SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume III - Issue #33
August 15, 2001
TOP OF THE NEWS14 August 2001 FBI Arrests British Man in Leaves Worm Case
13 August 2001 Microsoft Training Faulted For Contributing To Spread Of Worms
13 August 2001 CIS Releases Solaris Security Benchmark
10 August 2001 Security Salaries Still Rising Sharply; Certifications Pay Bonuses
9 August 2001 Code Red Hits Cisco Routers, Hotmail Servers
9 August 2001 UK IT Professionals Balk at Licensing Requirement
1 August 2001 When a Managed Services Provider Goes Bust
THE REST OF THE WEEK'S NEWS9 & 11 August 2001 Wireless LAN Vulnerability
9 August 2001 Former Employee Sentenced for Malicious Intrusion
9 August 2001 Judges Don't Like to be Monitored On Line
9 August 2001 Code Red Cleanup Tool
9 August 2001 Patch Doesn't Stop Scanning
9 August 2001 AT&T Blocks Access to Customers' Servers
5 August 2001 Code Red a Portent of Worms to Come
9 August 2001 Searching for Worm Authors
9 August 2001 Code Red Hype
8 August 2001 ColdFusion Server Software Vulnerability
8 August 2001 Was DCMA Used Appropriately in Sklyarov's Case?
7, 8 & 9 August 2001 DoJ Must Reveal Keystroke Gathering Methods
7 & 8 August 2001 Peachy PDF Worm
6 August 2001 FedCIRC Aims for Automated Patch Distribution System
6 August 2001 Security Manager's Journal: Former Dot-Com Employees Aid Security
***************** Sponsored By Check Point Software ******************
Special Promotion--Next Generation Internet Security
Check Point Software, VPN and Firewall market leader, is offering 4
limited time product promotions:
- -The enterprise management COMMAND CENTER
- -More performance with the NEXT GENERATION POWER BOOST
- -Remote Access VPN technology with the SECURECLIENT EDGE
- -The PROVIDER-1 ADVANTAGE for effective, multi-policy security
TOP OF THE NEWS
14 August 2001 FBI Arrests British Man in Leaves Worm CaseJust 60 days after the Leaves worm infected thousands of systems, the FBI arrested a British man for writing and distributing the worm.
[Editor's (Paller) Note: The Leaves author(s) had real-time control of tens of thousands of systems. He used that control to force those victims to visit specific web sites and perform other tasks. He also had the capability to launch massive DDoS attacks. Weaknesses in their data gathering and assessment systems caused at least two antivirus companies to underestimate Leaves danger. ]
13 August 2001 Microsoft Training Faulted For Contributing To Spread Of WormsMCSE students and trainers confirmed that MCSE certification does not require sufficient security mastery to provide minimum levels of protection. Said one employer, "Most
have to be trained in even the most basic of security principles. It costs us time and money."
13 August 2001 CIS Releases Solaris Security BenchmarkThe Center for Internet Security (CIS) has released minimum security configuration benchmarks for Solaris.
10 August 2001 Security Salaries Still Rising Sharply; Certifications Pay BonusesSecurity salaries are rising faster than nearly any other category of IT workers. Employees with CISA (auditors) and GIAC (technical) certifications earned the highest "certification" bonuses in salaries over other security employees.
9 August 2001 Code Red Hits Cisco Routers, Hotmail ServersCode Red II has knocked some of Qwest's Cisco routers off-line, inconveniencing DSL customers and infected two of Microsoft's Hotmail servers, which were shut down and patched. Qwest:
9 August 2001 UK IT Professionals Balk at Licensing RequirementWorkers are objecting to a plan that would require IT security workers to be licensed as are physical security workers, such as bouncers and private investigators.
