SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IV - Issue #8

February 20, 2002

Note for users of Cisco routers concerned about security: A router
security audit tool will be announced today, the result of cooperative
efforts by experts at the US National Security Agency, UUNET, and
Cable & Wireless, and tested and validated by many of the 170 member
organizations of the Center for Internet Security. The Router Audit
Tool performs an impressively comprehensive check of Cisco router
security, gives an overall score, and points the user to the specific
corrections for problems found. The tool's authors will conduct a web
briefing today at 1:00 PM (1800 UTC). Both the tool and the briefing
are free. Register in advance at: http://www.sans.org/webcasts


Alan

---

TOP OF THE NEWS

15 February 2002 SNMP Vulnerability Is Widespread and Important
14 February 2002 OMB Releases Report Detailing Federal Security Problems
14 February 2002 Hacking at Japan's Space Agency
14 February 2002 Cyberattack Could Provoke Military Attack
11 & 13 February 2002 Info on Web Sites Could Pose Security Risk
11 & 12 February 2002 Microsoft Issues Cumulative Patch

THE REST OF THE WEEK'S NEWS

17 February 2002 Application Security "In Grim State"
15 February 2002 Hacker's Claims Compel Morningstar to Conduct Audit
14 & 15 February 2002 Messenger Worm
14 February 2002 Cloud Nine Hackers Probably Won't be Caught
14 February 2002 C++ .Net Compiler Buffer Overflow Problems
12 & 14 February 2002 Anonymous Surfing Technology has Holes
13 February 2002 ISP Protection Legislation Introduced
12 February 2002 WYX Virus Found on IBM Memory Keys
12 February 2002 Chair Named for ICANN Security Committee
12 February 2002 Sandia is Testing Wireless LANs
11 February 2002 Global Crossings Former Employee Exposes Data
11 February 2002 Hotmail Password Reset Vulnerability
11 February 2002 BlackIce Patches

---

***************** Sponsored by Websense, Inc. ***********************
Choosing Internet filtering software is never easy, is it?
Guess again. With Websense Enterprise, the leading solution, you get
installation and administration that's a breeze. Combine that with
integrations like Microsoft and Cisco.
You'll see why 15,000+ organizations use Websense. If only ALL our
decisions were this simple.
Try a free, fully-functional 30-day trial.
http://www.websense.com?id=10209
**********************************************************************

---

TOP OF THE NEWS

15 February 2002 SNMP Vulnerability Is Widespread and Important

A vulnerability in the Simple Network Management Protocol means the infrastructure of the Internet is at risk according to the CERT Coordination Center at Carnegie Mellon University. A free tool can help you find your systems that are running SNMP, so you know where patches must be installed.
-http://www.govexec.com/dailyfed/0202/021502j1.htm
Tool requests: email snmptool@sans.org

14 February 2002 OMB Releases Report Detailing Federal Security Problems

In a report providing detailed reviews of every major Federal agency, the US Office of Management and Budget has laid out a scathing review of the security status and efforts of Federal government agencies. The report is the first annual submission required under the Government Information Systems Reform Act (GISRA), and provides detailed information on each major agency.
-http://www.gcn.com/vol1_no1/security/17955-1.html
Download the complete report from:
-http://www.whitehouse.gov/omb/pubpress/2002-05.html
[Editor's (Paller) Note: GISRA was effective because it woke up senior federal managers to the role they must play in fostering effective security. That job is done; they are awake. Today, the law is being reconsidered. To avoid wasting $100 million or more, the new law should be refocused on supporting programs that actually improve security at the technical level, measure that improvement, and compare it across agencies. Perhaps such testing wasn't feasible a year ago; today it is. ]

