Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume V - Issue #10

March 12, 2003

TOP OF THE NEWS

Sendmail Exploit Code Posted
University of Texas Cyber Security Breach Exposed Information About 55,000 People
Bank Account Access Problem Exposes Princeton University's Accounts
House Homeland Security Committee Creates Cybersecurity Subcommittee
DHS Reorganization Eliminates Critical Infrastructure Protection Board

THE REST OF THE WEEK'S NEWS

Microsoft and Red Hat Earn Security Awards
W/32 Deloder-A Worm
PeopleSoft Remote Command Execution Vulnerability
The Darkest Side Of Identity Theft: Criminal Records
Students Who Altered Grades are Suspended
Men Arrested for Using Keystroke Logger in Bank Theft Scheme
European Internet Registry Back on Track After DoS Attack
Security Doesn't Come in a Box
CIOs Unclear About ISACs' Role
Former CIAO Chief Supports DHS Consolidation of Infrastructure Protection Efforts
GAO Report: Cyber Criminals Will Target Financial Services
CyberCorps Graduates Seeking Placements in Government Jobs
Windows Root Kit Uncovered
Google Searches Can Lead Hackers to Vulnerable Databases
Disaster Recovery Investment Lagging, Says Study
Macromedia Flash Player Vulnerability
New Version of Snort Addresses Buffer Overflow Flaw in Earlier Versions
GSA and Defense Manpower Data Center Join Liberty Alliance
BIND Upgrade Recommendations Cause Confusion
Talking About Security in Business Terms
BGP Router Protocol Dangerously Weak


******** This Issue Sponsored by VeriSign - The Value of Trust ********
Secure all your Web servers now - with a proven 5-part strategy.
The FREE Server Security Guide shows you how:
- - DEPLOY THE LATEST ENCRYPTION and authentication techniques
- - DELIVER TRANSPARENT PROTECTION with the strongest security without
disrupting users. And more.
Get your FREE Guide now:
http://www.verisign.com/cgi-bin/go.cgi?a=n06120113340057000
***********************************************************************

TOP OF THE NEWS

Sendmail Exploit Code Posted (4/5 March 2003)

Exploit code for the recently disclosed sendmail vulnerability had already been posted on the Internet. There is no indication that the code has been used to compromise machines.
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,79021,0
0.html

-http://www.theregister.co.uk/content/55/29596.html
-http://zdnet.com.com/2100-1105-991041.html
More coverage of the vulnerability and public/private response:
-http://www.informationweek.com/story/IWK20030309S0005

University of Texas Cyber Security Breach Exposed Information About 55,000 People (6/7 March 2003)

An administrative data reporting program on the University of Texas (UT) at Austin's computer system was compromised, leading to the exposure of social security numbers, e-mail addresses and other personal information belonging to approximately 55,000 UT faculty, staff and current and former students. UT at Austin is working with the US Attorney's office and the Secret Service to track down the source of the breach; the school is also trying to inform all those affected by the breach. University officials admit they did not have adequate security measures in place. They have also sent out an internal memo urging vigilance about computer systems because the publicity surrounding the breach could lead to more intrusion attempts.
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,79102,0
0.html

-http://www.austin360.com/aas/metro/030603/0306uthack.html
-http://www.chron.com/cs/CDA/story.hts/metropolitan/1808297
[Editor's Note (Schultz): This is further evidence for just how badly privacy protection legislation is needed in the U.S. ]

Bank Account Access Problem Exposes Princeton University's Accounts (6 March 2003)

The financial manager for a Princeton University student publication found that when he tried to access the magazine's bank account online, he obtained access to all of the university's accounts - about $9.9 million. The log-on number for the magazine and the university are the same because it is Princeton's federal taxpayer identification number. University officials are displeased, and the bank says university accounts will no longer be accessible through their web product.
-http://www.cnn.com/2003/TECH/internet/03/06/offbeat.banking.error.ap/index.html

House Homeland Security Committee Creates Cybersecurity Subcommittee (4/5 March 2003)

