SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume V - Issue #11

March 19, 2003

Stephen Northcutt offered this chilling observation about today's
NewsBites: "One of the theories of information warfare is that
you release a number of virus/worms near the front edge of war to
disrupt your enemy. You will notice a number of new worms in this
issue including one directly involved in the India/Pakistan tensions.
Even if these are not related to the current crisis in Iraq, this is
a taste of what to expect on the Internet in the future as countries
prepare for war."


And on a more personal level: If you live near New York, Baltimore,
Washington, Atlanta, San Francisco, London, Colorado Springs, Portland
OR, Raleigh, Monterey CA, Singapore or Melbourne, we will be bringing
a hands-on SANS training program to your area within the next 130
days. If you live elsewhere and can assemble at least 30 students,
we can bring a program to you. See: www.sans.org


Alan

---

TOP OF THE NEWS

Critical Buffer Overflow Vulnerability in IIS 5.0 on Windows 2000
Bot Networks Could Launch Huge Denial of Service Attacks
UT Student Charged in University Security Breach Case
Man Pleads Guilty to Sandia National Labs Breach
New Twist on Password Stealing Scam
Charges Against Second Bloomberg Extortion Defendant Dropped

THE REST OF THE WEEK'S NEWS

Gold Standard Security Benchmarks Released For Cisco IOS and Solaris
Kerberos Vulnerability Details on Mailing List
Former Employees Allegedly Hacked Company System Through Old Accounts
W32/Cult-A Worm
Bibrog-B Worm Hides Behind Game, Alters Browsers
Bush Will Name Two to Top DHS Posts
Yaha Variant Released in Hacker Rivalry
Memory Stick Contained Patient Data
Pakistan Establishes Cybercrime Response Center
Piracy Ringleader Indicted
Man Under House Arrest Stole Personal Data
Qatar News Portal Target of Attack
CodeRed Variant in the Wild
CERT/CC Issues Advisory on Weak Password protection on SMB File Shares
IP Spoofing
The Benefits of Using a Managed Security Services Provider
Worm's Rapid Spread Due in Part to Weak Passwords
Stolen Computer Equipment Contained Personal Data
DOD Commanders Responsible for IT Security
Demo Belies Product's Usefulness
Iraq's ISP Traffic Moves through US and UK Satellite Hookups

---

****************** This Issue Sponsored by Websense ******************

Deadly Internet Sin #1: LUST

Whether it's adult entertainment, gambling or hacking sites, your
company can't afford to ignore the risk. Limit the liability threat
of Internet misuse by using Websense Enterprise.

A superior database, flexible filtering options, comprehensive
reporting and seamless integration have made Websense the preferred
employee Internet management software of the Fortune 500.

Download a free, 30-day trial! http://www.websense.com?id=NL15887
***********************************************************************

---

TOP OF THE NEWS

Critical Buffer Overflow Vulnerability in IIS 5.0 on Windows 2000 (17 March 2003)

Microsoft issued a CRITICAL warning about a buffer overflow flaw in a WebDAV component of Windows exploited through Internet Information Server (IIS) version 5.0 running on Windows 2000. Other versions of Windows are not affected. A tool to exploit the vulnerability is circulating on the Internet, but Microsoft did not learn of the vulnerability until after hackers had exploited it. The exploit was against a US military site. Patches and work-arounds are available.
-http://news.com.com/2100-1002-992920.html
-http://www.theregister.co.uk/content/55/29795.html
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,79441,0
0.html
-http://www.msnbc.com/news/886524.asp?0cv=TA00
-http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
-http://www.cert.org/advisories/CA-2003-09.html
SANS, ISS, and Microsoft ran a wonderful "Ask The Experts" web broadcast Tuesday afternoon answering more than 75 questions about which systems are and are not vulnerable and what needs to be done to protect your organization. It is the first one listed on the webcast archives page at
-http://www.sans.org/webcasts/archive.php
[Editor's Note (Paller): Fix this one right away. Automated attack tools and worms are only days away. ]

Bot Networks Could Launch Huge Denial of Service Attacks (17 March 2003)

