Taken from SANS E-mail NewsBytes
The SANS Weekly Security News Overview
Volume 4, Number 21 May 22, 2002
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Eugene Schultz
SANS Alert! A Worm Is Attacking Microsoft SQL Server 7 Users
Microsoft shipped SQL Server 7 configured by default to run without an
administrator password. If you are running SQL Server
7, and are connected to the Internet, set an administrator password
right away to block the new worm. If the worm infects your system, it
will steal your account and password file, and force your machine to
scan for additional targets using as many as 100 threads. The attacker
can use the stolen account names and passwords to log back in and steal
other private data. Thousands of systems have already been taken over.
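The item above describes the worm's two observable behaviours: a blank administrator password as the way in, and a burst of outbound scanning for further targets as the symptom. As an added example (not from the newsletter), the script below shows the detection side: it reads firewall-style connection records and flags any internal host that opens connections to many distinct destinations on the SQL Server port within a short window. The log format is constructed for this example, and TCP/1433 is used as the port of interest because it is SQL Server's default listener port; the newsletter itself names no port.

```python
"""Flag hosts whose outbound connections look like SQL Server target scanning.

Added example, not from the SANS newsletter. Assumptions: the log line format
is constructed here, and TCP/1433 (SQL Server's default TCP port) is the port
the worm scans for, since the newsletter does not name one.
"""
import re
from datetime import datetime, timedelta

SQL_PORT = 1433              # assumption: SQL Server default listener port
FANOUT_THRESHOLD = 20        # distinct destinations per window before alerting
WINDOW = timedelta(seconds=60)

# Constructed format: "<iso-timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<proto>\w+)$"
)


def build_sample_log():
    """Constructed sample: normal traffic plus one host fanning out to 25 SQL hosts."""
    base = datetime(2002, 5, 21, 10, 0, 0)
    lines = []
    # Benign: an application server talking repeatedly to its single database.
    for i in range(30):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 -> 10.0.0.20:1433 tcp")
    # Suspicious: one host touches 25 distinct hosts on 1433 within 25 seconds.
    for i in range(25):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 -> 192.0.2.{i + 1}:1433 tcp")
    # Unrelated web traffic from the same host must not count.
    lines.append(f"{base.isoformat()} 10.0.0.5 -> 198.51.100.1:80 tcp")
    return lines


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"]))


def find_scanners(lines, port=SQL_PORT, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: peak_distinct_destinations} for every source that reached
    `threshold` distinct destinations on `port` inside some `window`."""
    by_src = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != port:
            continue
        ts, src, dst, _ = rec
        by_src.setdefault(src, []).append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()                      # chronological per source
        peak = 0
        for i, (start, _) in enumerate(events):
            # Distinct destinations in the window starting at this event.
            dsts = {d for t, d in events[i:] if t - start < window}
            peak = max(peak, len(dsts))
        if peak >= threshold:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    for src, n in find_scanners(build_sample_log()).items():
        print(f"ALERT {src}: {n} distinct SQL Server hosts within {WINDOW.seconds}s")
```

The fan-out count, rather than raw connection volume, is what separates a busy application server (many connections, one destination) from a scanning host (many destinations in seconds); the threshold and window are starting points to tune against your own baseline.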
Kudos to Congress
The Senate Commerce Committee has reported out a bill, unanimously,
that implements the only effective defense against worms like the
SQL Worm (above), Code Red and other mass attacks. Senate Bill
2182 requires government agencies to make sure their computers are
configured using best security practices appropriate for their use
(like having a password on every administrator account on SQL Server),
before the systems are connected to the Internet. The bill implements
for government the techniques used in-house by computer companies like
Microsoft and Sun Microsystems, and by many other large organizations
including most large banks. Extending the practice to all federal
systems and developing benchmarks agencies can use (and extend),
will be an enormous contribution to government Internet safety.
TOP OF THE NEWS
20 May 2002 Hackers' Club May Be Aiming to Launch Cyber Attack
17 May 2002 Second Sentencing in Piracy Ring
16 & 17 May 2002 Phony Fingerprints Fool Biometric Readers
16 May 2002 Facial Recognition Technology Not Highly Accurate
15, 16 & 17 May 2002 FBI Confiscates Deceptive Duo Equipment; One
Under House Arrest
THE REST OF THE WEEK'S NEWS
20 May 2002 Benjamin Virus Infects Kazaa Network
20 May 2002 Benjamin's Authors Defend Action
20 May 2002 State Dept. Sends Klez to Mailing List
13, 15 & 20 May 2002 Critical Infrastructure Protection Project
19 May 2002 Falun Gong TV Hackers Sentenced
17 May 2002 ID Thieves Stole Credit Reports Using Ford's Authorization
16 & 17 May 2002 Sustainable Computing Consortium
16 May 2002 Supermarket Tests Pay-by-Fingerprint System
16 May 2002 DISA Security Cameras on Unsecured WLAN
16 May 2002 DoD Must Purchase Only NIAP Certified Products
16 May 2002 JS.Fortnight Worm
15 & 16 May 2002 Microsoft Issues Patch for IE Vulnerabilities
16 May 2002 Media Player Vulnerability Also Addressed by Patch
16 & 17 May 2002 Researchers Say Microsoft Patch Doesn't Do Its Job
17 May 2002 Microsoft Says Patch May Illuminate New Vulnerability
15 May 2002 JDBGMGR.exe Hoax Has Some Basis in Fact
15 May 2002 Klez Information Site
17 May 2002 Klez Still Spreading
15 May 2002 Linux Defacements on the Rise
15 May 2002 Australia Budgets $25 Million for Cyber Security
14 May 2002 Border Security Bill Mandates Biometric Data in Visitors'
14 May 2002 Flowgo Pop-up Ad Leads to Surreptitious Downloads
14 May 2002 Phony Xbox Emulator Not a Trojan, Says Author
TOP OF THE NEWS
--20 May 2002 Hackers' Club May Be Aiming to Launch Cyber Attack
The Muslim Hackers Club website offers tutorials on viruses, hacking
and other sorts of cyber attacks. The FBI and the DIA believe the
group aims to develop software tools that can be used to launch cyber
attacks on Western targets.
--17 May 2002 Second Sentencing in Piracy Ring
John Sankus, Jr., the ringleader of the software piracy group known
as DrinkOrDie, was sentenced to 46 months in prison. Another member
of the group, Barry Erickson, received a 33-month sentence several
--16 & 17 May 2002 Phony Fingerprints Fool Biometric Readers
Fake fingerprints fashioned from gelatin were able to fool biometric
fingerprint readers 80% of the time, according to research performed
by Japanese researchers. The researchers also devised a way to create
fake fingerprints from fingerprints left on glass surfaces.
[Editor's (Ranum) Note: It is probably worth mentioning that under
$10 worth of stuff was needed to pull this off - no rocket science.
(Murray) This attack is a classic replay (or forgery) attack. Nothing
impressive about it. Replays are not unique to fingerprints.
Replays are a fundamental vulnerability of all biometrics. That is
why we insist upon strong authentication, that is, at least two forms
of evidence (something only one person has, knows, is, or can do) at
least one of which is implemented in such a way as to resist replay.
Those who continue to search for the perfect authenticator (easy
to use, can be reconciled at a distance, easy to enroll, cannot be
forgotten, lost, stolen or copied) are looking for magic.]
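Murray's point is that a credential which is the same bytes every time can be captured or forged once and presented forever, whereas a factor bound to a fresh server challenge cannot. The following is an added illustration of that principle, not code from the newsletter or from any biometric product: a static "template" check is accepted on replay, while a challenge-response factor (here a possession token computing an HMAC over a single-use nonce) rejects both the replayed pair and the old response against a new challenge. The template bytes, the device key and the protocol shape are all constructed for this example.

```python
"""Added example (not from the newsletter): why a static credential such as a
fingerprint template is replayable, and how a challenge-response factor resists
replay. The device key, nonce protocol and template bytes are constructed for
illustration and do not describe any real product."""
import hashlib
import hmac
import secrets

# --- Factor 1: a static, biometric-style credential --------------------------
# Constructed: stands for whatever bytes a reader emits after a scan. Anyone who
# captures or forges them (the gelatin finger) can present the same bytes again.
ENROLLED_TEMPLATE = b"constructed-fingerprint-template-of-alice"


def verify_static(presented: bytes) -> bool:
    """Static match: whoever holds the bytes is accepted, every time."""
    return hmac.compare_digest(presented, ENROLLED_TEMPLATE)


# --- Factor 2: possession token answering a single-use server challenge -------
class ChallengeServer:
    def __init__(self, device_key: bytes):
        self._key = device_key
        self._outstanding = set()        # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh, unpredictable per attempt
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        """Accept only a correct answer to a nonce we issued and have not yet used."""
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)  # one use only: the same pair cannot replay
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def device_respond(device_key: bytes, nonce: bytes) -> bytes:
    """The 'something you have': the token computes HMAC(key, nonce)."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    """Run the four cases and return their outcomes keyed by name."""
    key = secrets.token_bytes(32)
    server = ChallengeServer(key)
    results = {}

    # Attacker captured the template once; replaying it keeps working.
    captured_template = ENROLLED_TEMPLATE
    results["static_replay"] = verify_static(captured_template)

    # Legitimate round with the possession factor.
    n1 = server.challenge()
    r1 = device_respond(key, n1)
    results["legit"] = server.verify(n1, r1)

    # Replaying the captured (nonce, response) pair: nonce already consumed.
    results["replay_same_nonce"] = server.verify(n1, r1)

    # Replaying the old response against a fresh challenge: HMAC mismatch.
    n2 = server.challenge()
    results["replay_new_nonce"] = server.verify(n2, r1)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:>18}: {'ACCEPTED' if accepted else 'rejected'}")
```

Both checks use `hmac.compare_digest` so that neither comparison leaks timing information; the property that matters for Murray's argument, though, is the nonce: the static factor has no per-attempt freshness to bind to, which is exactly why it must be paired with one that does.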
--16 May 2002 Facial Recognition Technology Not Highly Accurate
The American Civil Liberties Union (ACLU) says that tests of
facial recognition technology at the Palm Beach (FL) International
Airport fail to correctly identify faces more than half of the time.
The recognition rate went down when people wore glasses, turned their
heads, or were moving.
--15, 16 & 17 May 2002 FBI Confiscates Deceptive Duo Equipment;
One Under House Arrest
The FBI has confiscated computer equipment from two men believed to be
responsible for defacing at least 52 US federal and business web sites.
Calling themselves "the Deceptive Duo," the two maintain they were
trying to demonstrate the poor state of security on the web sites.
One of the men, Robert Lyttle, is under house arrest for violating
his parole; he had been convicted of defacing sites with pro-Napster
propaganda. Lyttle can use computers only at school and may leave
home only to attend classes. No charges have been filed yet.
THE REST OF THE WEEK'S NEWS
--20 May 2002 Benjamin Virus Infects Kazaa Network
Members of Kazaa's peer-to-peer file-sharing network have found their
computers infected with a virus called Benjamin. The virus creates a
directory on infected machines and copies itself into that directory
many times with a variety of names. It also manages to vary its size.
These copies are open to Kazaa members; if a member downloads the file,
their machine will become infected. Benjamin takes up a lot of file
space and consumes resources. The worm also opens an anonymous web
site containing banner ads.
--20 May 2002 Benjamin's Authors Defend Action
The worm's creators say they wrote it to thwart the efforts of people
seeking pirated software and child pornography.
[Editor's (Schultz) Note: The ends do not justify the means. It is
truly sad that people who write code that does things without proper
authorization can justify their actions so smugly.
(Murray) Nice people do not soil their own sandbox.]
--20 May 2002 State Dept. Sends Klez to Mailing List
The State Department unwittingly sent the Klez virus to a travel
advisory mailing list over the weekend, then sent an apology on
Monday morning. The list software has been reconfigured not to send
on attachments. The State Department says a third-party vendor bears
responsibility for the incident.
--13, 15 & 20 May 2002 Critical Infrastructure Protection Project
George Mason University and James Madison University will establish
the Critical Infrastructure Protection (CIP) Project, to be housed at
GMU's School of Law. Funded by a $6.5 million grant from the National
Institute of Standards and Technology (NIST), the CIP Project aims
to centralize and organize cyber security research. The program will
take a three-pronged approach to cyber security, focusing not just
on technology, but on law and public policy as well. The program
will also sponsor research and provide training for businesses and
--19 May 2002 Falun Gong TV Hackers Sentenced
Four Falun Gong followers received prison sentences of between seven
and sixteen years for their roles in hacking into a cable television
network to broadcast information about their group.
--17 May 2002 ID Thieves Stole Credit Reports Using Ford's Authorization
Ford Motor Credit Company authorization codes were fraudulently used
to obtain 13,000 credit reports from Experian. Information on the
reports, which were stolen over a ten-month period, includes names,
addresses, social security numbers and bank and credit card account
information. Ford has sent certified letters to all the people
affected by the security breach, advising them to get copies of
their credit reports and check them for unauthorized inquiries or
incorrect information. The FBI is investigating.
--16 & 17 May 2002 Sustainable Computing Consortium
Government agencies, technology companies and academic researchers have
come together to establish the Sustainable Computing Consortium at
Carnegie Mellon University in Pittsburgh. The group plans to create
engineering standards for software and create tools to test software
for security and reliability prior to its release. The group also
plans to address issues in public policy and law.
--16 May 2002 Supermarket Tests Pay-by-Fingerprint System
Kroger supermarkets in Houston, TX are testing a "biometric electronic
financial transaction processing system," otherwise described as a
pay-by-fingerprint shopping system.
[Editor's (Murray) Note: This is a tuning issue. However, in this
application too many false negatives are better than too many false
--16 May 2002 DISA Security Cameras on Unsecured WLAN
The CTO of an intrusion detection services company found that the
closed circuit security cameras at the Defense Information Systems
Agency (DISA) in Arlington, VA were connected to an unsecured wireless
LAN; the network was not using the WEP protocol. DISA said the
camera system was not connected to other DISA systems, and that
encryption would be in place soon.
--16 May 2002 DoD Must Purchase Only NIAP Certified Products
Starting in July, the Defense Department will be required to purchase
only the information assurance products that have been certified by
the National Information Assurance Partnership (NIAP). NIAP, an NSA
initiative, has certified about two dozen products so far.
[Editor's (Ranum) Note: This is interesting. What about the installed
base? What about enforcing this? What organizations will be able to
get waivers? Excuse me if I am cynical but I remember "C2 by 92!" and
the orange book. I bet this is going to accomplish nothing.]
--16 May 2002 JS.Fortnight Worm
The JS.Fortnight worm places an HTML file into the default signatures
of e-mail sent through Outlook Express; the worm attaches a link to
an adult site to all the outgoing Outlook e-mail. It also changes
the browser's home page, and adds sites to the favorites list.
The worm affects Windows 95, 98, NT, 2000, ME and XP.
--15 & 16 May 2002 Microsoft Issues Patch for IE Vulnerabilities
Microsoft has issued a "critical" patch that addresses six new
security holes, including a cross-site scripting vulnerability, in
Version 6 of its Internet Explorer web browser. The download also
fixes flaws in IE 5.01 and 5.5, and changes the "restricted sites"
zone's default settings to block all frames.
--16 May 2002 Media Player Vulnerability Also Addressed by Patch
Microsoft has thanked a Japanese firm for reporting an Internet
Explorer vulnerability that could allow malicious code to execute
automatically on computers if Windows Media Player is installed.
The problem is addressed in the IE patch Microsoft has released.
--16 & 17 May 2002 Researchers Say Microsoft Patch Doesn't Do Its Job
Research indicates that the patch released for the six holes
in Microsoft's IE browsers 5.01, 5.5 and 6.0 only addresses the
cross-site scripting vulnerability in one of the browser versions,
and leaves another vulnerability unaddressed altogether.
--17 May 2002 Microsoft Says Patch May Illuminate New Vulnerability
Microsoft says the researchers may have found a new vulnerability
that closely resembles the one described in the security bulletin
and for which a patch was issued. They are investigating.
--15 May 2002 JDBGMGR.exe Hoax Has Some Basis in Fact
One reason the jdbgmgr.exe virus warning hoax is not losing steam is
the fact that the Magistr-A virus actually does send infected copies
of the jdbgmgr.exe file. If the file is already on your computer,
it's probably not infected, but if you receive one as an attachment, it
probably is infected. As always, delete e-mail containing unexpected
.exe files and don't pass on warnings.
--15 May 2002 Klez Information Site
This site offers a description of the Klez virus, and links to
infection statistics and information about removing it from infected
--17 May 2002 Klez Still Spreading
Klez continues to spread and to generate traffic due to response and
--15 May 2002 Linux Defacements on the Rise
The number of defacements on computers running Linux is on the rise;
the number of incidents this year so far is already almost twice that
of last year's total. The defacements are especially prevalent on
web sites with domain names of German-speaking countries: Germany
(.de), Austria (.at) and Switzerland (.ch); many of the defacements
appear to have been perpetrated by the same group, known as hax0rs lab.
--15 May 2002 Australia Budgets $25 Million for Cyber Security
The Australian government plans to spend $25 million to protect the
country's banks, telecommunications companies and financial concerns
from cyber criminals. The fact that many of these institutions are
privately owned will complicate the effort.
--14 May 2002 Border Security Bill Mandates Biometric Data in
President George W. Bush signed H.B. 3525 into law. The bill allows a
$150 million budget for improving border security. Provisions include
a requirement that all documentation issued to visiting foreigners
contain biometric data. The bill also provides for creating a database
of suspected terrorists.
--14 May 2002 Flowgo Pop-up Ad Leads to Surreptitious Downloads
People who clicked on a certain pop-up ad on the Flowgo site were taken
to another site which appeared to be a digital slot machine and which
actually exploited a flaw in old versions of Internet Explorer's Java
engine to download files onto their computers. Researchers are not
yet entirely sure what the files do; some monitor surfing habits and
others let more files be sent to the computer. An install program
also turns off firewalls.
--14 May 2002 Phony Xbox Emulator Not a Trojan, Says Author
The man who claims to have written the purported Trojan called "Net
BUIE" disguised as an Xbox emulator says it is not a Trojan at all,
but a failed attempt to make money on a pay-per-click scheme. He made
six revisions to the program; people who have downloaded the two
most recent versions will get a pop-up window with instructions for
uninstalling the program. The others will continue to get pop-ups,
but their computers will not be harmed.