SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume III - Issue #32
August 08, 2001
A very busy week.
1. We are not out of the woods yet on Code Red and more vicious
worms and other automated attack tools are on the horizon. Still,
it is worth taking a moment and thanking the extraordinary people
who gave up their nights and weekends to make it possible for the
community to fight back against Code Red. If they hadn't gone above
and beyond the call, the number of people damaged by these worms,
and the number of e-commerce sites losing customer credit card data,
would have been much, much higher. The people are:
Mark Maiffret and Ryan Rermeh at eEye Digital Security, John Stewart
at Digital Island; Ron Dick, Bob Gerber, Jeff Tricoli, Vince Rowe,
Tom Ervin and the team at the NIPC; Marty Lindner and the CERT/CC
team; Steve Lipner, Scott Culp and the Microsoft team; Elias Levy
and the SecurityFocus team; the CAIDA team; UNIRAS (the UK CERT);
Mark Krause, Chris Morrow, and Jared Allison of UUNET; Marcus Sachs
and the team at JTF-CNO; Margie Gilbert at the NSC; Steve Gibson of
Gibson Research; Tinabeth Burton of ITAA; Chris Rouland, Dennis Treece
and the team at ISS; Jimmy Kuo, Dmitry Gryaznov, Neil Cowie, Chris
Stubbs, and the NAI team; Vicki Irwin, Johannes Ullrich, John Green,
Matt Fearnow and the team at SANS incidents.org, and Ken E. whose
full name and organization are not public.
2. Navy-Wide Information Assurance Leadership Program
The Chief of Naval Operations (CNO) and SANS are conducting a joint
technical conference as an integral part of SANS Network Security 2001
in San Diego October 15-16. All authorized Navy personnel are also
allowed to attend the SANS training and certification classes that
follow the Leadership Program, at significantly reduced costs. The
registration is posted at http://infosec.navy.mil/pubs/docs/training.
Along with the form there, fax a Form 1556 for payment. Details on
where to send it are at the end of this digest.
3. Online Registration Opens for SANS Network Security 2001.
With the Navy's program running at SANS Network Security 2001, some of
SANS most popular certification courses will fill up earlier than usual
(the Certified Information Security Officer Training, for example,
but two or three others will as well.). So please register in the
next two weeks. If you register by August 15, you also get any of
five bonus books.
Conference information at: http://www.sans.org/NS2001/NS2001.htm
Secure online registration form:
TOP OF THE NEWS6 - 8 August 2001 Code Red II Slows Parts of the Net
31 July 2001 Code Red's Presence Underscores Patch Apathy
1 August 2001 Users Ask Software Vendors To Stand Behind Security
THE REST OF THE WEEK'S NEWS3 August 2001 Security Site Traffic Up
2 August 2001 DOD Shuts Down Sites Again
1 August 2001 States Anticipate Code Red Trouble
6 August 2001 Sklyarov Out on Bail
2 August 2001 Sklyarov's Presentation Demonstrates Poor E-Book Encryption
3 August 2001 GAO Finds Poor Security at Commerce Department
3 August 2001 Wireless Vulnerability
3 August 2001 Internet Security Tips
2 August 2001 SirCam Poses Double Infection Threat
1, 2, & 3 August 2001 SirCam Still Spreading; Ukrainian President a Victim
1 August 2001 Postponed Sentencing for Melissa Author Leads to Questions
1 August 2001 Proposed School Hacking Bill Too Broad, Say Critics
31 July 2001 SubSeven Comes to Mac
31 July 2001 Telnet Exploit on Bugtraq Causes a Stir
29 July 2001 Georgia Students' Info Exposed on Google
27 July 2001 Former Employee Arrested for Unauthorized Access, Disruption
27 July 2001 Former IRS Employee Pleads Guilty to Cyber Sabotage
27 July 2001 ITNet Exposes Applicant Data
CORRRECTIONCORRECTION on SSH:
******************** Sponsored by NetIQ Corp. ************************
Free Security Guide from NetIQ.
Keep the bad guys out with NetIQ's security guide, "Jack the Hacker
Tells All: Insights into Security Dos and Don'ts."
Respond to threats before they become major incidents.
Download it now before it's too late.
