SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume V - Issue #4

January 29, 2003

TOP OF THE NEWS

SQL Slammer Worm
CIO Council Approves Single Authentication Policy Proposal
Judge: Verizon Must Disclose Customer's Identity to RIAA
Cyber Security Leadership Act Designed to Make Government a Model

THE REST OF THE WEEK'S NEWS

Network Solutions Exposed Customer E-Mail Addresses
British WHOIS Temporarily Suspended Due to Data Mining Attempts
Double Free Vulnerability in CVS
Sprint DSL Customers Vulnerable to Login Data Theft
AOL Not Liable for Hostile Code Sent Over its Service
International Students' Data Stolen From University of Kansas Computer
Microsoft Issues Security Bulletins for Locator, Content Management
Server 2001 and Outlook 2002
New e-Zine Publishes Virus Source Code
RealNetworks Releases Third Portion of Helix DNA Code
Good Disaster Recovery Plan Saves Observatory Data
AOL Web-based E-Mail Vulnerability Fixed
FTC Report Says Identity Theft is On the Rise
Sun Will Release Patch for Solaris Vulnerability
Russian Mobile Phone Company Customer Database was Pirated
RIAA Web Site Under Attack and Unavailable - Again
Plaintiffs to Appeal Verdict in Johansen DeCSS Case
PeopleSoft Application Messaging Gateway Servlet Flaw
Boulder Campus Now Requires SSL e-Mail Encryption
W32/Sahay Worm Tries to Get Rid of Yaha
1,700 Receive FunLove Along with Computer Security Newsletter
GameSpy Network Serv Could be Used in Denial of Service Attacks
Swiss Town had On Line Voting Option
Hewlett-Packard Wireless Keyboards are Not Secure
Los Alamos Lab Hard Drive May be Missing

---

*************** This Issue Sponsored by Qualys, Inc ******************
Bulletproof Your Network: FREE Guide
Existing security products firewalls, anti-virus and IDS
are simply no longer enough to ensure your networks are safe against
sophisticated attacks and worms such as Code Red and Nimda. FREE Guide
shows you how to ensure TOTAL security for your network.
Get it now. https://www.qualys.com/forms/nsguideh_488.php
***********************************************************************

---

TOP OF THE NEWS

SQL Slammer Worm (25/26/27 January 2003)

The W32/SQL Slammer worm exploits a known buffer overflow vulnerability in Microsoft SQL Server 2000 web servers and other systems using MSDE and has infected between 150,000 and 200,000 servers around the world. South Korea was among the countries hardest hit by Slammer, which caused packet loss rates of between 20% and 33%; regular packet loss rates are under 1%. The problem was fixed quickly; ten hours after the attack had begun, packet loss rates were down to 5%. Webcast of White House, ISS, Symantec and SANS technical experts discussing the worm:
-http://www.sans.org/webcasts/012703.php
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,77898,0
0.html
-http://www.washingtonpost.com/wp-dyn/articles/A46928-2003Jan26.html
-http://www.cnn.com/2003/TECH/internet/01/27/internet.attack.ap/index.html
-http://www.cnn.com/2003/TECH/internet/01/27/worm.why/index.html
-http://news.com.com/2100-1001-982284.html
-http://www.govexec.com/dailyfed/0103/012703h1.htm
-http://www.theregister.co.uk/content/56/29040.html
-http://www.cert.org/advisories/CA-2003-04.html
Microsoft itself was apparently infected with the Slammer worm.
-http://news.com.com/2100-1001-982305.html
[Editor's Note (Paller): Damage from this worm was reduced much more quickly than for other worms because systems infected by SQL Slammer immediately flooded their own networks and created local outages. People fixed their systems quickly because there was no other way to stop the pain. (Schultz): The response team for the lab at which I work (CIAC) really threw us and others a curve in that it issued a severity rating of less than critical when this vulnerability was first reported. And I notice that nothing has been done to upgrade the severity rating, even after all that has occurred. ]

CIO Council Approves Single Authentication Policy Proposal (27 January 2003)

The CIO Council approved a proposal that would create a single authentication policy for all agencies. The policy would apply to e-mail, documents and users. The single policy should make it easier for agencies to implement PKI, because policy development is a major cost and major hurdle in such implementations.
-http://www.fcw.com/fcw/articles/2003/0127/news-policy-01-27-03.asp

Judge: Verizon Must Disclose Customer's Identity to RIAA (21/22 January 2003)

A federal judge has ruled that under the Digital Millennium Copyright Act (DMCA), Verizon Communications must disclose the identity of KaZaA users to the Recording Industry Association of America (RIAA). Verizon maintains that the DMCA does not apply in cases where customers' identities are sought by copyright holders, and plans to appeal the decision.
-http://www.pcworld.com/news/article/0,aid,108889,00.asp
-http://zdnet.com.com/2100-1106-981449.html
-http://www.cnn.com/2003/TECH/internet/01/22/downloading.music.ap/

