SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume III - Issue #14
April 04, 2001
Two requests came in this week for help in justifying attendance at SANS
2001 in Baltimore. The most effective justification often is proof that
the time spent in the classes will actually help improve security
measurably. At the end of this digest, I have attached signed comments
from a number of folks who attended the most recent major SANS
conference. Their words confirm the immediate value they got from
New Worm: The third in a series of Linux worms appeared on Monday.
Adore worm is described in the first item under TOP OF THE NEWS.
TOP OF THE NEWS
3 April 2001 Adore Worm Infects Linux Systems; Discovery Program Released
30 March 2001 VeriSign Victim of Social Engineering
29 March 2001 Microsoft Update Recognizes Fraudulent Digital Certificates
29 March 2001 Credit Card Thief Pleads Guilty
27 & 28 March 2001 Winux is First Cross-Platform Virus
26 March 2001 Former Employee Pleads Guilty to Data Damage
THE REST OF THE WEEK'S NEWS
2 April 2001 Vierika Virus
30 March 2001 IE Security Hole
30 March 2001 Author Removes Worm Kit From Sites
30 March 2001 Worms' Increasing Popularity Among Crackers
30 March 2001 Security Conference Attendees' Behavior Highlights Need for Security
30 March 2001 British Foreign Secretary Describes Cyber Attack Threat
30 March 2001 TiVo Web Site Vulnerability
30 March 2001 PitBull Cracking Contest
29 March 2001 Report Says DoD Cannot Share Airwaves
28 & 29 March 2001 Microsoft Exchange 2000 & IE Vulnerability
28 March 2001 Digital Hospital Security Concerns
27 March 2001 Security in the Animation Industry
27 March 2001 Journal of a Cyber Criminal
26 March 2001 Firewalls for Remote Employee Computers
26 March 2001 Security and Performance: Security Manager's Journal
15 March 2001 Wireless Glossary
******************* Sponsored by SurfControl, Inc. *******************
WARNING: Networks bottleneck & costs climb as workers squander hours
online on casual surfing, downloading MP3s & other bandwidth hogs.
Install SurfControl on your network & in 20 minutes you'll know exactly
WHO is doing WHAT, WHEN & WHERE. SurfControl monitors, records & manages
all TCP/IP protocols.
FREE 30-day trial.
TOP OF THE NEWS
3 April 2001 Adore Worm Infects Linux Systems; Discovery Program Released
A worm that follows in the footsteps of Ramen and Lion began infecting systems on or before April 1. It is called the Adore Worm. GIAC created a program to help you determine whether your systems have been infected.
30 March 2001 VeriSign Victim of Social Engineering
VeriSign's mistaken issuing of two digital certificates to someone posing as a Microsoft employee underscores the threat of human error in the chain of security. Security procedures can sometimes contain vague elements; for example, it may be unclear who within an organization is responsible for employee identity verification.
29 March 2001 Microsoft Update Recognizes Fraudulent Digital Certificates
Microsoft has released an update for all versions of Windows from 95 onward to protect users from two erroneously issued digital certificates.
29 March 2001 Credit Card Thief Pleads Guilty
Raphael Gray, the Welsh teenager who stole credit card numbers from e-commerce sites and posted them on the Internet, pleaded guilty to obtaining services by deception and intentionally accessing sites containing credit card details; he faces jail time. Mr. Gray contends he posted the credit card information to draw attention to poor security practices.
[Editor's (Murray) Note: Perhaps a few years in jail will give him time to contemplate alternative legal ways to call attention to conditions that offend him. ]
27 & 28 March 2001 Winux is First Cross-Platform Virus
The Winux virus, written in assembly language, can infect machines running either Windows or Linux operating systems. Winux is triggered when users open an infected program or e-mail attachment. It then works its way into the computer's file tree, contaminating executable files. While Winux neither mails itself out nor destroys data, its background activity could degrade the infected machine's performance.
