SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #19

May 08, 2002


The SANS annual security salary survey was launched yesterday with a new
question on career tracks for security professionals. More than 7,000
people participated last time. To get a copy of the results, fill out
the questionnaire before May 20. http://www.sans.org/salary2002.htm

The Center for Internet Security released five new security benchmarks
and tools this week:


1. An updated Level-I Benchmark for Windows 2000 (v1.1.7)
2. A new Level-II Benchmark for Windows 2000 Professional (v1.0.4)
3. A new Level-I Benchmark for Windows NT (v1.0.3)
4. An updated Windows NT/2000 Scoring Tool (v2.4.0) to evaluate your host systems relative to these benchmarks
5. An updated Implementation Guide with instructions for using the new Scoring Tool


Download them free from http://www.cisecurity.org

The early registration deadline for SANSFire - SANS' big summer training
conference in Boston - is next Wednesday, May 15.

TOP OF THE NEWS

4 May 2002 Port 1433 is Being Scanned
3 May 2002 Ashcroft Wants Harsher Penalties for Identity Thieves
1 & 2 May 2002 Legislation Would Put Biometrics on Drivers' Licenses
1, 2 & 3 May 2002 Best Buy Shuts Off Wireless Registers Over Security Concerns

THE REST OF THE WEEK'S NEWS

6 May 2002 Code Red is Still Out There
6 May 2002 AIM Hole is Much Like Earlier One
4 May 2002 Cute.exe Trojan Horse
3 May 2002 Kournikova Author Appeals Sentence
3 May 2002 Vivendi May Proceed with Independent Investigation into Vote Hacking Allegation
3 May 2002 Macromedia Flash ActiveX Vulnerability
3 May 2002 Reverse Engineering Competition
3 May 2002 Mobile Phone Hacking Penalty Could be Prison
2 & 3 May 2002 Member of Software Piracy Group Receives Prison Sentence
2 & 3 May 2002 Solaris Vulnerability
2 May 2002 Interior Security Still Problematic
2 & 6 May 2002 Klez Takes on New Passengers
29 April 2002 Klez Hits New York Times
2 May 2002 Two Guilty of Attempt to Buy Encryption Devices
2 May 2002 RSA Says 1024-bit Encryption is Still Secure
1, 2 & 3 May 2002 Melissa Author Sentenced
30 April & 1 May 2002 File-Reading Vulnerability in Netscape and Mozilla
1 May 2002 NASA Hacker Pleads Guilty
30 April & 1 May 2002 WinAmp Vulnerability
29 April & 2 & 6 May 2002 Deceptive Duo Continue Their Defacement Crusade
29 April 2002 Nimda Downs Hitachi Site
22 April 2002 Extremetech/Syscheck Information Site


************************ Sponsored by NetIQ **************************
FREE Security eBook from NetIQ!!
Need solid advice on securing Microsoft Windows .NET Server? Register
now for "The Tips and Tricks Guide to Securing .NET Server." You'll
gain real-world information on securely managing .NET.
Register for the FREE eBook now!
http://www.netiq.com/offers/securityebook/register.asp?origin=sans508
**********************************************************************

TOP OF THE NEWS

4 May 2002 Port 1433 is Being Scanned

SANS has received a number of reports of widespread scanning of TCP port 1433, the port used by Microsoft SQL Server. So far, no link between the scanning and any particular exploit has been established.
-http://www.incidents.org/diary/diary.php?id=152
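The practical check a site wants for a report like this is whether one source is sweeping many of its hosts on 1433, as opposed to a single client connecting to one database. The following is an added example, not code from incidents.org or from this newsletter: it reads iptables-style DROP records (the SRC=/DST=/DPT= field names and the log lines themselves are constructed for the example), counts the distinct destination hosts each source probed on the port, and flags sources that crossed a threshold.

```c
#include <stdio.h>
#include <string.h>

#define IPLEN   16   /* dotted-quad IPv4 plus NUL */
#define MAX_SRC 32   /* distinct sources tracked */
#define MAX_DST 32   /* distinct targets tracked per source */

struct src_stat {
    char src[IPLEN];
    char dst[MAX_DST][IPLEN];
    int  ndst;
};

/* Copy the value following "KEY=" (up to whitespace) into out; 0 if absent or too long. */
static int extract_field(const char *line, const char *key, char *out, size_t outlen)
{
    const char *p = strstr(line, key);
    if (p == NULL)
        return 0;
    p += strlen(key);
    size_t n = strcspn(p, " \t\r\n");
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

static struct src_stat *find_or_add(struct src_stat *tab, int *ntab, const char *src)
{
    for (int i = 0; i < *ntab; i++)
        if (strcmp(tab[i].src, src) == 0)
            return &tab[i];
    if (*ntab >= MAX_SRC)
        return NULL;                     /* table full: drop the record, never overflow */
    struct src_stat *e = &tab[(*ntab)++];
    memset(e, 0, sizeof *e);
    snprintf(e->src, IPLEN, "%s", src);
    return e;
}

static void add_distinct_dst(struct src_stat *e, const char *dst)
{
    for (int i = 0; i < e->ndst; i++)
        if (strcmp(e->dst[i], dst) == 0)
            return;                      /* repeat to the same host: a sweep counts hosts, not packets */
    if (e->ndst < MAX_DST)
        snprintf(e->dst[e->ndst++], IPLEN, "%s", dst);
}

/* Flag every SRC that probed >= threshold distinct DST hosts on port dport.
 * Returns the number of flagged sources written to flagged[] (at most maxflag). */
int find_sweepers(const char *const *lines, int nlines, const char *dport,
                  int threshold, char flagged[][IPLEN], int maxflag)
{
    struct src_stat tab[MAX_SRC];
    int ntab = 0;
    char src[IPLEN], dst[IPLEN], port[8];

    for (int i = 0; i < nlines; i++) {
        if (!extract_field(lines[i], "DPT=", port, sizeof port) || strcmp(port, dport) != 0)
            continue;                    /* other ports are not part of this sweep */
        if (!extract_field(lines[i], "SRC=", src, sizeof src) ||
            !extract_field(lines[i], "DST=", dst, sizeof dst))
            continue;
        struct src_stat *e = find_or_add(tab, &ntab, src);
        if (e != NULL)
            add_distinct_dst(e, dst);
    }

    int nflag = 0;
    for (int i = 0; i < ntab && nflag < maxflag; i++)
        if (tab[i].ndst >= threshold)
            snprintf(flagged[nflag++], IPLEN, "%s", tab[i].src);
    return nflag;
}

/* Constructed sample records (not real incidents.org data): one sweeper, two ordinary clients. */
static const char *const SAMPLE_LOG[] = {
    "May  4 02:11:07 fw kernel: IN=eth0 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP DPT=1433 SYN",
    "May  4 02:11:07 fw kernel: IN=eth0 SRC=192.0.2.10 DST=10.0.0.6 PROTO=TCP DPT=1433 SYN",
    "May  4 02:11:08 fw kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=1433 SYN",
    "May  4 02:11:08 fw kernel: IN=eth0 SRC=192.0.2.10 DST=10.0.0.7 PROTO=TCP DPT=1433 SYN",
    "May  4 02:11:08 fw kernel: IN=eth0 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP DPT=1433 SYN",
    "May  4 02:11:09 fw kernel: IN=eth0 SRC=203.0.113.4 DST=10.0.0.5 PROTO=TCP DPT=1433 SYN",
    "May  4 02:11:09 fw kernel: IN=eth0 SRC=203.0.113.4 DST=10.0.0.5 PROTO=TCP DPT=1433 SYN",
    "May  4 02:11:10 fw kernel: IN=eth0 SRC=192.0.2.10 DST=10.0.0.9 PROTO=TCP DPT=80 SYN",
    "May  4 02:11:10 fw kernel: IN=eth0 SRC=192.0.2.10 DST=10.0.0.8 PROTO=TCP DPT=1433 SYN",
};
#define SAMPLE_LOG_LEN ((int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]))

int demo_sweeper_count(void)
{
    char flagged[8][IPLEN];
    return find_sweepers(SAMPLE_LOG, SAMPLE_LOG_LEN, "1433", 3, flagged, 8);
}

const char *demo_first_sweeper(void)
{
    static char flagged[8][IPLEN];
    int n = find_sweepers(SAMPLE_LOG, SAMPLE_LOG_LEN, "1433", 3, flagged, 8);
    return n > 0 ? flagged[0] : "";
}

int main(void)
{
    char flagged[8][IPLEN];
    int n = find_sweepers(SAMPLE_LOG, SAMPLE_LOG_LEN, "1433", 3, flagged, 8);
    printf("%d source(s) swept >= 3 hosts on 1433\n", n);
    for (int i = 0; i < n; i++)
        printf("  %s\n", flagged[i]);
    return 0;
}
```

On the sample, only 192.0.2.10 is flagged: it touched four distinct hosts on 1433 (the repeat to 10.0.0.5 and the port 80 probe are not counted), while 198.51.100.7 and 203.0.113.4 each reached a single host and look like normal clients. The threshold is the tunable; on a real perimeter log it should sit well above the number of SQL servers a legitimate client talks to.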

3 May 2002 Ashcroft Wants Harsher Penalties for Identity Thieves

Attorney General John Ashcroft wants increased penalties for identity thieves. There are an estimated 500,000 - 700,000 cases of identity theft every year.
-http://www.washingtonpost.com/wp-dyn/articles/A24368-2002May2.html
[Editor's (Schultz) Note: I am glad to see some serious attention paid to the growing threat of identity theft. The problem is not only becoming more prevalent, but the consequences for victims are considerably more severe than people imagine. ]

1 & 2 May 2002 Legislation Would Put Biometrics on Drivers' Licenses

Recently introduced legislation would require all states to incorporate biometric identifiers into drivers' licenses within five years. The ACLU has charged that the licenses are basically national ID cards.
-http://www.govexec.com/dailyfed/0502/050102td1.htm
-http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,70721,00.html
-http://zdnet.com.com/2100-1105-897050.html
[Editor's (Murray) Note: Drivers' licenses already contain the most powerful and general purpose biometric reference of all, the photographic image. In the short run, it requires human reconciliation. Within the time contemplated by this proposal it will be possible to routinely and automatically do such reconciliation. ]

1, 2 & 3 May 2002 Best Buy Shuts Off Wireless Registers Over Security Concerns

Best Buy shut off its wireless cash registers last week after it became aware that attackers sitting in the parking lot could intercept the data the registers transmit, including credit card information. Other stores whose registers transmit without encryption include Wal-Mart and Petsmart.
-http://www.msnbc.com/news/746380.asp?0dm=T22CT
-http://www.silicon.com/public/door?6004REQEVENT=&REQINT1=53089&REQSTR1=silicon.com
-http://news.com.com/2100-1017-898710.html
[Editor's (Ranum) Sarcastic Note: And a big thanks to the media for suggesting where all the war drivers should go hunting for game. ]


************************* Sponsored Links ****************************
(1) WARNING! Your network security is not effective if it's not
available! FREE WHITE PAPER. http://www.resilience.com/newsbites1.html
(2) Recourse ManTrap (r) 3.0 makes honeypots deceptively easy to
manage. Free report: http://www.sans.org/cgi-bin/sanspromo/NB33
**********************************************************************

THE REST OF THE WEEK'S NEWS

6 May 2002 Code Red is Still Out There

Code Red version 2 is still worming its way across the Internet; more than 18,000 systems are apparently infected. Compromised machines could be used to launch a distributed denial of service (DDoS) attack.
-http://zdnet.com.com/2100-1105-899489.html

6 May 2002 AIM Hole is Much Like Earlier One

A security hole in AOL Instant Messenger (AIM) which had purportedly been fixed can still be exploited in a new way. When notified of the problem, AOL Time Warner addressed it right away, applying filters on its own servers so the fix took effect immediately without a client update. The person who found the flaw says the company addresses each specific vulnerability but neglects the underlying security problems that enabled it in the first place.
-http://zdnet.com.com/2100-1105-899485.html

4 May 2002 Cute.exe Trojan Horse

The cute.exe Trojan horse program uses social engineering to spread through e-mail. It modifies system startup files so that it runs again when the infected machine is rebooted. It also connects to a specific channel on an IRC server, through which it can report information about the infected computer and be commanded to launch denial of service (DoS) attacks.
-http://www.incidents.org/diary/diary.php?id=151
[Editor's (Murray) Note: That an attacker can always find some people to execute a program is the most fundamental vulnerability of all; it is not necessary to find a flaw. We must have controls in the network that we can use to resist attacks that exploit fundamental vulnerabilities. ]

3 May 2002 Kournikova Author Appeals Sentence

The author of the Kournikova virus is appealing the verdict in his case; he received a sentence of 150 hours of community service.
-http://www.computerworld.com/securitytopics/security/story/0,10801,70752,00.html
[Editor's (Murray) Note: If being "clueless" becomes a defense for overt acts, then the law is mocked. ]

3 May 2002 Vivendi May Proceed with Independent Investigation into Vote Hacking Allegation

A Paris court will allow Vivendi to conduct an independent investigation into the wireless voting system used to tally shareholder votes. The equipment has been under seal since the alleged vote tampering.
-http://www.vnunet.com/News/1131506

3 May 2002 Macromedia Flash ActiveX Vulnerability

A buffer overflow vulnerability in a Macromedia Flash ActiveX component called Flash.ocx could allow malicious code to execute on vulnerable computers. The flaw affects Flash player version 6, revision 23; earlier versions may be vulnerable as well. Macromedia has released a new version of the Flash player (version 6, revision 29).
-http://zdnet.com.com/2100-1105-898517.html
-http://www.computerworld.com/securitytopics/security/story/0,10801,70751,00.html

3 May 2002 Reverse Engineering Competition

The Honeynet Project's Reverse Challenge offers programmers the chance to reverse engineer a piece of malicious code. They will try to discover what the code does, how it can be stopped, and who wrote it.
-http://www.newscientist.com/news/news.jsp?id=ns99992250

3 May 2002 Mobile Phone Hacking Penalty Could be Prison

Altering a GSM mobile phone's identity, also known as "chipping," is not difficult; chipping software is readily available on the Internet. The phone's International Mobile Equipment Identity (IMEI) number identifies the handset to the network and is what operators use to bar stolen phones, so reprogramming it puts a stolen phone back into service. Proposed legislation in the UK would make the sale of chipping kits illegal and provide a five-year prison sentence for those guilty of reprogramming a phone.
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_1966000/1966381.stm
-http://www.vnunet.com/News/1131474

2 & 3 May 2002 Member of Software Piracy Group Receives Prison Sentence

Barry Erickson, a former Symantec software engineer, was sentenced to nearly three years in prison for providing copy protection removal technology to a software piracy group known as DrinkOrDie. As part of his plea, Erickson agreed that his actions caused damages of $2.5 to $5 million. Following his prison sentence, Erickson will serve two years of supervised release.

2 & 3 May 2002 Solaris Vulnerability

According to a CERT advisory, a format string vulnerability in the rwall daemon (rwalld) in Sun Solaris versions 2.5.1, 2.6, 7 and 8 could allow a remote attacker to execute arbitrary code with the privileges of the daemon, typically root. Sun is working on a patch for the problem.
-http://www.computerworld.com/news/2002/story/0,11280,70717,00.html
-http://www.cert.org/advisories/CA-2002-10.html
-http://www.theregister.co.uk/content/55/25153.html
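Format string bugs are a class rather than a one-off, and the fix is mechanical once the pattern is recognized. The following is an added example and is not Sun's rwalld source: a hypothetical broadcast routine that passes a client-supplied message as the format argument, beside the hardened form that passes it as a "%s" argument, plus a boundary check that counts directives so a daemon can reject a message that has no business carrying any. The attack string is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define WALL_MAX 256

/* VULNERABLE (hypothetical, mirrors the bug class in CA-2002-10): the message
 * from an unauthenticated remote client is used AS the format string, so "%x"
 * in it reads words off the stack and "%n" writes to memory, with the daemon's
 * privileges. The pragmas silence the very warning (-Wformat-security) that
 * would have flagged this at build time; they are here only so the vulnerable
 * form compiles for comparison. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int wall_format_vulnerable(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, msg);
}
#pragma GCC diagnostic pop

/* HARDENED: constant format, message passed as data. A "%n" in msg is now
 * copied into the output as two literal characters and interprets nothing. */
int wall_format_safe(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/* Defense in depth at the trust boundary: count format directives so the
 * caller can refuse the message outright. "%%" is a literal percent. */
int count_format_directives(const char *msg)
{
    int n = 0;
    for (const char *p = msg; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%')
            p++;                 /* skip the escaped pair */
        else
            n++;
    }
    return n;
}

/* Constructed attacker message: three stack reads followed by a %n write. */
static const char *const ATTACK_MSG = "rwall: %08x.%08x.%08x.%n";

/* Runs the hardened routine on the attack message; the output is byte-for-byte
 * the input, which is the property the fix guarantees. */
const char *demo_safe_broadcast(void)
{
    static char buf[WALL_MAX];
    wall_format_safe(buf, sizeof buf, ATTACK_MSG);
    return buf;
}

int demo_directives_in_attack(void)
{
    return count_format_directives(ATTACK_MSG);   /* 4 */
}

int main(void)
{
    char buf[WALL_MAX];
    const char *benign = "System going down in 5 minutes";

    /* The vulnerable form is only ever called here with a '%'-free message:
     * feeding it ATTACK_MSG is undefined behaviour and, via %n, a memory write. */
    wall_format_vulnerable(buf, sizeof buf, benign);
    printf("vulnerable, benign input : %s\n", buf);
    printf("safe, attack input       : %s\n", demo_safe_broadcast());
    printf("directives in attack msg : %d\n", demo_directives_in_attack());
    return 0;
}
```

The audit for this class is cheap: build with -Wformat -Wformat-security (gcc and clang) and treat every "format not a string literal" warning on a printf/syslog/snprintf-family call as a finding until the argument is shown to be a compile-time constant. The counting check is a second line, not a substitute; the "%s" rewrite is the fix.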

2 May 2002 Interior Security Still Problematic

IBM found security problems at the Interior Department's Minerals Management Service (MMS), which receives mineral royalties for lands held in trust. The entire Interior Department was taken offline in December after failing an intrusion test that demonstrated Indian trust funds were at risk of tampering.
-http://www.fcw.com/fcw/articles/2002/0429/web-int-05-02-02.asp

2 & 6 May 2002 Klez Takes on New Passengers

Newer versions of the Klez worm have been found carrying older malware such as Elkern and, more recently, the Chernobyl virus. Chernobyl was not deliberately added to Klez; it has "piggybacked" as Klez has spread.
-http://www.vnunet.com/News/1131458
-http://news.com.com/2100-1001-900050.html

29 April 2002 Klez Hits New York Times

The New York Times is yet another victim of the Klez worm; 250 members of its TimesDigest service received infected e-mails. The company e-mailed its affected customers, advising them to delete any e-mails that do not look like the ones the Times normally sends.
-http://www.newsbytes.com/news/02/176220.html

2 May 2002 Two Guilty of Attempt to Buy Encryption Devices

Two men have been found guilty of trying to purchase military encryption devices with the intent of shipping them to China. A Customs Service special agent said the devices could have posed a threat to national security had they fallen into the wrong hands.
-http://www.washingtonpost.com/wp-dyn/articles/A18193-2002May1.html

2 May 2002 RSA Says 1024-bit Encryption is Still Secure

RSA disputes assertions that 1024-bit encryption is not secure. Though a Bugtraq mailing list discussion concluded that 1024-bit keys were "compromised," RSA maintains that the paper on which the discussion was based, Bernstein's proposed factoring architecture, is theoretical, and says 1024-bit keys remain secure.
-http://www.vnunet.com/News/1131452
[Editor's (Schultz) Note: It is amazing how speculation and conjecture can be interpreted as fact. Just because Bernstein thinks of an architecture that he thinks can break 1024-bit RSA encryption does not in any way mean that 1024-bit RSA encryption is any weaker than it was before. Where is the proof of concept? ]

1, 2 & 3 May 2002 Melissa Author Sentenced

David Smith, the author of the Melissa virus (April 1999), received a 20-month jail sentence, was ordered to pay a $5,000 fine and must stay away from computer networks and the Internet unless authorized by the court. The virus caused more than $80 million in damages. Smith must also complete 100 hours of community service. Smith also received a 10-year prison sentence on state charges, but under the terms of his plea agreement his state sentence cannot exceed his federal sentence. He will serve the sentences concurrently.
-http://www.computerworld.com/securitytopics/security/story/0,10801,70701,00.html
-http://news.bbc.co.uk/hi/english/world/americas/newsid_1963000/1963371.stm
-http://www.wired.com/news/politics/0,1283,52261-2,00.html
-http://zdnet.com.com/2100-1105-896504.html
-http://zdnet.com.com/2100-1105-898720.html

30 April & 1 May 2002 File-Reading Vulnerability in Netscape and Mozilla

Because XMLHttpRequest in Netscape and Mozilla does not adequately check security settings on certain data requests, an attacker could use it to read files from a targeted computer. The vulnerability affects Mozilla 0.9.7 through 0.9.9 and Netscape versions 6.1 and higher. The problem is related to a security hole in Internet Explorer that was patched in February. GreyMagic Security, the company that found the vulnerability, hoped to claim the $1,000 bounty offered by Netscape, but Netscape called the problem "trivial." GreyMagic says it may rethink its disclosure policies.
-http://www.theregister.co.uk/content/55/25075.html
-http://zdnet.com.com/2100-1104-896099.html
-http://www.theregister.co.uk/content/55/25079.html
-http://www.computerworld.com/securitytopics/security/story/0,10801,70700,00.html
-http://www.newsbytes.com/news/02/176261.html

1 May 2002 NASA Hacker Pleads Guilty

Ruben Candelario has pleaded guilty to accessing a NASA server; he was indicted a year ago. He faces maximum penalties of one year in prison and a $100,000 fine.
-http://www.gcn.com/vol1_no1/daily-updates/18544-1.html

30 April & 1 May 2002 WinAmp Vulnerability

A security hole in WinAmp could allow malicious code embedded in an MP3 file to execute on a user's computer. The newest version of WinAmp (2.80) is not vulnerable; older versions can be protected by disabling the software's minibrowser.
-http://news.com.com/2100-1023-895429.html
-http://www.newscientist.com/news/news.jsp?id=ns99992236

29 April & 2 & 6 May 2002 Deceptive Duo Continue Their Defacement Crusade

The list of web sites defaced by the Deceptive Duo continues to grow. The pair of hackers target government and corporate sites, posting screen shots of databases containing sensitive information taken from other sites they have broken into. They maintain their motive is to raise public awareness of computer security problems in the United States and plan to continue their activities. They have breached systems through SQL servers that still had default passwords and through NetBIOS brute-force attacks. The two say they cooperate with administrators who want help securing their systems.
-http://www.vnunet.com/News/1131344
-http://news.com.com/2100-1001-897952.html
-http://www.computerworld.com/securitytopics/security/story/0,10801,70728,00.html
-http://www.msnbc.com/news/748369.asp?0dm=C12JT
[Editor's (Schultz) Note: It is time to quit paying so much attention to people who engage in illegal actions allegedly for the cause of computer security-related good. The two in question appear to have accomplished little more than to promote themselves. Hopefully, the law enforcement community will investigate what has happened here. ]

29 April 2002 Nimda Downs Hitachi Site

A web server hosting a newly designed site for Hitachi's software security company was infected with the Nimda worm soon after the site came on line. The server's Internet Information Server (IIS) software was unpatched.
-http://www.newsbytes.com/news/02/176217.html

22 April 2002 Extremetech/Syscheck Information Site

This site serves as a "clearinghouse" for tools and information that can be used to check for security vulnerabilities. Categories include Browser Tests, Personal Firewall Tests, System Tests, Port Scanners, and Network Performance Tests.
-http://www.extremetech.com/print_article/0,3428,a=25755,00.asp


==end==
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites


Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Eugene Schultz