[Editor's (Schultz) Note: I wonder why information security professionals are resisting becoming licensed. Pharmacists, dentists, doctors, and even chauffeurs are licensed. The public places more trust in professionals who are licensed. Information security is about trust, so practicing information security and licensing go together. My only concern is that the licensing process is fair and valid. (Murray) If we do not do a better job, we can expect attempts to license us. Unfortunately, such efforts are not likely to help and will end up diverting a lot of energy, skill, and talent. It is interesting that the focus of this effort is not on qualifications but on background. While we are all concerned about the rogues trying to rehabilitate themselves by becoming "security experts," that is not what is causing the problems that we are fighting. ]
1 August 2001 When a Managed Services Provider Goes BustWhen a managed security services company suddenly goes out of business, its clients are forced to make weighty decisions. Companies need to understand that outsourcing security still requires a significant measure of in-house resources and to have contingency plans in place in the event their managed services provider closes shop.
[Editor's (Paller) Note: The other managed service providers have honed their offerings. SANS will be producing a new poster showing who does what in MSS. If you know of an MSS provider that was not on the original poster, please email email@example.com. Also, at www.sans.org/mssp.htm, several leading MSS vendors have posted useful "white papers." And at www.sans.org/tools.htm other security tools vendors have provided their research reports as well. All free. ]
****** Also sponsored by VeriSign - The Internet Trust Company *******
Upgrade your server security to 128-bit SSL encryption!
Get VeriSign's FREE guide, "Securing Your Web Site for Business." You
will learn everything you need to know about using 128-bit SSL to
encrypt your e-commerce transactions for serious online security.
Click here! http://www.verisign.com/cgi-bin/go.cgi?a=n046642310008000
THE REST OF THE WEEK'S NEWS
9 & 11 August 2001 Wireless LAN VulnerabilityResearchers from Rice University and AT&T Laboratories have published a paper describing an attack on a 128-bit WEP RC4 encryption algorithm used to protect 802.11 wireless LANs; a different group published a paper describing the attack technique the week before. The exploit is apparently easy to initiate, and allows attackers to listen to network traffic passively.
[Editor's (Murray) Note: WEP was only ever intended to take you off the soft target list; it does that. Since most users have not even turned WEP on, it may even get you off the target of opportunity list. For sensitive applications use end-to-end encryption, e.g., SSL or VPN. ]
9 August 2001 Former Employee Sentenced for Malicious IntrusionA man who broke into his former employer's web site, posted derogatory comments, deleted files, and redirected some users to an offensive site has received a 6 month prison sentence and has been ordered to pay the company $38,000 in restitution.
9 August 2001 Judges Don't Like to be Monitored On LineSome judges on the west coast are upset that their Internet activity is being monitored by a federal agency; they even went so far as to disable the monitoring system for a week. While the Electronic Communications Privacy Act of 1986 allows such oversight, one judge maintains the monitoring violates the federal wiretap statute.
9 August 2001 Code Red Cleanup ToolMicrosoft has released a tool called Code Red Cleanup which gets rid of malicious files and "mappings" deposited by Code Red, reboots the system, and offers the option of permanently disabling IIS software. The tool does not install the patch that protects machines from becoming infected, nor does it address any other malicious code that may have crept in courtesy of the backdoor installed by Code Red II.
[Editor's (Schultz) Note: It's great that Microsoft has released a cleanup tool for Code Red, but the real underlying problem to be solved is the fundamental security weaknesses in the IIS Web server. Patching IIS over and over again and cleaning up compromised Web servers is tedious, resource-intensive, and (in many respects) futile. What the public needs is a Web server that is reasonably secure right after a default installation. Until Microsoft and other vendors supply the public with Web servers of this nature, we'll continue to be plagued not only with worms such as PoisonBOx and Code Red, but also a plethora of Web defacements. ]
9 August 2001 Patch Doesn't Stop ScanningWhile a Microsoft patch can prevent machines from becoming infected with the Code Red worms, it cannot stop port scanning attacks from other infected servers.