[Editor's (Cowan) Note: The primary reason Linux systems are not vulnerable to viruses is that common Linux mail clients do not execute scripts attached to incoming e-mail. Winux does not change this basic fact, and thus poses little risk to most Linux users. ]
26 March 2001 Former Employee Pleads Guilty to Data Damage
Michael Whitt Ventimiglia pleaded guilty to intentionally damaging protected computers; he faces a $250,000 fine and a prison sentence of up to 10 years. Mr. Ventimiglia deleted information on systems at a Verizon network support center while employed at the facility; he has since been fired, and the company says customer information was not jeopardized.
****************** Also sponsored by Tripwire, Inc. ******************
FREE SEMINAR & FREE GIFT FROM TRIPWIRE!
Tripwire data and network integrity solutions tell you if, when, and
how data or business processes have been changed on your system. To find
out more, attend one of Tripwire's online seminars and receive a FREE
THE REST OF THE WEEK'S NEWS
2 April 2001 Vierika Virus
The Vierika virus arrives as a .jpeg file containing malicious VBS code. It spreads by mailing itself; it also connects infected machines to a web page on an Italian ISP from which it downloads code that reduces Internet Explorer security levels and taxes system resources. Italian authorities have apprehended the virus's author.
30 March 2001 IE Security Hole
A vulnerability in Microsoft's Internet Explorer 5.01 and 5.5 could lead to automatic execution of attachments arriving with MIME-encoded HTML e-mail. Crackers could exploit the vulnerability to alter files or reformat the hard drive on targeted computers. A patch for the security hole is available, and the problem is addressed by IE 5.0 Service Pack 2. Users can also protect themselves by disabling downloads in IE's "Security Zone."
30 March 2001 Author Removes Worm Kit From Sites
The Argentinean man who posted the kit used in the creation of the Anna Kournikova worm has removed the kit from his web sites. He says he intended for the kit to be used as a tool for studying worms and viruses and that he became concerned enough to remove it when he discovered it had been used maliciously.
30 March 2001 Worms' Increasing Popularity Among Crackers
Speakers at the CanSecWest conference discussed the increasing prevalence of new worms that infiltrate systems, take over, and continue spreading. Network ICE CTO Robert Graham pointed out that because worms spread exponentially, they could overload Internet resources. Information security and forensics expert David Dittrich expressed concern that worms are evolving and improving, and that the use of worms will increase just as distributed denial-of-service tools did two years ago.
30 March 2001 Security Conference Attendees' Behavior Highlights Need for Security
CanSecWest conference attendees stole (but did not use) the hotel's phone system password, accidentally crashed the hotel's high-speed Internet system, and tirelessly scanned each other's computers.
30 March 2001 British Foreign Secretary Describes Cyber Attack Threat
British Foreign Secretary Robin Cook told the House of Commons the country's critical infrastructure technology has become a terrorist target, and a cyber attack poses a greater threat to the country than does a military strike.
30 March 2001 TiVo Web Site Vulnerability
The same web master who drew attention to the recent DoubleClick security problems has found that a vulnerability on TiVo's corporate web site exposes the site's source code. The vulnerability has been public knowledge since early last year; the hole has now been patched. TiVo says no customer information is kept on that web site.
30 March 2001 PitBull Cracking Contest
A contestant says he cracked Argus' PitBull during a challenge offered at the CeBit conference last week. Argus CEO Randy Sandone concedes the man's success, but says he did not complete his work before the deadline, and adds that the configuration of PitBull's technology rather than the product itself was at fault for the break-in.
[Editor's (Cowan) Note: However, it is the nature of this kind of technology that configuring it correctly is half the battle. (Paller): And software vendors (of operating systems as well as other programs) who fail to design their products in such a way that correct (safe) configuration happens automatically, are just as responsible for opening the doors to attackers as are the system administrators who configure their systems. ]
29 March 2001 Report Says DoD Cannot Share Airwaves
The wireless phone industry wants a spectrum of airwaves presently controlled by the Defense Department. A Commerce Department report says that sharing or relinquishing the airwaves before 2017 would present a national security threat.
28 & 29 March 2001 Microsoft Exchange 2000 & IE Vulnerability
Georgi Guninski said that if a web surfer using Internet Explorer 5 on a network running Microsoft's Exchange 2000 server visits a malicious web page, a cracker could potentially read the surfer's e-mail and files. Guninski recommends that users disable Active Scripting to protect themselves from the exploit.
