Register now for SANS Cyber Defense Initiative 2016 and save $400.

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume III - Issue #24

June 13, 2001


*** Windows 2000 Security ***
The US National Security Agency (NSA) just released seventeen guides
(several more will be added shortly) to help Department of Defense
organizations secure Windows 2000. Many DoD organizations have adopted
the guides as standards. Sample titles:
Microsoft Windows 2000 Network Architecture Guide (161KB)
Guide to Securing Microsoft Windows 2000 DNS (738KB)
Guide to Securing Microsoft Windows 2000 Active Directory (430KB)
In a major departure from historic precedent, NSA is also making the
documents available to the security community outside DoD. It is a
fantastic gift. You may download them at
http://www.nsa.gov/winsecurity/win2k/download.htm
A caveat: one of the files got "clipped" in conversion to pdf, and it
will take a few days to get fixed. Don't use them as final until the
end of the week.

*** Government Technology Leadership Awards ***
Speaking of good things government is doing, if you know of a government
information technology project that is providing extraordinarily good
service to the public or is exemplary in some other positive way,
nominate the team that did it for one of the Government Technology
Leadership Awards (GTLA). GTLA is the most prestigious of all government
IT awards. (Security projects are welcome, they say, but make sure you
can prove they are extraordinary.)
Nomination forms are posted at www.govexec.com/tech/award/
Deadline: June 30, 2001.

TOP OF THE NEWS

7 June 2001 Web Bug Detecting Software Available
4 June 2001 DoubleClick's Revised Privacy Policy
8 June 2001 DoS.Storm Worm
6 & 7 June 2001 Watermark Cracking Researchers Ask Court to Let Them Present Work

THE REST OF THE WEEK'S NEWS

8 June 2001 Pentagon Will Overwrite Hard Drives on Certain Donated Computers
8 June 2001 Virus Warnings as Detrimental as the Real Thing
8 June 2001 Some Take Joke Warning Seriously
8 June 2001 Teen Who Cracked AF System Gets Probation
8 June 2001 Man Indicted for Internet Extortion
8 June 2001 Report Recommends Eliminating IT Export Controls
7 & 8 June 2001 Exchange 2000 Security Hole; Patch Flawed, Too
7 June 2001 Safer Internet Exchange Site Vulnerabilities Exploited
7 June 2001 South Dakota State Government Opts for Rules Over Filters
6 & 7 June 2001 Microsoft Responds to XP Security Threat Assertions
5 & 6 June 2001 Miss World Worm

TUTORIAL

4 June 2001 Security Manager's Journal: A Visit From the Feds



********** Sponsored by VeriSign -The Internet Trust Company *********
Do you have 128-bit SSL encryption server security? Get VeriSign's FREE
Guide, "Securing Your Web Site for Business" and learn everything you
need to know about using 128-bit SSL to encrypt your e-commerce
transactions, secure your intranets and authenticate your Web site.
128-bit SSL is serious security for your online business.
Get it now! http://www.verisign.com/cgi-bin/go.cgi?a=n094710560008000
***********************************************************************

TOP OF THE NEWS

7 June 2001 Web Bug Detecting Software Available

The Privacy Foundation is offering free software to detect web bugs, or clear GIFs. The bugs are usually used for tracking customer habits, but could be used toward malicious ends, such as grabbing IP addresses or installing files. The software is designed to work only with Microsoft's Internet Explorer; a version for Outlook and Outlook Express is under development.
-http://news.cnet.com/news/0-1005-200-6220048.html?tag=prntfr

4 June 2001 DoubleClick's Revised Privacy Policy

DoubleClick is soliciting input on its revised privacy policy. While the Internet advertising giant has not altered any of its controversial data collection practices, the company hopes to clarify what information it collects and what it does with that information.
-http://news.cnet.com/news/0-1005-200-6187175.html?tag=prntfr
[Editor's (Cowan) Note: Users browsing the web from UNIX workstations can block most DoubleClick banners and cookies by placing this line in their /etc/hosts file: 127.0.0.1 ads.doubleclick.net ]

8 June 2001 DoS.Storm Worm

The DoS.Storm worm takes advantage of a known IIS vulnerability to infect servers, search for other vulnerable servers to infect, and barrage Microsoft's web site with data. A patch for the exploited flaw has been available for several months.
-http://www.zdnet.com/zdnn/stories/news/0,4586,5092411,00.html

6 & 7 June 2001 Watermark Cracking Researchers Ask Court to Let Them Present Work

In April, a team of researchers bowed to pressure from the Secure Digital Music initiative (SDMI) and the Recording Industry Association of America (RIAA) and declined to present a paper that describes how they cracked digital watermarking schemes. Last week, that same group of researchers filed a federal lawsuit asking that they be allowed to present their paper at a technical conference this summer.
-http://www.wired.com/news/politics/0,1283,44344,00.html
-http://www.zdnet.com/zdnn/stories/news/0,4586,2770522,00.html


*********** Also Sponsored by Network-1 Security Solutions ***********
Host Intrusion Prevention for Servers and Desktops
CyberwallPLUS uses an ICSA-certified packet filtering firewall, stateful
packet inspection and active intrusion detection to secure and protect
sensitive Windows servers and workstations operating in "electronically
open" networks.
Now get three levels of host security in one product with CyberwallPLUS
Free 30-day evaluation - http://www.network-1.com/support/download.html
***********************************************************************