14 February 2002 Hacking at Japan's Space Agency

An employee at one of two Japanese firms working on a satellite project with the National Space Development Agency of Japan (NASDA) hacked into a NASDA computer to access sensitive data belonging to the other company; he was discovered when he bragged about his transgression to a mailing list that included a NASDA employee. The employee will likely be transferred to another position within his company which is barred from submitting bid to NASDA for one month.
-http://dailynews.yahoo.com/h/nm/20020214/sc/japan_space_computer_dc_1.html
[Editor's (Schultz) Note: The punishment, both for the unethical employee and the employee's company, seems like a proverbial "slap on the wrist." What kind of message does this send to the cracker community? Unless computer crime is dealt with in a serious and responsible manner, we're never going to make progress in combating it. ]

14 February 2002 Cyberattack Could Provoke Military Attack

White House technology adviser Richard Clarke said that a cyberattack launched by foreign countries or terrorist groups could prompt a retaliatory military attack from the US. Clarke also indicated he believes that many critical infrastructure systems have already been broken into.
-http://www.usatoday.com/life/cyber/tech/2002/02/14/cyberterrorism.htm

11 & 13 February 2002 Info on Web Sites Could Pose Security Risk

Corporate websites contain floor plans and back-up facility locations, telecommunications sites include locations of routers and major network nodes, and DOE websites provide sensitive information about plutonium storage and nuclear reactor locations. Richard Clarke says there is evidence that al-Qaeda used the Internet to gather information about US facilities, and that other groups may be doing the same thing.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO68181,00.html
-http://www.computerworld.com/storyba/0,4125,NAV47_STO68182,00.html
-http://www.computerworld.com/storyba/0,4125,NAV47_STO68183,00.html
-http://www.computerworld.com/storyba/0,4125,NAV47_STO68281,00.html

11 & 12 February 2002 Microsoft Issues Cumulative Patch

Microsoft has issued bundled fixes for vulnerabilities in Internet Explorer versions 5.01, 5.5 and 6.0.
-http://news.com.com/2100-1001-834826.html
-http://www.computerworld.com/storyba/0,4125,NAV47_STO68224,00.html
patch:
-http://www.microsoft.com/technet/security/bulletin/MS02-005.asp

---

************************ SPONSORED LINKS *****************************
(1) Learn why Sony calls ManHunt 2.0 Internet security's 'crystal ball!'
http://www.sans.org/cgi-bin/sanspromo/NB4
(2) Add it up and upgrade... StoneGate firewall 50% upgrade promotion.
http://www.sans.org/cgi-bin/sanspromo/NB5
(3) Rainfinity, Inc. Download RainWall High Availability Software for
E-Business FREE 30 DAY TRIAL http://www.sans.org/cgi-bin/sanspromo/NB6
***********************************************************************

---

THE REST OF THE WEEK'S NEWS

17 February 2002 Application Security "In Grim State"

A security research company reports that most e-business applications have serious security flaws.
-http://www.vnunet.com/News/1129340

15 February 2002 Hacker's Claims Compel Morningstar to Conduct Audit

Morningstar Canada is paying for an outside security company to conduct an audit of its investment research website's security after a hacker claimed to have broken into the servers and stolen confidential data. Despite the fact that the site houses no such data, Morningstar felt the audit was necessary to maintain their credibility.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO68375,00.html

14 & 15 February 2002 Messenger Worm

A worm, knows as Menger, Cool Worm, or JS Exploit-Messenger, exploits an Internet Explorer vulnerability to spread through MSN Instant Messenger. A patch has been released for the IE hole (see story 11& 12 February). The worm does not appear to carry a malicious payload beyond spreading itself to other MSN messenger users in infected machines' address books.
-http://zdnet.com.com/2100-1105-837525.html
-http://www.msnbc.com/news/707267.asp?0dm=T217T
-http://www.newsfactor.com/perl/story/16355.html

14 February 2002 Cloud Nine Hackers Probably Won't be Caught

The hackers responsible for taking down the UK ISP Cloud Nine, ultimately resulting in its demise, erased web logs that contained data that might have helped identify them. Cloud Nine was apparently the victim of both hacking and a distributed denial of service attack.
-http://zdnet.com.com/2100-1105-837412.html