At least five large networks of compromised machines that could be used to launch massive denial of service attacks. The machines have had bots placed on them; the bots establish communication with Internet Relay Chat (IRC) servers to receive commands.
-http://www.eweek.com/article2/0,3959,935790,00.asp
[Editor's Note (Paller): These networks have up to 140,000 systems each. Compare that to the 230 (not 230 thousand) machines needed to take down an Internet II site, 330 to take down a major US Intelligence site, and you get an idea how much power is in these networks. They are more than sufficient to cause widespread outages. Many of these systems have been compromised by persuading the users to download a game or picture or other file that must be executed. The games and pictures are real, but they contain the malicious software as an extra surprise. ]

UT Student Charged in University Security Breach Case (14 March 2003)

Christopher Andrew Phillips, a computer science student at the University of Texas (UT) at Austin, has been charged in connection to the security breach of the university's computer system that exposed the personal data of over 55,000 people. A grand jury is investigating the case. If convicted of the charges of unlawful access to a protected computer and unlawful use of identification, Phillips could face five years in prison and be ordered to pay $500,000 in restitution.
-http://www.siliconvalley.com/mld/si
liconvalley/news/editorial/5393600.htm
-http://www.washingtonpost.com/wp-dyn/arti
cles/A27370-2003Mar14.html

Man Pleads Guilty to Sandia National Labs Breach (14 March 2003)

An 18 year-old Pakistani man had pleaded guilty to computer and credit card fraud charges. Adil Yahya Zakaria Shakour breached security at the Sandia National Laboratories' computer network and he defaced an Eglin Air Force Base web site. He also broke into a computer system at a North Carolina-based tax forms company and stole credit card information that he used to buy $7,000 worth of goods. Shakour faces deportation after a possible 15-year prison sentence; he will also have to pay restitution in the amount of $100,000. Sentencing is set for June 12.
-http://www.washingtonpost.com/wp-dyn/arti
cles/A23590-2003Mar14.html

New Twist on Password Stealing Scam (13/14 March 2003)

Discover cardholders are the latest target in password stealing scams. Customers have been receiving e-mail messages telling them their accounts have been put on hold due to inactivity, and that in order to reactivate their accounts, they must log in to the account; responses to the message are sent to a Russian Internet address. Information collected includes plenty of identifiers that would enable identity theft: social security number, mother's maiden name, account number and passwords. PayPal and eBay customers have been targeted by similar scams. The method employed by this scheme is different; the e-mail linked to a real Discover site, but the submission form was wrapped in a hidden submission so the information was sent to the attacker.
-http://www.msnbc.com/news/884810.asp
-http://www.comput
erworld.com/securitytopics/security/cybercrime/story/0,10801,79380,00.html

Charges Against Second Bloomberg Extortion Defendant Dropped (10 March 2003)

Charges against Igor Yarimaka, an alleged accomplice in the Bloomberg extortion case, have been dropped because the evidence against him was weak. Oleg Zezov was recently convicted and faces a prison sentence of up to 20 years. The two allegedly tried to exact a payment of $200,000 in return for keeping quiet about vulnerabilities in the Bloomberg financial company's computer system.
-http://www.theregister.co.uk/content/55/29674.html

---

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.

(1) FOIL NETWORK ATTACKS BEFORE THEY'RE LAUNCHED! Automatically
prevent intrusions. FREE DEMO.
http://www.sans.org/cgi-bin/sanspromo/NB146

(2) Delegate root privileges with PowerBroker(r) - described as "sudo
on steroids".
http://www.sans.org/cgi-bin/sanspromo/NB147

(3) 30% of the Global 100 use Permeo to secure their applications.
Do you?
http://www.sans.org/cgi-bin/sanspromo/NB148
***********************************************************************

---

THE REST OF THE WEEK'S NEWS

Gold Standard Security Benchmarks Released For Cisco IOS and Solaris

Two additional Gold Standard configurations have been agreed upon by the US General Services Administration (GSA), National Institute of Standards and Technology (NIST), Defense Information Systems Agency (DISA), and National Security Agency (NSA), along with the many corporate and international members of the Center for Internet Security (CIS). These cover the most popular routers (Cisco) and the most popular version of UNIX (Solaris). An updated benchmark for Windows 2000 was also released. The benchmarks and associated automated scoring tools are available for download free of charge from the CIS web site.
-http://www.cisecurity.org
[Editor's Note (Paller): Over the next few months you'll begin to see major system vendors beginning to deliver systems configured in accordance with the Center for Internet Security benchmarks. Buying and deploying safely configured systems is the first step in reducing the danger from massive worms, and will, I believe, quickly become a minimum standard of due care. ]