TOP OF THE NEWS
6-8 August 2001 Code Red II Slows Parts Of The NetThe Code Red II worm is not a variant of the Code Red that recently ran rampant, though it does take advantage of the same vulnerability, uses the same method of attack, and is stopped by the same patch. Code Red II leaves a back door in infected systems which allows attackers to gain control; the back doors are already implicated in denial of service attacks. Code Red II also sets off a reaction in many cable broadband provider networks, that slows service and complete stops service to some subscribers. Most up to date summary:
More solid reporting:
Constant technical updates as the worms evolve:
*****The Debate Begins On What To Do About The Worms*****
31 July 2001 Code Red's Presence Underscores Patch ApathyThe author of this opinion piece says what's really scary about Code Red is the apathy about patches and updates. For those unable to keep up with the constant stream of fixes themselves, he suggests services that will send daily e-mails containing individually tailored security information or will even host a company's security and keep on top of fixes. He also applauds the idea of holding liable someone whose negligence in maintaining security is responsible for infections.
[Editor's (Ranum) Note: I am not a licensed or practicing ethicist, but where I come from, blaming the victim is not an acceptable response to a problem. (Schultz) It is very naive to attribute lack of patch installation to apathy. The real problem here is vendors who supply us with poor quality software. We are told that we must install patch 1, then patch 2, then patch 3, then patch so and so, so that our systems will be secure. But keeping up with all these patches is not realistic. Why can't the vendors just deliver better quality software?
1 August 2001 Users Ask Software Vendors To Stand Behind SecurityCNN reports a growing public cry for manufacturers of software to take more responsibility for correcting security flaws in products they sell. Shipping insecure software and waiting for it to hurt customers is not working. The video news segment also reports that the cyber insurance industry claims it has sold cyber insurance to 5% of American businesses.
[Editor's (Schultz) Note: How many news items of this nature are we going to have to read before we wake up to the fact that software vendors for the most part deliver poor quality software that leads to security problems? One of the unfortunate results of this ill-advised practice of the software industry is a plethora of security vulnerabilities. The only solution is appropriate legislation. (Schmidt) We still have humans developing software. I am sure ALL of the vendors (including the open source Linux developers) would love to reach perfection in coding. If you know of any coders who are perfect, I would be happy to look at hiring them. (Murray) I have to come down with Howard on this. It sounds as though Gene is suggesting that we legislate perfect software. Be careful what you ask for and the words that you use to ask for it. Having spent five years of my career in development, I am impressed that, given the quantity of code that we ship and the number of users and uses that it must satisfy, the quality is as good as it is. I am satisfied that we do a far better job of building code for the market place than we ever did building bespoke code for the enterprise. (Paller) A compromise, perhaps. To avoid reactive legislation, the vendors could take a leadership role by automating the updating and patching process and take responsibility for delivering the latest (completely patched) version to each new customer. The Linux vendors will probably be first because it will demonstrate the security advantage of their software over Microsoft, but one can only hope Microsoft will see the opportunity to better serve its client base, as well. Microsoft managers appeared surprised when I told them last week that many users would gladly pay 20 to 30% of the price of the software each year if Microsoft would take responsibility for patching the code as AOL does for its 20 million users. IBM's updating service is one of the key reasons that large companies feel safe in buying from IBM. If you work for a medium to large company or government agency and use Microsoft products on a large number of computers, please send an email to email@example.com (subject: MS patches) telling us what percentage of the product price you would be willing to pay Microsoft, each year, for active updates of security and hot fixes. ]
3 August 2001 Internet Security TipsAdvice for Internet safety includes updating antivirus software weekly, installing firewalls on broadband connections, being very cautions about opening e-mail attachments, and checking credit reports annually.
[Editor's (multiple) Note: A useful article to share with your users. (Grefer): Firewalls also are recommended for dial-up connections. ]
******* Also Sponsored by VeriSign -The Internet Trust Company *******
Do you have 128-bit SSL encryption server security?
Get VeriSign's FREE Guide, "Securing Your Web Site for Business"
and learn everything you need to know about using 128-bit SSL to
encrypt your e-commerce transactions, secure your intranets and
authenticate your Web site. 128-bit SSL is serious security for your
Get it now! http://www.verisign.com/cgi-bin/go.cgi?a=n094742310014000
THE REST OF THE WEEK'S NEWS
3 August 2001 Security Site Traffic UpConcern over the Code Red and SirCam worms is the likely driving force behind significant surges in antivirus company website traffic.
