SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #12
March 26, 2003
New Salary Data for Security Professionals and SysAdmins
Please invest 20 minutes to help make sure you and others are getting
the pay you deserve. You'll receive the data if you complete the form.
https://registration.sans.org/cgi-bin/salsur
More data about the survey may be found at the end of this issue.
Nearly 400 people have already registered for SANS Inner Harbor
starting in two weeks (April 7 - 12) and the hotel has extended
the early registration hotel discount until this Friday (March
28). Seven immersion training tracks plus an Audit and Security
Controls workshop and a great exposition. More information at
http://www.sans.org/innerharbor03/
Alan
TOP OF THE NEWS
Conflict in Iraq Sparks Hundreds of Web DefacementsEmail Viruses Spreading: Claim To Have Iraq News and Pictures
CERT/CC Quarterly Summary Shows Top 10 Current Attack Threats
Survey Indicates Human Error is Perceived to Be Cause of Most Security Incidents
THE REST OF THE WEEK'S NEWS
Microsoft Pulls Advertisement Implying Hacker ExtinctionCalifornia State University Computer System Flaw Exposes Student and Employee Data
Federal Court Ruling Restricting Junk Faxes May Help Curb Spam Emails
Microsoft Will Help Universities Establish Hands-On Security Courses
Antivirus Industry Finds Problems with XML in Office 2003 Beta
State Agencies Not Keeping Pace with Federal Agencies' Cybersecurity Measures
OIS to Release Vulnerability Disclosure Plan
Thornberry to Head House Cybersecurity Subcommittee
Army Denies its Systems Were Compromised by Zero-Day Vulnerability
ISA Server 2000 DNS Vulnerability
IIS 5.0 on Windows 2000 Patch Freezes Some Systems
Buffer Overflow Flaw in Windows Script Engine
CERT/CC Advance Notices Posted on Security Mailing List
Linux Kernel Vulnerability
Online Scheme Bilks $230 Million From Customers Of Pornography Sites
Integer Overflow Flaw in Sun RPC XDR Library Routines
Federal Judge Rules Hacker Was a Police Informant
Australian Bank Customers Targeted by E-Mail Scam
Opinion: Open Source Software is More Secure, Less Expensive
NIST Rates Facial Recognition Systems
************** This Issue Sponsored by Tripwire, Inc. ****************
ASSURE INTEGRITY WITH TRIPWIRE. GET A FREE POSTER.
Tripwire integrity assurance solutions pinpoint changes to your servers
and network devices, accelerating discovery and increasing uptime,
making you the hero of your IT organization. Click here to get a FREE
copy of our Security Exploit and Vulnerability Matrix Poster.
http://www.tripwire.com/literature/poster/index .cfm?djinn=986
***********************************************************************
TOP OF THE NEWS
Conflict in Iraq Sparks Hundreds of Web Defacements (21 March, 2003)
Hundreds of web sites have been defaced by proponents and opponents of the war in Iraq. In addition, a worm purporting to show US spy satellite pictures of Iraq was spreading in Europe. The worm actually tries to disable antivirus and other security tools.-http://www.vnunet.com/News/1139641
-http://msnbc.com/news/888816.asp?0si=-
[Editor's Note (Northcutt): Be cautious taking these stories at face value. Both the articles listed are based on statements from the Finnish Anti-Virus company F-Secure. The URL can be found:
-https://www.europe.f-secure.com/virus-info/iraq.shtml
The F-Secure article is troubling since it claims a number of things it does not support including a statement the White House web server was defaced: "One hacker group claims that they have defaced www.whitehouse.gov successfully. The site was apparently restored very quickly and independent observers were not able to confirm this defacement." ]
Email Viruses Spreading: Claim To Have Iraq News and Pictures
Virus writers have created malicious software that claims to have pictures and news from Iraq. In at least one case the wife of a soldier had her computer damaged by such a worm.-http://go.hotwired.com/news/infostruc
ture/0,1377,58143,00.html/wn_ascii
CERT/CC Quarterly Summary Shows Top 10 Current Attack Threats
CERT/CC released its quarterly update to draw attention to the types of attacks reported to its incident response team, as well as other noteworthy incident and vulnerability information.-http://www.cert.org/summaries/CS-2003-01.html
">
-http://www.cert.org/summaries/CS-2003-01.html
WebDAV (ntdll.dll), sendmail and Windows shares top the list.
