SANS NewsBites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume III - Issue #13

March 28, 2001

Within about three weeks, there will be no more seats in either the SANS
Security Essentials track or the Firewalls, Perimeter Protection, and
VPNs track at SANS2001 in Baltimore in May. If you were considering
Baltimore for either of those tracks, you could help us balance the
courses, and get to attend smaller classes if you switch sites. Both
tracks will be presented, by the same great instructors, in Orlando at
the end of April (http://www.sans.org/springbreak.htm), in London in
June (http://www.sans.org/london2001/index.htm) and in Washington at
SANSFIRE at the end of July (http://www.sans.org/sansfire/sansfire.html).



23 March 2001 Lion Worm Dangerous
22 & 23 March 2001 Microsoft Warns of Fraudulent Digital Certificates
21 & 22 March 2001 Forensic Challenge Underscores Cost of Intrusion Clean-Up
20 March 2001 Forging Fingerprints


26 March 2001 DoubleClick Security Breach
23 March 2001 More Babygear.com Credit Card Fraud Stories
23 March 2001 Après Ski Le Déluge
23 March 2001 Condoleezza Rice on Cyber Attack Preparedness
22 March 2001 Compaq Site Defacements
21 March 2001 NIST Posts PKI and Mobile Code Security Documents For Comment
21 March 2001 GAO to Investigate Crop Statistics Security
21 March 2001 Andale Reacts to Denial-of-Service Attacks
21 March 2001 PGP Flaw
20 March 2001 AtomicPark.com Security Breach
20 March 2001 UK Judge Rules Against Anonymity of Message Author
20 March 2001 IRS Says Security is Improved
20 March 2001 ID Theft Highlights Security Problems
19 March 2001 Worm Has Political Agenda
19 March 2001 Internal Security Monitoring
19 March 2001 German Official Denies Microsoft Ban


Hal Explains How To Find Vulnerable BIND Versions and Gives Tips



23 March 2001 Lion Worm Dangerous

The Lion worm attacks Linux servers running certain versions of BIND software by stealing password files, eliminating some security measures, installing backdoors, and searching for other vulnerable machines. A patch for the exploited BIND vulnerability has been available for several months. Lion could easily be tweaked to run on other versions of Unix.
William Stearns has created the Lionfind program, available at the SANS web site, to help administrators determine whether or not their machines have been infected.
[Editor's (Grefer) Note: Given the difficulties involved in "de-worming" infected systems, it seems appropriate to remind our readership once again of the benefits of integrity checkers like Tripwire and AIDE. ]

22 & 23 March 2001 Microsoft Warns of Fraudulent Digital Certificates

Microsoft warned that someone posing as a Microsoft employee tricked VeriSign into issuing two digital certificates that could be used to dupe people into trusting malicious code. VeriSign caught the problem during normal auditing procedures, and has placed the certificates on its "revoked" list. Microsoft intends to release an update that will detect the fraudulent certificates and warn users. Until then, users should not download software bearing certificates dated January 29th, 2001 or January 30, 2001. So far, there seems to be no evidence that these fraudulent certificates have been used.
Microsoft Bulletin:
[Editors' (multiple) Note: It is interesting that Microsoft is being more forthcoming in this situation than Verisign. Where is the Verisign Bulletin? ]

21 & 22 March 2001 Forensic Challenge Underscores Cost of Intrusion Clean-Up

Competitors in the Honeynet Project's Forensic Challenge were given pieces of an intrusion detection system log and mountable images of a disk drive from an actual attack on one of the Project's decoy machines. The goals were to determine what technique the intruder used to gain access to the machine, what sort of malicious code the intruder used inside the machine, and who the intruder was. The winning entry entailed thirty-five hours of work to determine what a cracker had done in half an hour. An outside consultant hired to do that same work could cost a company more than $20,000.
[Editor's (Cowan) Note: Had the victim machine been running data integrity tools such as Tripwire or AIDE (free tripwire clone) then the forensic effort would have been trivial. That it was not running such tools makes this, sadly, an accurate emulation of common Internet practice. Lesson: forensic recovery without data integrity tools is very expensive. ]

[Editor's (Grefer) Note: Several competitors ran out of time before they felt they had sufficiently investigated the intrusion incident. ]

20 March 2001 Forging Fingerprints

A biometric consultant presented a paper in which he described how a fingerprint scanner detects matches (it recognizes a pattern of vectors connecting minutiae, or characteristics of ridge line endings) and how to forge fingerprints.
[Editors' (Cowan, Grefer) Note: all forms of biometric authentication, including fingerprints, are subject to replay attacks when used in a network setting. In this regard, biometrics are no better than passwords. High security applications should use cryptographic smart cards. ]



26 March 2001 DoubleClick Security Breach

DoubleClick admits that intruders broke into its machines twice last week. A French researcher has published a web site enumerating DoubleClick web site security problems.
[Editor's (Cowan) Note: This web site break-in is news, because DoubleClick collects information on virtually all web surfers. ]

23 March 2001 More Babygear.com Credit Card Fraud Stories

Several people who shopped on-line at the now-defunct Babygear.com have been the victims of credit card fraud. Apparently a cracker in Yugoslavia accessed the data in September. Because there is no cooperative effort between law enforcement in the United States and Yugoslavia, it is unlikely the cracker will be apprehended.

23 March 2001 Après Ski Le Déluge

A reservations site for several ski resorts appeared to be the target of a denial-of-service attack; the flood of packets turned out to be from someone entering a contest run by one of the internal sites.

23 March 2001 Condoleezza Rice on Cyber Attack Preparedness

US National Security Advisor Condoleezza Rice said the government needs to work with private industry to prevent cyber terrorist attacks on the nation's critical infrastructure. Speaking at the Internet Security Policy Forum II, Rice said the country needs to show it is able to confront the problem of cyber terrorism not only by increasing security, but also by preparing for the aftermath of a successful attack. The Register article also quotes an infowar skeptic saying there is no evidence that computer attacks will ever have the destructive power of traditional methods of warfare and terrorism.

22 March 2001 Compaq Site Defacements

Two Compaq web sites were defaced last week. Both subdomain servers were running Microsoft IIS 4 on NT, and both have since been patched.

21 March 2001 NIST Posts PKI and Mobile Code Security Documents For Comment

NIST's document on public key technology (PKI) and the Federal PKI reviews the issues, risks and benefits. Document posted at:
Send comments to Rick Kuhn, by April 25, 2001.

NIST's guidance on active content and mobile code addresses the security threats, reviews risks drawn from past exploits involving technology-related vulnerabilities, and identifies available countermeasures. Document posted at:
Send comments to W. Jansen, by April 25, 2001.

21 March 2001 GAO to Investigate Crop Statistics Security

The General Accounting Office (GAO) will investigate computer security at the National Agricultural Statistics Service (NASS), the agency that prepares crop estimates used by commodity traders. The agency uses passwords instead of the "advanced authentication" called for in its policy. In addition, sensitive data is unencrypted for days at a time, and the agency apparently does not have an intrusion detection system.
[Editor's (Murray) Note: If we hung out to dry every agency that was not using strong authentication, we would hang them all out. ]

21 March 2001 Andale Reacts to Denial-of-Service Attacks

On-line auction site Andale suffered four denial-of-service attacks between March 9th and 21st but didn't make the knowledge public until last week because it feared copycat attacks. The company has put new routers in place to help keep the site up and trace the source of the attacks. In addition, the Rapid Enforcement Allied Computer Team (REACT) in San Jose is gathering evidence connected with the attacks.

21 March 2001 PGP Flaw

Czech researchers discovered a flaw in OpenPGP that allows someone who breaks into your computer to forge your e-mail signature. PGP inventor Phil Zimmermann says "[I]t's not a realistic attack," because if someone has access to your computer, there are bigger things to worry about.
[Editors' (multiple) Note: The weakness in PGP that this researcher discovered is very, very small and not of major concern. We need to emphasize this more---otherwise, senior management will just use news items like this one to rationalize not using encryption. ]

20 March 2001 AtomicPark.com Security Breach

After learning of an unauthorized credit card charge made on a customer's card, AtomicPark.com discovered that a cracker had set up a sniffer system which was used to steal credit card information from about 500 of its customers. AtomicPark.com notified the affected customers by e-mail.

20 March 2001 UK Judge Rules Against Anonymity of Message Author

A UK High Court judge has ruled that two web sites must reveal the identity of a person who allegedly posted defamatory comments about an ISP.
[Editor's (Murray) Note: It is nice to know that the operators required that the damaged party get a court order and did not gratuitously give up their customer's identity. It is possible that in the case of political speech the UK courts might be willing to preserve anonymity. I think that the US courts will do so. However, that is the best that we can hope for. I think that in all other cases anonymity in the Internet is as good as dead and not reliable even in the case of political speech. ]

20 March 2001 IRS Says Security is Improved

In the wake of a GAO report enumerating security problems with the IRS's e-filing system, the agency's commissioner says the IRS has increased its security program and is working on improving intrusion detection and incident reporting.

20 March 2001 ID Theft Highlights Security Problems

Journalist Bob Sullivan says Abraham Abdallah's identity theft scam is a story not about a clever cracker, but about the poor state of security at major financial institutions.
[Editor's (Murray) Note: With Mr. Sullivan, I hope that this case will result in a tightening of security all around. However, I think that he has rushed to judgement. First, Mr. Sullivan is writing from hearsay; he should know not to believe everything he reads in the papers. Second, the level of security in these systems is a balance between trying to serve the customer and preventing fraud; there will always be some fraud. ]

19 March 2001 Worm Has Political Agenda

A pro-Palestinian worm arrives as a .vbs attachment, sends itself to the first 50 listings in Outlook address books of infected machines, and uses Internet Explorer to open a number of pro-Palestinian web sites.

19 March 2001 Internal Security Monitoring

The recent arrest of FBI agent Robert Philip Hanssen underscores the importance of being alert to suspicious insider activity. Several new software tools monitor networks for suspicious internal behavior. A group of psychologists have determined that the culprits in the majority of insider abuse cases fit certain profiles, but they caution that many honest people also fit those same profiles.
[Editors' (multiple) Note: The high incidence of false positives is one of the problems of assigning suspicion by profiling. They catch many innocents in their drift nets. Another problem is that they reflect the biases of the profiler. ]

19 March 2001 German Official Denies Microsoft Ban

A German Defense Ministry official denied assertions made in Der Spiegel that German officials have ordered a ban on Microsoft operating systems due to concerns about backdoors built in by the United States' National Security Agency.



The BIND weaknesses are the number 1 threat on the SANS Top Ten List of Internet Security Threats.

In SANS NewsBites Vol. 3 Num. 12, a story incorrectly suggested that checking the version/patch level of a running name server was difficult. Here, in a brief tutorial, Hal Pomeranz of Deer Run Associates corrects that error, shows you how to do it, and also offers tips on protecting BIND even after you have installed one of the more secure versions.

The command dig @<hostname> version.bind chaos txt will return the version of BIND running on the machine <hostname>. Current stable versions of BIND include 8.2.3 (current, stable), 9.1.1rc5 (development, additional features), and 4.9.8 (legacy); administrators should upgrade any system which is currently being used as a name server to one of these releases immediately. Security holes in earlier releases are actively being exploited.

For BIND v8 and later, administrators may hide the BIND version number on their running name servers by setting the "version" option in named.conf. Other good BIND security practices include restricting recursive queries to local hosts only (with the "allow-recursion" option), restricting zone transfers to known slave servers ("allow-transfer"), and configuring your name server to run as a non-privileged user in a chroot()ed environment (see the -u and -t options to named). Some sites may also choose to configure split-horizon (aka "split-brain") DNS, presenting one view of their namespace to the outside world and reserving the bulk of their host information for internal use only.
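The checks described above as a shell script, added here as an example and not part of the original newsletter or of BIND: it reports which of the three named.conf options are missing and whether a version.bind answer still exposes a release number. The named.conf contents, the dig answer, the addresses and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the newsletter. All sample inputs are constructed.

# Constructed named.conf: "version" and "allow-recursion" are set, but
# "allow-transfer" is commented out, so zone transfers are unrestricted.
sample_conf() {
cat <<'EOF'
options {
    directory "/var/named";
    version "not disclosed";             # hide the real release string
    allow-recursion { 192.0.2.0/24; localhost; };
    // allow-transfer { 192.0.2.53; };   // slave server, disabled by mistake
};
EOF
}

# Constructed answer lines of: dig @<hostname> version.bind chaos txt
sample_dig() {
cat <<'EOF'
;version.bind.                  CH      TXT
version.bind.           0       CH      TXT     "8.2.3"
EOF
}

# Print each option named in the tutorial that is absent from the named.conf
# on stdin. "#" and "//" comments are stripped first (/* */ is not handled).
missing_hardening() {
    conf=$(sed -e 's:#.*$::' -e 's://.*$::')
    for opt in version allow-recursion allow-transfer; do
        printf '%s\n' "$conf" |
            grep -Eq "(^|[[:space:];{])${opt}[[:space:]{\"]" || printf '%s\n' "$opt"
    done
}

# Print the TXT string from the version.bind answer line of dig output on stdin.
bind_version() {
    sed -n 's/^version\.bind\..*[[:space:]]TXT[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p'
}

# Succeed if the reported string still looks like a release number (N.N...),
# i.e. the "version" option is not hiding it.
discloses_version() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+'
}

echo "missing options: $(sample_conf | missing_hardening | tr '\n' ' ')"
v=$(sample_dig | bind_version)
if discloses_version "$v"; then echo "server discloses: $v"; fi
```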

== End ==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites

Editorial Team:
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Howard Schmidt, Eugene Schultz