SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume III - Issue #20
May 16, 2001
The inaugural showing of the new Forensics class was a huge success at
SANS 2001 in Baltimore this week - by far the highest scores we have
ever seen for a forensics course. If this is an area you want to
master, please join us in Washington for SANS Fire (July 28-August 3).
SANS Fire also has seven complete immersion training and certification
tracks covering the basics all the way up through intrusion detection.
TOP OF THE NEWS14 May 2001 Users Agree on Security Benchmarks
10 & 11 May 2001 Sadmind/IIS Worm
11 May 2001 New Types of DDOoS Attacks Uncovered
8 May 2001 DDoS Attacks Target Real and Phony White House Sites
9 May 2001 NIPC DDoS Warning
THE REST OF THE WEEK'S NEWS14 May 2001 FBI Security Review
14 May 2001 2600's Domain Name Taken
11 May 2001 BGP Vulnerability
11 May 2001 Truce in China-US Hacking
11 May 2001 Visa Security Measures to Include Passwords
11 May 2001 Advice for Protecting Web Sites
10 May 2001 Apple OS X Security
9 May 2001 Homepage Worm
9 & 10 May 2001 Self-Proclaimed Homepage Authors Say it is Viral Marketing
7 & 10 May 2001 Cyber Attacks on Pentagon: Still No Leads
7 May 2001 Exodus Security Site Breached
7 May 2001 The Changing Role of the Security Professional
7 May 2001 Interview With Virus Writer Expert
********* Sponsored by VeriSign -The Internet Trust Company **********
Upgrade your server security to 128-bit SSL encryption! GetVeriSign's
FREE guide, "Securing Your Web Site for Business." You will learn
everything you need to know about using 128-bit SSL to encrypt your e-
commerce transactions for serious online security.
Click here! http://www.verisign.com/cgi-bin/go.cgi?a=n046610560014000
TOP OF THE NEWS
14 May 2001 Users Agree on Security BenchmarksMore than 140 large companies and government agencies from around the world have reached consensus on benchmarks for measuring security on Solaris systems. Windows 2000, Linux and Windows NT are the next operating systems to be released.
[Editor's Note: This week all the members of the Center for Internet Security are receiving a CD containing tools that automatically measure Solaris systems against the benchmarks and report the results. The CD includes both network based and host-based tests. Early users found many systems they thought were safe needed key changes. They also expressed pleasure that the benchmark protected them against the Sadmind/IIS worm described in the next story. CIS web site: www.cisecurity.org ]
10 & 11 May 2001 Sadmind/IIS WormMore than 9,000 servers may have been compromised by the sadmind/IIS worm that gains root access on Solaris servers and then scans for other vulnerable systems to infect and servers to deface. A patch for the IIS flaw has been available for nearly a year, and a sadmind fix was released over two years ago.
11 May 2001 New Types of DDOoS Attacks UncoveredThree new types of denial of service attacks are described by analysts who monitored the Internet2 network for six months.
8 May 2001 DDoS Attacks Target Real and Phony White House Siteswww.Whitehouse.org, a presidential parody site, was the target of a presumably misguided distributed denial of service (DDoS) attack. The real site, www.Whitehouse.gov, was taken off line for a while after suffering a similar attack. The FBI's National Infrastructure Protection Center (NIPC) said several sites were attacked using fragmented large UDP packets (see story below).
9 May 2001 NIPC DDoS WarningThe FBI's National Infrastructure Protection Center (NIPC) has issued a warning that attackers are conducting distributed denial of service (DDoS) attacks by sending large, fragmented User Datagram Protocol (UDP) packets to port 80. Administrators are advised to check for such packets at port 80; outbound packets directed at port 80 could indicate that a machine has been infected with DDoS tools.
********** Also sponsored by Network-1 Security Solutions ************
Host Intrusion Prevention for Servers and Desktops
CyberwallPLUS uses an ICSA-certified packet filtering firewall, stateful
packet inspection and active intrusion prevention to secure and protect
sensitive Windows servers and workstations operating in "electronically
open" networks. CyberwallPLUS- three levels of security in one
Free 30-day evaluation - http://www.network-1.com/support/download.html
THE REST OF THE WEEK'S NEWS
14 May 2001 FBI Security ReviewIn the wake of the Hanssen spy case, the FBI is conducting a review of its computer security practices, policies, and procedures.