Kerberos Vulnerability Details on Mailing List (17 March 2003)

Details of a vulnerability in the Kerberos v.4 authentication protocol were leaked to a mailing list; the author of the original paper asked administrators to remove the information, but they refused. The author later posted the details himself. The vulnerability allows attackers to "impersonate any principal in a given realm."
-http://www.eweek.com/article2/0,3959,937380,00.asp

Former Employees Allegedly Hacked Company System Through Old Accounts (15 March 2003)

The computer system at LapLink, a software company, was allegedly hacked by two former employees who used accounts that hadn't been deleted. The attack caused the e-mail system to go down and apparently deleted crucial files. LapLink CEO Mark Eppley reportedly plans to file charges.
-http://seattletimes.nwsour
ce.com/html/businesstechnology/134653561_laplink150.html

W32/Cult-A Worm (14 March 2003)

The W32/Cult-A worm arrives as a .pdf attachment purporting to be a greeting card; it also includes a Trojan horse program. It spreads via random e-mail addresses and through KaZaA peer-to-peer network file sharing. If the attachment is launched, the worm generates a false error message and installs itself as windowsupdate.exe in the Windows System folder to ensure it is run on startup. Cult also connects to an IRC server to listen for more instructions.
-http://www.pcpro.co.uk/?http://ww
w.pcpro.co.uk/news/news_story.php?id=39554

Bibrog-B Worm Hides Behind Game, Alters Browsers (14 March 2003)

The Bibrog-B worm arrives as an attachment. It appears to be a shooting game, but while the game is running, the worm is dropping its payload: it copies itself to the infected machine's hard drive and sends itself out to all addresses in the Outlook address book or through file sharing. In what is probably an attempt to harvest personal information, Bibrog-B also alters browsers on infected machines so that they will display phony versions of real websites.
-http://www.theregister.co.uk/content/56/29768.html
-http://www.sophos.com/virusinfo/analyses/w32bibrogb.
html
[Editor's Note (Paller): If you are responsible for security awareness in your organization, get this story (and the previous one) to all your coworkers and emphasize that their children do not know the difference between safe games and infected games. And if you are using VPNs, an infected PC system is a perfect hacker access point to your most important information systems. Infected machines brought from home to work can infect all your corporate systems. If your coworkers are allowing their children to use their business computers, or if they are downloading games and pictures themselves, they may be putting your entire network at risk. Tens of thousands of systems are being taken over through such ruses every month. Your coworkers will not know about this risk unless you tell them. ]

Bush Will Name Two to Top DHS Posts (13 March 2003)

The Bush administration has announced that it will fill two top positions at the new Department of Homeland Security (DHS). Robert Liscouski, director of information assurance for the Coca-Cola Corporation, will be named assistant secretary of infrastructure protection; Liscouski is presently director of the CIA's Intelligence Science Board. Paul Redmond, who was formerly chief of CIA counterintelligence, will become the assistant secretary for information analysis. To date, no one has been named to head the DHS's Information Analysis and Infrastructure Protection (IAIP) directorate.
-http://www.washingtonpost.com/wp-dyn/arti
cles/A21843-2003Mar13.html
-http://www.fcw.com/fcw/articles/2003/0310/web
-home-03-14-03.asp

Yaha Variant Released in Hacker Rivalry (13 March 2003)

A group of Indian hackers has released a new variant of the Yaha worm that launched denial of service attacks on a handful of prominent Pakistani sites. Yaha-Q arrives as an attachment or through shared network drives. It tries to disable anti-virus software, places a backdoor on systems it infects and sends itself out to addresses in the address book. The worm also stores insulting messages about a rival Pakistani hacking group.
-http://www.reuters.com/newsArticle.
jhtml?type=topNews&storyID=2371420
-http://www.wired.com/news/infostructure/0,1377,5
8026,00.html

