
@RISK: The Consensus Security Vulnerability Alert

Volume: III, Issue: 52
December 31, 2004

This week's @RISK contains news about in-the-wild exploits of an unpatched Windows vulnerability (Item #1). Please note: Part II, the complete list of all newly discovered vulnerabilities, will reappear in next week's @RISK. Because we have a short issue this week, we are adding a bonus that will be useful for readers who are also responsible for security awareness: the Security Awareness Tool of the Month. Normally this goes only to organizations using the SANS Awareness training program, but we thought it would be a useful holiday present for you. Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

*********************** Sponsored by NetIQ ******************************

Win the Spam Battle! Get a handle on your information security issues with the FREE eBook, "Content Security in the Enterprise-Spam and Beyond." Industry veteran Daniel Chenault provides the battleplan on how you can reduce or eliminate spam, protect corporate information assets and ensure that your vital resources are secure and available for authorized business purposes. Download this free eBook now. http://www.netiq.com/f/form/form.asp?id=2395&origin=NS_SANS_122704

*************************************************************************

************************** SPONSORED LINKS ******************************

Privacy notice: Sponsored links redirect to non-SANS web pages.

#1 Industry experts and regulatory organizations define best practices for managing log data - FREE whitepaper: http://www.sans.org/info.php?id=696

*************************************************************************

Highlighted Security Training Program of the Week: SANS Orlando - the largest Security Training Program - February 3-9, 2005. Fourteen immersion training tracks for managers, auditors, sysadmins, security professionals and for those seeking to pass the ISC2 CISSP exam. The best teachers in security, in Florida, when it is cold in the north and Europe. Plan to bring the family along for a weekend at Disney World. Conference and registration details: http://www.sans.org/orlando05

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (http://www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
Other Software
  • (3) HIGH: Multiple Vendor PHP Remote File Include Vulnerabilities
  • Affected:
    • PHProjekt version 4.x
    • Help Center Live versions 1.x
  • Description: The following software packages reportedly contain PHP remote file include vulnerabilities: PHProjekt and Help Center Live. These flaws can be exploited by a remote attacker to run arbitrary PHP code on the webserver hosting the vulnerable software. The postings show how to craft the malicious HTTP requests that exploit the flaws. Note that the vulnerabilities can be exploited only if the server's "register_globals" PHP configuration parameter is turned "On"; the default setting for this parameter is "Off" for PHP versions 4.2.0 or higher.

  • Status: PHProjekt confirmed; upgrade to version 4.2.3 or apply the patches. Help Center Live: vendor not confirmed, no patches available. A workaround is to turn "register_globals" off.

  • Council Site Actions: The affected software is not in production or widespread use, or is not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Exploit Code
  • (4) PhpInclude Worm
  • Description: The Santy worm that defaced websites using phpBB software has evolved into a more general worm dubbed the PhpInclude worm (a.k.a. Perl.Lexac, Santy.E). This worm targets websites running any PHP software that contains "remote file include" vulnerabilities. The worm finds target websites via the Google, Yahoo and AOL search engines; specifically, it searches for webpages that use the PHP "require()" or "include()" functions. These functions include and evaluate the specified file. If the input to these functions is not properly sanitized, an attacker can pass an arbitrary file and thereby execute arbitrary PHP code on the server. To prevent the worm: (a) ensure that any scripts calling "require()" or "include()" properly sanitize user input; (b) turn "register_globals" off, since for many PHP packages the vulnerabilities can be exploited only when "register_globals" is on; (c) configure Apache mod_security, Apache mod_rewrite or PHP filters to block the worm's requests.

  • Council Site Actions: Council sites running the affected software have very limited deployments and have checked the PHP code to ensure it does not contain the vulnerable configuration.

  • References:
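The include pattern behind both items above, shown as an added example beside a hardened version (this is not code from the advisory, PHProjekt or Help Center Live; the "page" parameter, the pages/ directory and the allow-list of template names are assumptions):

```php
<?php
// Added example, not code from the advisory, PHProjekt or Help Center Live.
// The "page" parameter, pages/ directory and allow-list are assumptions.
// The pattern behind the flaws above: with register_globals=On a request
// parameter becomes the global $page, and include() will load a URL the
// attacker supplies, executing whatever PHP the remote server returns.
function render_page_vulnerable()
{
    global $page;      // filled from ?page=... when register_globals is On
    include $page;     // attacker-controlled path: remote file include
}

// Startup check mirroring the advisory's workaround: refuse to run while
// register_globals is on. allow_url_fopen is what lets include() fetch
// URLs at all in PHP 4/5, so it is checked as well.
function configuration_is_safe(): bool
{
    $on = fn($v) => filter_var($v, FILTER_VALIDATE_BOOLEAN);
    return !$on(ini_get('register_globals')) && !$on(ini_get('allow_url_fopen'));
}

// Hardened version: the request value is never used as a path, only as a
// key into an allow-list of templates that exist on disk.
const ALLOWED_PAGES = ['home', 'contact', 'about'];

function resolve_page(string $requested): ?string
{
    // Strict exact match: no URL schemes, "../" or NUL bytes can get through.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    return __DIR__ . '/pages/' . $requested . '.php';
}

function render_page_hardened(): void
{
    if (!configuration_is_safe()) {
        die('Refusing to run: register_globals or allow_url_fopen is enabled');
    }
    // Read the parameter explicitly from $_GET rather than via register_globals.
    $requested = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
    $path = resolve_page($requested);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}
render_page_hardened();
```

A request such as ?page=http://attacker.example/x is rejected by the allow-list rather than reaching include(), and the configuration check stops the script before it serves anything on a host that still has the risky settings enabled.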
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 52, 2004


==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed, other than as listed above, without prior written permission.

============================================

Bonus for the holidays: The Tool of the Month is distributed to organizations using the SANS Security Awareness training program. For more information on our awareness training program, see http://www.sans.org/awareness/

Security Awareness Tool of the Month: December 2004 By Kristy Westphal

Email: Is it safe?

Just when you thought it was safe to open your email again....ZAP! Yet another strange request from your Credit Card Company or bank, looking for your PIN, perhaps a credit card number, or some other personal information. It's even gone so far as to touch other companies like telecommunication provider Verizon. The facts are in: phishing scams are continually on the rise and they are getting harder to detect as they take advantage of vulnerabilities in the software that we use every day, such as our mail clients and our browsers.

As a security professional, you realize that you need to get the information out to your company's employees about what they should do when they get a phishing email. The problem is, how do you explain to your average, non-computer savvy user what to look for? Sure, you can describe it in words, but it really helps to see examples. Here is the tool for you!

http://survey.mailfrontier.com/survey/quiztest.html

It's the MailFrontier Phishing Quiz, currently up to version 2. (Version 1 is available here: http://survey.mailfrontier.com/survey/quiztest.cgi?/themailfrontierphishingiqtest )

It has ten samples, a mix of real phishing emails and authentic emails. For example, message 9 is from 'Capitol One' and there are three possible selections. They are:

  • Legitimate
  • Phishing Fraud
  • No Answer

You can click on the link to see what the email looks like ( http://www.mailfrontier.com/quiztest2/S2html/Q9.html ) and then select your answer. When you are done, you can see how well you did by clicking on the "Get your score" button.

While there aren't a lot of details as to what to look for in a phishing email, it is a simple way to show your users that it isn't easy to identify phishing ploys. If they ever have any doubt about an email, they should call the provider in question to verify authenticity. Many of the most heavily hit companies actually have fraud phone lines or email addresses where you can report suspicious emails.

Still not convinced this is a good tool? Well, I have used this tool to help educate the security analysts where I work. We took part of the quiz all together, aloud, and not even they could tell by just looking at the email. They actually missed quite a few that were real, calling them fakes, and vice versa. It did show that even security analysts can find it difficult to determine the real versus the fake.

In another case, a network manager put some samples from the quiz in a user broadcast message. A user notified him that when they had received a suspicious email, they called the company to confirm it rather than click on the link, all because of the examples that had been sent out.

Furthermore, a consultant has commented that he was able to use the examples in his awareness classes. Feedback on the examples reflected very positive responses, including one that too little time was spent on the examples in the first class where the consultant used them. The consultant commented: "it helped me create a break from 'talking at' the group and get a little audience participation going."

While not a definitive tool, it can be very effective. Combined with tips like the following, from the Anti-Phishing Working Group, the MailFrontier quiz can be another effective tool in your awareness arsenal:

1) Be suspicious of any email with urgent requests for personal information.

2) Don't be fooled by emails with upsetting or exciting (but false) statements that try to get you to react immediately.

3) If you suspect the message might not be authentic, don't use the links within the email to get to a webpage.

4) Don't fill out forms in email messages that ask for personal financial information.

5) Communicate information such as credit card numbers only via a secure website or the telephone.

6) To make sure you're on a secure Web server, check the beginning of the URL in your browser address bar. It should be "https" rather than "http". The "s" stands for secure.

7) Consider installing a Web browser toolbar such as EarthLink's Scamblocker to alert you before you visit known phishing fraud websites (eBay also has a similar tool).

8) If an email message is not personalized, assume it's not a valid message.

9) Log in to your online accounts regularly, and check bank, credit and debit card statements to ensure that all transactions are legitimate.

10) Ensure that your operating system and browser are up to date and security patches have been applied.

More information on phishing:

http://antiphishing.org
http://www.bbbonline.org/idtheft/phishing.asp

Copyright 2004, The SANS Institute. Redistribution is allowed only to individuals within your own employer's organization.