SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IV - Issue #41
October 09, 2002
TOP OF THE NEWS - FOCUSING ON VULNERABILITY REMEDIATION AND THREATS
7 October 2002 Feds, SANS, and Vendors Announce New Top 20 Vulnerabilities Plus Testing Tools
4 October 2002 Slapper Variants On the Loose
4 October 2002 Upgrades Available for Apache Vulnerabilities
3 October 2002 Microsoft Issues Bulletins for Bevy of Flaws in Windows, SQL
2 & 4 October 2002 Bugbear Worm Spreading
2 October 2002 Bugbear Infection Account
THE REST OF THE WEEK'S NEWS
7 October 2002 IP, DNS and BGP Security
4 & 5 October 2002 Russian Hacker Sentenced
4 October 2002 P2P Security Advice
2 & 4 October 2002 Opaserv Worm
4 October 2002 State Dept. Site Defaced
3 & 4 October 2002 GAO Report Outlines Satellite Vulnerabilities
2 & 3 October 2002 Quantum Cryptography Advances
3 October 2002 CIS Benchmark Tools Available To Federal Agencies
3 October 2002 Hong Kong Online Paper Suffers Redirect Attack
3 October 2002 Man Pleads Guilty to Identity Fraud
3 October 2002 FedCIRC Offers Free Dissemination Patch Service
2 October 2002 N.C. CIO Consolidating Servers
2 October 2002 California State Government Server Breached
2 October 2002 CD-ROMs for UN Inspectors Contained Viruses
2 October 2002 Word Flaw Allows File Stealing
1 & 2 October 2002 DoD Continues Wireless Moratorium
1 October 2002 Klez Tops Lists for September
1 October 2002 What Does a FIPS Encryption Compliance Seal Mean?
30 September 2002 Virus Masquerades As Microsoft Patch
30 September 2002 Security Contractor Certification
12 September 2002 CIO Survey Shows 7-8% of IT Budget Goes to Security
SECURITY TRAINING NEWS
* Network Security 2002 in Washington DC, October 18-25
* SANS Cyber Defense Initiative in San Francisco - Dec. 15-20
Advanced security training in fifteen additional cities
TOP OF THE NEWS
7 October 2002 Feds, SANS Announce New Top 20 Vulnerabilities; Vendors Release Testing Tools
The US General Services Administration, the FBI's National Infrastructure Protection Center and SANS announced a new set of the twenty most commonly exploited vulnerabilities on Windows and UNIX systems. ISS, Foundstone, and Qualys simultaneously announced upgrades to their scanning products and services that specifically test for the Top 20. The Top 20 list and remediation techniques:
[Editor's note (Paller) on vulnerability remediation: An initiative is being launched to teach consumers not to share their credit card information with organizations that have not fixed at least all of the Top 20 - because their credit card information will be at extreme risk. Similarly, businesses will be encouraged to require B2B partners to prove that they have, at a minimum, eliminated the Top 20 on their systems, because otherwise they will be creating an easy path for hackers. The tools and services that scan your systems may be found at
4 October 2002 Slapper Variants On the Loose
At least four variants of the Slapper worm are presently circulating on the Internet, attacking Linux systems using an unpatched version of OpenSSL in the Apache web server software. A variant called "Mighty" has infected a number of machines, allowing them to be remotely controlled through certain IRC channels. The worm could be used to steal or corrupt data or to launch distributed denial of service (DDoS) attacks.
[Editor's Note (Paller): 339 Slapper-infected Linux machines launched a DDoS attack on a US government agency on Friday and Saturday, flooding it with more than 1,000,000 packets per second and taking its web presence down for more than 24 hours. Many more such attacks, and much larger attacks, could be launched at any time. The Internet Storm Center (ISC) analysis at www.incidents.org will give you a genealogy of the worm and what to do to protect your systems. Readers who want fewer technical details will find a page compiled by the folks at F-Secure to be an excellent resource:
4 October 2002 Upgrades Available for Apache Vulnerabilities
Apache users are encouraged to update their software to new versions (1.3.27 or 2.0.43) that fix a number of security vulnerabilities.
3 October 2002 Microsoft Issues Bulletins for Bevy of Flaws in Windows, SQL
A critical security flaw in Microsoft Windows' HTML-based help function could be exploited in a buffer overflow attack. The flaw could be exploited by a web site or by HTML e-mail. The flaw affects Windows 98, Me, NT 4.0, 2000 and XP. Users who have installed the Outlook E-mail Security Update are protected, as are users of Outlook Express 6 and Outlook 2002; users of Internet Explorer 5.01, 5.5 and 6.0 can install a patch which also addresses two additional Help flaws. Microsoft also released a cumulative patch for SQL Server and SQL Server 2000 that addresses four vulnerabilities, including two buffer overflow flaws.
2 & 4 October 2002 Bugbear Worm Spreading
Spreading rapidly, and evading detection by appending multiple extensions to the attachment that carries the worm, Bugbear shuts down security software, installs a keystroke logger, mass mails itself and copies itself onto network shared directories. It also opens a backdoor on successfully infected machines. Bugbear does not carry a destructive payload; it appears to be designed to steal credit card and banking account numbers and other sensitive data.
[Editor's Note (Paller): This insight comes from Righard Zwienenberg, Senior Virus Analyst, Norman Data Defense Systems in the Netherlands. Bugbear is spreading particularly fast in Europe because it picks a random email subject from the victim's in-box to use as the subject when it is sent to other people. That means that the email subject is often in the local language - and not in English. Europeans appear to be more trusting of emails with subjects in their own languages. ]
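The item above notes that Bugbear hides its executable attachment behind multiple extensions. The following mail-gateway check is an added example, not code from SANS or from any product named in the newsletter; the set of executable extensions and the sample attachment names are assumptions, since the newsletter does not list the ones Bugbear used.

```python
from typing import List, Tuple

# Assumed set of extensions a Windows mail client will execute when the
# attachment is opened; the newsletter does not say which ones Bugbear used.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "vbs", "js"}

# Constructed sample attachment names, not captured from real Bugbear mail.
SAMPLE_ATTACHMENTS = [
    "Q3_report.doc",
    "invoice.doc.scr",
    "setup.exe",
    "photo.jpg.pif",
    "minutes.pdf",
]


def attachment_extensions(filename: str) -> List[str]:
    """Return every dotted suffix, lower-cased: 'a.doc.scr' -> ['doc', 'scr']."""
    parts = filename.strip().lower().split(".")
    return [p.strip() for p in parts[1:]] if len(parts) > 1 else []


def classify_attachment(filename: str) -> Tuple[bool, str]:
    """Flag a name whose final extension is executable.

    The reason string notes when that extension sits behind a harmless-looking
    one, which is the disguise the Bugbear item describes.
    """
    exts = attachment_extensions(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return (False, "not executable")
    if len(exts) > 1:
        return (True, "executable %s disguised as %s" % (exts[-1], exts[-2]))
    return (True, "executable %s" % exts[-1])


def scan_attachments(names: List[str]) -> List[Tuple[str, str]]:
    """Return (filename, reason) for every flagged attachment, in input order."""
    flagged = []
    for name in names:
        bad, reason = classify_attachment(name)
        if bad:
            flagged.append((name, reason))
    return flagged


if __name__ == "__main__":
    for name, reason in scan_attachments(SAMPLE_ATTACHMENTS):
        print("QUARANTINE %s: %s" % (name, reason))
```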
2 October 2002 Bugbear Infection Account
The manager of an Australian business hit by the Bugbear virus says it arrived in an e-mail that didn't appear to have an attachment. The company knew something was wrong when the printers began spewing reams of paper with odd characters and business associates began calling the company saying they'd received odd e-mail messages from them.
THE REST OF THE WEEK'S NEWS
7 October 2002 IP, DNS and BGP Security
The National Strategy to Secure Cyberspace acknowledges that the Internet Protocol (IP), Domain Name System (DNS) and Border Gateway Protocol (BGP) components of the Internet all lack communication authentication mechanisms. The available fixes are too costly and complex to install for the majority of ISPs. Some say that even if the security problems in these components are addressed, the infrastructure of the Internet still has other vulnerabilities.
4 & 5 October 2002 Russian Hacker Sentenced
Vasily Gorshkov, one of the Russian hackers who was lured to the US by the FBI under the pretense of a job offer at a fictional company, was sentenced to three years in federal prison. He was also ordered to pay $690,000 in restitution. Gorshkov and his accomplice, Alexey Ivanov, were convicted of stealing credit card numbers from computers. The FBI used keystroke logging software to obtain the passwords to the pair's computers in Russia that contained incriminating evidence.
The special agents involved in the case received the FBI Director's Award for Outstanding Criminal Investigation.
4 October 2002 P2P Security Advice
Peer-to-peer (P2P) file sharing programs can be the source of serious security breaches; users searching for available files were able to access a list of salaries of top executives at a Texas company and the Aspen, Colorado police department's computer passwords, to name but two instances. Users of P2P programs would be well advised to educate themselves about the default settings of the programs and pay careful attention to which folders they designate available for sharing. They should also let IT people at their work know if they're installing this type of program on company computers. Companies should implement acceptable use policies and install traffic content monitors.
[Editor's Note (Murray): Enterprises should be using a restrictive, rather than a permissive, policy. Restrictive policies are proactive rather than reactive. (Shpantzer) The IT department of a major East coast university doing battle with the new version of Kazaa says it is "extremely adaptive." It is programmed to circumvent bandwidth shaping tools used by network operations staff. This has resulted in a doubling of network traffic, and network latency to the nearest ISP has increased 200 times! Aside from the difficult technical issues, there are many unresolved legal issues associated with the use of these applications to facilitate the distribution of copyrighted material, not to mention other illegal material such as child pornography. Civil suits from the music industry and law enforcement raids on your facility are not good for productivity or reputation. ]
2 & 4 October 2002 Opaserv Worm
The Opasoft or Opaserv worm spreads through local area networks (LANs). It is designed to gain remote control of infected machines; it tries to download information from a website that has now been taken down by the webmaster.
[Editors' Note: Unless required, file and printer sharing should be turned off. ]
4 October 2002 State Dept. Site Defaced
Russian hackers defaced a State Department web site last week, according to Department officials. www.usinfo.state.gov was down briefly but was back on line as of Friday afternoon.
3 & 4 October 2002 GAO Report Outlines Satellite Vulnerabilities
A report from the General Accounting Office (GAO) warns that commercial satellites, which are used by some federal agencies, may be susceptible to hackers. On some, tracking and control uplinks are not encrypted. The new cyber security plan does not address satellite security. The report recommends changing federal policy regarding satellite security to cover commercial satellites instead of just government owned systems.
2 & 3 October 2002 Quantum Cryptography Advances
Researchers in the UK and Germany have made large strides in the development of quantum cryptography; they were able to send a cryptographic key by means of a beam of low intensity light 14 miles between two mountains in Germany. Unlike electronically sent keys, if these quantum keys are intercepted, it is readily apparent to the key's recipient. The technology still needs more work before it is feasible for use across the globe.
3 October 2002 CIS Benchmark Tools Available To Federal Agencies
Federal agencies are now free to use and distribute the Center for Internet Security's (CIS) security configuration testing tools, available at www.cisecurity.org/federalcisusers. The tools measure system security against benchmarks for Windows, Linux, AIX, Solaris, Cisco and other operating systems.
3 October 2002 Hong Kong Online Paper Suffers Redirect Attack
People in mainland China trying to read Mingpao.com, an independent Hong Kong-based online newspaper, found themselves redirected to a site containing information about the Falun Gong movement, which is banned in China. A Falun Gong spokesman in Hong Kong, where the practice is not banned, denied responsibility for the cyber attack.
3 October 2002 Man Pleads Guilty to Identity Fraud
Abraham Abdallah pleaded guilty to attempting to steal the identities of wealthy Americans and steal money from their bank accounts.
3 October 2002 FedCIRC Offers Free Patch Dissemination Service
Government agencies soon will be able to subscribe to a free patch dissemination service from the General Services Administration's (GSA) Federal Computer Incident Response Center (FedCIRC). The service will also provide information on keeping systems safe from exploits until patches are developed for known vulnerabilities and will test patches before they are delivered to subscribers. There is not yet any provision for agencies to report back that the appropriate patches have been installed.
2 October 2002 N.C. CIO Consolidating Servers
North Carolina's CIO has begun to consolidate government servers by up to 60% in an effort to improve state cyber security and reduce costs.
[Editor's Note (Murray): While most enterprises can benefit from some server consolidation, this strategy has clear limitations. One would not want to consolidate all of one's services on one server and then run that server on a vulnerable operating system. (Paller) Good point, Bill. But the combined imperatives of security and budget pressure will lead to consolidation, anyway. One possible solution is for states to buy the consolidation service and systems only from vendors that can prove they can install and maintain systems with secure configurations and with strong perimeter protection. ]
2 October 2002 California State Government Server Breached
California state agencies were warned that a state server nicknamed Godzilla suffered security breaches; officials asked people at the agencies to check the security of their computer systems. It does not appear that any data on the machine was stolen.
[Editor's Note (Schultz): Something like this happened to the state of California not too long ago, and a spokesperson made it clear that the state would not accept any responsibility for what happened. I wonder if the same kind of evasion of responsibility will surface again, or whether management will accept responsibility and make changes that will lessen the likelihood of this kind of incident occurring again. ]
2 October 2002 CD-ROMs for UN Inspectors Contained Viruses
UN inspectors in Vienna were given four CD-ROMs of reports from an Iraqi official; the disks also contained computer viruses. The viruses were fairly common, leading to speculation that their appearance on the disks was not intentional, but the result of inadequate antivirus software. American companies are prohibited from exporting their products to Iraq under the current US embargo.
2 October 2002 Word Flaw Allows File Stealing
A vulnerability in the field code feature of Microsoft Word could allow an attacker to steal files from hard drives. All versions of Word from 97 onward, running on Windows operating systems from Windows 95 onward, are vulnerable to the exploit. The attacker needs to know the names of the files and the full file path to steal them. An attacker would send a target a document containing specially crafted field code; when the recipient sends the document back to the sender, the targeted files tag along. The article also includes ways to mitigate the possibility of getting stung by the exploit; Microsoft plans to issue patches for Word 2000 and XP but not for earlier versions.
1 & 2 October 2002 DoD Continues Wireless Moratorium
The Defense Department (DoD) has extended a moratorium on wireless devices in and around the Pentagon until wireless network security vulnerabilities are adequately assessed. The DoD has asked the National Security Agency (NSA) to develop a database to help with the assessment. In addition, DoD employees are forbidden from using wireless devices like phones and PDAs to access classified data or to communicate about mission-critical operations.
1 October 2002 Klez Tops Lists for September
The Klez-H worm was found most frequently on the September virus lists at both Sophos and MessageLabs. Bugbear is likely to make the top ten list in October. Klez-E tops September's list at Central Command, and Kaspersky Labs places Klez at the top of its list as well, with more than 70% of "registered instances."
1 October 2002 What Does a FIPS Encryption Compliance Seal Mean?
Six information technology labs across the country can issue the governmental FIPS (Federal Information Processing Standard) compliance seal for encryption products. Companies wishing to sell their products to the government must hold a FIPS-2 rating. While some experts see the certification as an assurance that "someone with a moderate degree of skill has looked over the design" of the products, others view the seal as nothing more than "a marketing tool." The certification process can take from four to ten weeks and costs between $20,000 and $40,000.
[Editor's Note (Murray): There is an infinity of ways to implement cryptography, most of them wrong. Anyone who wants to widely deploy a crypto product will want it evaluated by a third party. Keep in mind that the certification speaks to the implementation of the crypto and gives no assurance that the code does not introduce other problems. The recent problem with OpenSSL is a case where a crypto implementation introduces a vulnerability, exploited by the Slapper worm, that would not have been there without it. ]
30 September 2002 Virus Masquerades As Microsoft Patch
A virus is circulating on the Internet in the guise of a Microsoft security patch. The virus is in an .exe attachment, which the text of the e-mail advises users to run.
[Editor's Note (Shpantzer): User awareness training should include knowledge of tactics that coax people into getting infected with malicious code. Since this is not the first virus that uses this trick, "Microsoft does not email patches" could be a part of that training. ]
30 September 2002 Security Contractor Certification
According to the National Strategy to Secure Cyberspace, the Bush administration is planning to look into the possibility of requiring computer security contractors to be certified by the government. Critics of this plan say the cost may keep smaller companies, which often have the most capable employees, from obtaining certification. They also point out that certifying a company is meaningless if its best employees leave; individual certification would be more meaningful.
[Editor's Note (Schultz): I agree with the critics. Certifying individuals is the only viable plan. Certifying security contractor organizations would not only prove nebulous, but it would also deteriorate into an exercise of political gamesmanship. ]
12 September 2002 CIO Survey Shows 7-8% of IT Budget Goes to Security
According to a CIO magazine survey of 279 IT executives, companies spend an average of 7-8% of their IT budgets on security. Investment in IT security staff correlated with decreased security breaches and increased understanding among company officers regarding the need to spend money on security. Sixty-three percent of the survey respondents believe they should spend more on security, especially on technology, education and dedicated security staff.