Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #20

May 15, 2002


Update on Port 1433: Last week we reported on widespread scanning of
port 1433, commonly used by Microsoft's SQL server. We noted that we
had had no reports at Incidents.Org of exploits connected with the
scanning. A few hours later we received the following note from the
CISO of a large research organization:
[Our organization] has been hit at least twice in the last 2 weeks with
Web defacements based on the exploit Port 1433/ms-sql, CAN-2002-0154.
We were kind of shocked that within 1-2 weeks of Microsoft announcing
the vulnerability, we were already hit by the exploit. Doesn't
give much time to clean up. However, I haven't heard of widespread
exploits yet. Also, I would hope most sites block external access
to SQL Server. We happened to have a few servers that needed outside
access for special purposes.


Alan

TOP OF THE NEWS

10 May 2002 DHCP Server Vulnerability
9 & 13 May 2002 Teen Sentenced for Defacements
7 May 2002 EDS Bans IM Products For Security's Sake
6 May 2002 Code Red and Nimda Still Pose a Threat

THE REST OF THE WEEK'S NEWS

13 May 2002 Man Sentenced for Abusing FBI Computer System
12 May 2002 Personal Data Available On Line
13 May 2002 Pilot Program Puts Criminal Court Documents On Line
10 May 2002 Xbox Emulator is Really a Trojan Horse
9 May 2002 Florida's Juvenile Justice Department System is Not Secure
9 May 2002 ElcomSoft Case Will Go to Trial
8, 9 & 10 May 2002 Patch Available for Microsoft Messenger Vulnerabilities
8 & 9 May 2002 Cloning SIM Cards
8 May 2002 House Judiciary Committee Approves Cyber Crime Bill
8 May 2002 CSIS Report Warns Cyber Terrorists Threaten Critical Infrastructure
7 May 2002 GAO's Keith Rhodes on Security
7 May 2002 Old Software Creates "Leaky" Documents
7 May 2002 Hacker Parodies Deceptive Duo
7 May 2002 Argentine Supreme Court Wants Cyber Crime Law
7 May 2002 JDBGMGR.EXE Virus Hoax
9 May 2002 Even Without Payloads, Hoaxes Can Cause Problems
7 May 2002 Anti-Trust Remedy Threatens Security, says Microsoft Exec
7 May 2002 Another MSN Messenger Problem
6 May 2002 Sun cachefsd Buffer Overflow
6 May 2002 Intrusion Detection Systems Use Behavior Monitoring and Anomaly Detection
6 May 2002 Lack of Virus Rating Standards can be Confusing
8 March 2002 NSA Adds Universities to its Academic Excellence Program


********************** Sponsored by PentaSafe ************************
Need information security policies? Don't start from scratch...
Get INFORMATION SECURITY POLICIES MADE EASY V8! Now only $595! A
"must have" for every security professional, with 1100+ pre-written
policies on CD that can be easily customized for your company. Also:
Information Security Roles & Responsibilities Made Easy, offering
pre-written job descriptions and more.
Download a sample email policy: http://www.pentasafe.com/publications
**********************************************************************

TOP OF THE NEWS

10 May 2002 DHCP Server Vulnerability

A CERT security alert warns that ISC's DHCP server could allow an attacker to run code with DHCP privileges. The problem affects versions 3 - 3.0.1 rc8. CERT recommends applying patches, disabling DHCP if it is not necessary, or applying ingress-filtering techniques.
-http://www.cnn.com/2002/TECH/internet/05/10/dhcp.bug.idg/index.html
-http://www.cert.org/advisories/CA-2002-12.html

9 & 13 May 2002 Teen Sentenced for Defacements

Matthew T. Kroeker, a Kansas teenager, has pleaded guilty to felony charges of hacking a variety of government and commercial web sites. Kroeker will serve two years of probation and pay restitution of at least $18,000.
-http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8061
-http://online.securityfocus.com/news/404

