SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume III - Issue #26
June 27, 2001
The best new security initiative of 2001 is the early warning system
created by Incidents.Org. It is called Internet Storm Center and has
been surprisingly effective in discovering new worms as they are
launched. It is like the weather service where sensors (more than 2,000
in 45 countries) feed data to analysis centers. Individuals with Zone
Alarm and McAfee and PIX and IPChains and Snort and several other
systems all send log data that provides a real-time map of attacks on
the Internet. Go see it in operation at www.incidents.org,
www.dshield.org (the movie is interesting) and www.mynetwatchman.com.
One of the best features is that they aggregate attack data and "fight
back" by pushing ISPs to inform people whose machine are being used in
attacks. They've had phenomenal success in fixing these sites.
If you want to be part of the program, go to one of the sites, download
a client for your IDS or firewall, and you can be operating today and
getting feedback on who is attacking you and who else they are
Congratulations to Lawrence Baldwin of MyNetWatchamn and Johannes
Ullrich of dshield.org for creating this extraordinary service to the
TOP OF THE NEWS22 June 2001 Microsoft Sites Running IIS Defaced
21 June 2001 Oracle Security Hole Allows DoS Attacks
20 June 2001 Money Bugs Send Credit Card Data to Thieves
19 & 20 June 2001 Social Worker Recommends Jail Time For Canadian Teen
19 June 2001 Former Employee Sentenced to Jail for Revenge Cracking
18 & 19 June 2001 IIS Vulnerability
THE REST OF THE WEEK'S NEWS22 June 2001 Consumers' Association Chastised for Security Problem
22 June 2001 An Important Application for Encryption
21 June 2001 Cracker Penetrates Credit Card Database
21 June 2001 Kournikova Author to be Tried in Dutch Police Court
21 June 2001 Phone Phreaking Bill Dispute
20 June 2001 On Line World Bank Conference May Face Cyber Attacks
20 June 2001 Lufthansa Defends Against DoS Attack
20 June 2001 Russian Cracker Could Face Prison Sentence
20 June 2001 Jail Time for Satellite TV Access Card Cracker
20 June 2001 Instant Messaging Archiving Privacy Issues
20 June 2001 Financial Institutions, Consumers Urged to Pay Attention to Security
20 June 2001 Customer Service E-Mail Mistakenly Forwarded to Other Customers
19 June 2001 Incident Response Plans
18 June 2001 Elements of a Good Security Awareness Program
18 June 2001 ComputerHQ.com Exposed Customer Data
16 June 2001 TVA Employees Violated Policy by Downloading SETI Program
*********************** Sponsored by Websense ************************
WHAT DO CISCO, MICROSOFT AND CHECK POINT HAVE IN COMMON?
They are all integrated with Websense, the leading Internet filtering
software solution. Transparently monitor, manage and report on traffic
from your internal networks to the Internet. Maximize your network
bandwidth, increase productivity and reduce legal liability.
Try Websense free for 30-days.
TOP OF THE NEWS
22 June 2001 Microsoft Sites Running IIS DefacedA cracker has defaced four Microsoft web sites, all of which were running IIS on a Windows platform. Another group subsequently defaced one of the sites; the other three were inaccessible as of late last week.
21 June 2001 Oracle Security Hole Allows DoS AttacksA security hole in Oracle's database software running on Windows NT could cause a denial of service because the server allocates resources to the request. The problem was discovered by Internet Security Systems (ISS) which also identified a number of similar vulnerabilities affecting Oracle software running on Unix.
20 June 2001 Money Bugs Send Credit Card Data to ThievesSmall devices can be planted inside retail terminals where they skim credit card information and automatically send it to labs where people make phony credit cards.
[Editor's (Murray) Note: This is a fundamental vulnerability that results from the ability to insert an untrusted device. Visa and MC may protest all they like, but the cost of such devices has fallen to the tens of dollars, and any merchant and most of their employees can insert one. The answer is smart cards, and Visa and MC both know it. We can only hope that they will start to use them before permanent damage is done to public trust and confidence. Time is critical and it is not obvious that they have enough. ]
19 & 20 June 2001 Social Worker Recommends Jail Time For Canadian TeenA court-appointed social worker said that the Canadian teenager responsible for major denial-of-service attacks in February 2000 should spend at least five months in detention. The boy has shown no remorse for his actions, needs more discipline, and is likely to commit more cyber crimes, according to the social worker.
19 June 2001 Former Employee Sentenced to Jail for Revenge CrackingA man who broke into his former employers computer system, deleted files, altered records and sent phony e-mails was sentenced to six months in prison. Patrick McKenna was also ordered to pay more than $13,000 in restitution, and will be under supervision for two years following his release.
18 & 19 June 2001 IIS VulnerabilityA security flaw in Microsoft Internet Information Service (IIS) software on running on Windows 2000, NT or XP beta could allow attackers to gain system level access. Nearly six million sites are estimated to be vulnerable to the flaw, and users have been urged to apply a patch that Microsoft released when it announced the security hole. The problem lies in the fact that the Indexing Service ISAPI Filter module does not check for buffer overflows.
********************* Also sponsored by Symantec *********************
Who Gets In? Who Stays Out? Who Decides?