9 August 2001 AT&T Blocks Access to Customers' ServersAT&T has blocked incoming traffic to web servers running behind cable modems in an effort to thwart the Code Red worm.
[Editor' (Murray) Note: While this should not be too disruptive, it is a shame that the vandals have so contaminated the network that we are forced to reduce function broadly to defend ourselves. When it comes to this, they have won. ]
5 August 2001 Code Red a Portent of Worms to ComeCode Red combined a self-propagating worm with automated denial of service attack tools. Experts predict that worms will become more virulent. The article also provides a brief history of worms.
9 August 2001 Searching for Worm AuthorsWhile the authors of the Code Red and SirCam worms remain unknown, the FBI's National Infrastructure Protection Center (NIPC) is set on finding them and is confident that its efforts will prove successful. NIPC relies on help from people who are familiar with the cyber underground to track down worms' origins.
9 August 2001 Code Red HypeThe Register observes that the attention the media paid to Red Code overshadowed both the SirCam worm and the Baltimore tunnel fire. The overwhelming publicity storm accorded the Code Red worm raises a number of questions about motives of publicity seekers.
[Editor's (Murray) Note: Plenty of shame to go around but let's reserve blame for the authors who are the ones that really deserve it. ]
8 August 2001 ColdFusion Server Software VulnerabilityColdFusion server software users are being warned to remove example applications from their servers because attackers could manipulate them to gain control of machines. The vulnerability is found in ColdFusion Server releases 4 and lower and applies to a variety of operating systems, including Windows, Linux, and Solaris. The sample applications are not default installations.
[Editor's (Murray) Note: ColdFusion is not the only vendor that has been guilty of including gratuitous functionality. While removing theirs is necessary, it is not sufficient. We must remove all gratuitous functionality from systems attached to the public net. This includes shells and command processors. (Grefer) Note: Sample applications of other applications and servers, including IIS, pose similar risks. ]
8 August 2001 Was DCMA Used Appropriately in Sklyarov's Case?The author believes Dmitry Sklyarov should be allowed to go home, and wonders if he is being "detained" for writing software that defeats copy protection, or merely for talking about it. He maintains that the Digital Millennium Copyright Act (DMCA) was applied unnecessarily in Sklyarov's case and is concerned that it could be used to go after "white hat" hackers.
7, 8 & 9 August 2001 DoJ Must Reveal Keystroke Gathering MethodsA federal judge has ordered the Department of Justice (DoJ) to reveal details about the technology agents used to collect keystrokes on a computer belonging to an alleged crime family member. The FBI used the technology to obtain a key for an encrypted file. While the defense hopes to have the legality of the technique called into question and the evidence suppressed, the Government maintains that revealing the technique would be hazardous to national security.
7 & 8 August 2001 Peachy PDF WormPeachy, a proof-of-concept Visual Basic Script (VBS) worm, is apparently the first worm to spread through a PDF attachment; infected machines will send itself out via Outlook. The worm requires Adobe Acrobat to spread; users who have only Acrobat reader are not at risk because reader does not recognize attachments.
6 August 2001 FedCIRC Aims for Automated Patch Distribution SystemFederal officials are planning an automated vulnerability repair process for Government computer systems. Agencies would give the Federal Computer Incident Response Center (FedCIRC) profiles of the applications and operating systems on their networks; in return, they would receive the necessary patches as they become available.
[Editor's (Murray) Note: I think that such methods have the potential to destabilize target systems and to be maliciously exploited. However, I am impressed by the fact that AOL has been updating its client on the systems of its huge customer base for years without attracting much attention or resistance. ]
6 August 2001 Security Manager's Journal: Former Dot-Com Employees Aid SecurityThe security manager describes how his company is benefiting from the expertise of dot-com refugees who are accustomed to dealing with security issues on a daily basis.
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail firstname.lastname@example.org with the subject: Subscribe NewsBites
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt,
Alan Paller, Marcus Ranum, Howard Schmidt, Eugene Schultz