
Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #2

January 09, 2002


The National Infrastructure Protection Center just released an 84
page summary of all security vulnerabilities, viruses and Trojans
identified between December 12, 2000 and December 14, 2001. It is a
valuable check list that includes risk level, vendor, operating system,
software and reference to more detailed data in NIPC's CyberNotes.
http://www.nipc.gov/cybernotes/2001/cyberissue2001-26.pdf


Alan

TOP OF THE NEWS

8 January 2002 Virus Found in Macromedia Flash File
8 January 2002 National Research Council Report: US Firms at Risk
2, 3 & 4 January 2002 File Sharing Programs Contain Trojan
2 January 2002 ZaCker Worm
2 January 2002 IT Insurance Policies Exclude On Line Assets, Acts of Terrorism

THE REST OF THE WEEK'S NEWS

4 January 2002 BSA Offers Illegal Software Amnesty Program
4 January 2002 IE Patch Opens up a Hole
4 January 2002 Seeker Trojan Tries to Alter IE Settings
3 & 4 January 2001 Microsoft Encourages Passport Users to Install Patch
3 & 4 January 2002 Nvidia Settles Suit with Dutch Hackers
4 January 2002 Judge Okays Keystroke Logging Evidence
4 January 2002 College Student Disclosed AIM Vulnerability
2, 3 & 4 January 2002 AOL Patches AIM Hole
3 January 2002 Home Computer Users are Vulnerable
3 January 2002 NIPC Revises XP Security Advice
2 & 3 January 2002 Computer Export Limits Relaxed
2 January 2002 AOL Says Harvard E-Mails Were Not Treated as Spam



TOP OF THE NEWS

8 January 2002 Virus Found in Macromedia Flash File

Antivirus researchers discovered a virus that infects Macromedia Flash files, putting at risk future users of the many web sites that rely on Flash files.
-http://news.cnet.com/news/0-1005-200-8410601.html?tag=lh
-http://investor.cnet.com/investor/news/newsitem/0-9900-1028-8410601-0.html?tag=ats

8 January 2002 National Research Council Report: US Firms at Risk

Summary: "From an operational standpoint, cybersecurity today is far worse than what known best practices can provide."
-http://www.cnn.com/2002/TECH/industry/01/08/security.reut/index.html

2, 3 & 4 January 2002 File Sharing Programs Contain Trojan

Three file sharing software products, LimeWire, Grokster and KaZaA, have been found to contain W32.DIDer, a Trojan horse program that tracks users' web surfing habits without their permission. The Trojan was evidently part of an advertising program that came bundled with the free software. All three companies have posted new versions of their software.
-http://news.cnet.com/news/0-1005-200-8335745.html?tag=prntfr
-http://www.wired.com/news/technology/0,1282,49430,00.html
-http://www.theregister.co.uk/content/4/23532.html
-http://www.cnn.com/2002/TECH/internet/01/04/spy.software.ap/index.html
[Editor's (Schultz) Note: Programs such as KaZaA are controversial, as they are so often used for Warez, distribution of indecent materials, etc., and, additionally, because they can bypass perimeter security. Where I work these kinds of programs are illegal. I find it ironic that now a Trojan has been found in some of these programs. Is the real problem the Trojan or the use of these programs in the first place? ]

2 January 2002 ZaCker Worm

The ZaCker mass-mailer worm, also known as Maldal.D, arrives as an attachment which, if opened, tries to delete antivirus files and other files with common extensions such as .exe and .doc. ZaCker self-replicates via Microsoft Outlook, sending itself to all addresses in the infected machine's address book.
-http://www.zdnet.com/zdnn/stories/news/0,4586,5101163,00.html?chkpt=zdhpnews01
-http://www.nwfusion.com/news/2002/0103zacker.html

2 January 2002 IT Insurance Policies Exclude On Line Assets, Acts of Terrorism

Insurers are increasingly moving away from covering online assets in their standard policies. Customers who want such coverage will have to purchase more expensive supplemental policies. Policies covering IT were originally designed to protect against physical loss or damage, not denial-of-service attacks and viruses. Some policies offer no coverage at all for damage resulting from terrorist activity.
-http://www.informationweek.com/story/IWK20020102S0004
[Editor's (Murray) Note: How does one distinguish between a rogue hacker and a terrorist? ]

THE REST OF THE WEEK'S NEWS

4 January 2002 BSA Offers Illegal Software Amnesty Program

The Business Software Alliance (BSA) is offering amnesty to businesses using illegally copied software. Users who own up need only pay the necessary licensing fees; they will avoid penalties, which can run as high as $150,000. The BSA provides tools to inventory the companies' software. The program is available to certain cities, including Houston, Norfolk and Richmond, VA, and the San Francisco Bay area, through the end of January.
-http://news.cnet.com/news/0-1003-200-8354860.html?tag=prntfr

4 January 2002 IE Patch Opens up a Hole

Security bug hunter Georgi Guninski has discovered yet another Internet Explorer (IE) hole, this one apparently the result of an earlier IE patch for versions 5.5 and 6.0. The hole in the GetObject JScript function could allow attackers to execute programs on the affected computer. Guninski recommends disabling active scripting or simply not using IE.
-http://cgi.zdnet.com/slink?166047
[Editor's (Murray) Note: Given that there is a limited amount of change that we can tolerate and given that patches are never applied to all systems and rarely even to most, Microsoft should fix things in the order of their importance rather than in the order of their discovery. (Guninski gets publicity only when MS fails to fix something on his schedule.) ]

