
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume III - Issue #31

August 01, 2001

Kudos to the whole SANS community. You did a fantastic job in finding
the Code Red worm, in getting the word out, in patching your systems
and teaching others how to patch theirs, and in monitoring the
worm's spread.

Hour-by-hour infection data (from SANS Internet Storm
Center - the Internet's early warning system) is posted at

We didn't post it at our site because several hundred thousand visitors
an hour was too much for us to handle and because we wanted to give
the whole Windows community a free class on how to patch the current
problem and how to change the ISAPI mapping of IIS web servers so that
the Code Red vulnerability and future similar vulnerabilities cannot
hurt them. If you have any interest in this area, it's a great class
by Jason Fossen, takes only 30 minutes, and is free. And please tell
MCSEs you know about the short course. One of the saddest dimensions
of information security is that hundreds of thousands of people
earned MCSE certifications without being required to demonstrate any
competence in security. You'll find the short course at the same site
as the worm infection data: www.digitalisland.net/codered/


Code Red Worm
25 July 2001 New Case of ID Theft Involves SSNs
24 & 26 July 2001 Sircam Infestation Slows
25 July 2001 NIPC Falls Prey to Sircam


27 July 2001 Indian Cracker Alleges Police Brutality
26 & 27 July 2001 Privacy Groups File Complaint with FTC Over Windows XP
26 July 2001 Teen Publishes "Ethical" Hacker Manual
26 July 2001 Google Removes Links to Threatening Pages
26 July 2001 NIPC Not Living Up to Potential, Says GAO Report
25 July 2001 The Worm That Wouldn't Leave
25 July 2001 Hacker Documentary
23 & 24 July 2001 Adobe Recommends Russian's Release
23 & 24 July 2001 Trojan Steals Big Pond Users' Data
23 & 24 July 2001 SSH Remote Access Software Flaw
23 July 2001 Financial Institutions Need Stronger Information Safeguards
23 July 2001 Yahoo Server IP Change Keeps Messages From Reaching AOL Members

*************** Sponsored by Check Point Software ********************
Special Promotion--Next Generation Internet Security
Check Point Software, VPN and Firewall market leader, is offering 4
limited time product promotions:
- The enterprise management COMMAND CENTER
- More performance with the NEXT GENERATION POWER BOOST
- Remote Access VPN technology with the SECURECLIENT EDGE
- The PROVIDER-1 ADVANTAGE for effective, multi-policy security


01 August 2001 Code Red Worm

Coordinated efforts of the entire security community, the press, and individual IIS owners appear to have been sufficient to reduce the number of vulnerable systems below the level at which the current version of the Code Red worm goes into hypergrowth. Although huge numbers of systems were infected (more than 100,000) and significant damage has been done to sites that were taken offline because of routers and systems being halted or overloaded by the worm, much more damage may have been avoided. The watchers are maintaining vigilance, but they seem hopeful.

25 July 2001 New Case of ID Theft Involves SSNs

Social security numbers (SSNs), credit card information, driver's license numbers and other personal data belonging to hundreds of people began appearing in an Internet chat room in mid-July. The common link between the victims may be the on-line purchase of a cellular phone. What distinguishes this occurrence of "identity theft" from others is the involvement of such immutable details as SSNs and birth date information; unlike credit cards, these data cannot be canceled and re-issued. Many victims have reported fraudulent charges on their credit cards.
[Editor's (Murray) Note: The author is confusing "theft of identity" with "theft of identifiers." He may enjoy poetic license. We as security professionals have a responsibility to insist upon the distinction. ]

[(Schultz) What is so scary about incidents such as these is that so many organizations store sensitive customer information, but there are so few safeguards in the US and many other countries regarding the protection of this information. Worse yet, many organizations are downright sloppy in their protection of consumer information. Remember, too, that once a social security number is compromised, the person who has that number is now faced with a set of undesirable alternatives---to either stick with the same number (which is risky), or to obtain a new one (which is an incredible hassle). ]

24 & 26 July 2001 Sircam Infestation Slows

The spread of the destructive Sircam worm has slowed significantly, but antivirus companies still consider it a serious threat. However, variants will likely be slow in coming as Sircam is written in compiled code and is thus unavailable for script kiddie modification.
Sircam FAQ:

25 July 2001 NIPC Falls Prey to Sircam

A researcher at the FBI's National Infrastructure Protection Center (NIPC) opened a Sircam-infected e-mail attachment; a number of documents were then sent, courtesy of the worm, to outsiders.

******************* Also Sponsored by Trend Micro ********************
If you are worried about email viruses, you need Trend Micro ScanMail
for Exchange. ScanMail is the first antivirus solution that seamlessly
integrates with the Microsoft Exchange 2000 virus-scanning API 2.0.
ScanMail ensures 100% inbound and outbound email virus scanning and
provides remote software management.
Download a FREE 30-day trial copy of ScanMail and find out why it is
the best:


27 July 2001 Indian Cracker Alleges Police Brutality

Anand Khare, a cracker arrested in India for defacing ccicmumbai.com, a Mumbai police cyber crime web site, has alleged police broke his hand during interrogation. While police deny the incident, they make no bones about the fact that they are sometimes faced with "tough situations." One hacker essentially called Khare a script kiddie and accused him of casting aspersions on "a cerebral activity."

