iPad Air 2, Samsung Galaxy Tab A, or $350 Off with SANS Online Training Right Now!

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #18

May 01, 2002


Last chance this spring for security training in Washington DC area:
next week. http://www.sans.org/CapitolHill

TOP OF THE NEWS

24-29 April 2002 Klez Continues to Spread
26 April 2002 Hotmail Cookie Vulnerability
23 April 2002 Scam Artists Use Brute Force to Find Valid Credit Cards
22 April 2002 IM Users Tricked Into Downloading DDoS Software

THE REST OF THE WEEK'S NEWS

29 April 2002 XP Automatic Updating Feature Generates Complaints
29 April 2002 Vivendi Plans Hacking Suit Over Questionable Online Voting
29 April 2002 GAO Undercover Agents Gain Access to Federal Buildings
26 April 2002 Outlook E-mail Editing Vulnerability
29 April 2002 Outlook E-Mail Editing Patch May Not Fix the Whole Problem
26 April 2002 Belgian ISP Sends Out Infected CD
26 April 2002 Hybrid Attacks Gaining Popularity
26 April 2002 Military Academy Cyber Defense Exercise
26 April 2002 Chilean Computer Thieves Caused Traffic Chaos
26 April 2002 Chernobyl Probably Won't Cut a Wide Swath This Year
26 April 2002 FBI to Establish Three New Regional Cyber Forensic Labs
25, 26 & 29 April 2002 CIA Report Describes China Cyber Attack Threat
25 April 2002 File-Sharing Companies Taste the Bitter Brew of Irony
24 April 2002 PKI Vendors Agree to Interoperability
24 April 2002 Finjan Points Out MBSA Flaw
24 April 2002 Microsoft Pulls Office Tools Because of Security Flaws
23 & 24 April 2002 IE6 Privacy Features Have Security Holes
23 April 2002 Moscow ATM Crackers Sentenced
23 April 2002 Kagra Virus
22 April 2002 IT Security Resource List
22 April 2002 Industry Group Concerned That NIST Could Mandate Product Features
22 April 2002 Windows Update Not Reliable, Say Consumers
22 April 2002 Taiwan to Hold Cyber Security Drill


********************** Sponsored by Cisco Systems *********************
One Flexible, Modular and Cost-Effective Way to Make your Network SAFE
Today's sophisticated networks need more than just a "Firewall here,
intrusion detection system there" approach. They need an ironclad
network security solution that will protect their network against
malicious activity. That's why Cisco Systems has created the SAFE
Blueprint, which empowers businesses with best practices and robust
solutions to effectively secure their networks.
For more information, visit http://www.cisco.com/go/safe
***********************************************************************

TOP OF THE NEWS

24 - 29 April 2002 Klez Continues to Spread

The latest versions of Klez have infected more than 7% of PCs around the world, moving past totals accrued by SirCam and Nimda. Variants of the Klez virus continue to spread with such rapidity that some suspect the virus's spread is hastened with the use of "seeding," though there is no evidence to support this. Klez uses a variety of subject lines and can spoof senders' e-mail addresses, making it harder for people to look out for the usual signs of virus-laden e-mails. Klez uses its own SMTP server to mail itself out to e-mail addresses found on infected computers' hard drives. Corporate users are less likely to become infected because they are more vigilant than home users about updating their anti-virus signatures. Klez severely disrupted Internet service in Zimbabwe, disabling mail servers and forcing some ISPs to go off-line to clean up the virus residue. More than 75% of the country's businesses and private citizens were cut off from Internet access. The Czech Republic is reportedly the hardest hit of all European countries.
-http://news.com.com/2100-1001-894706.html
-http://news.com.com/2100-1001-891030.html
-http://www.computerworld.com/storyba/0,4125,NAV47_STO70574,00.html
-http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=7962
-http://www.europemedia.net/shownews.asp?Articleclass=10300
[Editor's (Schultz) Note: Klez's success is, lamentably, not only in the number of computers it has infected. The fact that it spoofs sender identities has created a massive amount of confusion within the user community. ]