7 May 2002 EDS Bans IM Products For Security's Sake

EDS, the computer branch of the British government, has banned the use of Instant Messenger products as of May 8, 2002. Because the IM services bypass security checkpoints, they could allow viruses and other malware to propagate within the organization's network.
-http://www.theregister.co.uk/content/55/25185.html

6 May 2002 Code Red and Nimda Still Pose a Threat

Code Red and Nimda are still squirming across the Internet, despite the fact that patches for the flaws they exploit have been available for nearly a year. Their continued spread could be attributed to new, unpatched machines being put on the Internet. There is speculation that machines infected with these worms have been compromised by hackers and could be used to launch a denial of service attack.
-http://www.pcworld.com/news/article/0,aid,98504,00.asp


**********************************************************************
(1) Dorian Software Creations: Automate Event Log Archiving, Analysis,
and Detection! http://www.sans.org/cgi-bin/sanspromo/NB34
(2) Recourse ManTrap(r) 3.0 makes deception a snap. FREE white paper:
http://www.sans.org/cgi-bin/sanspromo/NB35
(3) Urgent: Deploy patches across every server in seconds with
BladeLogic. FREE TRIAL. http://www.sans.org/cgi-bin/sanspromo/NB36
**********************************************************************

THE REST OF THE WEEK'S NEWS

13 May 2002 Man Sentenced for Abusing FBI Computer System

Former corrections officer Gary Piedmont has been sentenced to "community confinement," a year of probation and will pay a $5,000 fine for using the FBI's National Crime Information Center's computer system to check on the status of a warrant that had been issued for a friend of his.
-http://www.gcn.com/vol1_no1/daily-updates/18631-1.html

12 May 2002 Personal Data Available On Line

The Internet has proven to be a virtual bazaar for identity thieves; law enforcement web sites publish names, birth dates, social security numbers and even pictures and driver's license numbers of prison inmates and wanted criminals. Court documents available on line can contain much of the same data; bankruptcy cases can even include bank account information. Though some states are passing laws requiring that such sensitive data be edited out of public documents, much will remain to be picked over by data miners.
-http://www.msnbc.com/news/750428.asp?0dm=C23BT
[Editor's (Schultz) Note: How far will invasion and the potential for invasion of privacy through electronic means go in the US? The potential for damage to individuals is now growing way out of control. The US Congress needs to take on electronic privacy protection as a major priority. And if Congress won't do it, states (many of which are way ahead of the US Government in computer security-related legislation) will need to fill the void. ]

13 May 2002 Pilot Program Puts Criminal Court Documents On Line

The Judicial Conference of the United States has approved a pilot program in 11 federal courts allowing public access to criminal case court files on line. Privacy advocates hope to establish limitations on the purposes for which the documents are viewed.
-http://www.fcw.com/fcw/articles/2002/0513/news-court-05-13-02.asp

10 May 2002 Xbox Emulator is Really a Trojan Horse

People are being tricked into downloading malicious code masquerading as an Xbox emulator; what actually gets installed on their PCs is a Trojan horse program called Net BUIE.exe, which subsequently connects to remote servers. The program could be reaping money for someone through pay-per-clicks. It also connects to four servers run by Microsoft. The site from which the Trojan was downloaded has been pulled off the Internet.
-http://www.vnunet.com/News/1131681
-http://www.newsbytes.com/news/02/176472.html

9 May 2002 Florida's Juvenile Justice Department System is Not Secure

The Florida auditor general has found that the state's Juvenile Justice Department has implemented poor access controls on its computer system, exposing the data it contains to the threat of modification or disclosure. Department officials said they would make changes.
-http://www.gcn.com/vol1_no1/daily-updates/18617-1.html

9 May 2002 ElcomSoft Case Will Go to Trial

A federal District Court Judge in California has denied ElcomSoft's motion to dismiss a case against the company. The Russian software company is charged with violating the Digital Millennium Copyright Act (DMCA) for selling a tool that circumvents copy protection in Adobe eBooks.
-http://zdnet.com.com/2100-1104-903768.html
-http://www.theregister.co.uk/content/55/25211.html
Judge's ruling:
-http://www.eff.org/IP/DMCA/US_v_Elcomsoft/20020508_dismiss_deny_order.pdf