-http://www.cert.org/summaries/CS-2003-01.html
">
-http://www.cert.org/summaries/CS-2003-01.html
Survey Indicates Human Error is Perceived to Be Cause of Most Security Incidents (18 March 2003)
Respondents to a survey said that 63% of security breaches could be blamed on human error, while only 8% could be blamed on solely technical failures. Only 11% of the 638 respondents said their entire IT staff had security training, while 69% said less than one quarter of their staff had training and 22% had none. There were overwhelming recommendations for increasing training and security certifications for IT staff. Representative Adam Putnam (R-Fla), chair of the House Government Reform Subcommittee on Technology, Information Policy and , said his committee had similar findings.-http://www.computerwor
ld.com/careertopics/careers/training/story/0,10801,79485,00.html
-http://www.govexec.com/dailyfed/0303/031803td2.htm
-http://www.gcn.com/vol1_no1/daily-updates/21439-1.html
[Editor's Note (Pomeranz): I'm dubious about this study - especially the 63% blamed on human error - given the small sample space and the fact that the methodology seems to be simply calling people on the phone and asking their opinions, rather than actual post-mortem research. (Shultz): This finding should come as no shock. I also suspect that many incidents classified as insider attacks are actually cases in which human error has occurred. Information security professionals have for the most part not delved deeply enough into the relationship between human error and incidents. ]
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) BE OFFENSIVE. Don't react to network intrusions. Actively prevent
them. FREE WP.
http://www.sans.org/cgi-bin/sanspromo/NB149
(2) Snort creators hosting FREE "Future of IDS" Sourcefire seminars.
Register Here!
http://www.sans.org/cgi-bin/sanspromo/NB150
(3) SPAM and VIRUSES threatening your network? Find out.
MX Logic's Threat Assessment.
http://www.sans.org/cgi-bin/sanspromo/NB151
***********************************************************************
THE REST OF THE WEEK'S NEWS
Microsoft Pulls Advertisement Implying Hacker Extinction (23 March, 2003)
When South African regulators determined that Microsoft's claims were unsupported, the company stopped using an advertisement implying Windows XP and .NET Server 2003 would render computer hackers as extinct as saber tooth tigers and the dodo bird.-http://story.news.yahoo.com/news?tmpl=story2&cid=562&ncid=738&e=9&am
p;u=/ap/20030
324/ap_on_hi_te/south_africa_microsoft
California State University Computer System Flaw Exposes Student and Employee Data (22 March 2003)
California State University (CSU) officials said they have known about a vulnerability in the CSU computer system that exposes student and employee personal data, including Social Security numbers, for years, but did not plan to fix the problem because it would be too expensive. Instead, employees had been asked to sign confidentiality agreements to protect student and employee privacy. The vulnerability was revealed in a state audit report released last week. A CSU spokesman said they might reconsider their approach to the problem.-http://www.fresnobee.com/local/story/6425479p-737
0408c.html The audit report is available here:
-http://www.bsa.ca.gov/bsa/
CSU's response is available here:
-http://cms.calstate.edu/
Federal Court Ruling Restricting Junk Faxes May Help Curb Spam Emails (21 March, 2003)
The US Eighth Circuit Court of Appeals reversed a lower court ruling and said that a law restricting junk faxes did not violate the First Amendment's guarantee of freedom of expression. This event is significant for information security because it may set a precedent for suppressing spam.-http://news.com.com/2100-1028-993749.html?tag=fd_top
[Editor's Note (Shpantzer): This is a sensible ruling, but we must ask ourselves, "Will extending this decision to spam emails, making them illegal, help at all in curbing spam in our inbox?" Given the low costs of sending international email, as opposed to faxes, which must be billed to the sender, the answer may be 'not much.' When was the last time you got a junk fax from Europe or Asia? ]
Microsoft Will Help Universities Establish Hands-On Security Courses (21 March 2003)
Microsoft is working with a number of universities to establish courses in which students will learn to write secure code by performing security audits on software and fixing the flaws they have exploited. The University of Leeds in the UK is the first school to begin developing a course which will be offered starting next year. Though Microsoft is partially funding the endeavor, its sponsorship does not require the students to work solely on Microsoft products.-http://www.pcworld.com/news/article/0,aid,109935,00.a