26 April 2002 Hotmail Cookie Vulnerability

Because cookies are used for Hotmail account authentication, if crackers get hold of two specific cookies -- which are stored unencrypted in a fixed location -- they can always access the account, even after a password change. Hotmail users are advised not to use the "keep me signed in" option.
-http://www.wired.com/news/technology/0,1282,52115,00.html
[Editor's (Murray) Note: This is the second time that Hotmail has been shown to store privileged state in the clear. It now appears that instead of fixing it the first time, they simply moved it from the URL to the cookie. I always wondered how they had managed to fix it in only 12 hours; now I know. ]

23 April 2002 Scam Artists Use Brute Force to Find Valid Credit Cards

Several groups of credit card scam artists are using brute force to run credit card numbers through Authorize.Net, "a payment gateway system" that requires no password, only a login name. Every transaction is charged a fee, regardless of the credit card number's validity.
-http://www.msnbc.com/news/742677.asp?0dm=C1AMT

22 April 2002 IM Users Tricked Into Downloading DDoS Software

Many IRC and IM users have been tricked into downloading malicious software onto their computers which could then be used to launch a distributed denial of service (DDoS) attack. The users are tricked into downloading the malware. Hackers send messages telling victims that their systems are infected (not true), and instructing the victim to go to a certain website and download the software or risk being banned from the IM system. When the user executes the downloaded software, their systems become infected.
-http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=7929


************************* Sponsored Links ****************************
(1) Plug that perimeter security gap - FREE full-function PestPatrol
evaluation software
http://www.sans.org/cgi-bin/sanspromo/NB31
(2) ALERT! Hackers gain access to backend data via web
applications. FREE WHITE PAPER:
http://www.sans.org/cgi-bin/sanspromo/NB32
**********************************************************************

THE REST OF THE WEEK'S NEWS

29 April 2002 XP Automatic Updating Feature Generates Complaints

Windows XP users get pop up screens informing them of new updates available for their systems. Users have complained that some patches are making their systems unstable.
-http://www.wired.com/news/technology/0,1282,52108,00.html
[Editor's (Murray) Note: One fundamental property of "patch and fix" is that the solution becomes the problem. That said, AOL manages to update their very intrusive client without generating complaints.)

29 April 2002 Vivendi Plans Hacking Suit Over Questionable Online Voting

Vivendi Chief Executive Jean-Marie Messier says hackers sabotaged on line voting during the media company's recent shareholders' meeting; votes cast by certain shareholders did not correlate with records. Some think the allegations are dubious. The board plans to call a new shareholders' meeting for June.
-http://story.news.yahoo.com/news?tmpl=story&cid=528&ncid=528&e=1&
;u=/ap/20020429/ap_on_hi_te/vivendi_voting_2

-http://www.wired.com/news/business/0,1367,52162,00.html
-http://europe.cnn.com/2002/BUSINESS/04/29/vivendi.hacker/index.html

29 April 2002 GAO Undercover Agents Gain Access to Federal Buildings

Undercover investigators from the General Accounting Office (GAO) were able to gain access to and move freely about through four federal buildings in Atlanta. They were also able to obtain building passes and after hours access codes, and made copies of the credentials on computers.
-http://www.msnbc.com/news/745303.asp

26 April 2002 Outlook E-mail Editing Vulnerability

When Outlook users view their e-mail, scripts often cannot run because the IE security is set to block them. However, if they use MS Word as their e-mail editor, the documents are called in unprotected mode, allowing HTML e-mail messages to execute scripts. Microsoft has released a patch for the vulnerability.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO70570,00.html
-http://www.theregister.co.uk/content/55/25033.html
-http://www.microsoft.com/technet/security/bulletin/ms02-021.asp

29 April 2002 Outlook E-Mail Editing Patch May Not Fix the Whole Problem

Microsoft's recently release patch for the Outlook/Word e-mail flaw is only partially effective, according to Georgi Guninski. The exploit path through Excel remains vulnerable.
-http://www.theregister.co.uk/content/55/25064.html
Guninski's description:
-http://www.guninski.com/m$oxp-2.html