14 May 2001 2600's Domain Name TakenA problem at the domain name registrar Network Solutions left 2600.com's domain registration bill unpaid, allowing the domain name to be grabbed by someone else.
11 May 2001 BGP VulnerabilityCisco has issued a security advisory warning that a security weakness in the Border Gateway Protocol (BGP) could be exploited to crash routers. The vulnerability can be exploited only "in configurations that include both BGP and inbound route filtering on affected software."
11 May 2001 Truce in China-US HackingA group of Chinese hackers responsible for a plethora of web site attacks has released a statement claiming its goal of 1,000 attacked sites has been met and has declared a truce. Hackers on both sides of the cyber conflict have defaced numerous sites. There is concern that the Lion worm, written by the founder of the Chinese hacking group, has infiltrated systems and could be used to launch attacks at a later date.
11 May 2001 Visa Security Measures to Include PasswordsVisa U.S.A Inc. plans to implement "payer authentication applications" which will require people shopping on-line with Visa cards to provide passwords. Retailers will install the authentication service on their servers, and the banks that issue the Visa cards will have to install a database application for user passwords.
11 May 2001 Advice for Protecting Web SitesAttackers use automated scanning tools to find vulnerable web sites, paying little heed to the sites' content or purpose. To protect sites, security specialists advise that companies apply all patches and updates, make their web pages read-only, and do away with the cmd.exe DOS prompt on their web servers.
10 May 2001 Apple OS X SecurityApple's new operating system, OS X, utilizes open source software, which could be good for security because problems will be more readily discovered and fixed.
9 May 2001 Homepage WormThe Homepage worm initially spread rapidly, but began to diminish within a day. The worm arrives as a .vbs attachment and affects users of Microsoft's Outlook and Outlook Express e-mail programs. Once activated, the worm mails itself to everyone in the infected machine's address book and then opens one of four certain web pages. Some anti- virus firms are speculating that Homepage is a viral marketing tool, designed to generate traffic the sites. Anti-virus experts have expressed concern that some businesses are still not blocking .vbs attachments.
9 & 10 May 2001 Self-Proclaimed Homepage Authors Say it is Viral MarketingIn an anonymous e-mail received by Wired news, three teenagers in the Netherlands say their intent was to generate traffic for the four web sites that the worm automatically opens on infected computers. Homepage was created with an updated version of the toolkit used by the author of the Kournikova worm.
7 & 10 May 2001 Cyber Attacks on Pentagon: Still No LeadsCyber intruders have infiltrated pentagon computer systems for more than three years, leaving backdoors and rerouting traffic through Russia, writes James Adams, National Security Agency (NSA) advisory board member, in Foreign Affairs magazine. Despite evidence that the attacks appear to originate from Russian addresses, Adams claims the Russian government has been less than accommodating in the investigation.
7 May 2001 Exodus Security Site BreachedExodus Communications, which hosts the likes of Yahoo.com and eBay.com, acknowledged that attackers were able to view firewall logs. The intruders also gained control of two employee computers and posted several Exodus usernames and passwords in an Internet Relay Chat (IRC) room.
[Editor's (Murray) Note: It may be that we will have to write penalties into our agreements with hosting companies. When we do will there be anyone who wants to be in the business. ]
7 May 2001 The Changing Role of the Security ProfessionalAs companies become more aware of the importance of IT security, the role of security professionals is expanding. This article profiles one such director of information security who says that along with solid technical skills, strong communication and business skills are important. He also says that security should be integrated into all aspects of IT instead of being limited to the work of the security specialist.
7 May 2001 Interview With Virus Writer ExpertIn an interview, an expert on virus writers discusses their motivations and ethics. She says that the best way to deter virus writers is not through legislation, but by making it "uncool" to write viruses.
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail firstname.lastname@example.org with the subject: Subscribe NewsBites
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Eugene Schultz