THE REST OF THE WEEK'S NEWS

8 June 2001 Pentagon Will Overwrite Hard Drives on Certain Donated Computers

In an effort to give as many usable computers to schools as possible, the Pentagon will overwrite hard drives on unclassified machines. While hard drives from classified machines will still be destroyed, the decision overturns an order to destroy hard drives on unclassified computers.
-http://www.cnn.com/2001/TECH/ptech/06/08/pentagon.computers.ap/index.html
[Editor's (Northcutt) Note: Overwrite programs such as BCWipe or the file Wipe that comes with PGP are considered sufficient for casual protection of deleted data, but not sufficient if your adversary has physical access to the hard disk. Organizations should consider this before surplusing computers if they once held critical information. ]

8 June 2001 Virus Warnings as Detrimental as the Real Thing

This opinion piece enumerates the hazards of passing on virus warning messages.
-http://www.computerworld.com/cwi/community/story/0,3201,NAV65-663_STO61245,00.ht
ml

8 June 2001 Teen Who Cracked AF System Gets Probation

A Connecticut teenager who allegedly broke into an Air Force computer system received two years of probation. He is also required to pay the government $2000, refrain from using a computer unless supervised by an adult, and keep up his grades at school.
-http://dailynews.yahoo.com/h/ap/20010608/us/juvenile_hacker_1.html

8 June 2001 Some Take Joke Warning Seriously

A gag warning on a Joke-A-Day site admonishing people to delete the "insidious" AOL.exe virus was actually taken seriously by some; several users deleted the AOL program from their computers and some forwarded the warning to others.
-http://news.cnet.com/news/0-1003-200-6229168.html?tag=prntfr
[Editor's (Grefer) Note: The URL of Owens' spoof provides an interesting log of how a hoax (or rather, his spoof of a hoax) spreads.
-http://www.jokeaday.com/7aolexe.shtml]

8 June 2001 Man Indicted for Internet Extortion

Nelson Robert Holcomb was indicted on a variety of charges, including attempted extortion and unauthorized access to a protected computer. Holcomb took advantage of a security flaw in a web site that sells digital books to download more than $2,500 worth of material, and threatened to tell a reporter about the vulnerability unless the company met his demands, which included a car and unlimited downloads. Holcomb could face a 20-year prison sentence and $250,000 fine.
-http://washingtonpost.com/wp-dyn/articles/A42521-2001Jun8.html
-http://www.njusao.org/break.html

8 June 2001 Report Recommends Eliminating IT Export Controls

A report produced as part of a Center for Strategic & International Studies (CSIS) policy review concluded that IT export controls should be removed because they do not prevent other countries from acquiring the amount of computing power necessary to pose a threat. In addition, the controls hinder U.S. IT companies' ability to compete in the world market.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO61242,00.html

7 & 8 June 2001 Exchange 2000 Security Hole; Patch Flawed, Too

A flaw in the Outlook Web Access module of Microsoft's Exchange 2000 mail server could allow scripts to execute without warning and could be exploited to gain access to items in a user's mailbox.
-http://news.cnet.com/news/0-1003-200-6217519.html?tag=prntfr
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO61167,00.html
A patch Microsoft released to repair the hole apparently caused significant e-mail problems. Microsoft pulled the fix, promising an updated version.
-http://news.cnet.com/news/0-1003-200-6228459.html?tag=prntfr

7 June 2001 Safer Internet Exchange Site Vulnerabilities Exploited

Crackers took advantage of two security flaws on the European Commission's Safer Internet Exchange web site, gaining administrative privileges though an Index server software vulnerability, and access to an e-mail distribution list through an unspecified flaw.
-http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO61171,00.html

7 June 2001 South Dakota State Government Opts for Rules Over Filters

South Dakota's state government decided against using web filters because they restrict access to information; in addition, the state considers its employees adults capable of following Internet use rules, according to the governor's spokesman. In recent weeks, 20 state employees have been fired or suspended without pay for failing to adhere to policy.
-http://www.wired.com/news/politics/0,1283,44357,00.html

6 & 7 June 2001 Microsoft Responds to XP Security Threat Assertions

In response to Steve Gibson's assertion that the presence of "raw sockets" in Windows 2000 and XP poses a large security threat, Microsoft maintains that it is not a serious problem. The company has included options such as the Internet Connection Firewall and Outlook E-Mail Security Update to help prevent hostile code from running on users' machines.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2770517,00.html?chkpt=hud0004200
-http://www.theregister.co.uk/content/6/19502.html
Microsoft's response:
-http://www.microsoft.com/technet/security/raw_sockets.asp
[Editor's (Grefer) Note: Other sources (i.e.:
-http://www.atstake.com/security_news/arch.html?060501)
have pointed out that raw socket access is possible under other releases of Windows, once a machine has been taken over and capable drivers have been installed. ]

5 & 6 June 2001 Miss World Worm

The Miss World worm carries a malicious payload that tries to overwrite necessary files and format hard disk drives. The worm is launched by opening infected e-mail attachments, and spreads via Outlook.
-http://www.theregister.co.uk/content/8/19518.html
-http://www.zdnet.com/zdhelp/stories/main/0,5594,2766546,00.html

TUTORIAL

4 June 2001 Security Manager's Journal: A Visit From the Feds

The security manager describes the events that unfold when a visit from a government law enforcement agent reveals that an employee's stolen laptop computer was used to crack a financial institution and harvest credit card information.
-http://computerworld.com/nlt/1%2C3590%2CNAV65-663_STO60994_NLTsec%2C00.html