4 January 2002 Seeker Trojan Tries to Alter IE Settings

The JS/Seeker-E Trojan exploits a known ActiveX Internet Explorer (IE) hole to try to change IE settings on infected machines. The Trojan can arrive via e-mail or can be acquired by visiting a malicious web page. A patch for the vulnerability has been available since October 2000.
-http://www.zdnet.com/zdnn/stories/news/0,4586,5101254,00.html

3 & 4 January 2001 Microsoft Encourages Passport Users to Install Patch

Microsoft has sent millions of e-mail messages to Passport account holders, urging them to apply an Internet Explorer (IE) patch that has been available for almost two months. The patch addresses an IE vulnerability that could let attackers steal sensitive data from cookies on unprotected machines.
-http://news.cnet.com/news/0-1005-200-8355007.html?tag=prntfr
-http://www.computerworld.com/storyba/0,4125,NAV47_STO66090,00.html

3 & 4 January 2002 Nvidia Settles Suit with Dutch Hackers

Two Dutch hackers posted intellectual property belonging to graphics chip designer Nvidia on the website M3DZone. The pair allegedly cracked Nvidia's firewall and used social engineering techniques to obtain intellectual property information from the graphics chip designer. The parties have reached an undisclosed settlement of a civil suit the company brought against the hackers.
-http://www.msnbc.com/news/681639.asp
-http://news.cnet.com/news/0-1006-200-8355008.html?tag=prntfr
-http://www.computerworld.com/storyba/0,4125,NAV47_STO66083,00.html

4 January 2002 Judge Okays Keystroke Logging Evidence

A federal judge ruled that evidence the FBI gathered using a keystroke-logging device surreptitiously installed on a computer (under a court-approved search warrant) is admissible in court. The FBI has not released any details about how the device works; last summer prosecutors in the case invoked the Classified Information Protection Act (CIPA), maintaining that details about the technology had to be kept secret to protect national security.
-http://www.wired.com/news/privacy/0,1848,49455,00.html
-http://www.computerworld.com/storyba/0,4125,NAV47_STO66087,00.html

4 January 2002 College Student Disclosed AIM Vulnerability

Matt Conover, the Utah college student who disclosed the AIM security hole, says he did it because AOL ignored his attempts to inform them of the vulnerability. Though some have called Conover's actions "irresponsible," others have defended him, noting that companies dismiss threats as theoretical unless an exploit demonstrates otherwise.
-http://www.zdnet.com/zdnn/stories/news/0,4586,2836272,00.html

2, 3 & 4 January 2002 AOL Patches AIM Hole

AOL has fixed a security hole in its AIM application that could have allowed a cracker to exploit a buffer overflow problem to gain control of a targeted machine. The hole affected only those using the AIM on a Windows operating system, not those who use the built-in messaging system. AOL made the fix on its servers; users do not need to install patches.
-http://www.wired.com/news/technology/0,1282,49442,00.html
-http://www.searchsecurity.com/qna/0,289202,sid14_gci788890,00.html
-http://www.zdnet.com/zdnn/stories/news/0,4586,5101170,00.html
-http://news.bbc.co.uk/hi/english/sci/tech/newsid_1741000/1741955.stm
[Editor's (multiple) note: Notice the ease and speed with which AOL fixes its software because it controls the client software. Is that a safer and better supported model for distributing PC software? Should the great majority of people, those without extraordinary security skills and the time to patch Microsoft software, be getting more of their software from AOL where the purchaser gives AOL the responsibility to maintain it? ]

3 January 2002 Home Computer Users are Vulnerable

Home users' computers are increasingly becoming cracker targets for a number of reasons: many home machines are powerful enough to attract the attention of crackers looking to launch denial-of-service attacks, many home machines maintain high-speed, always-on connections that increase their vulnerability, and home users tend to neglect security measures normally employed by businesses.
-http://www.cnn.com/2002/TECH/ptech/01/04/hacking.home.computers.ap/index.html

3 January 2002 NIPC Revises XP Security Advice

The FBI's National Infrastructure Protection Center (NIPC) has revised its advice regarding a recently disclosed security hole in Windows XP. Initially, NIPC recommended turning off the Universal Plug and Play (UPnP) service in addition to applying a patch available from Microsoft; now it says that the patch alone is adequate.
-http://www.cnn.com/2002/TECH/industry/01/03/hackers.ap/index.html
-http://www.computerworld.com/storyba/0,4125,NAV47_STO66069,00.html

2 & 3 January 2002 Computer Export Limits Relaxed

The Bush administration has eased restrictions on computers exported to Tier 3 nations, China, India and Pakistan, from 85,000 millions of theoretical operations per second (MTOPS) to 190,000 MTOPS. In addition, Latvia will be moved from Tier 3 to Tier 1, enjoying the looser restrictions enjoyed by Japan, Canada, Mexico and others. Some technology industry representatives say the MTOPS standard is not effective because countries can cluster less-powerful machines.
-http://news.cnet.com/news/0-1003-200-8338468.html?tag=prntfr
-http://www.computerworld.com/storyba/0,4125,NAV47_STO66053,00.html
-http://www.wired.com/news/politics/0,1283,49453,00.html

2 January 2002 AOL Says Harvard E-Mails Were Not Treated as Spam

In a correction to previously released data, an AOL spokesman said the Harvard admissions e-mails that were bounced back were returned not because the ISP's filtering system thought they were spam, but for other reasons such as closed accounts and full mailboxes. Between 3 and 4 percent of the e-mails sent to AOL accounts from Harvard were returned. A Harvard spokeswoman said that regular paper notifications were sent the same day the e-mails went out.
-http://www.computerworld.com/storyba/0,4125,NAV47_STO66046,00.html




Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin,
Bill Murray, Stephen Northcutt, Alan Paller,
Marc