SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #8
February 26, 2003
TOP OF THE NEWS
Lovgate.C Worm Affects Outlook and Outlook ExpressCERT/CC Warns of Multiple SIP Vulnerabilities
HIPAA Security Standards Rule Published
Source of Credit Card Security Breach Disclosed
Banks Cancel Cards After Security Breach
Oracle Releases Patches for Six Vulnerabilities
THE REST OF THE WEEK'S NEWS
Mafiaboy Brought Need for Cybercrime Legislation to Canadian Government's AttentionJury Acquits Man of Unlawful Wireless Intrusion
Student Arrested for School District Computer System Intrusion
Researchers Discover ATM PIN Vulnerability
SSL Vulnerability Not a High Risk
Paper Argues Cyber Crime Sentences Too Harsh
Directed-Energy Weapons Could Target Digital Communications
Former Administrator Arrested for Hacking Company Network
Hacker Tricked into Revealing Identity
Universities Interested in Digital Fingerprint Monitoring to Reduce Bandwidth Consumption
Triple Extension Vulnerability in Outlook Express
Symantec Clarifies Slammer Detection Claim
Patches Available for Lotus Domino Server 6.0 Vulnerabilities
Interstate ISAC
Slammer Spread Rapidly via UDP
Few Firms Comply with UK Security Standard
TUTORIAL
Secure MySQL Installation************* This Issue Sponsored by Tripwire, Inc. *************
ASSURE INTEGRITY WITH TRIPWIRE. GET A FREE POSTER.
Tripwire integrity assurance solutions pinpoint changes to your servers
and network devices, accelerating discovery and increasing uptime,
making you the hero of your IT organization. Click here to get a FREE
copy of our Security Exploit and Vulnerability Matrix Poster.
http://www.tripwire.com/literature/poster/index.cfm?djinn=942
***********************************************************************
TOP OF THE NEWS
Lovgate.C Worm Affects Outlook and Outlook Express (24 February 2003)
The Lovgate.C worm spreads by replying to messages computers' in-boxes. Machines become infected either by users clicking on an attachment or through shared files and folders. Lovgate.C also Trojan that will allow files on the infected computer to be accessed and modified remotely. The worm affects Outlook and Outlook Express e-mail programs.-http://www.computerworld.com/securitytopics/security/virus/story/0,10801,78765,0
0.html
-http://www.gcn.com/vol1_no1/daily-updates/21248-1.html
-http://news.com.com/2100-1001-985742.html
CERT/CC Warns of Multiple SIP Vulnerabilities (21 February 2003)
The Computer Emergency Response Team Coordination Center (CERT/CC) has released an advisory warning of multiple vulnerabilities in Session Initiation Protocol (SIP) implementations from a variety of vendors. The vulnerabilities could be exploited to launch denial-of-service attacks, gain unauthorized access to systems or cause system instability. Vendors are offering patched for the problems.-http://www.cert.org/advisories/CA-2003-06.html
[Editor's Note (Northcutt): This is a well written CERT advisory and it is still early, the exploits and worms might be along in a few weeks. You will recall the PROTOS test suite from OSLO and the hullabaloo over SNMP Feb. 2002. This is the same kind of thing. A PROTOS test suite has been run against a number of SIP implementations, and the results indicate it is possible to build buffer overflows and such. If you start seeing lots of inexplicable traffic to UDP/TCP 5060 or TCP 5061 it would be a very good idea to report it to CERT, your CIRT or isc@sans.org ]
HIPAA Security Standards Rule Published (20/21 February 2003)
The Department of Health and Human Services (HHS) has published the final version of health care information security standards under the Health Insurance Portability and Accountability Act (HIPAA). While affected entities must comply with HIPAA privacy standards by April 14, 2003, they have until April 21, 2005 to comply with the security rule. The standards include conducting a risk analysis, developing policies and procedures and contingency plans in the event of an attack, and ensuring that everyone is aware of the policies. The standards do not dictate specific technology, but instead allow health care organizations tailor their policies and procedures to their specific needs. There is some concern that the rules will invite litigation.-http://www.nwfusion.com/news/2003/0220goverpubli.html
-http://www.fcw.com/fcw/articles/2003/0217/web-hippaa-02-21-03.asp
-http://www.computerworld.com/governmenttopics/government/policy/story/
0,10801,78684,00.html
[Editor's Note (Northcutt): The best HIPAA summary we have seen is the one by Steve Weil:
-http://www.sans.org/projects/hipaa.php]