The US House Homeland Security Committee has voted to create five subcommittees, including one that will focus on cybersecurity. The subcommittee will oversee "protection of government and private networks and computer systems from domestic and foreign attack (and) prevention of injury to civilian populations and physical infrastructure caused by cyberattack."
-http://news.com.com/2100-1028-991049.html
-http://www.computerworld.com/governmenttopics/government/
policy/story/0,10801,79063,00.html
-http://www.gcn.com/vol1_no1/daily-updates/21333-1.html
[Editors' Note (Multiple): These are lofty goals. Perhaps too lofty. We hope they succeed. ]

DHS Reorganization Eliminates Critical Infrastructure Protection Board (3/4/6 March 2003)

An executive order that addresses reorganization attendant to the formation of the Department of Homeland Security (DHS) eliminates the President's Critical Infrastructure Protection Board. Officials from every government agency worked together on the board to address security issues facing the nation's critical infrastructure; the board also was an impetus for the recently released National Strategy to Secure Cyberspace. Administration officials are considering establishing a special critical infrastructure committee on the President's Homeland Security Advisory Council. Officials at high tech companies are concerned about the void left by the Board's dissolution and are lobbying the administration to make sure there is someone who is in charge of cyber security.
-http://www.fcw.com/fcw/articles/2003/0303/web-order-03-04-03.asp
-http://www.fcw.com/fcw/articles/2003/0303/web-cip-03-06-03.asp
-http://www.govexec.com/dailyfed/0303/030303td1.htm


************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Earn a Norwich University Master's Degree in Information Security
in 24 months.
http://www.sans.org/cgi-bin/sanspromo/NB143
(2) FOIL NETWORK ATTACKS BEFORE THEY'RE LAUNCHED! Automatically prevent
intrusions. FREE White Paper.
http://www.sans.org/cgi-bin/sanspromo/NB144
(3) Read: Fighting the New Face of Spam, a white paper by SurfControl
http://www.sans.org/cgi-bin/sanspromo/NB145
***********************************************************************

THE REST OF THE WEEK'S NEWS

Microsoft and Red Hat Earn Security Awards

Microsoft earned recognition in three categories of SANS 2003 Information Security Leadership Awards, including automated patching and training programmers to write safer code. Red Hat also was recognized for automated patch notification.
-http://www.computerworld.com/securitytopics/security/story/0,10801,79164,00.html
[Editor's Note (Paller): WorldCom and Cisco also were named in the Press Release posted at
-http://www.sans.org/press/isla.php.
There are fifteen categories of awards, and we hope to find winners in the other categories in time for the actual award presentation at the National Information Assurance Leadership (NIAL) conference on July 22 in Washington, DC. If you know of firms that deserve recognition as the leaders in any of these critical areas (posted at
-http://www.sans.org/press/isla_cat.php)
of security please email sansro@sans.org ]

W/32 Deloder-A Worm (10 March 2003)

The W32/Deloder-A worm tries to connect to networked computers via TCP Port 445. When it finds a vulnerable machine, it tries to log on to the administrator account using easy to guess passwords, like "admin" or "password." If the worm gains access to the administrator account, it places a backdoor program on the machine. Deloder attacks machines running Windows 95, 98, NT, 2000, ME and XP.
-http://www.computerworld.com/securitytopics/security/virus/story/0,10801,79220,0
0.html

-http://zdnet.com.com/2100-1105-991712.html
-http://www.theregister.co.uk/content/56/29680.html
-http://www.msnbc.com/news/883415.asp?0dm=V217T

PeopleSoft Remote Command Execution Vulnerability (10 March 2003)

A remote command execution vulnerability in certain releases of PeopleSoft Version 8 could allow attackers to place malicious code on vulnerable web servers. The problem lies in a servlet called ScheduleTransfer that allows files to be uploaded without authentication. PeopleSoft has released patches for the problem.
-http://news.com.com/2100-1009-991907.html
-http://www.eweek.com/article2/0,3959,922755,00.asp

The Darkest Side Of Identity Theft: Criminal Records (9 March 2003)

Losing your clean credit history is one thing; losing your freedom is another. And victims of America's fastest-growing crime -- identity theft -- are discovering they may get arrested and be saddled with a criminal record.
-http://www.msnbc.com/news/877978.asp?0si=-

Students Who Altered Grades are Suspended (6/8 March 2003)