sp
-http://www.reuters.com/newsA
rticle.jhtml?type=technologyNews&storyID=2423804
Antivirus Industry Finds Problems with XML in Office 2003 Beta (21 March 2003)
The antivirus industry has found a problem with the way Microsoft's Office 2003 beta version handles XML; in this latest version, macros can be anywhere in the document, which means scanners have to scan the entire file instead of the locations where macros are known to reside. Antivirus companies want headers placed in the files so scanning engines will know where to look for macros. They would also like to see the Office productivity suite run only those macros identified by the header. Microsoft says the problem is applicable to all XML documents, not just those in Office 2003.-http://news.com.com/2100-1002-993696.html
State Agencies Not Keeping Pace with Federal Agencies' Cybersecurity Measures (21/24 March 2003)
Zeichner Risk Analytics released a study showing that state agencies are lagging behind federal agencies in adopting cybersecurity policies and programs, despite Homeland Security Act mandates.-http://www.washingtonpost.com/wp-dyn/artic
les/A5694-2003Mar21.html
-http://www.fcw.com/geb/articles/2003/0324/w
eb-secure-03-24-03.asp
OIS to Release Vulnerability Disclosure Plan (20 March 2003)
The Organization for Internet Safety (OIS) plans to release its vulnerability disclosure plan in the next month. The document is based on the one submitted to the Internet Engineering Task Force (IETF) two years ago by two OIS members. That proposal called for vendors to work closely with the people who discover the vulnerabilities, with vendors responding to the notice of a vulnerability within ten days and developing a solution to the problem within thirty days.-http://www.eweek.com/article2/0,3959,950860,00.asp
Thornberry to Head House Cybersecurity Subcommittee (20 March 2003)
Representative Mac Thornberry (R-Texas) will lead the House subcommittee on Cybersecurity, Science, Research and Development. The subcommittee will focus on examining computer security policy as it relates to government and private sector systems. The subcommittee also hopes to foster cybersecurity cooperation between government and the private sector.-http://www.washingtonpost.com/wp-dyn/arti
cles/A64074-2003Mar20.html
Army Denies its Systems Were Compromised by Zero-Day Vulnerability (18/19/20 March 2003)
The US Army denies reports that its systems were compromised by an exploit for a buffer overflow vulnerability in the WebDAV protocol in Internet Information Server (IIS) 5.0 running on Windows 2000 systems. Pentagon sources say an attack on a military server is under investigation. The possible attack is an example of a zero-day exploit, meaning attackers took advantage of a vulnerability that was at the time not publicly known and for which there was no patch.-http://www.pcworld.com/news/article/0,aid,109915,00.a
sp
-http://www.fcw.com/fcw/articles/2003/0317/web
-hack-03-18-03.asp
-http://www.gcn.com/vol1_no1/daily-updates/21446-1.html
-http://www.computerw
orld.com/securitytopics/security/hacking/story/0,10801,79478,00.html
ISA Server 2000 DNS Vulnerability (20 March 2003)
Microsoft has issued a warning about a vulnerability in its Internet Security and Acceleration (ISA) Server 2000's Domain Name Service (DNS) intrusion detection application. The vulnerability could be exploited to create a denial of service attack against the ISA server. The vulnerability has been rated "moderate" and a patch is available.-http://www.computerwor
ld.com/securitytopics/security/holes/story/0,10801,79537,00.html
-http://www.microsoft.com/technet/security/bul
letin/MS03-009.asp
IIS 5.0 on Windows 2000 Patch Freezes Some Systems (19/20 March 2003)
A patch for a flaw that affects Windows 2000 machines running Internet Information Server 5.0 apparently makes some systems freeze. The patch was hastily released because the vulnerability had already been exploited. Microsoft has revised the Frequently Asked Questions section of its related security advisory to include information about how to check if the patch will adversely affect your system.-http://www.computerworld.com
/securitytopics/security/story/0,10801,79504,00.html
-http://news.com.com/2100-1002-993515.html
Microsoft's Revised Bulletin:
-http://www.microsoft.com/technet/security/bul
letin/MS03-007.asp
[Editor's Note (Northcutt): If you are running Windows 2000 and IIS and receive hotfixes from PSS this is important. The issue is listed under Frequently Asked Questions where they say: "More information on how to determine if you have installed a hotfix that is incompatible with this patch is available in the Additional Information section under Caveats." Right click on ntoskrnl.exe; Hit properties; Version 5.0.2195.4797 - 5.0.2195.4928 are not compatible with the patch. ]