Source of Credit Card Security Breach Disclosed (18/19 February 2003)
The locus of the massive credit card security breach has been traced to a computer system at Omaha-based Data Processors International, a company that handles credit card transactions for catalogs and direct marketers. It appears the security breach was launched from the outside; information is being analyzed to see if there is a trail that will lead to the hacker. Data Processors International also handles American Express accounts. There have been no reported cases of credit card fraud so far, and it isn't clear if the hacker actually stole any information.-http://www.msnbc.com/news/874307.asp?0dm=C236T
-http://www.msnbc.com/news/874907.asp?0si=-&cp1=1
Banks Cancel Cards After Security Breach (20/21 February 2003)
Pittsburgh's PNC bank has canceled 16,000 Visa cards after being informed that their card were among those exposed in the recent security breach; they are in the process of issuing new cards to their customers. MasterCards issued by Rhode Island-based Citizens' Financial Group were also affected by the breach.-http://www.post-gazette.com/businessnews/20030220pnc0220p4.asp
-http://www.usatoday.com/tech/news/2003-02-21-hack-attack_x.htm
Oracle Releases Patches for Six Vulnerabilities (17/18 February 2003)
Oracle has released patches for six security flaws: four in its database software and two in its Application Server. The most serious is a buffer overflow vulnerability in the Oracle.exe binary of Oracle database 9i Release 2, 9i Release 1, 8i Version 8.1.7 and 8 Version 8.0.6; this flaw could be exploited to take control of the system running the software.-http://www.computerworld.com/securitytopics/security/story/0,10801,78607,00.html
-http://news.com.com/2100-1001-985012.html
-http://www.theregister.co.uk/content/55/29360.html
-http://www.cert.org/advisories/CA-2003-05.html
[Editor's Note (Paller): The weekly Critical Vulnerability Analysis provided in depth analyses of these vulnerabilities and what major organizations did to protect themselves. If you do not get the CVA, you may subscribe at
-http://www.sans.org/newsletters/cva/.
The CVA is nearly equal in value and effectiveness to the commercial services costing $5,000 per year. But the CVA is free. ]
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Stop spam! - Top 10 enterprise techniques to control spam
***white paper***
http://www.sans.org/cgi-bin/sanspromo/NB137
(2) STOP INTRUSIONS with preventive countermeasures. Automatically
block intruders. FREE WP explains how.
http://www.sans.org/cgi-bin/sanspromo/NB138
(3) Weighed Down by Security Data? View our new White Paper at
http://www.sans.org/cgi-bin/sanspromo/NB139
***********************************************************************
THE REST OF THE WEEK'S NEWS
Mafiaboy Brought Need for Cybercrime Legislation to Canadian Government's Attention (23 February 2003)
The case of Mafiaboy, the Canadian teenager who launched distributed denial-of-service (DDoS) attacks on high profile web sites in February 2000, helped alert the Canadian government to the need for legislation regarding cybercrime. A law has been established that lets police get warrants requiring ISPs to provide them with information; pending legislation would require ISPs and businesses to save information like e-mail and contents of hard drives in case the police need it.-http://www.canada.com/montreal/news/story.asp?id=3C1DAA77-791C-4754-858F-CF672F4
7FCE9
Jury Acquits Man of Unlawful Wireless Intrusion (21 February 2003)
A jury took fifteen minutes to acquit a man who was accused of gaining unlawful access to the Harris County (TX) district clerk's computer system. Stephan Puffer had maintained that he was demonstrating a vulnerability in the wireless network to county officials; when he did, he was indicted on fraud charges. The jury found that Mr. Puffer never intended to cause any damage to the system, and the district county clerk admitted he had been embarrassed by the demonstration.-http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=
JanX.db&command=viewone&id=25&op=t
-http://www.theregister.co.uk/content/55/29434.html
[Editor's Note (Ranum): Is this sending the right message? Are the courts giving law-breakers an "out" if they get caught? ]
Student Arrested for School District Computer System Intrusion (18 February 2003)