8, 9 & 10 May 2002 Patch Available for Microsoft Messenger Vulnerabilities

Microsoft is warning of a critical vulnerability in its MSN Messenger and Exchange Instant Messenger services; a buffer overflow vulnerability in an ActiveX control, known as the MSN Chat OCX Control, could allow malicious code to run on unprotected computers. The vulnerability affects versions 4.5 and 4.6 of both programs. Users are encouraged to upgrade to new versions, and MSN Chat users are also encouraged to download a new version of that program. Microsoft has released a patch for the vulnerability.
-http://zdnet.com.com/2100-1105-904203.html
-http://www.washingtonpost.com/wp-dyn/articles/A56332-2002May8.html
-http://www.theregister.co.uk/content/55/25209.html
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,71011,00.html
-http://www.cnn.com/2002/TECH/internet/05/10/messenger.hole.idg/index.html
-http://www.microsoft.com/technet/security/bulletin/ms02-022.asp
-http://www.cert.org/advisories/CA-2002-13.html

8 & 9 May 2002 Cloning SIM Cards

IBM researchers have found a way to clone cell phone security identification module (SIM) cards. Called "partitioning," the technique requires having physical possession of the phone, querying its SIM card and analyzing the corresponding power fluctuations and electromagnetic field changes.
-http://zdnet.com.com/2100-1105-902149.html
-http://online.securityfocus.com/news/400

8 May 2002 House Judiciary Committee Approves Cyber Crime Bill

The House Judiciary Committee has approved a bill that would make it easier for Internet Service Providers (ISPs) to report potential criminal behavior occurring on their networks; the measure would also increase penalties for those found guilty of cyber crimes. While current legislation assigns punishment based on the economic damage caused by cyber crime, the new bill, sponsored by Lamar Smith (R-Texas), would take into consideration such factors as the intent of the attackers and the targets.
-http://www.wired.com/news/politics/0,1283,52388,00.html

8 May 2002 CSIS Report Warns Cyber Terrorists Threaten Critical Infrastructure

A Canadian Security Intelligence Service (CSIS) report says cyber terrorists pose a threat to critical infrastructures in nations around the world. Many of the systems used in critical infrastructures can be controlled with wireless technology; a year ago, a man in Australia used wireless technology to send sewage into water systems.
-http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8051

7 May 2002 GAO's Keith Rhodes on Security

In an interview, US General Accounting Office (GAO) chief technologist Keith Rhodes talks about what companies are doing right and what he sees as the biggest security risks. Rhodes and his team conduct regular penetration tests on government computer systems.
-http://itmanagement.earthweb.com/secu/article/0,,11953_1040041,00.html

7 May 2002 Old Software Creates "Leaky" Documents

Some .doc files available for downloading were created with software that left fragments of deleted data in otherwise unused areas of the files. The data can be seen if the documents are browsed with a hex editor. The affected documents were created with unpatched versions of Microsoft Word 6.0 and 7.0, and version 7.0 of PowerPoint and Excel. The security hole affects some documents on government web sites.
-http://news.com.com/2100-1023-901112.html

7 May 2002 Hacker Parodies Deceptive Duo

A hacker calling herself Evil Angelica has defaced two websites with parodies of the recent defacements by the Deceptive Duo, who have been posting screenshots of databases on a variety of websites in an effort, they claim, to demonstrate the poor state of cyber security in the United States.
-http://www.newsbytes.com/news/02/176429.html

7 May 2002 Argentine Supreme Court Wants Cyber Crime Law

After an Argentine federal court threw out a case against a group of hackers who defaced Argentina's Supreme Court web site because no law existed under which to prosecute them, Argentina's Supreme Court has said it wants legislation that would outlaw hacking. The court has sent a formal request to the legislature asking that such a law be penned.
-http://www.reuters.com/news_article.jhtml?type=internetnews&Storyclass=930771