28 March 2001 Digital Hospital Security Concerns
HealthSouth and Oracle plan to build a digital hospital that will rely on a wireless network to access and update patient records. Berkeley's Internet Security, Applications, Authentication and Cryptography (ISAAC) group has warned that the Wired Equivalent Privacy (WEP) protocol has some serious security flaws that could allow a cracker to intercept and alter data transmissions and to access wireless network content. HealthSouth's CEO says the hospital plans to use strong encryption and other methods of data protection, but a recent study indicates that many physicians have concerns about using the Internet to store and transmit medical records information.
[Editors' (Murray, Grefer) Note: The convergence of the internet, wireless, and sensitive applications demonstrates the need for end-2-end encryption in general and the urgency of secureIP in particular. WEP was never intended to do more than raise the security of the wireless transport to that low level provided by the wired LAN. Because the desire for connectivity is so much higher than the desire for security, it is not likely to achieve even that. ]
27 March 2001 Security in the Animation Industry
The animation industry, in which the end-product can be as many as three or four years out, can employ stringent security measures, including restricted phone, e-mail, and Internet access and may even prohibit communication between employees who are working on the same project.
27 March 2001 Journal of a Cyber Criminal
The president of AdCops.com, an on-line community that allows e-commerce merchants to share stories and ideas about Internet fraud, recently paid two cyber criminals to keep logs of their daily activities. Using anonymous e-mail accounts and stolen credit card information, the thieves claim to make thousands of dollars a month from their activities.
[Editor's (Murray) Note: Real hackers work at the application layer. It is a target-rich environment. ]
26 March 2001 Firewalls for Remote Employee Computers
Some of the newer firewall products allow centralized monitoring and policy enforcement for remote users, and some can differentiate between different types of sessions. The chief security officer of a California-based ISP and the associate director of systems security technology at Bell Canada discuss how they made their firewall product choices.
26 March 2001 Security and Performance: Security Manager's Journal
This week, the security manager focuses on initial key generation, an aspect of the Secure Sockets Layer (SSL) protocol that affects performance. He finds technology that off-loads SSL encryption, freeing CPU cycles and improving performance.
[The editors agree that there appears to be an error in the description of SSL in this story. A free SANS t-shirt to the first person who points it out clearly. ]
15 March 2001 Wireless Glossary
CIO magazine offers definitions for wireless terminology. Since wireless is the next frontier for security folks, we thought you might enjoy a guide to the jargon. SANS Network Security 2001 in San Diego in October will be our first conference with a major program on wireless security.
== End ==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail email@example.com with the subject: Subscribe NewsBites
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the headers.)
You will receive your personal URL via email.
You may also email <firstname.lastname@example.org> with complete instructions and your
SD number for subscribe, unsubscribe, change address, add other digests,
or any other comments.
Justification Materials for people who want to attend SANS conferences
Comments about the entire conference.
"It was great to get practical information from security experts that
can be implemented when I get home."
Jim Fiske, Canada Trust
"I was thrilled with the amount of information I accumulated. I haven't
been this excited about what I have learned in fifteen years."
Ben Hockensmith, EDS
Comments about specific certification tracks and individual courses.
TCP/IP for Intrusion Detection and Firewalls
"This course gets to the meat of TCP/IP and looking at the packets for
Mark Hoefle, Check Point Software
"A dynamic fact-oriented course that gives you the knowledge to feel up
to the tasks waiting for you back at the office."
Normand Thomas, Canada Customs
"In a word ... practical. The course covered the material in great
detail, nice examples and was well presented."
Don Brown, USAF
Incident Response: Scenarios and Tactics
"Practical examples were invaluable. Presentation style EXCELLENT! Any
skill level could understand what was presented. Excellent references."
Nancy Housel, IBM
"Excellent course for responding to attacks and course of action on how
to handle an attack."
Michael J. Citrigno, Worldgate Communications
"Every firewall needs an audit but very few get done. This course gives
you a great outline to follow to perform a full review and audit of a
firewall and security policy."
Jeffrey Litterick, State of South Dakota
"Excellent style of presentation and delivery. If you're new to
firewalls, this is the course for you."