Cyber Security Leadership Act Designed to Make Government a Model (20 January 2003)

Senator John Edwards' (D-N.C.) Cyber Security Leadership Act is aimed at making the federal government a model of information security. Among the bill's provisions: agency CIOs would be required to identify vulnerabilities in their systems and establish goals for eliminating them and the National Institute of Standards and Technology (NIST) would develop mandatory guidelines for addressing the vulnerabilities.
-http://www.gcn.com/vol1_no1/daily-updates/20899-1.html
[Editor's Note (Paller): The key provision in the Cyber Security Leadership Act is an important correction to the Federal Information Security Management Act (FISMA), just signed by the President. FISMA required agencies to test only "major" systems. As this weekend's worm proved, unprotected and unimportant systems create havoc and denial of service attacks. If the government is going to demonstrate leadership in cybersecurity, it must demonstrate effective methods for checking and securing huge numbers of systems cost-effectively. There's no doubt in my mind that it can be done in part through procurement innovation and partnerships with vendors. ]

---

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Alert! New attacks coming. Stop email threats, including
spam. Here's how. http://www.sans.org/cgi-bin/sanspromo/NB125
(2) Instantly stop DDoS attacks and port scans.
http://www.sans.org/cgi-bin/sanspromo/NB126
(3) BE OFFENSIVE. Don't react to network intrusions. Actively
prevent them. FREE DEMO. http://www.sans.org/cgi-bin/sanspromo/NB127
***********************************************************************
SANS National Information Assurance Leadership Conference (March
5-6 in San Diego) is the only conference to attend for CISO's
and other security managers and team leaders. The highest rated
speakers in the security field - no vendor marketing fluff. And it
is not too technical for managers. You can even attend it and then
attend SANS immersion training in the same hotel right after the
conference. http://www.sans.org/SANS2003/ (Click on NIAL in "Select
a Course")
***********************************************************************

---

THE REST OF THE WEEK'S NEWS

Network Solutions Exposed Customer E-Mail Addresses (24 January 2003)

The Internet domain registrar Network Solutions inadvertently sent out messages containing customer e-mail addresses to some of its customers who purchased .org addresses; about 85,000 e-mail addresses were exposed. Those affected fear they will be targeted by spammers. The e-mail information is available through the Whois databases, but potential spammers would have to look them up one at a time.
-http://www.washingtonpost.com/wp-dyn/articles/A35318-2003Jan23.html
[Editor's Note (Grefer): This is not a very big issue because scripting WHOIS queries enumerating names is not very difficult. ]

British WHOIS Temporarily Suspended Due to Data Mining Attempts (24 January 2003)

Nominet UK suspended its WHOIS service for nearly nine hours after it became apparent someone was attempting to copy the entire database. Service has been started again, but will be suspended if the attacks resume.
-http://www.theregister.co.uk/content/6/29022.html

Double Free Vulnerability in CVS (23/24 January 2003)

The Computer Emergency Response Team Coordination Center (CERT/CC) has issued an advisory warning of a double-free vulnerability in the Concurrent Versions System (CVS) that could allow attackers to take over CVS servers and alter source code.
-http://zdnet.com.com/2100-1104-981801.html
-http://www.theregister.co.uk/content/56/29019.html
-http://www.cert.org/advisories/CA-2003-02.html
vendor status information:
-http://www.kb.cert.org/vuls/id/650937#systems

Sprint DSL Customers Vulnerable to Login Data Theft (23 January 2003)

Weak security controls on ZyXel Communications DSL modems issued to Sprint FastConnect DSL customers could allow attackers to steal passwords and e-mail addresses; the vulnerabilities can exist even when computers are powered down, because the modems, which store login data, are often still on. Remote access to the modems' administrative software is protected by a default password of "1234." Sprint does not provide instructions for resetting the password in its customer documentation, but plans to post information on its website about disabling the remote administration feature; modems without the feature will be shipped starting in February.
-http://www.wired.com/news/infostructure/0,1377,57342,00.html

AOL Not Liable for Hostile Code Sent Over its Service (23 January 2003)

The U.S. Court of Appeals for the Third Circuit upheld a ruling that AOL is not liable for hostile code sent by a subscriber through its service. The original suit was brought by a man who alleged AOL failed to enforce its terms of service because he received hostile code designed to kick him off the service from an AOL subscriber.
-http://news.com.com/2100-1023-981800.html
[Editor's Note (Schultz): So far ISP's, most of whom who have a long way to go when it comes to security, have been getting off pretty light when it comes to legal rulings related to security problems and incidents, as this and other recent rulings have shown. ]