2 August 2001 DOD Shuts Down Sites AgainThe Defense Department again shut off access to certain web sites as a precaution against the potential menace of a second onslaught of Code Red infestations.
1 August 2001 States Anticipate Code Red TroubleThe state of Rhode Island shut down all state web sites for 12 hours beginning the evening of August 31st to guard against Code Red infections. Michigan and West Virginia kept their web sites up, but also had technical staff on standby should anything serious have transpired.
[Editor's (Murray) Note: Widespread disconnection is the result most to be hoped for by the rogues and vandals and the one to be most feared by the rest of us. It is sad that those with the most resources and who ought to know better are the ones who are disconnecting. Fixing the vulnerability is more efficient than disconnecting. Disconnection is the response of fearful high-level management that has no other controls that it is prepared to rely upon. ]
6 August 2001 Sklyarov Out on BailDmitry Sklyarov, the Russian researcher arrested at DefCon for violating the Digital Millennium Copyright Act (DMCA), has been released on $50,000 bail; he must remain in Northern California.
2 August 2001 Sklyarov's Presentation Demonstrates Poor E-Book EncryptionExamination of Sklyarov's DefCon presentation reveals that encryption software for at least two e-book makers is ridiculously simple to break. The article goes on to argue that the software Sklyarov distributes has a legitimate use.
3 August 2001 GAO Finds Poor Security at Commerce DepartmentA General Accounting Office (GAO) report indicates that computer systems security at the Department of Commerce is sorely lacking. Using readily available tools and techniques, "ethical hackers" employed by the GAO attempted to penetrate Commerce Department networks more than 1,000 times, but were detected only four times. GAO listed weak passwords and inappropriate levels of access, even for former employees, as two of Department's security problems. The report also indicated that an earlier, successful attack by a Russian cracker had gone undetected.
[Editor's (Ranum) Note: "Ethical hackers" is my favorite form of double speak. In addition, this article underscores something that most of us have known for a long time: When a .GOV domain gets studied for security, the GAO condemns them for ineptitude. Few things change. Then the site gets broken into or tested again and the same thing happens. Nobody is held accountable. "Weak passwords" and "inappropriate levels of access for former employees" are not even advanced enough problems to be Security 101: they are kindergarten level issues. As a taxpayer, I am disappointed in my employees and would fire a bunch of them, if I could. (Paller) We've seen the same "weak passwords" and "inappropriate levels of access" in many commercial systems. Marcus may be correct that people should be held accountable for repeated lapses in basic security. However, there is no proof that the problem is limited to government or even worse in government. GAO makes their reports of audits of federal agencies public; the security consultants hide their security audits of commercial organizations, on fear of law suits. ]
3 August 2001 Wireless VulnerabilityResearchers say a vulnerability in the Wi-Fi standard's security system allows attackers to determine the encryption key easily. Companies that use wireless networks are strongly encouraged to augment security with additional tools.
[Editor's (Murray) Note: It is no longer possible for the manager of a network, much less the manager of an application, to know what the connection looks like. That there may be a wireless link in the connection is only one example of the vulnerabilities that the manager is unlikely to know about. Therefore, one should not rely upon the connection for security. Applications should use end-to-end security that is appropriate to the application and that assumes an unreliable connection, not to say a hostile environment. ]
2 August 2001 SirCam Poses Double Infection ThreatThe Register reports that a managed services company has intercepted at least 100 e-mails in which the SirCam worm has randomly chosen a file than happens to be infected with another virus or worm.
1, 2, & 3 August 2001 SirCam Still Spreading; Ukrainian President a VictimThe SirCam worm, which is a danger to home users while Code Red is generally not, is still spreading. The worm managed to send out a file from a victim's disk containing the schedule of the Ukrainian president's planned independence anniversary celebration.
1 August 2001 Postponed Sentencing for Melissa Author Leads to QuestionsThe absence of any scheduled sentencing date for David L. Smith, the author of the Melissa Outlook worm, has led to speculation that Smith may be cooperating with authorities on another case.