A Turlock, California high school student has been arrested for breaking into the school district's computer system and copying files, usernames and passwords. The student apparently wanted to demonstrate the system's vulnerability; he had told his computer teacher about the flaw, but the system administrator said it couldn't be exploited. The student faces expulsion and criminal charges.-http://www.bayarea.com/mld/mercurynews/news/local/5209779.htm
[Editor's Note (Paller): As sympathetic as this student's plight may seem, especially in light of the acquittal of the Texas man described in the previous NewsBites item, it makes no sense to allow people to demonstrate vulnerabilities by exploiting them. Court decisions of that sort would blur the line between legal and illegal activity and reverse a pattern of lengthening sentences for convicted hackers. Without substantial sentences there is little to deter criminals from hacking and claiming they were "just trying to demonstrate a vulnerability." The student could have had the desired impact if he had fully documented his attack strategy without exploiting it and provided the document to the school board and, if the school board refused to act, then the press. ]
Researchers Discover ATM PIN Vulnerability (21 February 2003)
Researchers in Cambridge, England have published a paper describing a technique for discovering a PIN in 15 guesses. The attack against bank ATM hardware security modules (HSMs) depends on the decimalization tables used for encryption and would have to be conducted by an insider. The researchers say the best way to protect systems from the attack is to ensure the decimalization tables cannot be changed without permission. The researchers have been asked to testify as expert witnesses in a case involving the alleged theft of 50,000 pounds from a bank account via ATMs. The judge in the case has imposed a secrecy order; one of the researchers has observed that some of the information is already public knowledge.-http://www.newscientist.com/news/news.jsp?id=ns99993424
-http://www.theregister.co.uk/content/55/29425.html
-http://www.eweek.com/article2/0,3959,899812,00.asp
-http://www.theage.com.au/articles/2003/02/21/1045638471679.html
-http://zdnet.com.com/2100-1105-985545.html
SSL Vulnerability Not a High Risk (20/21 February 2003)
Researchers in Switzerland say they have developed a technique that allows them to guess passwords send though Secure Sockets Layer (SSL) encryption. The technique, which involves intercepting and altering e- mail to generate error messages, applies only to e-mail; banks and e-commerce web sites use a different sort of SSL technology. The vulnerability is present in OpenSSL versions prior to 0.9.6i and 0.9.7a. Experts say the vulnerability is not serious.-http://www.newscientist.com/news/news.jsp?id=ns99993420
-http://news.bbc.co.uk/2/hi/technology/2785145.stm
-http://www.theregister.co.uk/content/55/29423.html
-http://zdnet.com.com/2100-1105-985460.html
Paper Argues Cyber Crime Sentences Too Harsh (20 February 2003)
A recently published position paper maintains that people convicted of cyber crimes are given harsher sentences than those given to people who commit similar, non-cyber crimes. Jennifer Granick, director of Stanford University's Center for Internet and society, says the sentences are handed down "based on the fear of the worst-case scenario" instead of looking at the cases for what they are.-http://news.com.com/2100-1001-985407.html
[Editor's Note (Ranum): Ms. Granick also represents clients accused of cyber crimes. She may not have an entirely unbiased perspective. ]
Directed-Energy Weapons Could Target Digital Communications (20 February 2003)
In the event of war with Iraq, the United Stated may for the first time use directed energy weapons, which are designed to disrupt and destroy digital communications systems. While terrorists probably do not have the capability to create such weapons now, they may become a part of warfare in the future, and US systems are not hardened against this kind of attack. The weapons are similar to the electromagnetic pulse (EMP) generated by nuclear weapon detonation, but with a closer range and more specifically targeted.-http://www.nytimes.com/2003/02/20/technology/circuits/20warr.html
(please note that this site requires free registration) The Directed Energy Directorate of the Air Force Research Labs site:
-http://www.de.afrl.af.mil/
[Editor's Note (Shpantzer): Here is an example of how directed energy can be used as a less-lethal technology for crowd dispersal:
-http://www.afrlhorizons.com/Briefs/Sept01/DE0101.html
Former Administrator Arrested for Hacking Company Network (20 February 2003)