The dilemma every company faces. Symantec(tm) has a solution. With
Managed Intrusion Prevention, security experts assess, monitor and
maintain your company's perimeter security, around the clock. Using
world-class technology, we keep your organization's networked assets
secure and protected.
Find out how at http://www.symantec.com/ses5
THE REST OF THE WEEK'S NEWS
22 June 2001 Consumers' Association Chastised for Security ProblemThe Consumers' Association (CA) exposed customer credit card information on its TaxCalc web site. CA has arranged for an independent assessment of the web site, which will remain down until the security problem has been addressed. Experts have been vocally critical of the blunder.
22 June 2001 An Important Application for EncryptionWhile credit card numbers may also be exposed in the network, attacks against the merchant's server are usually more efficient. Such attacks yield more value for successful attacks as compared to the cost of such attacks. Merchants store credit card numbers because it makes subsequent purchases easier for the consumer. Where merchants elect to save credit card numbers they should do so on a back-end database server. If credit card numbers are stored on the front-end server, they should be encrypted.
21 June 2001 Cracker Penetrates Credit Card DatabaseA cracker accessed the credit card database of Anacom Communications Inc., an independent subsidiary of ZixIt Corp. The FBI is investigating.
21 June 2001 Kournikova Author to be Tried in Dutch Police CourtJan de Witt, the Dutch man who unleashed the Kournikova worm in February of this year, will be tried in police court, which limits the maximum possible jail sentence to six months; a fine could go as high as $38,000.
21 June 2001 Phone Phreaking Bill DisputeCrackers took advantage of a Georgia realty firm's 800 number to make nearly $90,000 in overseas calls; as no culprits have been caught, the small company disagrees with AT&T about who should foot the bill. Businesses can protect themselves from such attacks by using arcane passwords, changing them habitually, keeping passwords secret, and blocking international phone service if it is never used.
[Editor's (Murray) Note: In the olden days Ma Bell simply treated such losses as a cost of doing business. In the modern world AT&T owes other carriers cash for such losses. In the modern world, the customer manages and configures the APBX. While AT&T and other carriers will manage it for a fee, it is a little much to ask them to absorb losses associated with the customers' election to do it themselves. ]
20 June 2001 On Line World Bank Conference May Face Cyber AttacksIn an effort to avoid demonstrations, the World Bank has announced that it will hold its scheduled conference on line instead of in Barcelona. However, computer-savvy protesters could prove every bit as disruptive as flesh and blood demonstrators.
20 June 2001 Lufthansa Defends Against DoS AttackLufthansa claims to have successfully defended against a denial of service attack launched as a protest. The German airline apparently learned of plans for the attack beforehand, allowing them time to prepare.
[Editor's (Murray) Note: The time one is most likely to learn of such plans is after they are already in motion. Systems cannot unilaterally protect themselves from DoS attacks; this requires upstream controls, for example at the ISP. However, the time to put those controls in place is now, not when one learns of plans. ]
20 June 2001 Russian Cracker Could Face Prison SentenceA Russian cracker charged with sending out a virus that destroyed data on at least one hard drive could receive a prison sentence of up to three years.
20 June 2001 Jail Time for Satellite TV Access Card CrackerVictor Donell Mason received a 15-month jail sentence for modifying and selling DirecTV access cards.
20 June 2001 Instant Messaging Archiving Privacy IssuesSome instant messaging programs incorporate archiving features which do not require the consent of both participants; most programs also allow users to save their real-time on line conversations as text files.
20 June 2001 Financial Institutions, Consumers Urged to Pay Attention to SecurityThe Financial Services Authority (FSA) urged on line financial institutions not to forget security while they ready new products. The UK watchdog group also cautioned consumers to be attentive to security matters while doing business on line; consumers should use obscure passwords, change them often, and check for encryption when sending data, suggests an FSA team manager.
[Editor's (Murray) Note: The most important and effective security measure for consumers is timely reconciliation of confirmation and statements from their financial institutions. ]
20 June 2001 Customer Service E-Mail Mistakenly Forwarded to Other CustomersPrivate e-mail sent to the Network Solutions' customer service department has been sent on to others who have e-mailed for help. A company representative called the problem a "human error."
19 June 2001 Incident Response PlansThe recent security breach at Cal-ISO underscores the importance of having an incident response plan in place. This article lists some guidelines for such a plan, including recording all actions, preserving all evidence, and reviewing and revising the plan after each incident.
18 June 2001 Elements of a Good Security Awareness ProgramA good security awareness program will address social engineering, passwords, insider threats, and cyber ethics.
16 June 2001 TVA Employees Violated Policy by Downloading SETI ProgramTennessee Valley Authority (TVA) employees violated policy and compromised computer security when they downloaded the SETIhome distributed computing program, according to a report from the inspector general. There is no evidence of unauthorized system access, and the program has been removed from the computers.
[Editor's (Murray) Note: The use of any program involves some risk. It is clearly the right of the owner and operator of that system to decide what risk to take. However, such owners and operators had best be sure that their decisions are effectively communicated to all of their employees, surrogates, and agents. Wide spread abuse such as this suggests ineffective communication. It is likely that this ineffective communication is not limited to this one issue. ]
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail email@example.com with the subject: Subscribe NewsBites
Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Eugene Schultz