Buffer Overflow Flaw in Windows Script Engine (19/20 March 2003)
A buffer overflow flaw in the Windows Script Engine could allow attackers to run malicious code from a specially crafted web page or HTML e-mail. Microsoft has posted patches for the flaw, which affects all supported versions of Windows.-http://www.computerwor
ld.com/securitytopics/security/holes/story/0,10801,79521,00.html
-http://www.cnn.com/2003/TECH/ptech/0
3/20/microsoft.warning.ap/index.html
CERT/CC Advance Notices Posted on Security Mailing List (19/20 March 2003)
Someone using the handle Hack4life posted details of three Computer Emergency Response Team Coordination Center (CERT/CC) draft security vulnerabilities to the Full-Disclosure security mailing list before they were intended to be released to the public. CERT/CC provides advance notice of vulnerabilities to members of its Internet Security Alliance, who pay a fee for the privilege, as well as to affected vendors. CERT/CC is asking these organizations to examine their systems for signs of compromises.-http://zdnet.com.com/2100-1105-993375.html
-http://www.wired.com/news/infostructure/0,1377,5
8106,00.html
Linux Kernel Vulnerability (19 March 2003)
A vulnerability in the ptrace component of the 2.2 and 2.4 series of Linux kernels could allow a local user to obtain root privileges. RedHat has posted a patch for the flaw-http://news.com.com/2100-1016-993278.html
-https://rhn.redhat.com/errata/RHSA-2003-098.html?tag=
nl
Online Scheme Bilks $230 Million From Customers Of Pornography Sites (March 19, 2003)
Federal prosecutors charged the head of the company that publishes Playgirl and two others in a scheme that allegedly defrauded thousands of people out of nearly a quarter of a billion dollars. The victims were promised free pornographic images but were allegedly charged $90 per month.-http://www.startribune.com/stories/789/3766250.html
Federal Judge Rules Hacker Was a Police Informant (18 March 2003)
Defense attorneys believe charges against a California Superior Court Judge, for allegedly storing child pornography on his computers at home and in the court, may be thrown out because the evidence used against him was gathered by a hacker who believed he was acting on behalf of the US government.-http://www.bayarea.com/mld/mercurynews/news/loc
al/5417918.htm
Australian Bank Customers Targeted by E-Mail Scam (18 March 2003)
Customers of Australia's Commonwealth Bank received e-mails asking them to log in to a certain web site to reactivate their accounts; the web site was phony. Some customers provided their account numbers and passwords, and there were attempts to remove money from some accounts.-http://www.smh.com.au/articles/2003/03/18/104774
9771323.html
Opinion: Open Source Software is More Secure, Less Expensive (18 March 2003)
Steve Schlesinger argues that because open source software is considerably less expensive than its proprietary counterpart, companies that use open source software will have more resources to devote to security, including broader protection and end-user security education. He also argues that while no software is entirely secure, because open source software is scrutinized by constant peer review, it is less likely to suffer vulnerabilities than is closed source software. Vulnerabilities in open source software are fixed more quickly.-http://www.infosecnews.com/opinion/2003/03/19_01.htm
[Editor's Note (Ranum): The history of security shows that just because people have time and resources to devote to it doesn't mean they will. I think the rates of security bug reports don't bear out his argument. (Multiple) Both sides of this argument can be made effectively. (Paller): The number of vulnerabilities in software is related more to the number of lines of code and the age of the software than other factors. ]
NIST Rates Facial Recognition Systems (17 March, 2003)
The US National Institute of Standards and Technology has tested and rated fifteen different facial recognition programs. Accuracy rates varied widely based on system and age of photographs tested, among other factors.-http://www.gcn.com/vol1_no1/security/21408-1.html
===end===
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editors: Bruce Schneier and Hal Pomeranz
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) visit https://portal.sans.org/preferences.php/
To update your address, visit http://www.sans.org/sansurl and enter
your SD number (from the header of this email.) You will receive your
personal URL via email.