Davi Ottenheimer, Predictive Systems
Intrusion Detection - Shadow Style
"Excellent and in-depth discussion on how to use UNIX tools to minimize
efforts for scanning for your network vulnerabilities."
Peter Veeravalli, BP
"These are real life cases that happen everyday - all security engineers
and administrators need to be trained on this stuff to be able to
effectively do their job."
Henry L. Denis, Multex.com, Inc.
Proven Practices for Managing the Security Function
"The best presentation I ever had on the subject."
Fernand Benedet, SEGI - University Liege
"Great class! I would recommend it to anyone. Loads of content; be
prepared to learn."
Bryan Casper, Microsoft (WebTV)
"Lots of valuable information for both the novice and the experienced
Rick Bolan, Ford Motor Company
Intrusion Detection and Packet Filtering: How It Works
"This course should be required training for anyone who is even
remotely responsible for any piece of a network's security. Very in-depth
and comprehensive."
Anthony Eaker, MACESS Corporation
"Not only did this course fill in the gaps for me, it went beyond
discussing possible solutions and showed real world implementations."
Bill Stevenson, New Century Mortgage
"Very practical and 'hands on' - will be able to use this information
Bill Von Elm, Brookhaven National Laboratory
"The analysis of various attacks was excellent - it was really
enlightening to go for a walk through the way we break them down.
Also, the tcpdump filtering section was excellent."
Kick Start Track: Information Security
"This track brings everything together and puts things in perspective."
Christopher Braswell, eSecurityOnline.com
"As a 'new' security officer, this track is a great foundation. A broad
sweep approach gave me the overview I needed to start the security
Jason Smith, Keane, Inc.
"Great breadth of information, well presented. Very good documentation.
Should be a requirement for anyone relatively new to security."
Ray Slepian, Calpers
Advanced Perimeter Protection and Defense In-Depth
"If you can't secure your perimeter after this course, you might want
to consider a career change."
George Stanton, NYS Board of Elections
"When you have this course under your belt you should be able to go back
to your company and design a solid architecture for perimeter network
Jeff Horne, WSRC
"Brought many different things to light that I haven't considered
before. Excellent course -worth nearly the whole week for me."
Paul Hocken, Ceridian
JCSC Conference Evaluation
"I will come back again."
Sandy Milan, Pacific Ball/SBC Communications
"The conference was very informative and invaluable to management and
Michael Hughes, Intel Online Services
"Great overview. Instructors actively encouraged open discussion."
Mike Coogan, Allstate Insurance
"Refreshing - different from other conferences and seminars."
Glenn Walsh, Datacard Group
Intrusion Detection - Shadow Style
"The pace and content of this session was excellent. A good combination
of theory, practical application and examples without getting bogged
down in the minutiae."
Dave Remington, DST Systems, Inc.
"Excellent!!! Very in-depth coverage and explanation. I will
definitely be able to bring this knowledge back to my work and apply it
successfully. This course is a must, regardless of what IDS you
Anthony Eaker, MACESS Corporation
UNIX Basics for the Security Professional
"For those requiring a solid understanding of UNIX basics, this
course is for you. This is perhaps the best 'UNIX-101' course I've
Jason Frey, Ariba, Inc.
"What a great summary of UNIX basics! Things I do everyday (and take
for granted) are some of the things I need to remind my boss and co-workers
to concentrate on. Knowledge and execution of the 'basics' are
invaluable lines of defense in protecting your systems. The
documentation is amazingly clear and easy to understand."
Karen M. Hall, Nebraska Army National Guard
Tue-2 - How to Audit Web-Based Applications, David Rhoades
"Very good techniques that we can implement immediately. Very
Gary Joslin, McCombs School of Business, UT Austin
"Any company considering e-business needs this course."
Jim Andrison, CITGO Petroleum
VPNs and Remote Access
"Chris delivers the meat. Great bottom-line, practical info based on
experience, and good sense of humor too!"
Jeff Stelzner, ALSTOM ESCA
"Superb! Chris is an excellent presenter. Now I understand how a VPN
really works. The examples were also very good!"
Tomas Alex, Burntsand
"Good step by step process details discussion on how to configure,
execute and verify."