14 February 2002 C++ .Net Compiler Buffer Overflow Problems

A feature in Microsoft's Visual C++ .Net compiler called StackGuard, which is supposed to guard against buffer overflows, is itself vulnerable to the attack. The security consultancy that issued the initial warning has been criticized for not giving Microsoft enough time to address the problem.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO68315,00.html
-http://www.msnbc.com/news/707130.asp?0dm=C19NT
-http://news.com.com/2100-1001-837428.html
-http://news.com.com/2100-1001-838096.html
[Editor's (Murray) Note: It is hubris for hackers to believe that they have the right to decide how long a vendor has to fix a vulnerability that was not a problem before the hacker disclosed it. Not all vulnerabilities are problems. Not all problems are of the same magnitude. ]

12 & 14 February 2002 Anonymous Surfing Technology has Holes

Two researchers published a paper describing flaws in SafeWeb's anonymous surfing technology that could allow web sites to gather visitors' Internet addresses and other surfing habit information by using JavaScript. SafeWeb says it will fix the problems.
-http://www.wired.com/news/politics/0,1283,50371,00.html
-http://www.wired.com/news/business/0,1367,50424,00.html

13 February 2002 ISP Protection Legislation Introduced

Rep. Robert Goodlatte (R-Va.) has introduced a bill that would ensure ISPs would not be held liable for illegal content placed on line by third-party users.
-http://news.com.com/2100-1023-837137.html

12 February 2002 WYX Virus Found on IBM Memory Keys

The WYX virus has been found in certain IBM Memory Key removable storage devices; a fix is available from IBM. Affected devices carry a manufacture date earlier than 21 December 2001 or a serial number lower than 2320000.
-http://www.theregister.co.uk/content/55/24035.html
-http://www.pc.ibm.com/qtechinfo/MIGR-40980.html?lang=en_US&page=brand&br
and=IBM+Options&doctype=Hot+news&subtype=Cat

12 February 2002 Chair Named for ICANN Security Committee

The Internet Corporation for Assigned Names and Numbers (ICANN) has appointed Stephen Crocker chairman of the newly formed ICANN Security Committee; there has been some concern that the ICANN system is vulnerable to distributed denial of service attacks because it uses BIND.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO68225,00.html
[Editor's (Murray) Note: Good choice!! ]

12 February 2002 Sandia is Testing Wireless LANs

Sandia National Laboratories is testing wireless LANs outside of secure areas. Other DOE labs are taking a different approach: Lawrence Livermore National Laboratory has issued a ban on wireless LANs and Los Alamos National Laboratory is conducting a security review of wireless LANs which may lead to their removal.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO68235,00.html

11 February 2002 Global Crossings Former Employee Exposes Data

A former employee of the telecommunications company Global Crossing Holdings Ltd. Has been posting personal data belonging to other company employees on the web for the last five months. According to a company attorney, the employee allegedly stole a disk containing the information. Though Global Crossing became aware of the problem in September, it didn't inform its employees until December; former employees were not told of the breach at all. Some former employees say the company failed to in implement adequate controls over who was allowed access to which data.
-http://www.computerworld.com/itresources/rcstory/0,4167,KEY73_STO68168,00.html

11 February 2002 Hotmail Password Reset Vulnerability

A Hotmail vulnerability allows hackers to bypass password resetting security measures and jump right to the secret question prompt; once authenticated, the hacker can also use other Microsoft services, including .Net Passport.
-http://www.newsbytes.com/news/02/174400.html

11 February 2002 BlackIce Patches

There are now patches available for the BlackIce ping flood vulnerability.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO68189,00.html
-http://www.iss.net/support/consumer/BI_downloads.php

---

==end==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites


Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Howard Schmidt, Eugene Schultz