SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #14
April 09, 2003
Free Resources from the "Audit and Security Controls that Work" Conference
Co-chairs Michele Guel from Cisco and Gene Kim from Tripwire did a
wonderful job on this conference, and the participants contributed more
than papers: they also shared the most effective control tools they
had created (like a tool for documenting risks for Gramm-Leach-Bliley
compliance). If you missed the conference, take a look at the summary
of presentations and download the presentations and whitepapers that
look interesting: http://www.sans.org/rr/audittech/
TOP OF THE NEWS
Web Site That Was to Post Local Election Results Crashes After Virus Attack
SETI@home Software Vulnerabilities
ISS Study Shows Security Incidents Increased Significantly in First Quarter of 2003
Apache HTTP Server Vulnerability
Study Says Incident Recovery in 2002 Takes Longer and Costs More than in 2001
THE REST OF THE WEEK'S NEWS
Nevada Hospital System Hack Traced to Russia
RIAA Files Piracy Suits Against Four Students
Texas Teen to be Arraigned on Charges of Alleged Yale Computer Systems Hacks
Agencies Not Addressing Security Concerns, Says GAO Report
Unauthorized WLAN Connections Used to Send Spam
WebDAV Protocol Still Widely Enabled
Vulnerabilities in Two Digital Media Players
Navigating IT Security Decision Making
Johansen Appeal Hearing Date Set for December
Georgia Tech Server Security Breached
Al-Jazeera Web Site Bolsters Security
Danish Firm Critical of BugTraq Practices; Starts New Vulnerability Mailing List
Klez is Still a Menace
System Log Analysis Can be Fruitful
California State University Implements Interim Security Measures
OMB Provides Federal Agencies with Compliance Oversight
************************* Sponsored by GuardedNet *********************
Weighed Down by Security Data?
With GuardedNet's neuSECURE(tm), you can transform mountains of raw
security data into what you really need - knowledge to manage your
security environment. neuSECURE is a central monitoring system for
log aggregation, event correlation, threat analysis, response and
forensics of events from firewalls, IDS', hosts and routers.
Sign up to receive a free white paper on improving the relevancy of
your raw security data at http://www.guarded.net/logdataoverload.html
TOP OF THE NEWS
Web Site That Was to Post Local Election Results Crashes After Virus Attack (7 April 2003)
A web site designed to tally and publish the results of a local election in Will County, Illinois was unable to perform as expected because it was deluged with phony requests. The Will County Director of Information Systems has informed the FBI.
[Editor's Note (Schultz): Although this news item might superficially appear to not be all that important, it is really quite significant. There is considerable apprehension concerning computerized voting systems, and incidents such as this one will only increase the level of concern. ]
SETI@home Software Vulnerabilities (7 April 2003)
The SETI@home distributed computing project is encouraging users to download the latest version of its software, which addresses buffer overflow and information-leaking vulnerabilities in earlier versions. The SETI project allows users to donate processing time to search for extraterrestrials.
ISS Study Shows Security Incidents Increased Significantly in First Quarter of 2003 (3/4/7 April 2003)
A report from Internet Security Systems (ISS) says that the number of security incidents reported in the first quarter of 2003 was almost 84% higher than the number reported in the last quarter of 2002. According to the report, the significant change is due to the increase in worms and automated attack software such as Slammer. The data were collected from about 400 ISS clients around the world. The rise in incidents could be attributed in part to attackers turning more often to databases as targets; database administrators are often reluctant to install patches until they have been tested in a production environment.
Apache HTTP Server Vulnerability (2/3 April 2003)
The Apache Software Foundation issued an advisory urging all users of Apache 2.0 HTTP Server to upgrade to version 2.0.45, which addresses a denial-of-service vulnerability in 2.0.44. The flaw affects all operating systems, and the upgrade still does not address the vulnerability on OS/2. Details of the vulnerability will be released on April 8.
Study Says Incident Recovery in 2002 Takes Longer and Costs More than in 2001 (31 March 2003)
A survey from ICSA Labs found that it took companies longer and cost them more to recover from cyber disasters in 2002 than in 2001. The companies surveyed had more than 500 PCs. Disasters, which were defined as attacks on 25 or more PCs, cost companies an average of £52,000 (approximately $80,000) in 2002, up from £45,000 (approximately $70,000) in 2001. The average recovery time grew from 20 days in 2001 to 23 days in 2002. The survey also found that, rather than suffering one major attack, companies are more likely to sustain a series of smaller attacks.
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) PREVENT INTRUSIONS FOR GOOD. Identify attackers. Block them with
countermeasures! FREE WP. http://www.sans.org/cgi-bin/sanspromo/NB155
(2) ALERT: How a Hacker Launches a SQL Injection Attack Step-by-Step- White
(3) Instantly stop DDoS attacks and port scans. Hands-on, online demo
and mitigate live attacks. http://www.sans.org/cgi-bin/sanspromo/NB157
THE REST OF THE WEEK'S NEWS
Nevada Hospital System Hack Traced to Russia (7 April 2003)
The security of a small Nevada hospital's computer system was breached by a hacker who has been traced back to Russia. The hacker routed the attack through the al-Jazeera web site to make it look as if the attack came from the Middle East. The hacker may have accessed employees' social security numbers and bank account information. A Trojan horse program embedded in a game some employees had downloaded gave the attackers access. The hospital's payroll system has been removed from the network, and employees have been instructed never to install software or sign on to streaming Internet services.
[Editor's Note (Schultz): Employees installing software or signing on to streaming Internet services may have been a problem, but I wonder whether the hospital's failing to set requirements for and failing to enforce a baseline level of security may have had a lot to do with what happened here. ]
RIAA Files Piracy Suits Against Four Students (4/5 April 2003)
The Recording Industry Association of America (RIAA) has filed suits against four students at three universities across the country. The suits allege that the students set up file sharing networks on their university computer systems, and ask for permanent injunctions to shut down those sites as well as a fine of $150,000 per copyright infringement. The RIAA said the suits would not be dropped if the students shut down the sites themselves. The music industry blames Internet music piracy for declining revenues.
Texas Teen to be Arraigned on Charges of Alleged Yale Computer Systems Hacks (3/4 April 2003)
A Texas teenager will be arraigned on six counts of computer crimes in connection with alleged intrusions into computer systems at Yale University. Jason Jarrell allegedly broke into the university's computer systems from his home, created user accounts, installed software to gather passwords and gained root access to a number of computers. Damages were estimated to be at least $150,000. The Connecticut Computer Crimes Task Force was able to track Jarrell down through his ISP because he allegedly had connected to the Internet by dialing from his home phone.
Agencies Not Addressing Security Concerns, Says GAO Report (2/3 April 2003)
According to a recently released General Accounting Office (GAO) report, several government offices have failed to comply with all the requirements of Presidential Decision Directive 63. Specifically, the Environmental Protection Agency, the Department of Health and Human Services, and the Energy and Commerce Departments have not adequately assessed their computers and networks to determine which require the most protection.
Unauthorized WLAN Connections Used to Send Spam (2 April 2003)
Data gathered from a wireless LAN (WLAN) honeypot showed that nearly 75% of the intentional unauthorized connections made were used to send spam.
WebDAV Protocol Still Widely Enabled (2 April 2003)
A Netcraft survey found that 75% of polled web servers running Microsoft's Internet Information Services (IIS) 5.0 have WebDAV enabled, making them potentially vulnerable to the buffer overflow attack announced in a Microsoft security bulletin (MS03-007) in March.
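The quickest way to find out whether your own IIS 5.0 servers are among that 75% is to send an OPTIONS request and read the reply: a server with WebDAV enabled advertises it through the "DAV" and "MS-Author-Via" headers and by listing PROPFIND, MKCOL and the other WebDAV methods in "Allow" and "Public". The script below is an added example written for this issue, not part of the Netcraft survey or of Microsoft's bulletin. The two responses it parses are constructed to look like IIS 5.0 replies, and the host name in probe() is an assumption.

```python
"""Detect WebDAV support from an HTTP OPTIONS response.

Added example for this NewsBites issue. The sample responses below are
constructed, not captured from a real server.
"""
import http.client
from typing import Dict, List, Tuple

# Constructed reply from an IIS 5.0 server with WebDAV enabled. Three
# independent tells: the DAV header, MS-Author-Via: DAV, and the WebDAV
# methods in the Allow/Public lists.
DAV_ENABLED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Wed, 02 Apr 2003 10:00:00 GMT\r\n"
    "MS-Author-Via: DAV\r\n"
    "DAV: 1, 2\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
    "MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
    "MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed reply from the same server class with WebDAV turned off.
DAV_DISABLED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Methods that only exist when the WebDAV extension is answering.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}


def parse_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP response into its status line and a lower-cased
    header dictionary (the body, if any, is ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def webdav_indicators(headers: Dict[str, str]) -> Dict[str, object]:
    """Report each WebDAV tell separately so the operator can see why a
    server was flagged rather than just a yes/no."""
    methods = set()
    for name in ("allow", "public"):
        methods |= {m.strip().upper()
                    for m in headers.get(name, "").split(",") if m.strip()}
    return {
        "dav_header": "dav" in headers,
        "ms_author_via": "dav" in headers.get("ms-author-via", "").lower(),
        "dav_methods": sorted(methods & WEBDAV_METHODS),
    }


def webdav_enabled(raw_response: str) -> bool:
    """True if any indicator says WebDAV is answering on this server."""
    _, headers = parse_headers(raw_response)
    ind = webdav_indicators(headers)
    return bool(ind["dav_header"] or ind["ms_author_via"] or ind["dav_methods"])


def probe(host: str, port: int = 80, timeout: float = 5.0):
    """Send a live OPTIONS / request and return (Server header, indicators).
    Not exercised offline; 'host' is whatever server you are checking."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", "/")
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()
    return headers.get("server", ""), webdav_indicators(headers)


if __name__ == "__main__":
    for label, sample in (("enabled", DAV_ENABLED_RESPONSE),
                          ("disabled", DAV_DISABLED_RESPONSE)):
        print(label, webdav_enabled(sample),
              webdav_indicators(parse_headers(sample)[1]))
```

A positive result means the protocol is reachable, not that the server is unpatched: the check tells you where to apply the bulletin's patch or, where WebDAV is not needed, Microsoft's documented workaround of disabling it in the registry (the DisableWebDAV value under the W3SVC Parameters key) and restarting IIS. Re-run the probe afterwards to confirm the DAV headers and methods have gone.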
Vulnerabilities in Two Digital Media Players (2/4 April 2003)
A heap corruption vulnerability in RealNetworks' RealPlayer could allow the execution of malicious code; the vulnerability is caused by the use of an older data-compression library in the RealPix component and could be exploited by creating a corrupted Portable Network Graphics (PNG) file. RealNetworks has released an updated version of the data-compression library. An unrelated vulnerability was reported in Apple Computer's QuickTime Player; a buffer overflow could be exploited by getting a user to click on a specially crafted URL, which would then inject and run code, potentially giving the attacker control of the system. The vulnerability affects versions 5.x and 6.0; version 6.1, in which the vulnerability is addressed, is available for download.
Navigating IT Security Decision Making (2 April 2003)
Advice for companies maneuvering through the process of implementing IT security includes ignoring vendors' hype, becoming educated about actual risks and building up security in layers, starting with the fundamentals.
Johansen Appeal Hearing Date Set for December (2 April 2003)
Jon Johansen, the Norwegian teenager who in January was acquitted of DVD piracy charges stemming from his involvement in creating and distributing the DeCSS descrambling utility, will be in court again in December for an appeal hearing. Johansen's attorney is confident that his client will prevail against the appeal, which was brought by Norway's special division for white-collar crimes, Økokrim.
Georgia Tech Server Security Breached (28 March/1 April 2003)
The Georgia Institute of Technology recently discovered that intruders accessed one of its servers a number of times in the last two months; among the data stolen were the names, addresses and some credit card numbers of about 57,000 patrons of the university's Ferst Center for the Arts. School officials have e-mailed those affected by the breach. The server was not protected by a firewall. The Georgia Bureau of Investigation and the FBI are investigating.
Al-Jazeera Web Site Bolsters Security (1 April 2003)
Al-Jazeera's newsroom coordinator is hopeful that the website will soon be up and running normally. Security barriers have been added to the website, which has recently been targeted by denial-of-service (DoS) and redirect attacks.
Danish Firm Critical of BugTraq Practices; Starts New Vulnerability Mailing List (26 March/1 April 2003)
Danish security company Secunia Ltd. has started a new vulnerability mailing list meant to take the place of BugTraq, whose operators Secunia claims "delay and partially censor the information" in order to give their customers advance notification. Symantec, which last year acquired SecurityFocus, the outfit that owns BugTraq, denies the allegations.
Klez is Still a Menace (31 March 2003)
Klez topped the list of Sophos' most reported viruses in March of this year, indicating that there are numerous machines on which anti-virus signatures have not been updated for more than a year. This marks the fourteenth month in a row that Klez has appeared in the top ten.
System Log Analysis Can be Fruitful (31 March 2003)
Analysis of Windows system logs can provide good information about what has been happening on your network, but you have to know what a log entry for a legitimate event looks like in order to spot the entries that indicate malicious activity. There are also types of malware that do not show up in the logs; it would be wise to examine the win.ini and system.ini files for unexpected executables, and to examine the registry for unexpected .exe or .dll files.
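The same "know what legitimate looks like" rule applies to those startup locations: the useful check is not "is anything there?" but "is anything there that was not on the clean build?". The script below is an added example written for this issue, not code from the article or from Microsoft. It parses the load= and run= lines of win.ini, the shell= line of system.ini, and a .reg export of the Run keys, then reports every executable or DLL that is not in a recorded baseline. All three sample files and the baseline are constructed; on a real system you would export the keys with regedit (or read them with the winreg module) and record the baseline from a machine you trust.

```python
"""Flag executables in Windows startup locations that are not in a baseline.

Added example for this NewsBites issue. SAMPLE_* contents and BASELINE
are constructed for illustration, not taken from a real machine.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed win.ini: 'load=' and 'run=' in [windows] start programs
# at logon on Windows 9x/NT-era systems. The 'svch0st' here is a typical
# look-alike name and is invented for the sample.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\svch0st.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

# Constructed system.ini: 'shell=' in [boot] names the desktop shell;
# anything appended after explorer.exe is started as well.
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe C:\\WINDOWS\\TEMP\\kernel32.dll
drivers=mmsystem.dll
[386Enh]
device=*vmm32
"""

# Constructed .reg export (regedit format) of the per-machine Run key.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"WinUpd"="C:\\WINDOWS\\SYSTEM\\svch0st.exe /s"
"""

# Assumed baseline recorded from a clean build of the same image.
BASELINE: Dict[str, Set[str]] = {
    "win.ini": set(),
    "system.ini": {"explorer.exe"},
    "registry": {"systray.exe", "rundll32.exe", "powrprof.dll"},
}

_INI_KEY = re.compile(r"^\s*([^;=\s][^=]*?)\s*=\s*(.*?)\s*$")
_REG_VALUE = re.compile(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"$')
# Bare file names with an executable-ish extension, wherever they sit in
# a command line (covers rundll32.exe foo.dll,Entry and quoted paths).
_EXE = re.compile(r'([^\\/"\s,]+\.(?:exe|dll|com|scr|pif|bat|vbs))\b', re.I)


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .ini parser: {section: {key: value}}, names lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
            continue
        m = _INI_KEY.match(line)
        if m and current is not None:
            sections[current][m.group(1).lower()] = m.group(2)
    return sections


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse string values from a regedit export: {key path: {name: value}}.
    hex:/dword: values are skipped; only REG_SZ strings can launch things."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _REG_VALUE.match(line)
        if m and current is not None:
            # .reg files escape backslash and quote with a backslash.
            keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys


def executables_in(command: str) -> List[str]:
    """Lower-cased base names of every executable/DLL in a command line."""
    return [name.lower() for name in _EXE.findall(command)]


def audit(win_ini: str, system_ini: str, reg_export: str,
          baseline: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (source, location, executable) for every file not in baseline."""
    findings: List[Tuple[str, str, str]] = []
    windows = parse_ini(win_ini).get("windows", {})
    for key in ("load", "run"):
        for exe in executables_in(windows.get(key, "")):
            if exe not in baseline["win.ini"]:
                findings.append(("win.ini", f"[windows] {key}=", exe))
    boot = parse_ini(system_ini).get("boot", {})
    for exe in executables_in(boot.get("shell", "")):
        if exe not in baseline["system.ini"]:
            findings.append(("system.ini", "[boot] shell=", exe))
    for key, values in parse_reg_export(reg_export).items():
        if not key.lower().endswith(("\\run", "\\runonce")):
            continue
        for name, command in values.items():
            for exe in executables_in(command):
                if exe not in baseline["registry"]:
                    findings.append(("registry", f"{key} {name}", exe))
    return findings


if __name__ == "__main__":
    for source, where, exe in audit(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI,
                                    SAMPLE_REG_EXPORT, BASELINE):
        print(f"UNEXPECTED {exe} in {source}: {where}")
```

Two design points carry over from the article's advice. First, the baseline is the whole check: without it, rundll32.exe and powrprof.dll in the sample would look just as suspicious as the invented svch0st.exe. Second, the scan matches on file name only, so it will not catch a legitimate name dropped into a wrong directory; for that, keep the full path in the baseline and compare paths, and hash the files if you need to detect replacement in place.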
California State University Implements Interim Security Measures (29 March 2003)
Following the results of an audit showing that California State University's new multi-million dollar computer system allowed unauthorized people to view students' personal information, the institution's chancellor announced an interim security measure while the school works with the software developer on a secure search feature. For now, university employees will have access to student social security numbers only if their jobs require it and if they have signed a confidentiality agreement.
OMB Provides Federal Agencies with Compliance Oversight (28 March 2003)
Federal agencies are subject to Office of Management and Budget (OMB) oversight to ensure they comply with the security requirements set by GISRA and FISMA. The private sector might benefit from a similar framework. Representative Sherwood Boehlert (R-N.Y.) is concerned about the low level of government spending on cyber security.
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editors: Bruce Schneier and Hal Pomeranz
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) visit https://portal.sans.org/preferences.php/
To update your address, visit http://www.sans.org/sansurl and enter
your SD number (from the header of this email.) You will receive your
personal URL via email.