International Students' Data Stolen From University of Kansas Computer (23/25 January 2003)

The FBI is investigating a computer security breach at the University of Kansas. A hacker allegedly downloaded personal information belonging to 1,450 international students from a computer at the University's Academic Computing Center. The information was collected as a part of homeland security measures, and included passport and student ID numbers, countries of origin and courses taken. Apparently a patched hole reverted to its unpatched state after a security upgrade was installed. University officials believe the hole has now been fixed.
-http://www.thekansascitychannel.com/education/1930636/detail.html
-http://24hour.startribune.com/24hour/technology/story/734845p-5355931c.html

Microsoft Issues Security Bulletins for Locator, Content Management Server 2001 and Outlook 2002 (23 January 2003)

Microsoft has issued three security bulletins. The first, which received a 'critical" rating, is for a buffer overflow flaw in the Windows Locator service and affects Windows versions NT 4.0, 2000 and XP. The two other bulletins address flaws in Content Management Server 2001 and in Outlook 2002's handling of V1 Exchange Server Security Certificates; these flaws received "important" and "moderate" ratings, respectively.
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,77801,0
0.html
-http://zdnet.com.com/2100-1105-981745.html
-http://www.microsoft.com/technet/security/bulletin/MS03-001.asp
-http://www.microsoft.com/technet/security/bulletin/MS03-002.asp
-http://www.microsoft.com/technet/security/bulletin/MS03-003.asp
-http://www.cert.org/advisories/CA-2003-03.html

New e-Zine Publishes Virus Source Code (23 January 2003)

A group of virus writers has published an e-zine called Mitosis that contains source code for viruses and advice for evading detection by anti-virus software.
-http://www.infosecuritymag.com/2003/jan/digest23.shtml#news4

RealNetworks Releases Third Portion of Helix DNA Code (23 January 2003)

RealNetworks, Inc. is releasing the source code to its Helix DNA Server. The company has already released code to Helix DNA Client and Helix DNA Producer. The company hopes the code's release will produce "the industry's first open-source media delivery system."
-http://www.computerworld.com/developmenttopics/development/webdev/
story/0,10801,77805,00.html
[Editor's Note (Grefer): Releasing/Publishing source code does not automatically make it open-source in the traditional meaning of this expression. ]

Good Disaster Recovery Plan Saves Observatory Data (23 January 2003)

Valuable data collected by the Mt. Stromlo Observatory in Canberra, Australia were not lost in a firestorm that destroyed the facility thanks to a "comprehensive data recovery plan." Data from the telescopes had been being sent to a StorageTek 9310 Powderhorn library at the Canberra campus of the Australian National University (ANU); administrative and research data had been being backed up regularly and stored at two separate remote locations.
-http://www.zdnet.com.au/newstech/enterprise/story/0,2000025001,20271482,00.htm
[Editor's Note (Shpantzer): I love hearing success stories like this. It's not all cyberterrorism and hackers. Plan for natural disasters with remote storage and test the restoration process. Business continuity is not as glamorous as some of the cool technologies out there, but it is essential for the long term existence of the organization. ]

AOL Web-based E-Mail Vulnerability Fixed (22/23 January 2003)

A vulnerability in AOL's international web-based e-mail authentication system allowed access to accounts without first verifying account passwords; all an attacker would need to read someone else's e-mail was the account name. Those exploiting the vulnerability would also be able to access AIM passwords. AOL says only several hundred accounts were affected and has reportedly repaired the hole.
-http://www.eweek.com/article2/0,3959,840980,00.asp

FTC Report Says Identity Theft is On the Rise (22 January 2003)

A Federal Trade Commission (FTC) report says that complaints about identity theft have increased 73% since last year and account for 43% of all the complaints they received in 2002. Problems with Internet auctions generated 13% of complaints.
-http://zdnet.com.com/2100-1105-981489.html
FTC website with information about identity theft:
-http://www.consumer.gov/idtheft/

Sun Will Release Patch for Solaris Vulnerability (22 January 2003)

A vulnerability in the Kodak Color Management System (KCMS) library service daemon in Sun Microsystems' Solaris 2.5.1, 2.6, 7, 8 and 9 running on Sparc- or Intel-based servers could allow remote access to all files and possible root privileges on unprotected systems. Sun Microsystems plans to release a patch sometime in the future.
-http://www.eweek.com/article2/0,3959,840818,00.asp
[Editor's Note (Grefer): Few people use this feature. If you do not use it, remove it by executing a pkgrm pkgname as root. ]

Russian Mobile Phone Company Customer Database was Pirated (22 January 2003)

Russian mobile phone company Mobile Telesystems has acknowledged that it suffered a serious security breach that has resulted in pirated CDs of the company's entire five million customer database appearing for sale in Moscow. A company spokeswoman said they are investigating how the breach took place. Note: this site requires free registration
-http://www.nytimes.com/2003/01/23/business/worldbusiness/23DATA.html

