SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume III - Issue #23

June 06, 2001

From time to time a "must read" document is published. Steve Gibson,
author of ShieldsUp! and one of the gurus of Windows security lived
through a major distributed denial of service attack and traced the
attackers. He wrote an extremely readable tutorial on it. It's long,
and worth every minute. Just one of his many interesting tidbits:
Windows 2000 and XP, unlike their predecessors, have enormous capacity
to generate malicious Internet traffic with spoofed IP addresses.
http://grc.com/dos/grcdos.htm

While we are talking about great tutorials, SANS has created a must-
attend program for information security officers. It provides essential
skills that every ISO must master if he or she wants to excel in the
world of the Internet and distributed computing. It will be one of seven
immersion tracks at SANS Network Security (San Diego, October 15- 22).
If you are an ISO or CISO, mark your calendar today. October is a superb
time to visit San Diego.

---

TOP OF THE NEWS

31 May 2001 SULFNBK.EXE Worm Hoax
30 May 2001 Judge Rules FBI Acted Properly in Russian Hacker Case
29 & 31 May 2001 Open Source Sites Attacked
29 May 2001 Insider Attacks System and is Caught
26 May 2001 Russian Police Arrest Crackers
23 May 2001 Microsoft Word Flaw: RTF Files and Macros

THE REST OF THE WEEK'S NEWS

1 June 2001 Denial-of-Service Attacks' Potential for Increased Damage
1 June 2001 University Systems Vulnerable
1 June 2001 Hotmail and Yahoo E-mail Vulnerability
1 June 2001 Gartner Analysts Point to Complacency as Root of Increased Infections
1 June 2001 Fighting Internet Fraud with Software
31 May 2001 New Worm Variant Makes Use of Social Engineering Tactics
31 May 2001 Former Employees Hack for Revenge
30 May 2001 Hackers Pilfer SETI@home Volunteers' E-Mail Addresses
30 May 2001 OpenPGP Alliance
29 May 2001 Hacker Helps Excite@Home With Security
29 May 2001 Echelon's Reach Exceeds its Grasp, Says EU Committee
29 May 2001 Researcher Says Education is Key to Halting Viruses
29 May 2001 The Costs of CyberCrime
24 May 2001 Weather.com Hit By Denial of Service Attack
19 May 2001 Cracker Compromises Customer Credit Card Data

---

*********************** Sponsored by SurfControl *********************
MONITOR & MANAGE INTERNET USE - FREE TRIAL!
If you're not managing Internet access, you're asking for trouble.
SurfControl, the #1 market leader in Internet filtering, improves
security & frees up network traffic. Find out exactly WHO is doing WHAT,
WHEN, & WHERE on the 'Net.
FREE 30-day SuperScout Web Filter trial:
http://www.surfcontrol.com/promo/SNB0606
**********************************************************************

---

TOP OF THE NEWS

31 May 2001 SULFNBK.EXE Worm Hoax

A hoax e-mail may have convinced many people to delete SULFNBK.EXE, a Windows utility, from their hard drives. While the e-mail may have begun with good intentions - there have been reports of e-mails containing copies of the file infected with W32.Magistr.24876@mm - the hoax e-mail uses social engineering to get people to do the work of a malicious worm.
A Symantec site offers information about the hoax e-mail and instructions for restoring the deleted file.
-http://www.zdnet.com/zdnn/stories/news/0,4586,5091958,00.html?chkpt=zdhpnews01
-http://www.symantec.com/avcenter/venc/data/sulfnbk.exe.warning.html
[Editor's (Paller) Note: The Magistr virus is sometimes delivered inside a file called sulfnbk.exe. This story has two morals: (1) "Do it yourself" virus cleaning is dangerous. (2) People who pass along unverified virus warnings can be a major part of the virus problem. If your organization's AUP (appropriate use policy) allows these two behaviors, you might want to change the policy. ]

30 May 2001 Judge Rules FBI Acted Properly in Russian Hacker Case

A federal judge has ruled that the FBI did not violate the rights of two alleged cyber-criminals when it tricked the Russian pair into divulging passwords and account numbers and downloaded evidence from machines in Russia using that information. In his ruling, the judge wrote that the suspects had no expectations of privacy when they were asked to demonstrate their skills, that computers and data are not subject to Fourth Amendment protection, and that the FBI obtained a warrant before examining the data they downloaded from the Russians' computers. The suspects allegedly stole financial information from two banks and they have been linked to credit card thefts from CD Universe and Western Union.
-http://www.msnbc.com/news/563379.asp?0nm=C21D
[Editor's (Murray) Note: Bad cases make bad law. We will all live to regret this decision. ]

[Editor's (Paller) Assessment of Murray's Note: Nonsense. Our courts do an incredibly good job of protecting alleged criminals against overzealous law enforcement. This ruling is balanced. It provides protection for both the alleged criminals and the public. ]

