SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume III - Issue #12
March 21, 2001
If you missed today's free web broadcast on Critical Windows Security
Vulnerabilities, you may listen to the recorded version (and get the
detailed data on correcting them) at www.sans.org/audiogate
TOP OF THE NEWSBusboy Masterminds Identity Thefts of CEOs
16 March 2001 Magistr Carries Destructive Payload
14 March 2001 Pirated Version of Office XP Posted
12 March 2001 BIND Security Still an Issue
9 March 2001 USPS to Offer Digital Signatures
THE REST OF THE WEEK'S NEWS16 March 2001 NIPC "Stick" Warning
16 March 2001 GAO Report Cites IRS E-Filing Vulnerabilities
15 March 2001 Opinion: Federal CIO Necessary
14 March 2001 Federal Agencies Need Security Plans to Obtain Funding
16 March 2001 Securing On-Line Checking Account Payments
15 March 2001 Source Code Theft Confirmed
15 March 2001 GAO Critical of Present Export Controls
15 March 2001 Another TCP Vulnerability
13 & 15 March 2001 New Version of SubSeven More Dangerous
13 March 2001 Teen Charged in NASA Site Defacements
12 March 2001 Internal Cyber Crime Strategies
12 March 2001 Worm Writing Tool Updated
12 March 2001 Rethinking Malware Classification
12 March 2001 Securing the Home Office
****************** This issue sponsored by PentaSafe *****************
Introducing PentaSafe's VigilEnt Policy Center.
Put an end to the confusion by automating each step of policy
management: creation, editing, review, distribution, education,
compliance reporting, and maintenance. With VPC you can not only create
a more secure work environment, you can develop a culture of information
Visit http://www.pentasafe.com/products/policyoverview.htm to see an
online demo, or REGISTER FOR A LIVE WEBCAST ON MARCH 28 with to discuss
policy management live with policy guru, Charles Cresson Wood, CISA,
CISSP at www.pentasafe.com/events.
TOP OF THE NEWS
Busboy Masterminds Largest Identity Thefts of CEOsMore than 200 chief executives listed in Forbes magazine were the victims of a 32 year old high-school dropout named Abraham Abdallah.
16 March 2001 Magistr Carries Destructive PayloadMagistr, a sophisticated worm/virus that spreads via e-mail, LANs, or shared disks, carries a highly destructive payload. Machines become infected when users open attachments. Magistr then uses its own internal e-mail program to send itself on to everyone in the infected machine's address book, generating random subject headings and attaching up to five files from the infected machine's hard drive. After lying dormant for one month, Magistr begins destroying files and attacking the CMOS and flash BIOS, rendering the computer inoperable.
14 March 2001 Pirated Version of Office XP PostedDespite a product activation security feature built into the yet-to-be released Windows XP and Office XP, a copy of Office XP has leaked out and has been posted on a Usenet newsgroup. The posted, pirated version has the serial number coded into the program, thereby thwarting the anti-piracy feature.
12 March 2001 BIND Security Still an IssueSerious security holes remain in many domain name servers; there is no tool for verifying whether or not DNS servers running BIND software have had patches applied.
9 March 2001 USPS to Offer Digital SignaturesThe US Postal Service (USPS) plans to provide federal employees with digital signatures, and hopes eventually to sell them to the general public. The USPS would serve as the certification authority, as customers would be required to provide three forms of identification to obtain the digital security.
******************** Also sponsored by Network ICE *******************
Hackers Will Find Your Weakest Link
VPN connections are a common way hackers get into corporate networks.
Network ICE secures home dial-up and VPN users with advanced intrusion
detection technology that blocks out hackers in real-time. This fully
distributed and centrally managed solution can be deployed "silently"
without the user interface, virtually eliminating end-user support and
THE REST OF THE WEEK'S NEWS
16 March 2001 NIPC "Stick" WarningNIPC issued a warning about "Stick", an unreleased hacking tool that disarms intrusion detection systems by simulating a flood of attacks and overwhelming the software. The tool's author gave the code to the National Security Agency (NSA) along with a potential release date of March 15, 2001, but now says he does not plan to release the code until July.
[Editor's (Paller) Note: This article faults the FBI for early release of information when nearly all close observers are aware that delay in information release has been a primary criticism leveled at the FBI over the past two years. The article also appears to support the behavior of a programmer who is threatening to release an attack program that exploits a vulnerability that cannot be effectively corrected. For a more in-depth discussion of these issues, written Newsbites editor Bill Murray, send us an email with the subject "Bill's Commentary." ]
16 March 2001 GAO Report Cites IRS E-Filing VulnerabilitiesA GAO report says that last year the IRS's e-filing system had vulnerabilities that could have allowed unauthorized viewers to see and alter taxpayer information. Among the security concerns listed in the report are the agency's failure to encrypt data, a lack of an adequate intrusion detection system, and network controls that had been shut off to improve processing time.
