SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IV - Issue #33
August 14, 2002
TOP OF THE NEWS
12 August 2002 Hacker Claims He Stole NASA Documents
11 August 2002 Hackers Face Stiffer Penalties
8, 9 & 12 August 2002 New OECD Security Guidelines
8 August 2002 Microsoft and FTC Reach Passport Privacy and Security Settlement
7 & 8 August 2002 Researcher Claims Win32 Messaging System is Irreparably Flawed
THE REST OF THE WEEK'S NEWS
12 August 2002 Macromedia Flash Buffer Overflow Flaw
12 August 2002 CDE ToolTalk Flaw
12 August 2002 CMU to Help Other Schools Develop Cyber Security Programs
12 August 2002 PGP Flaw
9 August 2002 Money for Bugs
9 August 2002 University Reactor Access to be Secured with Face Recognition Technology
6 August 2002 Iowa College to Use Thumbprints for Computer Access
9 August 2002 CAIDA's Network Telescope
8 August 2002 US Military Laptops Unaccounted For
8 August 2002 Google Toolbar Flaws Patched
7 & 8 August 2002 Microsoft Issues Patch for Content Management Server 2001
7 August 2002 Australian Students Pay to Have Grades Deleted
7 August 2002 DeCSS Author Trial Date Set
7 August 2002 Dutch ISP Exposes Customer Banking Info
6 & 7 August 2002 Sun XDR Library Flaw
2 & 7 August 2002 Other Backbone Providers Could Manage UUNet Traffic if Necessary
6 August 2002 Israeli Teens Charged in Goner Case
6 August 2002 Setiri Trojan Eludes Firewalls
6 August 2002 Information About Japanese Defense Agency Network Leaked
6 August 2002 Indonesian Student Charged with Using Stolen Credit Card On Line
6 August 2002 Warning of Impending Cyber Attacks Doesn't Play Out
5 & 6 August 2002 400 Laptops Missing at DoJ
5 August 2002 Former DEA Agent Pleads Guilty in Data Selling Case
5 August 2002 Japanese Mandatory ID System Irks Privacy Advocates
7 August 2002 Japanese ID System Exposes Personal Data
SECURITY TRAINING NEWS
15 August 2002
12 July 2002
**************** This Issue Sponsored by Qualys, Inc. ****************
Bulletproof Your Network: FREE Guide
Existing security products -- firewalls, anti-virus and IDS --
are simply no longer enough to ensure your networks are safe against
sophisticated attacks and worms such as Code Red and Nimda. FREE Guide
shows you how to ensure TOTAL security for your network. Get it now.
TOP OF THE NEWS
12 August 2002 Hacker Claims He Stole NASA Documents
A Latin American-based hacker allegedly stole restricted NASA documents that deal with next generation reusable spacecraft; he has allegedly broken into other NASA computer systems as well. He also provided Computerworld with evidence of his intrusion into NASA's White Sands Test Facility; he claims to have exploited an FTP vulnerability to gain access to the systems. A NASA spokesman said the documents contained sensitive military information. NASA is investigating.
11 August 2002 Hackers Face Stiffer Penalties
The US judicial system has become more aggressive in prosecuting cyber criminals. The passage of the Patriot Act increased the maximum sentence for breaking into a computer from five to ten years in prison, and the Cyber Security Enhancement Act could bring a hacker life in prison for recklessly causing or attempting to cause death.
[Editor's Note (Ranum): It doesn't matter what the maximum is, when the minimum is the slap on the wrist that hackers usually get. (Murray) Most hackers are never caught. Most that are caught never see a court room. After being threatened with the maximum if they go to trial, they cop a plea. (I have one client serving four years for the moral equivalent of joy riding. When he gets out of Federal prison he will be deported to his country of origin, Panama, a country he left at the age of two and has not seen since.) Often they do not see a courtroom because the state does not have a very good case. The sentence is often more a function of the quality of the state's case than of the offense. Welcome to modern justice. ]
8, 9 & 12 August 2002 New OECD Security Guidelines
The Organisation for Economic Cooperation and Development (OECD), which has 30 member nations, has updated its guidelines for information security. Titled "Guidelines for the Security of Information Systems and Networks," the document advocates such principles as awareness, responsibility, ethics, risk assessment, and security design and implementation. This is the first time in a decade the OECD has updated its cybersecurity guidelines. Although the guidelines are non-binding, the OECD hopes member nations will use them as a basis for forming cyber security initiatives. The US Department of State has endorsed the guidelines.
[Editor's Note (Paller): The Federal Trade Commission, under Commissioner Orson Swindle, took the US lead on creating the Guidelines. FTC is also leading the way in creating new security guides for home users and in forcing companies to match their security practices to their security promises as shown in the next story. If you know of organizations that are making claims about the security of their sites or of their products, but not meeting the claims, send an email to firstname.lastname@example.org with the subject "Unmet security promises." If the submitted facts can be verified, we'll pass the most egregious examples along to the government, and we'll publish the others. ]
8 August 2002 Microsoft and FTC Reach Passport Privacy and Security Settlement
A Federal Trade Commission (FTC) investigation found that Microsoft misrepresented both the level of security provided by and the amount of data collected by its Passport services. As part of a settlement with the government, Microsoft will refrain from making false claims about the information it collects and will submit to an independent audit of its security program every two years. Microsoft could face fines of $11,000 a day if it fails to comply with the agreement.
7 & 8 August 2002 Researcher Claims Win32 Messaging System is Irreparably Flawed
Chris Paget says there is an irreparable hole in Win32. Any application can send a window message to any window on the same desktop, regardless of whether that window belongs to the sending application, and the messaging system carries no authentication that would let the receiving window tell who sent a message or refuse it. Paget has published a white paper describing a "shatter attack" in which an attacker uses such messages to gain control of a system by elevating his or her privileges. Microsoft says this does not fit its criteria for a security vulnerability.
[Editor's Note (Murray): The messaging system works as documented. What Paget proposes to exploit is a documented feature. One of the things that makes it "irreparable" is that it is widely used in ways that do not compensate for its fundamental vulnerability. What Paget describes is an attack that might permit an otherwise unprivileged, but identified and authenticated, user in a multi-user system to assume the privileges and identity of another more privileged user. However, such a user is not an arbitrary "attacker" as our abstract might be read to say. And the Messaging System is not one between users but one between operating system objects. ]
************************ SPONSORED LINKS *****************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Today's security equals swiss cheese. Plug your holes with
Top Layer. White Papers http://www.sans.org/cgi-bin/sanspromo/NB63
(2) BLOCK attacks now & ELIMINATE after-the-fact log analysis. Learn
(3) Annoyed with spam? Angry about losing your time? Eliminate
it with iHateSpam! http://www.sans.org/cgi-bin/sanspromo/NB65
THE REST OF THE WEEK'S NEWS
12 August 2002 Macromedia Flash Buffer Overflow Flaw
A buffer overflow security hole in Macromedia's Flash Player could let attackers run malicious code on vulnerable computers. The flaw affects all versions of Flash Player older than the fixed release; the fix is available as a software update on Macromedia's web site.
12 August 2002 CDE ToolTalk Flaw
CERT/CC has warned of a buffer overflow vulnerability in the CDE ToolTalk RPC database server that could be exploited to run code or cause a denial of service on a vulnerable machine. Users of vulnerable systems should apply patches from vendors as they become available. Users can also disable the ToolTalk RPC database service.
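As an added example (not from the CERT/CC advisory or any vendor), two checks an administrator can run against the text of `rpcinfo -p` and `/etc/inetd.conf` to find out whether the ToolTalk database server (`rpc.ttdbserverd`, RPC program number 100083) is still registered and to produce an inetd.conf with it disabled. The rpcinfo output and the inetd.conf entries below are constructed for the demonstration; the RPC entry uses the Solaris inetd.conf form.

```python
TTDB_PROGRAM = 100083  # RPC program number of rpc.ttdbserverd (CDE ToolTalk database server)

# Constructed sample of `rpcinfo -p` output from a host that still has ToolTalk registered.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100083    1   tcp  32771  ttdbserver
    100021    1   udp   4045  nlockmgr
"""

# Constructed sample inetd.conf (Solaris-style RPC entry) with the service enabled.
SAMPLE_INETD_CONF = """\
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd    in.ftpd
100083/1  tli  rpc/tcp  wait  root  /usr/dt/bin/rpc.ttdbserverd  rpc.ttdbserverd
dtspc   stream  tcp  nowait  root  /usr/dt/bin/dtspcd   /usr/dt/bin/dtspcd
"""


def ttdb_registrations(rpcinfo_text):
    """Return (version, proto, port) for every portmapper registration of program 100083."""
    hits = []
    for line in rpcinfo_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].isdigit() and int(f[0]) == TTDB_PROGRAM:
            hits.append((int(f[1]), f[2], int(f[3])))
    return hits


def is_ttdb_entry(line):
    """True for an active (uncommented) inetd.conf line that starts the ToolTalk db server."""
    s = line.strip()
    if not s or s.startswith("#"):
        return False
    by_program = s.startswith("%d/" % TTDB_PROGRAM)
    by_binary = any(tok.endswith("rpc.ttdbserverd") for tok in s.split())
    return by_program or by_binary


def disable_ttdb(inetd_conf_text):
    """Return inetd.conf text with every active ToolTalk entry commented out (idempotent)."""
    return "".join(("#" + line if is_ttdb_entry(line) else line) + "\n"
                   for line in inetd_conf_text.splitlines())


if __name__ == "__main__":
    for ver, proto, port in ttdb_registrations(SAMPLE_RPCINFO):
        print("ttdbserver v%d registered on %s/%d" % (ver, proto, port))
    print(disable_ttdb(SAMPLE_INETD_CONF), end="")
```

After editing the real inetd.conf, inetd must be sent SIGHUP (or restarted) and `rpcinfo -p` re-run to confirm program 100083 is gone; a registration that survives means the server was started some other way, which is why the check reads both sources.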
12 August 2002 CMU to Help Other Schools Develop Cyber Security Programs
Carnegie Mellon University (CMU) received a $400,000 grant from the National Science Foundation's Federal Cyber Service program to help other colleges and universities develop strong information security programs. The four-week residential program included curriculum development and interdisciplinary applications of information security.
12 August 2002 PGP Flaw
A flaw in the way Pretty Good Privacy (PGP) encrypts messages could allow someone who intercepts a message to manipulate the recipient into decrypting it for them. Here's how it works. The interceptor captures the encrypted message and scrambles it by rearranging and altering its ciphertext blocks; the recipient's software decrypts the scrambled message into gibberish, and the recipient may reply asking for a resend because the message was unreadable; if the recipient's e-mail software quotes the original message in the reply, the gibberish arrives, decrypted, in the interceptor's mailbox. Because the cipher mode PGP uses (CFB) lets the interceptor predict how each block change affects the decrypted text, the gibberish can be turned back into the original plaintext without the key. The vulnerability is hard to exploit: if the message was compressed before encryption, the scrambled text will not decompress and the trick may not work, and it requires that the recipient's e-mail software automatically decrypt messages.
[Editor's Note (Murray): This is an attack, not a flaw. It exploits a fundamental vulnerability that is covered in the documentation. ]
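The exchange described in the PGP item above, played out as an added example; this is not code from the news item, from PGP, or from the researchers who published the attack. The block cipher is stood in for by a keyed pseudorandom function built from SHA-256 (CFB mode only ever runs the cipher in the forward direction, so any keyed PRF serves for the demonstration), the IV is sent as the first ciphertext block, and, as the attack requires, there is no compression and no integrity check. In CFB, decrypting the block pair (C_{i-1}, X) yields X XOR E_K(C_{i-1}) = X XOR C_i XOR P_i, so an interceptor who rearranges and masks the captured blocks gets a message that decrypts to unreadable output from which the plaintext falls out once the reply quotes it back.

```python
import hashlib
import os

BLOCK = 16  # block size in bytes


def block_fn(key, x):
    """Stand-in for the block cipher's forward function E_K (a keyed PRF, not a real cipher)."""
    return hashlib.sha256(key + x).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(pt):
    """PKCS#7-style padding so every block is full (the attack works on whole blocks)."""
    n = BLOCK - len(pt) % BLOCK
    return pt + bytes([n]) * n


def unpad(pt):
    n = pt[-1]
    if not 1 <= n <= BLOCK or pt[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return pt[:-n]


def cfb_encrypt(key, iv, plaintext):
    """CFB: C_i = P_i XOR E_K(C_{i-1}), C_0 = IV.  Returns the list [IV, C_1, ..., C_n]."""
    blocks, prev = [iv], iv
    for i in range(0, len(plaintext), BLOCK):
        c = xor(plaintext[i:i + BLOCK], block_fn(key, prev))
        blocks.append(c)
        prev = c
    return blocks


def cfb_decrypt(key, blocks):
    """CFB: P_i = C_i XOR E_K(C_{i-1}).  Decrypts whatever block sequence it is handed."""
    out, prev = b"", blocks[0]
    for c in blocks[1:]:
        out += xor(c, block_fn(key, prev))
        prev = c
    return out


def interceptor_scramble(blocks, masks):
    """The 'scrambling' step, done without the key.

    From [IV, C_1..C_n] and random masks [D_1..D_n] build
        IV, C_1^D_1, C_1, C_2^D_2, C_2, ..., C_{n-1}^D_{n-1}, C_{n-1}, C_n^D_n
    which decrypts to  P_1^D_1, junk, P_2^D_2, junk, ..., P_n^D_n : every odd block
    is a masked copy of the real plaintext, every even block is noise, and none of
    it is readable by the recipient.
    """
    iv, body = blocks[0], blocks[1:]
    out = [iv]
    for c, d in zip(body[:-1], masks[:-1]):
        out += [xor(c, d), c]
    out.append(xor(body[-1], masks[-1]))
    return out


def interceptor_recover(gibberish, masks):
    """Strip the masks from the odd-numbered blocks of the quoted gibberish to get the plaintext."""
    chunks = [gibberish[i:i + BLOCK] for i in range(0, len(gibberish), BLOCK)]
    return b"".join(xor(p, d) for p, d in zip(chunks[0::2], masks))


def run_attack(message):
    """Plays out the whole exchange; returns (what the interceptor recovered, what the recipient saw)."""
    key = os.urandom(16)  # shared by sender and recipient only; the interceptor never sees it
    sent = cfb_encrypt(key, os.urandom(BLOCK), pad(message))
    # Interceptor: holds only the ciphertext blocks.
    masks = [os.urandom(BLOCK) for _ in sent[1:]]
    forged = interceptor_scramble(sent, masks)
    # Recipient: the mailer decrypts automatically and shows unreadable output ...
    gibberish = cfb_decrypt(key, forged)
    # ... and the "please resend, this was garbage" reply quotes that output back.
    # Interceptor: reads the reply and removes the masks.
    recovered = unpad(interceptor_recover(gibberish, masks))
    return recovered, gibberish


if __name__ == "__main__":
    msg = b"Meet at the White Sands gate at 0600. Bring the drawings."  # constructed sample
    got, seen = run_attack(msg)
    print("recipient could read the message:", msg in seen)
    print("interceptor recovered:", got)
```

The two conditions the news item lists as limiting the attack are visible here: compression before encryption would make `gibberish` fail to decompress, so the mailer would show nothing worth quoting, and if the recipient decrypted by hand rather than automatically there would be no decrypted text in the reply at all. An integrity check over the ciphertext (OpenPGP's later modification detection code) defeats the rearrangement outright.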
9 August 2002 Money for Bugs
Security company iDefense plans to offer payments of up to $400 in return for reports of software vulnerabilities. While some people feel the industry has been making money off bug hunters for a long time, many others envision scenarios in which the money for bugs system could be abused. An iDefense spokesman says his company will only work with ethical bug finders.
9 August 2002 University Reactor Access to be Secured with Face Recognition Technology
Access to a nuclear reactor at the University of Missouri-Rolla will be secured with face recognition biometric technology. Research has identified weaknesses in the technology: some systems have correctly recognized approved people less than half the time (47%), and another was fooled by people holding up laptop computers displaying photos as they passed by. The face recognition system will not be the only security measure used at the facility.
[Editor's Note (Murray): While most biometrics can be tuned to produce a lower ratio of false accepts to false positives than can passwords, no authentication technology works as well as any two in combination. Sensitive applications should employ strong authentication; i.e., two or more forms of evidence, at least one of which is resistant to replay. ]
6 August 2002 Iowa College to Use Thumbprints for Computer Access
The West Des Moines campus of the Des Moines Area Community College plans to use thumbprint scanners for access to college computer systems. Some experts have pointed out that cracking thumbprints can be even easier than cracking passwords; passwords can be changed, but "getting a replacement thumb is expensive and painful," according to one privacy advocate.
[Editor's Note (Murray): Biometrics do not work because they are secret; they work because they are difficult to forge. The remedy for a forgery is not to change the individual. It is to resist forgeries by having a trusted reader and by collecting complementary evidence. ]
9 August 2002 CAIDA's Network Telescope
The Cooperative Association for Internet Data Analysis (CAIDA) in San Diego, CA is using a "network telescope", a large block of otherwise unused address space, to watch for cyber attacks. The block covers approximately 1/256 of the Internet, i.e. a /8 of the IPv4 address space, so traffic sent to it (such as the backscatter from spoofed denial-of-service floods or the probes of a scanning worm) can be observed without any legitimate hosts being involved.
8 August 2002 US Military Laptops Unaccounted For
Two laptop computers are reportedly missing from a US military command center in Florida; that center is responsible for coordinating US military efforts in Afghanistan. No one is sure if the computers are merely missing or if they have been stolen. One reportedly contains sensitive data.
The two missing laptops have been recovered after a member of the military confessed to having them. The motive for the theft was not espionage, according to a spokesman for the Air Force's Office of Special Investigations.
8 August 2002 Google Toolbar Flaws Patched
A cluster of nine security vulnerabilities in the Google toolbar could have allowed attackers to see what users type into the toolbar search field, to read files, or even to execute scripts on a vulnerable computer. Google has patched all the holes in an automatic update. The affected version was 1.1.58; Google is now distributing versions 1.1.59 and 1.1.60. Users should check which version of Google's toolbar their computers are running.
7 & 8 August 2002 Microsoft Issues Patch for Content Management Server 2001
Microsoft has released a patch for three security vulnerabilities in its Content Management Server 2001. The most critical of the vulnerabilities is in a user authentication function: an attacker could submit malformed data to a web page that uses the authentication function and gain control of the system.
7 August 2002 Australian Students Pay to Have Grades Deleted
The Independent Commission Against Corruption (ICAC) found that eleven students at the University of Technology, Sydney (UTS) paid a student liaison officer to delete their failing marks from the University's computer system. An ICAC commissioner said a survey of New South Wales's 10 public universities indicated that all were vulnerable to computer record tampering.
[Editor's Note (Ranum): This is really a human problem rather than a technology problem. Someone in a position of trust was untrustworthy. This is nothing new. ]
7 August 2002 DeCSS Author Trial Date Set
The trial of Jon Johansen, the Norwegian man who wrote the DVD descrambling tool DeCSS, will begin on December 9 in a Norwegian district court. Though Johansen was indicted in January, the trial was postponed until a judge with adequate technical knowledge could be found.
7 August 2002 Dutch ISP Exposes Customer Banking Info
When a man tried to cancel his cable Internet service with a Dutch ISP, he instead received e-mails containing banking information belonging to other ISP customers. The man contacted some of the people and told them of the security breach. A spokesman for the ISP says they do not know how the error occurred.
6 & 7 August 2002 Sun XDR Library Flaw
A security flaw in some implementations of the External Data Representation (XDR) library derived from Sun Microsystems' SunRPC code could let attackers run code and possibly take control of vulnerable systems. Because that library code was reused by many vendors and projects, the flaw affects more than Sun's own products.
MIT Kerberos Development Team Advisory:
2 & 7 August 2002 Other Backbone Providers Could Manage UUNet Traffic if Necessary
AT&T officials have reassured government officials that should UUNet go down due to parent company WorldCom's bankruptcy, other backbone providers could easily absorb the extra traffic. Last week, Federal Communications Commission (FCC) chairman Michael Powell told the Senate Commerce Committee that the FCC does not have the authority to prevent an Internet backbone provider from shutting down its services. WorldCom CEO John Sidgmore doesn't think UUNet will go down in any case.
6 August 2002 Israeli Teens Charged in Goner Case
Five Israeli teenagers have been charged in Haifa District Court with willfully causing damage to computers for their roles in creating the Goner virus. One of the five is charged with actually writing the virus; the others are charged with spreading it. The Goner virus arrives in the guise of an attached screensaver and shuts down firewalls and anti-virus software running on infected computers.
6 August 2002 Setiri Trojan Eludes Firewalls
Three security consultants at DefCon demonstrated Setiri, a Trojan horse that evades firewall detection. The researchers do not plan to release Setiri for use but do want Microsoft to fix the parts of its Internet Explorer that allow Setiri to work. Instead of containing executable commands, Setiri opens an invisible window in IE that connects to a web server through a proxy site, so its traffic looks to a firewall like an ordinary browser session. Protective measures include turning off the invisible windows function in IE, but that could erode the performance of some IE operations.
6 August 2002 Information About Japanese Defense Agency Network Leaked
Fujitsu, the company that created a network for Japan's Defense Agency, says information about the network may have been leaked to outsiders. In June, a group of men attempted to extort money from the company for the return of network diagrams and other information useful to hackers. Fujitsu says outsiders could not have broken into the network because it is not connected to the Internet.
[Editor's Note (Ranum): I think that saying a network can't be broken into because it is not connected to the Internet shows an amazing level of naiveté. ]
6 August 2002 Indonesian Student Charged with Using Stolen Credit Card On Line
A 22-year-old Indonesian university student was arrested after he used stolen credit card numbers, which he got from the Internet, to purchase $365.93 worth of motorcycle accessories on line. He faces charges that carry maximum prison sentences of a total of eleven years.
6 August 2002 Warning of Impending Cyber Attacks Doesn't Play Out
Despite a warning from the National Infrastructure Protection Center (NIPC) of imminent cyber attacks on US web sites and ISPs (Internet Service Providers), nothing out of the ordinary occurred.
5 & 6 August 2002 400 Laptops Missing at DoJ
An investigation conducted by the Office of the Inspector General of the Department of Justice revealed that the department has lost track of 400 laptop computers, some of which may contain sensitive law enforcement or national security information. The investigation also showed that close to 800 weapons were unaccounted for. It has been nearly ten years since the FBI's last complete inventory of laptops and weapons; the FBI is responsible for 371 of the missing laptops. Recommendations include using bar codes and scanning devices, implementing more stringent requirements for reporting lost laptops, and revising the guidelines that govern recovering property from former employees.
5 August 2002 Former DEA Agent Pleads Guilty in Data Selling Case
Former US Drug Enforcement Administration Agent Emilio Calatayud has pleaded guilty to selling DEA information to LA private investigation firms. In a plea agreement, Calatayud admitted to stealing the data from federal databases including the FBI's National Crime Information Center (NCIC) and the California Law Enforcement Telecommunications System (CLETS); he received more than $22,000 in exchange for the information. Calatayud faces between one and two years in custody for his crimes.
[Editor's Note (Ranum): A violation of the public trust in the US: 1-2 years. A $360 stolen credit card transaction in Indonesia: up to 11 years. No wonder we have so many problems like this. ]
5 August 2002 Japanese Mandatory ID System Irks Privacy Advocates
Japan has instituted a mandatory ID program called "Juki Net" that assigns citizens an 11-digit identification number and links municipal computer systems. The database will store citizens' names, genders, addresses, dates of birth and ID numbers. Critics say the system violates privacy and presents opportunities for hackers to access personal data. Some municipalities are refusing to join the system; others are making participation optional, though the government says non-participation is illegal. Abuse of the system carries a maximum sentence of two years in prison and an $8,300 fine.
7 August 2002 Japanese ID System Exposes Personal Data
Two days after the launch of Juki Net, the new Japanese computerized ID network sent letters containing the personal information of more than 2500 people to the wrong households.
SECURITY TRAINING NEWS
15 August 2002 Gold Standard Training for Securing Windows 2000
Training using the new consensus standards and free testing tools got top ratings in both Melbourne, Australia and Washington, DC. 38 additional cities are now scheduled for this one-day, hands-on training. For locations:
12 July 2002
The US Navy, Army, Air Force, Marines and Coast Guard have announced they will each run their Information Assurance Leadership Conferences immediately after SANS Network Security 2002 in October, so attendees may also attend courses of their choice. The event also hosts the largest exposition of advanced security tools and services.