26 & 27 July 2001 Privacy Groups File Complaint with FTC Over Windows XP

A consortium of privacy groups has filed a complaint with the Federal Trade Commission (FTC) asking that the planned October release of the Windows XP operating system be postponed because of security and privacy concerns. Among the issues raised is that of the enormous database of consumer information Microsoft will store on central servers; such a trove of personal data would be irresistible to crackers.
The text of the complaint is available as a .pdf file. (20 pages)
The Register observes that the real issue here is .NET, not the new operating system.
[Editor's (Schultz) Note: Given all the security-related incidents that have been reported at Microsoft, this concern appears to be well-justified. ]

26 July 2001 Teen Publishes "Ethical" Hacker Manual

An Indian teenager has written a book titled "The Unofficial Guide to Ethical Hacking," which includes information about a variety of hacker tools as well as advice on writing and dealing with viruses.
[Editor's (Ranum) Note: "Writing viruses" and "ethical" anything do not mix. ]

26 July 2001 Google Removes Links to Threatening Pages

Google has removed pages from its website that allowed people to search for and exploit e-commerce sites running DCShop, a shopping cart software system in beta production with a known vulnerability.

26 July 2001 NIPC Not Living Up to Potential, Says GAO Report

Hindered by staff shortages and companies unwilling to share security incident information, the FBI's National Infrastructure Protection Center (NIPC) has not fulfilled its potential, according to a General Accounting Office (GAO) report. The center has been helpful with computer crime investigations.
[Editor's (Murray) Note: One cannot put investigation for purposes of prosecution in the same mission as the collection and dissemination of intelligence, and expect a good result. If the mission is placed inside a police agency, it is predictable in advance which task will suffer. ]

25 July 2001 The Worm That Wouldn't Leave

A forehead-slapping anecdote about a state agency's recurring Outlook e-mail worm infection.

25 July 2001 Hacker Documentary

Hackers: Computer Outlaws, a documentary that premiered on The Learning Channel (TLC) last week, presents hackers as misunderstood people who are largely responsible for the ubiquitous state of technology today. The film profiles John Draper, Steve Wozniak, and Kevin Mitnick.
[Editors' (multiple) Note: It's difficult to understand the motivation for a recruiting video that increases the number of outlaws. ]

23 July 2001 Financial Institutions Need Stronger Information Safeguards

Some major financial institutions are not using passwords or codes to ensure customer account security; instead, they are relying on the old standbys of such readily available information as Social Security numbers (SSNs) and mothers' maiden names as identifiers. As a result, the banks can easily fall prey to social engineering ploys and release sensitive data to identity thieves.

23 & 24 July 2001 Adobe Recommends Russian's Release

After a meeting with Electronic Frontier Foundation (EFF) board members, Adobe's general counsel offered the following statement: "[T]he prosecution of [Dmitry Sklyarov] is not conducive to the best interests of any of the parties involved or the industry." Sklyarov authored a program, legal in his home country of Russia, that breaks the copy protection on Adobe's eBook; he was arrested after a presentation at a security meeting. Demonstrators calling for Sklyarov's release have turned to federal targets as his fate now rests in the hands of the U.S. Attorney's Office.

23 & 24 July 2001 Trojan Steals Big Pond Users' Data

Telstra Big Pond customers were advised to change their passwords after the account details of 69 customers were posted on a website. Rejecting allegations that the system was hacked, a Telstra spokesman said a SubSeven Trojan on the systems of affected clients mined the data, which a cracker then posted on the Internet. (The second article also contains brief stories on the CERT warning to home users, the Code Red worm, and the SSH Secure Shell vulnerability.)

23 & 24 July 2001 SSH Remote Access Software Flaw

A password authentication vulnerability in SSH Secure Shell 3.0.0 could permit unauthorized people to gain control of servers running a variety of Linux versions, including Red Hat, SuSE, and Debian.
[Editor's (Murray) Note: Not all flaws are vulnerabilities, not all vulnerabilities are problems, not all problems are material. This vulnerability is a problem only in combination with practice so bad that one can hardly visualize it in the context of SSH. The occurrence of the problem is likely to be so sparse that an attacker is as likely to be struck by lightning and bitten by a snake before he finds an instance of it to exploit. ]

23 July 2001 Yahoo Server IP Change Keeps Messages From Reaching AOL Members

An AOL filtering system designed to protect members from unsolicited e-mail actually kept legitimate Yahoo Groups messages from getting through for several days. Yahoo had changed some server IP addresses as part of routine maintenance and had not informed AOL of the shift.
[Editor's (Murray) Note: Not only is security a difficult problem, it is also thankless. Yahoo and AOL are the villains for misconfiguring a control that would not even have to exist were it not for the spammers and those ISPs that host, not to say support, them. ]

Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites

Editorial Team:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt,
Alan Paller, Marcus Ranum, Howard Schmidt, Eugene Schultz