29 & 31 May 2001 Open Source Sites Attacked

At least two open-source web sites - the Sourceforge.net development site and the Apache Software Foundation's public server - were targeted by crackers. Sourceforge had to reset all users' passwords. Tucows.com and themes.org may also have been victims.
-http://news.cnet.com/news/0-1003-200-6077471.html?tag=prntfr
-http://www.zdnet.com/zdnn/stories/news/0,4586,5091936,00.html
-http://it.mycareer.com.au/breaking/2001/05/31/FFXQ0QREDNC.html

29 May 2001 Insider Attacks System and is Caught

This story details the case of Abdelkader Smires who used insider knowledge to launch attacks against Internet Trading Technologies (ITTI), a brokerage. Smires was caught because he failed to mask the IP addresses he used and had read his e-mail while launching the attacks; he received an 8-month prison term.
-http://www.techtv.com/cybercrime/internetfraud/story/0,23008,3013872,00.html

26 May 2001 Russian Police Arrest Crackers

Russian police have arrested members of a cracker group behind an on- line credit card fraud scheme. The five men are not thrill-seeking crackers, but professional criminals out to make money. The ringleader, a 63-year-old grandfather, could face a 10-year jail sentence.
-http://news.bbc.co.uk/hi/english/world/europe/newsid_1353000/1353092.stm

23 May 2001 Microsoft Word Flaw: RTF Files and Macros

Microsoft has warned of a flaw in Word that could allow macros to run without warnings. If users of Word 97 and higher open a Rich Text Format (RTF) file that references a template with an embedded macro, that macro can be run without any warnings, and could be constructed to disable Word security settings. Microsoft has issued a patch for the flaw.
-http://www.infoworld.com/articles/hn/xml/01/05/23/010523hnwordflaw.xml
-http://www.microsoft.com/technet/security/bulletin/ms01-028.asp
[Editor's (Murray) Note: code is now riddled with escape mechanisms. Ken Thompson's warning has come true; there is no longer a useful distinction between programs and data. ]

[Editor's (Cowan) Note: For those wondering what this is about, this brief article from the SANS Reading Room explains how to use RTF instead of Word's native .doc format to avoid most macro virus problems. The bug and fix described above relate to the RTF approach to macro virus defense.
-http://www.sans.org/newlook/resources/macro.htm]

---

THE REST OF THE WEEK'S NEWS

1 June 2001 Denial-of-Service Attacks' Potential for Increased Damage

The author of a recent study on denial-of-service attacks says they are on the rise and are becoming more serious; the potential for damage increases as more elements of critical infrastructure are placed on line. Steve Gibson, a security consultant whose GRC.com web site has been the victim of attacks, suggests that ISPs should filter outgoing packets for invalid addresses.
-http://www.zdnet.com/zdnn/stories/news/0,4586,5092020,00.html

1 June 2001 University Systems Vulnerable

University computers are desirable targets for crackers due to their ubiquitous vulnerabilities and weak protection. In addition, the systems offer storage space for illegal software, fast Internet connections for launching denial-of-service attacks, and access to a plethora of sensitive data. Crackers have been known to trade addresses of compromised .edu computers on the "digital black market."
-http://www.cnn.com/2001/TECH/internet/06/01/hacking.colleges.ap/index.html
[Editor's (Murray) Note: Universities should segregate and isolate student-managed systems, enforce origin addressing, and enforce their acceptable use policies. ]

[Editor's (Paller) Question: If your university has found a solution to the student computer problem - one that effectively protects the rest of the Internet from all of your student computers without crushing creativity and openness - please share it with us at info@sans.org with subject "Academic excellence in security." ]

1 June 2001 Hotmail and Yahoo E-mail Vulnerability

A vulnerability in Hotmail and Yahoo e-mail programs allows a deliberately composed e-mail containing an HTML link to behave like a worm and flood Internet mail servers. Microsoft had the flaw fixed by Friday afternoon, and Yahoo was working on a fix.
-http://news.cnet.com/news/0-1003-200-6162983.html?tag=prntfr
[Editor's (Grefer) Note: Though these two well-known email services have corrected the problem, one must wonder whether the many smaller email services have done anything about it. ]

1 June 2001 Gartner Analysts Point to Complacency as Root of Increased Infections

Gartner analysts say the rise in e-mail worm infestations is due to complacency, and advise IS organizations to continuously educate about guarding against e-mail-borne infections, to establish and enforce strong security policies, and to strip .vbs files from messages.
-http://news.cnet.com/news/0-1003-201-6157094-0.html?tag=prntfr
[Editor's (Murray) Note: While we must expect new viruses to contaminate some systems, vigilance and timeliness can prevent them from using the internet to spread. It now appears that if as few as twenty percent of our systems and networks are resistant to a virus, it will die out. However, in order to achieve this level it is essential that all desktop and laptop systems update frequently and that enterprise gateways, our first line of defense, be updated at least weekly. My preference is for these gateways to scan both inbound and outbound traffic. ]