Memory Stick Contained Patient Data (13 March 2003)

A woman who bought a portable memory stick that was supposed to be new found that it actually contained personal information about 13 cancer patients from the Royal Bolton Hospital in Lancashire (UK). Hospital officials say they will contact people affected by the information leak and will take steps to ensure that it doesn't happen again.
-http://www.theregister.co.uk/content/55/29752.html
[Editor's Note (Ranum): Making sure sensitive data is deleted off of media is going to be a huge problem in the future. It opens the question of who gets access to what, and how we make sure they do the right thing with the data, following. Browser-enabled applications seldom do the right thing with cached sensitive information that may be exposed on a hard drive. It's amazing what you can find on a hard disk these days. ]

Pakistan Establishes Cybercrime Response Center (13 March 2003)

Pakistan's decision to establish the National Response Center for Cybercrimes was spurred by the fact that US investigators had to be brought in to help find the source of the e-mails sent by journalist Daniel Pearl's kidnappers. The center was established at the headquarters of a Pakistani intelligence agency.
-http://www.cnn.com/2003/TECH/interne
t/03/13/pakistan.cyber.ap/index.html

Piracy Ringleader Indicted (12 March 2003)

An Australian man who is presumed to be the ringleader of an Internet piracy group has been indicted by a federal grand jury in Connecticut. US Attorney Paul McNulty said his office is seeking to extradite Hew Raymond Griffiths, who could face a ten-year prison sentence and a $500,000 fine if convicted of the charges against him.
-http://news.com.com/2100-1028-992373.html

Man Under House Arrest Stole Personal Data (12 March 2003)

A Florida man who was already under house arrest related to fraudulent identification use and drug possession charges was arrested and placed in custody on charges of having stolen personal information belonging to more than 2,000 people. Sirvon Thomas used the information to open lines of credit and purchase goods that he sold on eBay, but never delivered. Thomas is being held without bail.
-http://www.usatoday.com/tech/news/2003-03-12-net
-theft_x.htm

Qatar News Portal Target of Attack (12 March 2003)

Abdulaziz Al Mahmoud, the chief editor of Qatar's first news portal, Al Jazeera Net, says that the website has been under attack. The attack involved blocking bandwidth; Abdulaziz added that the attacker has not been successful. He called the attack "professional," and said an attack of that sophistication could have been launched only by an organization, because one individual could not have the necessary resources.
-http://www.thepeninsulaqatar.com/Display_news.asp?section=Local_News&month=M
arch2003&file=L
ocal_News2003031271650.xml
[Editors' Note (Multiple): Individuals can and do assemble large networks of slave computers. The network can include far more computing resources than can be found in many large organizations. ]

CodeRed Variant in the Wild (11/12 March 2003)

A new version of Code Red, dubbed CodeRed.F, has been spreading across the Internet. It exploits the same Internet Information Server (IIS) vulnerability that the original CodeRed did to create a buffer overflow on unpatched servers and search for more vulnerable servers. This version also installs a Trojan horse program on infected systems, and does not have a shut-off date. CodeRed.F spreads the first 19 days of each month, then launches a daylong attack against the White House domain, and then shuts off. People who have not patched IIS vulnerabilities are strongly urged to do so.
-http://www.eweek.com/article2/0,3959,924269,00.asp
-http://www.computerworld.com
/securitytopics/security/story/0,10801,79267,00.html Relevant Microsoft Bulletins:
-http://www.microsoft.com/technet/security/bul
">
-http://www.microsoft.com/technet/security/bul

letin/MS01-033.asp
-http://www.microsoft.com/technet/security/bul
">
-http://www.microsoft.com/technet/security/bul

letin/MS01-044.asp
[Editor's Note (Shpantzer): There's a background radiation of 60,000 IIS machines scanning on behalf of Code Red, at any given time. That's a sad commentary on the state of IIS server administration, considering that Code Red is almost two years old. (Schultz): With all the information, patches, and tools now available for securing IIS servers, there is really no excuse for anyone's machine becoming infected by this new, relatively unimaginative variant of Code Red. ]

