cfm?StoryID=20021029-121924-5101r
[Editor's Note (Schultz): Bradley's findings are nothing new, but can't the military, with its well-defined chain of command and well-defined consequences for not following orders, fix its vulnerabilities much easier than industry, civilian government, and academia? ]

29 October 2002 DoD's Defense Procurement Payment System has Security Flaws

According to a report from the Pentagon's Inspector General, the Defense Department's Defense Procurement Payment System (DPPS) lacks adequate access controls and a failure contingency plan. The vulnerabilities could delay the system's deployment, which is set for September 2003. The DPPS does not comply with the 2000 Government Information Security Reform Act. (GISRA). DPPS does not presently use adequate encryption or password protection, and it does not adequately test continuity plans.
-http://207.27.3.29/dailyfed/1002/102902a2.htm

29 October 2002 IP Smart Spoofing

This paper describes IP Smart Spoofing, an IP spoofing technique that uses ARP Cache Poisoning, network address translation and routing.
-http://www.althes.fr/ressources/avis/smartspoof-en.pdf

28 October 2002 Global Cyber Security Center Possible

Representatives from US and European business and government discussed the possibility of creating a global IT security center modeled on the international center that helped stave off problems for Y2K.
-http://207.27.3.29/dailyfed/1002/102802tdpm2.htm

28 October 2002 Cyber Attacks Up at Air Force Base

John Gilchrist, chief of information assurance at Hill Air Force Base in Utah, confirms that the number of cyberattacks on base computer networks has shown a steady increase since September 11, 2001. It is hard to tell who is behind the attacks. Gilchrist said the people in his department have warded off every attempted attack. There is no classified data on military systems connected to the Internet, but intruders could shut down systems.
-http://deseretnews.com/dn/view/0,1249,415016145,00.html

23 October 2002 Reverse Engineering Malware

This article describes the tools and procedures involved in reverse engineering Trojans, viruses and other "hostile code."
-http://online.securityfocus.com/infocus/1637

---

SECURITY TRAINING NEWS

*SANS Cyber Defense Initiative conference in San Francisco - Dec. 15-20

---

===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the
headers.) You will receive your personal URL via email.