Six Mission San Jose (CA) High School students who used KeyLogger software to gain access to a school computer and change some of their grades have been suspended. The school district has taken steps to improve security of its computer systems; staff members received new passwords for access to the student information database, and the firewall is being improved.
-http://www.siliconvalley.com/mld/siliconvalley/business/special_packages/securit
y/5335721.htm

-http://www.bayarea.com/mld/mercurynews/news/local/5346271.htm

Men Arrested for Using Keystroke Logger in Bank Theft Scheme (6 March 2003)

Two men have been arrested in Tokyo for allegedly using a keystroke logger to obtain bank account passwords and steal $136,000. The pair could face 10-year prison terms.
-http://www.cnn.com/2003/TECH/internet/03/06/internet.theft.ap/index.html
[Editor's Note (Ranum): Unfortunately all the operating systems we use have so many layers of virtual drivers between the user and the keyboard that it would be impossible to prevent keylogging attacks. (Schneier): I'm surprised we're not seeing more of this sort of thing. Illustrates the dangers of using a public terminal for commercial access. ]

European Internet Registry Back on Track After DoS Attack (6 March 2003)

The Rseaux IP Europens (RIPE) Internet registry says its services are back to normal after weathering a February 27 distributed denial of service (DDoS) attack that, at its peak, caused 90% packet loss. The attack lasted two-and-a-half hours and rendered RIPE's DNS, Whois and FTP services unavailable for the duration.
-http://www.theregister.co.uk/content/6/29623.html
[Editor's Note (Grefer): A few weeks ago we saw the attack against the Root Name Servers; now they are attacking RIPE. Is someone spot testing cyber warfare against "developed" nations? ]

Security Doesn't Come in a Box (6 March 2003)

The author of this opinion piece, an IT security consultant, points out that some companies buy the newest and hottest security products and have them installed without establishing security policies and procedures. He also outlines what it takes to establish an IT security program.
-http://www.computerworld.com/securitytopics/security/story/0,10801,79083,00.html
?nas=SEC-79083

[Editor's Note (Ranum): This is something many, many security experts have been pointing out for years. It's such an important, obvious, point that eludes so many customers that it's worth pointing it out again! ]

CIOs Unclear About ISACs' Role (6 March 2003)

After a role-playing exercise in which security experts responded to a fictional disaster involving both physical and cyber attacks, Computerworld polled private sector CIOs and IT managers who observed the scenario. The results revealed that many of them were unclear about the roles of various entities in addressing attacks. 55% assigned blame for the disaster to the Information Sharing and Analysis Centers (ISACs), whose role is information sharing, not regulation.
-http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,7910
4,00.html

Former CIAO Chief Supports DHS Consolidation of Infrastructure Protection Efforts (5 March 2003)

At a government technology conference, Former Critical Infrastructure Assurance Office chief John Tritak spoke in favor of the consolidation of infrastructure protection efforts into the Department of Homeland Security (DHS). He discounted the notion that the dissolution of the Critical Infrastructure Protection Board indicated a lack of concern about cybersecurity on the administration's part, and said that the DHS would take up all of the board's functions. Tritak also said that improving critical infrastructure security depends on disseminating the information gathered by the DHS to the appropriate governmental and private entities.
-http://www.govexec.com/dailyfed/0303/030503td2.htm

GAO Report: Cyber Criminals Will Target Financial Services (5 March 2003)

A report from the General Accounting Office (GAO) says that entities performing financial transactions are more and more likely to be attacked by cyber criminals. As the Internet is increasingly used to handle these transactions, access to the systems also grows, increasing the possibility for cyber attacks.
-http://www.wired.com/news/business/0,1367,57911,00.html
[Editor's Note (Schneier): I made this point back in December 2002 in my "Crime: The Internet's Next Big Thing" essay: <
-http://www.counterpane.com/crypto-gram-0212.html#7>
(Paller): The FBI reported that more than 100 entities involved in online financial transactions had been subjected to extortion nearly 2 years ago. It is an epidemic. ]

CyberCorps Graduates Seeking Placements in Government Jobs (5 March 2003)

The Cyber Corps, the program that offers two year scholarships in computer security-related fields in return for a two year stint working for the government, is looking for placements for the 39 people who will graduate this spring and summer. More than 100 students will be available for summer internships in May.
-http://www.gcn.com/vol1_no1/daily-updates/21334-1.html

Windows Root Kit Uncovered (5 March 2003)