Dan Gaudio, Lockheed Martin/Knolls
"The content of this course covers all aspects of PSEC and
troubleshooting problems. In two hours, you'll learn volumes."
Philip Zaleski, ITT Industries, Inc.
Common Issues and Vulnerabilities in UNIX Security
"Course was great. Lots of good information for novice and advanced
Jim Carey, Sitesmith, Inc.
"What an excellent class! Hal rocks! This is one of the best
vulnerability classes I've ever attended. Hal is a great communicator
and obviously knows this stuff inside and out."
James Dirsksen, RuleSpace
Incident Handling and Hacker Exploits
"This course is invaluable to anyone who must deal with network security
Lois S. Lehman, Arizona State University
"This is a great course for those looking for a large overview of hacker
exploits. These are tools being used by hackers in the field!"
Nichole M. Alarid, AT&T Broadband
"Knowing the technical aspect of security is good, but without a good
foundation in how to respond and handle incidents when they occur, then
it serves little purpose. This course is a must have for all security
Scott White, City of High Point
Securing Windows NT, Step-by-Step
"This is the best course I've attended at any IT conference. Fast
paced, useful and entertaining."
Dave Nevin, KU Center for Research, Inc.
"All this information has been useful. I have been working in a
security department for about six months and had I had this class six
months ago, I could have saved a lot of time."
Jim Langster, TV Guide, Inc.
"What starts off as a leisurely primer quickly turns the corner into
thought-provoking and awe-inspiring material. Jason Fossen and Jennifer
Kolbe deliver the material in an entertaining, knowledgeable and
professional manner. This is my first SANS but definitely not my last!"
Ted Peterson, Bankfirst
Network Design and Performance
"Again, 'real world' examples and analysis brought out a lot of
additional ideas that could be applied to my own network. Several of
the discussions made it obvious how to tackle and better yet, fix
problems I have currently been experiencing."
Tom Coulter, NovAtel, Inc.
"Excellent teacher! Very clear explanations, practical examples,
appropriate technical details, adequate speed. Every question was
repeated loudly and answered properly. Every comment was shared with
all and commented on with explanations and/or recommendations
accordingly. The course content was incredibly valuable, good
refreshment plus new details on network design applicable to real life
environment. Wonderful job!"
"The fact that a firewall track includes a network design course
demonstrates an excellent comprehensive view of network security that
greatly increases my perceived value of GIAC Certification. Good
review, Good discussions."
Alan Moe, ID Certify, Inc.
Firewalls, Perimeter Protection and Virtual Private Networks
"You owe it to your network to attend the firewall sessions."
Dave Otteheimer, Predictive Systems
"This track has been great in tying together all the processes I've been
exposed to prior to getting into network security. It is really what
I needed to take me to the next level quickly."
Pat Malone, LSI Logic, Inc.
"I was thrilled with the amount of information I accumulated. I feel
much more comfortable today than I did Sunday morning! I haven't been
this excited about what I have learned in 15 years! I have been in IT
for 31 years!"
Bob Hockensmith, EDS
"An outstanding opportunity to learn about networks from some of the
best minds in network security."
Ernie Hernandez, NPS
Securing Windows NT: SBS
"The most sane approach to security that I've found. Current, extremely
practical, useable stuff! This is right where I live every day. Now
I've got the tools to get the job done."
Daryl Grove, CCLI
"An excellent summation of all the rumors you always hoped were rumors."
Jeff Shawgo, Bayer Corporation
"This entire course is an excellent tool for the frustrated NT Sys Admin
who has the daunting task of securing NT servers."
Tom Robinette, Systems Design Group
Running UNIX Applications Securely
"Should be required for all DNS and mail admins."
Brett Kopetsky, Motorola
Secure Networking - An Introduction to VPN Architecture and Implementation
in designing our VPN architecture for my clients and know how to
troubleshoot any problems I run in to. The course book is put together
very well and is highly recommended."
Sunit Nangia, Lucent NPS
"This course gave a great overview of the different ways to implement
VPNs for specific business needs. I came away with a variety of means
to implement solutions for several different corporate needs."