26 April 2002 Belgian ISP Sends Out Infected CD

Belgian ISP Skynet sent some of its customers a CD infected with W95.Hybris.gen.
-http://www.europemedia.net/shownews.asp?Articleclass=10308

26 April 2002 26 April 2002 Hybrid Attacks Gaining Popularity

Hybrid attacks, like Code Red and Nimda, have overtaken denial of service (DoS) attacks as the most prevalent security threat, according to Internet Security Systems' X-Force unit's Internet Risk Impact Summary. The group also expressed concern about the PHP and SNMP vulnerabilities.
-http://www.vnunet.com/News/1131294

26 April 2002 Military Academy Cyber Defense Exercise

Military academy students participated in a cyber defense exercise. Six groups of students were pitted against professional military teams comprised of National Security Agency (NSA) employees and soldiers from the U.S. Air Force's 92nd Information Warfare Aggressor Squadron and the Army's Land Information Warfare Activity. For some students, this competition inspired a passion for hands on cyber security.
-http://zdnet.com.com/2100-1105-893418.html

26 April 2002 Chilean Computer Thieves Caused Traffic Chaos

Thieves stole 15 PCs and 2 servers from a roadway traffic control center in Santiago de Chile, throwing traffic signals out of synchronization and causing traffic turmoil.
-http://www.wired.com/news/business/0,1367,52114,00.html

26 April 2002 Chernobyl Probably Won't Cut a Wide Swath This Year

The Chernobyl virus, set to launch its payload on April 26, is viewed as a minor threat because anti-virus signatures would have to be significantly outdated not to detect it. If launched, the virus can cause a great deal of damage, overwriting hard drives. Chernobyl affects only Windows 95, 98 and ME.
-http://www.newsbytes.com/news/02/176177.html

26 April 2002 FBI to Establish Three New Regional Cyber Forensic Labs

The FBI plans to set up three new cyber forensics laboratories in Kansas City, Chicago and San Francisco; the FBI has already established labs in Dallas and San Diego. Half of all cases the FBI opens now involve computers.
-http://www.siliconvalley.com/mld/siliconvalley/news/editorial/3145543.htm

25, 26 & 29 April 2002 CIA Report Describes China Cyber Attack Threat

According to a CIA report, the Chinese military wants to sabotage US computer systems. Though it is believed they do not presently have that capability, independent hackers, possibly students, may increase cyber harassment through viruses, defacements and DoS attacks on the anniversary of the collision between a U.S. spy plane and a Chinese plane.
-http://www.msnbc.com/news/743518.asp?0dm=T22AT
-http://www.latimes.com/news/nationworld/world/la-042502china.story
-http://www.washingtonpost.com/wp-dyn/articles/A50900-2002Apr25.html
-http://www.fcw.com/fcw/articles/2002/0429/news-hack-04-29-02.asp
[Editor's Murray ]
Note: Most nation states develop both offensive and defensive capabilities that they hope never to use. They do not require "sophistication." In any case, whatever US intelligence or reporters may think, while China may be poor, relative to the West and per capita, they are not primitives. The Chinese are sophisticated; we disparage or under-estimate them at our peril. ]

25 April 2002 File-Sharing Companies Taste the Bitter Brew of Irony

A programmer going by the name of Dr. Damn has been releasing file-sharing software stripped of bundled adware and spyware. The companies that developed this software have been the target of complaints from the film and recording industries for contributing to the theft of intellectual property. Now they are crying foul.
-http://news.com.com/2100-1023-891724.html

24 April 2002 PKI Vendors Agree to Interoperability

The British government has convinced public key infrastructure (PKI) vendors to make their products interoperable, which will increase the likelihood that more businesses will adopt the technology.
-http://www.silicon.com/public/door?6004REQEVENT=&REQINT1=52901&REQSTR1
[Editor's (Schultz) Note: This development is a huge step forward; lack of PKI product interoperability is one of the major reasons that PKIs have not been more widely deployed. But it may be too little, too late for PKI. ]