1 June 2001 Fighting Internet Fraud with Software

Forensic data mining, which can be used to fight Internet fraud, searches for patterns that suggest questionable activity and warrant closer examination. Programs can detect unusual activity such as a credit card being swiped twice at the same location, a patient charging services to another family member's account when benefit limits have been reached, and high correlation between physicians who refer patients to one another and overcharge the insurer.
-http://www.wired.com/news/technology/0,1282,44203,00.html
[Editor's (Murray) Note: Real hackers (as opposed to vandals) work at the application layer. Because intent is most obvious at this layer it is also the layer where resistance is most effective. ]

31 May 2001 New Worm Variant Makes Use of Social Engineering Tactics

The Chernobyl worm, which carries a malicious payload capable of overwriting a computer's BIOS information, is making the rounds this time in the guise of an attachment purporting to be pictures of Jennifer Lopez.
-http://news.cnet.com/news/0-1003-200-6135045.html?tag=prntfr
[Editor's (Murray) Note: "Social engineering" is a term that hackers use to put a pleasant face on fraud and deceit. ]

31 May 2001 Former Employees Hack for Revenge

Federal investigators say the incidence of unhappy former employees attacking companies' computer systems is increasing. One man altered customer accounts and deleted databases in his former employer's system; another sent phony e-mails that appeared to come from the management at the company where he had worked as a contract employee. An FBI computer intrusion squad agent points out that it is important to be aware of who has been fired because computer access is not always cut off when employment is terminated.
-http://www.usatoday.com/life/cyber/tech/2001-05-31-revenge-hacking.htm

30 May 2001 Hackers Pilfer SETI@home Volunteers' E-Mail Addresses

Some hackers figured out the method SETI@home uses to exchange work units with volunteers in its distributed computing effort, and took advantage of the knowledge to mine up to 50,000 e-mail addresses which were then used in a spam attack. SETI@home's project director said the server software has been revised.
-http://www.msnbc.com/news/580466.asp?0nm=C21B
[Editor's (Cowan) Note: The article says this hack exposes the pitfalls of distributed computing. More precisely, it exposes the pitfalls of distributed computing with weak authentication. ]

30 May 2001 OpenPGP Alliance

Eleven companies and organizations have formed the OpenPGP Alliance, which will allow them to share information to achieve interoperability between different secure e-mail systems.
-http://news.cnet.com/news/0-1003-200-6112943.html?tag=prntfr

29 May 2001 Hacker Helps Excite@Home With Security

Excite@Home has praised a hacker who came to the company with information about a server vulnerability that could have exposed customer support data. After meeting with the man, Excite@Home bolstered its network security by installing firewalls, implementing a variety of security hardware and programs, and restricting network access.
-http://news.cnet.com/news/0-1003-200-6091589.html?tag=prntfr
[Editor's (Grefer) Note: @Home is a major contributor to the security problem, because of its lax security. Just look at the GRC story described at the beginning of this issue. ]

[Editor's (Paller) Note: We do not recommend the hiring of hackers. However, when hackers come forward to help improve security, without any form of extortion, they are taking a big step toward using their talents in ways that could be the beginning of a valuable career. ]

29 May 2001 Echelon's Reach Exceeds its Grasp, Says EU Committee

A draft report from a European Parliament investigative committee concludes that Echelon, the global electronic eavesdropping network, is not as capable as was previously believed, but the committee still recommends that people use encryption software.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO60923,00.html
Echelon Q&A:
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_1357000/1357513.stm

29 May 2001 Researcher Says Education is Key to Halting Viruses

Sarah Gordon, a researcher studying virus writers and hackers, uses her skills not to track down criminals, but to develop cybercrime deterrents. She believes that education is the key to stemming the tide of malicious cyber activity because there is a "fundamental disconnect" between people's on-line and off-line behavior.
-http://www.wired.com/news/culture/0,1284,43839,00.html

29 May 2001 The Costs of CyberCrime

In 1999 businesses spent over $7 billion to protect themselves from cybercrimes; last year, computer attacks cost businesses over $17 billion, up from more than $12 billion in 1999. Experts say that security risks can be decreased with the use of stringent security measures and internal policies, and of course, vigilant monitoring.
-http://detnews.com/2001/technews/0105/29/b01-229644.htm

24 May 2001 Weather.com Hit By Denial of Service Attack

The Weather Channel's web site was hit by a denial-of-service attack that limited user access and slowed site performance for about seven hours. The director of site operations said that in defense, they shifted to another dedicated router and installed filtering and intrusion detection software. In addition, system administrators are examining the company's server logs to see if the attack was a diversion created to draw attention away from an intrusion.
-http://www.internetwk.com/story/INW20010524S0010

19 May 2001 Cracker Compromises Customer Credit Card Data

A security breach at A&B Sound's web site exposed customer names and credit card data. The site was shut down to allow for investigation. A&B Sound has sent e-mails to potentially affected customers advising them to contact their credit card issuers.
-http://www.vancouversun.com/newsite/business/010519/5020497.html
-http://www.absound.ca/

---

==end==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites


Editorial Team:
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Eugene Schultz