RIAA Web Site Under Attack and Unavailable - Again (27 January 2003)

The RIAA web site is again being targeted by a denial-of service attack; the site has been unavailable since Friday, 24 January. The RIAA is trying to restore the site and the U.S. Secret Service is investigating the incident.
-http://news.com.com/2100-1023-982274.html?tag=fd_top

Plaintiffs to Appeal Verdict in Johansen DeCSS Case (21 January 2003)

Norway's Economic Crime Unit plans to appeal the recent acquittal of Jon Johansen, the teenager in the DeCSS DVD decryption case. Johansen's lawyer is confident they will win any appeals.
-http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=2079046

PeopleSoft Application Messaging Gateway Servlet Flaw (21 January 2003)

A vulnerability in PeopleSoft's Application Messaging Gateway servlet could allow attackers to access confidential information. The flaw affects versions 8.1x of PeopleTools; version 8.4x is not affected. Internet Security Systems (ISS), the network security company that discovered the flaw, recommends that affected users restrict or block access to the vulnerable servlets until PeopleTools 8.19 , which addresses the problems, comes out in early February.
-http://news.zdnet.co.uk/story/0,,t269-s2129044,00.html

Boulder Campus Now Requires SSL e-Mail Encryption (21 January 2003)

As of January 2, 2003, the University of Colorado at Boulder requires the use of Secure Sockets Layer (SSL) encryption for e-mail messages sent between campus e-mail servers and individuals' client software. Users had to reconfigure their e-mail programs in order to communicate with campus servers. The University of Colorado at Boulder also began requiring the use of encrypted links for FTP and telnet functions.
-http://chronicle.com/free/2003/01/2003012101t.htm
[Editor's Note: What a GREAT idea! The fact that it is news is a bit scary. Is it actually so unusual for a campus setting? ]

W32/Sahay Worm Tries to Get Rid of Yaha (21 January 2003)

The W32/Sahay.A mass mailer worm arrives as an attachment, mathmagic.scr, and is designed to detect the Yaha worm and remove it from infected machines. Sahay tries to attach itself to .exe files in the Windows and C:ProgramFilesMircDownload folders, but its buggy code could corrupt files in the folders or even crash the machine.
-http://zdnet.com.com/2100-1105-981336.html

1,700 Receive FunLove Along with Computer Security Newsletter (21 January 2003)

Norway's Data Inspectorate inadvertently sent copies of the FunLove worm to 1,700 of its computer security newsletter subscribers. Evidently, the agency's external e-mail server was infected with FunLove, which allows all users administrative privileges on infected systems.
-http://www.siliconvalley.com/mld/siliconvalley/news/editorial/4998039.htm

GameSpy Network Servers Could be Used in Denial of Service Attacks (21 January 2003)

PivX Solutions has posted an advisory warning that multi-player games with servers supporting the GameSpy network could be manipulated to intensify the effect of denial of service attacks. This is possible because the GameSpy network code does not verify senders' addresses.
-http://zdnet.com.com/2100-1105-981255.html

Swiss Town had On Line Voting Option (20 January 2003)

Residents of Anieres, Switzerland, a suburb of Geneva, were given the opportunity to vote online from their home computers in a recent election. Those who chose to vote on line were required to enter a series of security codes, birthdate and place of birth before casting their votes. The head of the Geneva administration called the system "even more secure than postal voting.
-http://www.cnn.com/2003/TECH/internet/01/20/switzerland.internet.ap/index.html

Hewlett-Packard Wireless Keyboards are Not Secure (20 January 2003)

After another instance of its wireless keyboards transmitting data to computers on other, nearby residences, Hewlett-Packard will no longer guarantee the security of those devices. A spokesman for the company said if users are looking for good security, they should use keyboards with cords.
-http://www.aftenposten.no/english/local/article.jhtml?articleID=474623
[Editor's Note (Grefer) As I have said before, wireless keyboards are NOT secure; a lot has to be done to change that. BTW, the same applies for wireless mice, even though their impact might not always be as disastrous. ]

Los Alamos Lab Hard Drive May be Missing (17 January 2003)

It is possible that a hard drive associated with a computer used for security purposes at the Los Alamos National Laboratory is missing. While conducting an equipment inventory, a worker placed a bar code on a metal carrier that may or may not have held a hard drive at the time; the worker did not check. The carrier is now empty.
-http://www.fcw.com/fcw/articles/2003/0113/web-alamos-01-17-03.asp

---

===end===
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) visit https://portal.sans.org/preferences.php/
To update your address, visit http://www.sans.org/sansurl and enter
your SD number or email address (from the header of this email.) You
will receive your personal URL via email.