24 April 2002 Finjan Points Out MBSA Flaw

Finjan has issued an alert describing a security vulnerability in Microsoft Baseline Security Analyzer. While the tool offers a good service, it generates a report in plaintext that can be misused by crackers to exploit the vulnerabilities listed.
-http://www.finjan.com/mcrc/alert_show.cfm?attack_release_id=71

24 April 2002 Microsoft Pulls Office Tools Because of Security Flaws

Microsoft has removed the latest version of Office Web Components (OWC) from its site because a security consultancy has reported that the tools could allow malicious e-mails or website to read local files and run scripts even when scripting has been disabled. Until a patch is available, users can disable ActiveX or uninstall OWC.
-http://www.newsbytes.com/news/02/176138.html

23 & 24 April 2002 IE6 Privacy Features Have Security Holes

Thor Larholm has enumerated security flaws in IE6 privacy features. Crackers could exploit the vulnerabilities to launch programs already on a computer's hard drive, send messages to people on MSN Messenger contact lists and steal cookies.
-http://www.newsbytes.com/news/02/176077.html
-http://www.theregister.co.uk/content/55/24997.html

23 April 2002 Moscow ATM Crackers Sentenced

Two ringleaders of a Moscow hacking group that used ATMs to steal nearly $1 million from bank accounts have been sentenced to five years in prison. A third man, who cooperated with the authorities during the investigation, received a 3-year sentence and was then freed under an amnesty law; three others received three-year suspended sentences.
-http://story.news.yahoo.com/news?tmpl=story&cid=562&562&e=14&u=/
ap/20020423/ap_on_hi_te/russia_atm_fraud_3

[Editor's (Murray) Note: This demonstrates the risk of dealing with unknown and unauthenticated clients. It also demonstrates the necessity of slowing responses to repeated failed queries. At some level the credit card companies understand these attacks; the SET protocols respond to them. Like most such exposures, they seem to accept the risk until someone starts to exploit them. Shame. ]

23 April 2002 Kagra Virus

Kagra, a malicious VBS virus, preys on people's prurient interests, delivering a nasty payload instead of the promised pictures. The mass-mailer worm displays a message on May 12 noting that the machine has been hacked and deletes the Windows or WinNT folder on May 13.
-http://www.vnunet.com/News/1131174

22 April 2002 IT Security Resource List

The Washington Post has compiled a list of IT security resources for those who want to know more about cyber security.
-http://www.washingtonpost.com/wp-dyn/articles/A29557-2002Apr22.html

22 April 2002 Industry Group Concerned That NIST Could Mandate Product Features

Pending legislation would significantly increase funding for the National Institute of Standards and Technology's (NIST) Computer Security Division. Industry trade groups and network security vendors are concerned that NIST could mandate product standards that would slow production and increase expense.
-http://www.nwfusion.com/news/2002/0422nist.html
[Editor's (Paller) Note: When you see a reference to an "industry trade group" saying an agency should not mandate standards, you might find it useful to remember that the auto manufacturers' industry trade group spoke out against seat belts for decades using many of the same arguments. A better translation of their comments in this article would have been "our marketing people think this may cost us money so we'll claim it will hurt consumers to try to persuade Congress to kill it."

22 April 2002 Windows Update Not Reliable, Say Consumers

Consumers are complaining that Windows Update is unreliable: it sometimes says systems are adequately patched when they are not, it doesn't report failed patch installations, and it doesn't always display the most current patches.
-http://www.computerworld.com/cwi/community/story/0,3201,NAV65-663_STO70382,00.ht
ml

22 April 2002 Taiwan to Hold Cyber Security Drill

Taiwan will hold a drill in June along with its annual air-raid defense review. The government hopes to better understand the ways hackers could break into and disrupt computer networks. There is concern that China may launch a cyber attack against Taiwan as a prelude to an invasion.
-http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=7925


==end==
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites


Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Eugene Schultz