A man who used to work as a network administrator for a Los Angeles Airport limousine company has been arrested on charges of hacking into the company's computer system and causing damage that cost the company thousands of dollars in lost revenue. The man allegedly changed passwords, deleted the customer database and erased applications.-http://www.securityfocus.com/news/2567
Hacker Tricked into Revealing Identity (20 February 2003)
A hacker tricked a Nottingham, UK teen-aged girl into downloading keystroke-logging software, which he then used to steal her father's credit card information. The girl helped police find the hacker when she contacted him through a chat room a year later and asked him to take a quiz to see if they were compatible. The suspect provided ample information for police to track him down in Scotland. Police seized his computer equipment and found evidence that he had stolen credit card information from other people. He was recently sentenced to 100 hours of community service.-http://www.theregister.co.uk/content/55/29403.html
Universities Interested in Digital Fingerprint Monitoring to Reduce Bandwidth Consumption (20 February 2002)
The University of Wyoming is piloting technology on its computer network that examines every bit of file sharing traffic; the digital fingerprinting technology will eventually block transmissions of files that are determined to be pirated. Universities are interested in the technology because they are concerned about over-consumption of bandwidth.-http://news.com.com/2100-1023-985027.html
Triple Extension Vulnerability in Outlook Express (20 February 2003)
A vulnerability in Outlook Express has been exploited by attackers to send Trojans. By specially crafting triple extension attachments, attackers can send executable files that evade detection. The first extension, which is visible to the recipient of the message, will look like something familiar and safe, for instance .jpg. The second extension is the executable that can contain the malicious code, and the third another safe extension which generates a safe icon. The vulnerability has been exploited to send Trojans.-http://techupdate.zdnet.co.uk/story/0,,t507-s2130783,00.html
Symantec Clarifies Slammer Detection Claim (20 February 2003)
Symantec's Vincent Weafer clarified the company's statement last week that claimed it had detected the Slammer worm hours before it became public knowledge. Actually, Symantec's DeepSight Threat Management System sends automated alerts to customers when firewall sensors picked up increased attempts to access port 1434. At that time the company was aware of a "network anomaly," but not until a few hours later, about the time the first Slammer postings appeared on Bugtraq, did the information coalesce to indicate an actual attack.-http://www.theregister.co.uk/content/56/29406.html
Patches Available for Lotus Domino Server 6.0 Vulnerabilities (19 February 2003)
IBM has released patches for a trio of vulnerabilities in Lotus Domino Server 6.0. The flaws could allow attackers to run malicious code on vulnerable machines. The fixes are available at the Lotus site below.-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78642,0
0.html
-http://www-10.lotus.com/ldd/r5fixlist.nsf/Progress/601?OpenDocument
Interstate ISAC (19 February 2003)
Thirteen states, including New York and Florida, are moving toward creating an interstate information sharing and analysis center (ISAC). During a recent "dry run," states reported suspicious Internet activity of a central location.-http://www.gcn.com/vol1_no1/security/21169-1.html
Slammer Spread Rapidly via UDP (18 February 2003)
The Slammer worm spread across the Internet in a matter of hours, and the majority of infections occurred within the first 15 minutes. The rapid spread can be attributed in part to the fact that Slammer spread via UDP rather than TCP; UDP, an older and less secure protocol, does not require the "three-way handshake" authentication that TCP requires.-http://www.newsfactor.com/perl/story/20776.html
Few Firms Comply with UK Security Standard (17 February 2003)
Although the UK has established BS7799, a standard that offers a framework for establishing a security policy, only 80 companies have received certification. The government may consider making the standard mandatory.-http://www.vnunet.com/News/1138801
TUTORIAL
Secure MySQL Installation (18 February 2003)
Advice for securely installing the MySQL database includes both basic database security and information specific to MySQL.-http://www.securityfocus.com/infocus/1667
===end===
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) visit https://portal.sans.org/preferences.php/