15 March 2001 Opinion: Federal CIO NecessaryAn information security services director argues for the creation of a CIO post in the US Government. The federal CIO would enforce information security standards and procedures to protect government systems.
14 March 2001 Federal Agencies Need Security Plans to Obtain FundingFederal agencies may find funding requests for new and existing computer systems held up until they can adequately provide evidence they plan to implement security measures or demonstrate their systems are already secure. Under a new policy, agencies must include security plans in their budget requests.
16 March 2001 Securing On-Line Checking Account PaymentsThe National Automated Clearing House Association (NACHA) has established security standards for companies authorized to deduct on- line payments from customers' checking accounts. The standards require companies to install security software, encrypt customers' checking account numbers, and conduct annual audits of security procedures.
15 March 2001 Source Code Theft ConfirmedA US government contractor has confirmed that crackers stole satellite control and missile guidance system source code from a restricted Navy computer system. The FBI says the software is unclassified.
15 March 2001 GAO Critical of Present Export ControlsCiting "militarily significant uses for computers" and the attendant impact on national security, the General Accounting Office (GAO) says that the loosening of computer export controls was not well justified. GAO indicates that there is a need to study alternative methods for determining export controls.
15 March 2001 Another TCP VulnerabilityThe researcher who identified a new vulnerability in TCP maintains that it is different from a similar problem identified in 1985. In the original problem, the Initial Sequence Numbers (ISNs) generated at the beginning of TCP sessions were found to be predictable, allowing an attacker to pretend to be a trusted host. As a fix, vendors began incrementing ISNs by random numbers. However, the researcher says that attackers can extract enough information from TCP sessions to infer ISN values.
[Editor's (Schultz) Note: This article is not entirely accurate. If someone guesses a packet sequence number, this does not allow that person to pretend to be a trusted host. It simply allows an otherwise unallowed TCP connection. You have to do other things to capitalize on trusted host mechanisms. ]
13 & 15 March 2001 New Version of SubSeven More DangerousA new version of the SubSeven backdoor program has emerged. The program allows crackers to perform a variety of activities on targeted computers, including retrieving saved passwords, uploading, downloading and altering files, and modifying the registry so the program runs whenever Windows is rebooted.
13 March 2001 Teen Charged in NASA Site DefacementsA Michigan teenager has been charged with unauthorized access to computers for breaking into NASA systems at the Jet Propulsion Laboratory and Goddard Space Flight Center. A NASA official says the boy never accessed sensitive information.
12 March 2001 Internal Cyber Crime StrategiesSecurity experts told Cybercrime Summit 2001 attendees that establishing internal security policies and computer crime forensic procedures is crucial to the success of court cases involving insider computer abuse. The experts advised that organizations have clear, explicit acceptable use policies and consent to monitor agreements; they also recommended that organizations get forensic training or use computer forensic specialists to preserve evidence so that it will be admissible in court. A sidebar in the article lists some basic computer crime forensics tips.
[Editor's (Murray) Note: "Policy" has become simultaneously routine and ineffective. It fails to specify the level of risk that general management is prepared to take, the level of security it is prepared to pay for, and whom it holds responsible. ]
12 March 2001 Worm Writing Tool UpdatedA Brazilian man has released a new version of his worm writing kit, which a Dutch teenager used earlier this year to create the Anna Kournikova worm. The updated software can now generate worms that carry .exe payloads and use encryption to hide their signatures.
--12 March 2001 Rethinking Malware Classification The author points out that the proliferation of code like ActiveX and Java has blurred the lines of distinction between viruses, worms, and Trojans. He observes that contemporary malware behaves more like a parasite, controlling hosts' behavior and altering environments to suit its needs. Furthermore, signature file anti-virus protection is reactive; in order to do a better job of protecting our systems, he advocates using behavior-based anti-virus programs to stem the tide of parasitic hostile code.
12 March 2001 Securing the Home OfficeWorking at home presents special security concerns. In order to protect machines from intruders, the InfoWorld Test Center recommends that home office users install personal firewalls and SOHO (small office/home office) routers, and that users identify and change all default passwords.
== End ==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail firstname.lastname@example.org with the subject: Subscribe NewsBites
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Howard Schmidt, Eugene Schultz