After a group of Windows 2000 servers at an Ontario university began to crash, it was determined that the university's network had been compromised and root kits had been installed. Root kits tie into the operating system's Application Programming Interface (API) and are usually not detectable with anti-virus software. Instances of Windows root kits are rare, though some believe they have been around for a while and are just now being uncovered.
-http://www.securityfocus.com/news/2879

Google Searches Can Lead Hackers to Vulnerable Databases (4 March 2003)

Searching for certain phrases in Google could allow hackers to access unprotected web-based databases. A database containing information about neurosurgical patients at Drexel University College of Medicine was accessible; when university officials learned of the problem, they shut down the database and are taking measures to ensure the same thing does not happen again.
-http://www.wired.com/news/infostructure/0,1377,57897,00.html
Eighteen months ago, News.com had a similar story
-http://news.com.com/2100-1023-276155.html?legacy=cnet
[Editor's Note (Ranum): Bill Cheswick demonstrated this back in 1996, by doing an altavista search for "phf.pl" URLs. This is a well-known technique. ]

Disaster Recovery Investment Lagging, Says Study (4 March 2003)

According to a Dataquest Inc. study, companies are not investing enough in disaster recovery; presently, as many as one third of businesses could lose data in the event of a disaster. Only 52% of the 205 companies surveyed had a plan in place, and 17% said they do not plan to develop plans. Only 10% regularly assess the business continuity of each new initiative they undertake.
-http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,7901
4,00.html

Macromedia Flash Player Vulnerability (4 March 2003)

A critical vulnerability in Version 6 of Macromedia Flash Player could allow an attacker to run malicious code on vulnerable computers. Macromedia Flash Player Version 6.0.79.0 is available on the company's website; it also serves as a cumulative patch.
-http://www.computerworld.com/securitytopics/security/story/0,10801,79003,00.html
-http://www.macromedia.com/devnet/security/security_zone/mpsb03-03.html

New Version of Snort Addresses Buffer Overflow Flaw in Earlier Versions (4 March 2003)

A buffer overflow vulnerability in the remote procedure call (RPC) component of Snort intrusion detection software could be exploited to crash the system or allow malicious code to run. The vulnerability affects Snort versions 1.8 and earlier; version 1.9.1 is now available.
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,79015,0
0.html

-http://zdnet.com.com/2100-1105-990964.html

GSA and Defense Manpower Data Center Join Liberty Alliance (5 March 2003)

The General Services Administration (GSA) and the Defense Department's Defense Manpower Data Center have joined the Liberty Alliance, a consortium of government and private entities focused on establishing electronic identity management standards. One of the GSA's responsibilities is to develop and implement a government-wide infrastructure for authentication services.
-http://www.fcw.com/fcw/articles/2003/0303/web-liberty-03-05-03.asp
[Editors' Note (Multiple): It might be worthwhile to point out to our readers (and the government entities involved) that the "Liberty Alliance" was founded by Sun and Oracle to try to counter Microsoft in this particular market segment. ]

BIND Upgrade Recommendations Cause Confusion (5 March 2003)

Though the Internet Software Consortium (ISC) initially dubbed its recent release of BIND software a "maintenance release," the organization later "strongly recommended" that users upgrade to version 9.2.2 because of the discovery of a buffer overflow vulnerability in the earlier version.
-http://zdnet.com.com/2100-1105-991094.html

Talking About Security in Business Terms (5 March 2003)

As cyber security gains a higher profile in businesses, it behooves security professionals to learn the language of business if they want to get funding. This article offers advice on assessing business risk, return on investment (ROI) and total cost of ownership to justify security projects and purchases to management.
-http://www.networkmagazine.com/article/NMG20030305S0012

BGP Router Protocol Dangerously Weak (3 March 2003)

The router system used to direct internet traffic between the world's major networks needs to be upgraded to prevent major accidental - or deliberate - disruption, warned Stephen Dugan. BGP routes the packets, so disrupting BGP means the packets do not get to the right places. The IETF is working on a more secure version.
-http://www.newscientist.com/news/news.jsp?id=ns99993454


===end===
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) visit https://portal.sans.org/preferences.php/
To update your address, visit http://www.sans.org/sansurl and enter
your SD number (from the header of this email.) You will receive your
personal URL via email.