1 August 2001 Proposed School Hacking Bill Too Broad, Say CriticsSenator Robert Torricelli (D-NJ) has introduced legislation that would punish any disruption of school computer systems with prison time. Critics, including educators and civil rights advocates, say the bill's sweeping language criminalizes ordinary activity.
[Editor's (Grefer) Note: The author's efforts are laudable. ]
31 July 2001 SubSeven Comes to MacMacintosh users are now susceptible to the SubSeven Trojan; antivirus vendors are releasing signatures to protect against infection.
31 July 2001 Telnet Exploit on Bugtraq Causes a StirThe appearance of the Telnet exploit on Bugtraq has angered the members of the group that authored it; they evidently put a legal warning not to post the code on a public web site at the top of their source code. Bugtraq administrator Elias Levy said that posting the code was an error.
29 July 2001 Georgia Students' Info Exposed on GoogleMore than 3,000 pages of personal data belonging to students at Southern Polytechnic University in Marietta, Georgia were available on Google.com between April and June of this year. Google began deleting the pages as soon as it became aware of the problem which arose when a Georgia Student Finance Commission firewall was inadvertently disabled. The governor has called for an investigation.
27 July 2001 Former Employee Arrested for Unauthorized Access, DisruptionA former employee at a Baltimore web-hosting company has been arrested for allegedly gaining unauthorized access to the company network after his dismissal and shutting down access to a major client for the greater part of a day.
27 July 2001 Former IRS Employee Pleads Guilty to Cyber SabotageA former Internal Revenue Service (IRS) system administrator has pleaded guilty to charges of computer sabotage. The erstwhile employee planted malicious code designed to delete data from three IRS servers after his security clearance was reduced as a disciplinary measure. He faces up to 10 years in jail and a fine of as much as $250,000.
27 July 2001 ITNet Exposes Applicant DataITNet job applicants who filled out on line forms had their personal information exposed on the Internet. The HTML pages generated by the on line forms were stored outside the company firewall and were cached by Google.com. An ITNet manager says Google has been contacted and that changes have been made to security to ensure such a fiasco does not occur again.
CORRECTION on SSH:Our editorial comment last week minimizing the importance of the SSH vulnerability was completely wrong. If you are using SSH Secure Shell for Unix v.3.0.0 and running the sshd2 daemon, please go to
for commercial or ftp://ftp.ssh.com/pub/ssh for non-commercial to download version 3.0.1. ]
Code Red II: Cleaning Up After the Compromise Many people have been asking: "How do I get rid of the Code Red II worm once it has infected a system?" Code Red II installs a backdoor that is open to any attacker. This means that it is impossible to tell what changes may have been made while the Code Red II backdoor was open. We are facing a public health problem. Many people who had unpatched IIS servers had no knowledge that IIS was running on their systems. An administrator can remove the Code Red II worm itself, but any additional backdoors or malicious changes made by follow-on attackers will still remain, undetected, after the worm is removed. The only real solution is to reformat the hard drive and reinstall all the software. For some individuals, this is not an option, the best short cut is probably to update your antivirus signatures to detect any Trojans that might be installed on your system and remove the worm as shown below: It is possible to remove the worm from the system as described here:
Further, the Privacy Software Corporation is providing a free tool that will help you remove the worm from an infected server:
ADDITION TO MANAGED SECURITY SERVICES POSTER Solutionary, Inc. was inadvertently left off the recently distributed SANS Roadmap to Managed Security Services poster. Solutionary is a full-service MSSP dedicated to protecting the electronic assets and information of companies and organizations worldwide. Solutionary's service offerings include: IDS Monitoring, Intelligence Gathering, Vulnerability Assessment, Firewall/VPN Management, Incident Response, Policy Compliance and Virus Scrubbing. Visit
for more information and free white papers.
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail firstname.lastname@example.org with the subject: Subscribe NewsBites
Navy-Wide Information Assurance Leadership Conference Details
To register, use the forms posted at http://infosec.navy.mil/pubs/docs/training
Also include a Form 1556 form for payment using the following vendor information:
The SANS Institute
Bethesda, MD 20816
Fax all information to 301-951-0140 or mail it to the address above.
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt,
Alan Paller, Marcus Ranum, Howard Schmidt, Eugene Schultz