Daniel Hester, CADWR
Security Essentials Certification
"John does a great job with Day 1 of Security Essentials. He steps
through the basics of infection types, how they work and how to protect
against them. The details of the IP protocol and how IP works sets up
the fundamentals to understanding attacks. Overall, one of the best
classes I have been to."
Joel Daniels, Sanders
"Anything that raises your skill level and awareness is worth the
investment, and SANS delivers both."
Nan Smith, ORAU/ORISE
"Excellent intro into the mindset required to become an effective
network security analyst."
Ernie Hernandez, NPS
IDS Signatures and Analysis
"Excellent explanations to the signatures and unknown attack methods.
I now have the skills to understand and interpret my IDS TCPdumps for
Faud Khan, NUVO Network Management
"A wonderful eye opening experience to signatures and how to detect them
'in the wild.' Great education from a great instructor."
Coover Chinoy, Ford Motor Company
"This course easily had the highest ROI of any course I've ever taken.
Jack Radigan, Dun & Bradstreet
"Extremely worthwhile instruction - maybe the best technical training
overall that I've taken in my 25 years in IT. The course teaches
concepts and theory, but only as the basis for understanding practical
application in network analysis and intrusion detection. All the
instructors had real-world experience, and they communicated their
'lessons learned' very effectively."
Keith Fowler, Louisville Gas & Electric
Windows NT Security: Advanced
"Excellent course and the instructor is extremely knowledgeable. I
enjoyed learning many of the nitty-gritty details for NT security."
Ryan Gurr, Veridian Info Systems
"Very in-depth coverage by a dynamic speaker. Highly recommended."
Merik Karman, iSecure
"Gene Shultz is a very dynamic speaker whose depth of knowledge and
ability to convey that knowledge makes him a 'not to miss' speaker."
Jeff Stevenson, SAIC
Security Essentials Certification
"Eric is the master of conveying complex technical info in a simple,
logical manner. He is a great instructor and has my highest
Mark Weatherford, Fleet Information Warfare Center
"The encryption section was worth the price of admission all by itself."
Geoff Poer, University of Arizona
Designing and Building Extranets: Step-by-Step
"Really, really helpful. Phil is a superb teacher with a huge wealth
of experience. The 'gotchas' alone will save months of duplication of
SP Standley, YACC
"Fast, concise, detailed, useful, information - did I mention fast?
Take this course the first time your manager speaks the word
Stephen Power, NJ Dept. of Human Services
"Very informative course. Clearly identifies security vulnerabilities
in a typical Linux distribution. A 'must attend' for every Linux
Martin Jeffrey, SYTEX, Inc.
"Good demos and explanations from an expert."
Sanjoy Ray, Whitehead Institute
"There's nothing quite like having the (co-) author of a book teach a
class on the material. Lee is entertaining and relaxed, yet remains
Harry A. Sutton, Compaq Computer Corp.
Securing Internet Information Server 5.0
"I work with IIS daily, and this was an excellent course that I would
highly recommend to any NT/2000 administrator."
Arian S. Evans, JS Central Credit Union
"This class was very helpful and Jason was able to answer and clarify
a lot of issues that the class had."
Mohammed La Zhar, CCH Legal Info Services
UNIX Security Threats and Solutions
"Great breadth and coverage. Excellent examples. Good starting point
for experienced SA's who may be new to security."
Tim Yeager, CSC
"Very well structured (reconnaissance, scanning, covering the tracks)
and extremely valuable content focusing on 'real things.'"
Thierry Grasset, Hewlett Packard
"Great examples of real world exploits. Take this class to learn what
script kiddies use to hack your network and or computers."
Sean Baumann, Celera Genomics
"Wonderful, tour-de-force in hacker methods. Great fast pace to cover
a wealth of information."
John Golden, AT&T
"Outstanding practical step-by-step real world examples of not only
what is going on out there, but not to do it and how to stop it!"
Rob Sills, Scripps Health
DNS and Sendmail
"Everything you need to get off the ground is included. It was great."
Mark Gryparis, Lockheed Martin NE&SS
"Hal demystified most of sendmail for me. I feel confident in
installing, adding mx records. I also know what to do when we buy other
companies. Hal taught me what our current sendmail admins don't. Hal
also reinforced DNS principles. Great job."
Kevin Kjosa, Thomson Electronics