7 May 2002 JDBGMGR.EXE Virus Hoax

A hoax warning of a virus infection has been circulating around the Internet, apparently telling people to delete the JDBGMGR.EXE file. Several variants have been found, some maintaining that the virus "hibernates" for two weeks before launching its payload. Deleting the file may make Java applets not work properly, but it can be reinstalled.
-http://www.newsbytes.com/news/02/176442.html
-http://securityresponse.symantec.com/avcenter/venc/data/jdbgmgr.exe.file.hoax.html

[Editor's (Schultz) Note: It is amazing how successful dumb little hoaxes like this one are. Where I work we have sent a message to every employee about this hoax, included information about it in the weekly newsletter, and plastered information about it all over the computer protection home page. Despite all these measures, we get calls and emails almost daily from users who have deleted JDBGMGR.EXE, SULFNBK.EXE, or some other file mentioned in a hoax message. Keeping the user community informed is truly one of the most difficult tasks facing information security professionals. ]

9 May 2002 Even Without Payloads, Hoaxes Can Cause Problems

While hoax virus warnings may not carry an actual malicious payload, they do carry the threat of bogged-down servers and embarrassment for those who have forwarded the message. The columnist suggests that organizations designate one person to be in charge of checking the validity of virus warnings, and that all employees forward such messages to that person rather than sending them on their merry way around the Internet, causing unnecessary worry and resource consumption.
-http://www.vnunet.com/News/1131629

7 May 2002 Anti-Trust Remedy Threatens Security, says Microsoft Exec

Microsoft's senior vice president for Windows, Jim Allchin, says the proposed anti-trust remedy, which includes making public the source code to Internet Explorer, would threaten the security of the software; as more technical information about the systems is disclosed, creators of malware would have more insight into how they work. Additionally, copy protections could be circumvented, allowing for the dissemination of pirated movies and music.
-http://zdnet.com.com/2100-1104-901088.html
[Editor's (Schultz) Note: Mr. Allchin certainly has a vivid imagination. If what Allchin says is true, then open operating systems such as OpenBSD must be compromised proportionately far more than are Windows systems, something that is not even close to being true. ]

7 May 2002 Another MSN Messenger Problem

A misformatted font variable in an MSN Messenger header can crash the client.
-http://www.net-security.org/vuln.php?id=1657

6 May 2002 Sun cachefsd Buffer Overflow

The default installation of the NFS/RPC file system cachefs daemon (cachefsd) in Sun Solaris 2.5.1, 2.6, 7, and 8 has a remotely exploitable heap overflow. Attackers could execute code with root level privileges.
-http://www.cert.org/advisories/CA-2002-11.html

6 May 2002 Intrusion Detection Systems Use Behavior Monitoring and Anomaly Detection

Newer intrusion detection systems (IDSes) use anomaly detection and system and application behavior monitoring either instead of or in conjunction with more traditional signature-based detection.
-http://www.eweek.com/article/0,3658,s=712&a=26347,00.asp

6 May 2002 Lack of Virus Rating Standards can be Confusing

Anti-virus firms not only use different names for the same virus, but their risk rating systems also differ from one another, because different types of customers use the various vendors' products. There are no industry standards for rating a virus's risk. McAfee is addressing the problem by changing the way it assigns malware risk, including offering separate risk assessments for home users and for corporate users for each virus.
-http://www.newsfactor.com/perl/story/17603.html
-http://www.pcworld.com/news/article/0,aid,98383,tk,dn050602X,00.asp

8 March 2002 NSA Adds Universities to its Academic Excellence Program

The US National Security Agency has renewed seven universities and designated an additional thirteen universities as Centers of Academic Excellence in Information Assurance Education for academic years 2002 through 2005. The aim of the program is to help protect national critical infrastructure systems through promoting information assurance in higher education and producing knowledgeable and capable IT professionals.
-http://www.nsa.gov/releases/20020308.htm
-http://www.nsa.gov/isso/programs/coeiae/index.htm


==end==
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites


Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Eugene Schultz