CERT/CC Issues Advisory on Weak Password protection on SMB File Shares (11 March 2003)

The Computer Emergency Response Team Coordination Center (CERT/CC) has released an advisory warning of an increased number of systems running Windows 2000 and XP being exploited due to weak password protection on Server Message Block (SMB) file shares. Tools used in the exploits include W32/Deloder, GT-bot, sdbot and W32/Slackor. Gaining administrator level control could let attackers access, alter and delete files, install malicious software or launch attacks on other sites. The tools' scanning activity could also increase network traffic to a point that performance could deteriorate. Users are urged to disable file sharing, employ strong passwords and keep up to date with anti-virus signatures.
-http://www.cert.org/advisories/CA-2003-08.html
-http://www.nwfusion.com/news/2003/0312windobroad.html

IP Spoofing (11 March 2003)

This article provides an overview of the history of IP spoofing, describes a variety of spoofing attacks and offers ideas on defending against IP spoofing, including router level filtering and encryption and authentication.
-http://www.securityfocus.com/infocus/1674

The Benefits of Using a Managed Security Services Provider (11 March 2003)

Paul Castellano and John McGillick of Allegheny Energy Inc. explain the benefits of using a managed security service provider (MSSP) to monitor intrusion detection systems (IDS). While they had initially tried in-house monitoring of their IDS, they became overwhelmed by the resources they needed and by the volume of false positive alerts. MSSPs provide the resources, knowledge and support necessary for effectively monitoring an IDS.
-http://www.com
puterworld.com/securitytopics/security/story/0,10801,79255,00.html?nas=SEC-79255

Worm's Rapid Spread Due in Part to Weak Passwords (11 March 2003)

The rapid spread of the Deloder worm can be blamed in part on poor security practices, including passwords that are easy to guess. Deloder and another worm, FunLove, both use lists of passwords as a means of breaking into computers. In addition to strengthening passwords, users would be well advised to block file sharing.
-http://zdnet.com.com/2100-1105-991844.html

Stolen Computer Equipment Contained Personal Data (11 March 2003)

Following the theft of computer equipment from the British Columbia (Canada) Ministry of Human Resources, 568 people have received letters cautioning them to keep tabs on their banking and credit card accounts. While the thieves were likely after the equipment rather than the information they hold, the potential exposure of social insurance numbers, birth dates and addresses is cause for concern. Police are investigating. Several weeks ago, a computer hard drive at a company in Regina that contained personal details of more than one million people was stolen. That hardware has been recovered.
-http://www.globetechnology.com/s
ervlet/story/RTGAM.20030311.wdata311/GTStory

DOD Commanders Responsible for IT Security (10 March 2003)

DOD Instruction 8500.2 makes individual commanders responsible for the security of the information that passes through their information systems. The instruction aims to ensure all military and civilian personnel receive appropriate education and training pertinent to their information systems responsibilities. The DOD's information assurance directorate and its CIO will now develop criteria against which to measure compliance.
-http://www.fcw.com/fcw/articles/2003/0310/new
s-dod-03-10-03.asp

Demo Belies Product's Usefulness (10 March 2003)

In the Security Manager's Journal, Vince Tuesday describes a software vendor's revealing presentation. Vince was looking for solutions to two challenges: managing the data generated by intrusion detection systems, firewalls, anti-virus applications and the like, and moving into the arena of anomalous behavior detection. Although the product seemed appealing at first, a demonstration made clear the fact that it created more work instead of streamlining an already cumbersome process.
-http://www.com
puterworld.com/securitytopics/security/story/0,10801,79109,00.html?nas=SEC-79109

Iraq's ISP Traffic Moves through US and UK Satellite Hookups (6 March 2003)

It appears that Iraq's only Internet service provider (ISP) sends and receives nearly all of its traffic through satellite hookups provided by companies in the US and the UK. This may violate a US executive order prohibiting the export of "goods, technology or services" to Iraq, and of a UN embargo that sanctions member nations from conducting business with Iraq. In any case, the US and UK governments could ostensibly ask the companies to halt service to Iraq, thus depriving the country of e-mail and web access.
-http://www.ds-osac.org/view.cfm?KEY=7E4457434756&type=2B170C1E0A3A0F162820