The SANS Weekly Security News Overview
Volume 4, Number 22 May 29, 2002
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Eugene Schultz
TOP OF THE NEWS
25 May 2002 CA State Personnel Database Security Breach
24 & 27 May 2002 Klez Tops the List
23 May 2002 Qwest Customer Data Exposed
21 & 22 May 2002 SQLSnake Worm
THE REST OF THE WEEK'S NEWS
24 May 2002 Report Warns of Chinese Hacking Threat
24 & 27 May 2002 New Worms Could Wreak Havoc
24 May 2002 Ford Credit Breach Makes Case for Ensuring Partners'
22 May 2002 Indiana State University Student Info Exposed
24 May 2002 OMB Site Will Contain Agency Architectures
23 & 24 May 2002 State CIOs Will Offer Guidance on Homeland Security
23 May 2002 Windows Debugger Bug
23 May 2002 Microsoft Security Chief Speaks Out On GovNet
23 May 2002 Paucity Of PDA Protection Policies
23 May 2002 Bloomberg Cyber Extortionists Extradited
23 May 2002 Government Uses Open Source Products Despite Microsoft's
23 May 2002 SJC Approves $10 Million for National Cybersecurity
22 May 2002 Senate Committee Approves Dept. of Homeland Security Bill
21 & 27 May 2002 Cybersecurity Research and Development Act Gets
Committee Approval; Software Industry Lobby Opposes Configuration Standards
23 May 2002 UK Cyber Law Under Review
22 May 2002 Virus Exhibit
15 May 2002 Museum Takes Down Hacking Piece
22 May 2002 Biometrics Fizzle
21 May 2002 State Dept. Klez Incident Exposes Mailing List Flaw
21 May 2002 Anonymizer Offers Free Service to Bug Finders
21 May 2002 DoD Smart Cards
21 May 2002 Wireless Voting Devices Not Very Secure
20 May 2002 Date Set for ElcomSoft DMCA Trial
20 May 2002 Telecoms, Secure Thyselves
TOP OF THE NEWS
--25 May 2002 CA State Personnel Database Security Breach
Hackers breached security at California's state personnel database and
were able to see names, Social Security numbers and payroll information
about all 265,000 state workers. The intrusion took place on April 5,
though it was not detected until May 7.
[Editor's (Schultz) Note: If you go to the URL for this news item,
you'll read a statement by Steve Maviglio, spokesperson for the
California governor's office, which essentially says "our security is
not that bad and besides, this kind of thing happens all the time."
The governor's office should instead take responsibility for what
happened and then investigate ways to improve security instead of
simply glossing it over.]
--24 & 27 May 2002 Klez Tops the List
Klez has passed SirCam to top the charts at anti-virus companies,
and a shockingly high percentage of e-mails (1 in 300) carries it.
Klez generates extra e-mail traffic because anti-virus filters send
warnings to the apparent sender of an infected message; since Klez
forges the return address, those warnings go to people whose
computers never sent the worm.
[Editor's (Murray) note: In addition to being pervasive, this is
persistent and resistant to attempts to stop the messages based on
spoofed return addresses.]
--23 May 2002 Qwest Customer Data Exposed
Personal information belonging to Qwest long-distance customers who
have chosen the paperless billing option was exposed on the Internet
for at least a week. The company's online bill-paying system stopped
checking passwords and allowed anyone entering a valid user ID to
gain access to account information. Exposed data includes names,
addresses and credit card information.
[Editor's (Murray) Note: Implementing user identification and
authentication is not trivial. With everyone implementing and
operating their own, these kinds of errors are inevitable. While they
represent an exposure to the institution, most of us will accept our
share of the resultant risk.]
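The Qwest item describes an authentication check that silently stopped being applied. The following is an added example (not Qwest's code, whose internals the item does not describe): a login routine in which the password check is gated by a flag that defaults off, next to one that always verifies, and the regression test that distinguishes them. The user records, the PBKDF2 work factor and the helper names are assumptions made for the example.

```python
"""Added example (not Qwest's code): a login routine whose password check
can be silently skipped, next to one that cannot, plus the regression test
that catches the difference. User records below are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for the example


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(creds: dict) -> dict:
    """Map user ID -> (salt, PBKDF2 digest). Constructed test accounts only."""
    store = {}
    for uid, pw in creds.items():
        salt = os.urandom(16)
        store[uid] = (salt, _hash(pw, salt))
    return store


def login_broken(store, userid, password, check_passwords=False):
    """A valid user ID alone is accepted when the password check is gated
    by a flag that is off (the shape of failure the Qwest item describes)."""
    if userid not in store:
        return False
    if check_passwords:
        salt, digest = store[userid]
        return hmac.compare_digest(_hash(password, salt), digest)
    return True  # password never inspected


def login_fixed(store, userid, password):
    """Always verify the password; unknown IDs get a dummy record so the
    response time does not reveal which IDs exist."""
    salt, digest = store.get(userid, (b"\0" * 16, b"\0" * 32))
    ok = hmac.compare_digest(_hash(password, salt), digest)
    return ok and userid in store


def auth_regression_ok(login, store, userid, good_pw):
    """True only if `login` accepts correct credentials, rejects a valid ID
    with a wrong password, and rejects an unknown ID. The middle case is
    the one the Qwest system evidently stopped testing."""
    return (login(store, userid, good_pw)
            and not login(store, userid, good_pw + "x")
            and not login(store, "no-such-user", good_pw))


USERS = make_user_store({"alice": "correct horse", "bob": "battery staple"})

if __name__ == "__main__":
    for name, fn in (("broken", login_broken), ("fixed", login_fixed)):
        print(name, "passes regression:",
              auth_regression_ok(fn, USERS, "alice", "correct horse"))
```

The regression check is the part worth keeping: a deployment test that logs in with a valid ID and a wrong password, and fails the release if it succeeds, would have caught this class of regression before customers' data was exposed.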
--21 & 22 May 2002 SQLSnake Worm
Machines running Microsoft's SQL Server software version 7.0 (and
other applications with run-time versions of SQL Server) could be
infected by the SQLSnake worm (also known as Spida.a.worm and
DoubleTap) if their administrative accounts are not protected by
passwords. SQLSnake sends password files from the
registry on the infected server to an e-mail account and then scans
for other vulnerable servers to infect. Analysts became aware of
the worm after noticing a spike in port 1433 scans.
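The worm was first noticed as a spike in scanning of TCP port 1433. As an added example (not from the original item or from any published SQLSnake analysis), the script below runs that detection over constructed firewall log lines in an iptables-style format: it flags any source that touches many distinct hosts on port 1433 within a short window, while ignoring a legitimate client that talks repeatedly to one SQL server and a host sweeping a different port. The log format, addresses, threshold and window are assumptions.

```python
"""Flag hosts sweeping TCP port 1433 (MS SQL Server) across many
destinations, the symptom that revealed SQLSnake. Added example; the
log lines are constructed in an iptables-like format, not real captures."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP DPT=(?P<dpt>\d+)"
)

# Constructed sample: 10.9.8.7 sweeps six hosts on 1433 in two seconds
# (worm-like); 198.51.100.4 is a client polling one SQL server; 203.0.113.5
# sweeps port 80 (not our concern here); 192.0.2.77 touches five hosts on
# 1433 but spread over half an hour.
SAMPLE_LOG = """\
May 21 02:14:01 fw kernel: IN=eth0 SRC=10.9.8.7 DST=192.0.2.1 PROTO=TCP DPT=1433 SYN
May 21 02:14:01 fw kernel: IN=eth0 SRC=10.9.8.7 DST=192.0.2.2 PROTO=TCP DPT=1433 SYN
May 21 02:14:02 fw kernel: IN=eth0 SRC=10.9.8.7 DST=192.0.2.3 PROTO=TCP DPT=1433 SYN
May 21 02:14:02 fw kernel: IN=eth0 SRC=10.9.8.7 DST=192.0.2.4 PROTO=TCP DPT=1433 SYN
May 21 02:14:03 fw kernel: IN=eth0 SRC=10.9.8.7 DST=192.0.2.5 PROTO=TCP DPT=1433 SYN
May 21 02:14:03 fw kernel: IN=eth0 SRC=10.9.8.7 DST=192.0.2.6 PROTO=TCP DPT=1433 SYN
May 21 02:14:05 fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.9 PROTO=TCP DPT=1433 SYN
May 21 02:15:05 fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.9 PROTO=TCP DPT=1433 SYN
May 21 02:16:05 fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.9 PROTO=TCP DPT=1433 SYN
May 21 02:14:06 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=80 SYN
May 21 02:14:06 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.2 PROTO=TCP DPT=80 SYN
May 21 02:14:06 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.3 PROTO=TCP DPT=80 SYN
May 21 02:14:06 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.4 PROTO=TCP DPT=80 SYN
May 21 02:14:06 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.5 PROTO=TCP DPT=80 SYN
May 21 03:30:00 fw kernel: IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP DPT=1433 SYN
May 21 03:30:00 fw kernel: IN=eth0 SRC=192.0.2.77 DST=192.0.2.11 PROTO=TCP DPT=1433 SYN
May 21 03:40:00 fw kernel: IN=eth0 SRC=192.0.2.77 DST=192.0.2.12 PROTO=TCP DPT=1433 SYN
May 21 03:50:00 fw kernel: IN=eth0 SRC=192.0.2.77 DST=192.0.2.13 PROTO=TCP DPT=1433 SYN
May 21 04:00:00 fw kernel: IN=eth0 SRC=192.0.2.77 DST=192.0.2.14 PROTO=TCP DPT=1433 SYN
"""


def parse(log_text, port=1433):
    """Return [(seconds_since_midnight, src, dst)] for SYNs to `port`.
    All lines are assumed to fall on one day, so the date is ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dpt"]) != port:
            continue
        t = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + int(m["ss"])
        events.append((t, m["src"], m["dst"]))
    return events


def find_sweepers(events, threshold=5, window=60):
    """Map src -> largest number of distinct destinations it touched inside
    any `window`-second span, for sources reaching at least `threshold`."""
    by_src = defaultdict(list)
    for t, src, dst in events:
        by_src[src].append((t, dst))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            seen = {d for t, d in evs[i:] if t <= t0 + window}
            if len(seen) >= threshold:
                hits[src] = max(hits.get(src, 0), len(seen))
    return hits


if __name__ == "__main__":
    for src, n in find_sweepers(parse(SAMPLE_LOG)).items():
        print(f"{src} swept {n} hosts on 1433 within 60s")
```

The same logic pointed at outbound connections from a server you own tells you whether that server is the one doing the scanning, which for SQLSnake meant an administrative account with no password.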
THE REST OF THE WEEK'S NEWS
--24 May 2002 Report Warns of Chinese Hacking Threat
A report from the US Army War College's Institute for Strategic
Studies warns that Chinese students may be planning to launch cyber
attacks, including defacements and virus-spreading, this summer.
Chinese hackers have rallied their forces before in reaction to the
NATO bombing of the Chinese embassy in Belgrade.
--24 & 27 May 2002 New Worms Could Wreak Havoc
Research suggests that new developments in worm writing could produce
"uberworms." Among the possibilities are worms capable of compromising
10 million hosts, and worms that spread with alarming rapidity.
The authors of the paper argue for the creation of a cyber equivalent
of the Centers for Disease Control and Prevention.
[Editor's (Schultz) Note: The term "uberworm" is catchy, but I wonder
whether the authors of the paper cited here are acting responsibly.
What they are in effect doing is "raising the bar" for worm writers.
(Murray) While there is interesting arithmetic in this work, it
is not sufficient to justify otherwise gratuitous speculation in
(Paller) I disagree, Bill. The paper's analyses (found at
and extend less formal research completed last Fall, when Nimda's
rate of propagation exceeded what we had seen before. The paper also
offers a sensible set of tasks for a formal Center chartered to deal
with these worms: identifying outbreaks, rapidly analyzing pathogens,
fighting infections, anticipating new vectors, proactively devising
detectors for new vectors, resisting future threats. CERT/CC,
Incidents.Org's Storm Center, SANS, and other security folks are
continuously working with government agencies to meet these goals,
but more help would most definitely be appreciated and would add
--24 May 2002 Ford Credit Breach Makes Case for Ensuring Partners'
The fact that thieves stole an authorization code from Ford Motor
Credit to obtain credit reports on 13,000 individuals underscores
the importance of making sure business partners are employing
good security practices. Suggestions include requiring audits and
vulnerability assessments of partners' systems, and making sure that
external log-ins are disabled by default. The cost of employing
these measures is far more palatable than the cost of having failed
to exercise "due diligence."
--22 May 2002 Indiana State University Student Info Exposed
Indiana State University inadvertently posted the names and Social
Security numbers of 10,000 of its students online. The information
has been removed, but had been available for about two weeks.
The University has apologized and notified the affected students.
--24 May 2002 OMB Site Will Contain Agency Architectures
The Office of Management and Budget (OMB) is working to put the
Enterprise Architecture Management System on line by the end of June.
The web site will hold agency system architecture plans, possibly
including security architectures, and will be accessible to vendors
and government officials.
--23 & 24 May 2002 State CIOs Will Offer Guidance on Homeland Security
The CIO of the Office of Homeland Security, Steve Cooper, has asked
the National Association of State CIOs to help develop the technology
component of homeland security strategy.
--23 May 2002 Windows Debugger Bug
A flaw in the debugging tools for Windows NT and 2000 could allow
an attacker to take control of systems. In order to exploit the
vulnerability, an attacker would need to be able to log into the
system with privileges that allow him or her to execute code.
[Editor's (Murray) Note: This vulnerability might permit a legitimate
user who knows about it to expand his privileges. Most legitimate
users are fully privileged in any case.]
--23 May 2002 Microsoft Security Chief Speaks Out On GovNet
Microsoft's new chief of security Scott Charney expressed a need to
balance security and effectiveness for GovNet, the proposed closed
federal network. Charney suggests that government resources might
be better spent on long term R & D for security and on educating
people about computer security. The government should also act as a
role model in purchasing, choosing only those products which provide
--23 May 2002 Paucity Of PDA Protection Policies
According to a recent survey, two out of three companies do not
have policies regarding personal digital assistants (PDAs). 25%
of corporate PDA users don't protect their devices with passwords,
and more than 70% don't use encryption.
--23 May 2002 Bloomberg Cyber Extortionists Extradited
Two men from Kazakhstan have been extradited to the US to face charges
for allegedly breaking into a Bloomberg L.P. company database and
attempting to extort $200,000 in return for information about how
they breached security. The two face charges that could put them
in prison for up to 28 years.
--23 May 2002 Government Uses Open Source Products Despite
Though Microsoft has been pressuring the Pentagon to use its products,
a study conducted by Mitre Corp. for the Department of Defense says
that open source software is often more secure than proprietary
products. Microsoft has also complained about the government's
funding of research to secure open source software.
--23 May 2002 SJC Approves $10 Million for National Cybersecurity
The Senate Judiciary Committee approved a bill (S.1989) that allocates
$10 million for the National Cybersecurity Defense Team. The group's
responsibilities include identifying Internet vulnerabilities and
recommending ameliorative measures.
--22 May 2002 Senate Committee Approves Dept. of Homeland Security Bill
The Senate Governmental Affairs Committee voted 7-3 on a bill that
would incorporate a number of agencies into the Department of National
Homeland Security. Members of the committee who opposed the bill
expressed concerns that no matter how many agencies are incorporated
into the new cabinet-level department, other agencies and departments
will still be a part of homeland defense.
--21 & 27 May 2002 Cybersecurity Research and Development Act Gets
Committee Approval; Software Industry Lobby
Opposes Configuration Standards
The Senate Commerce, Science and Transportation Committee approved
the Cyber Security Research and Development Act (S. 2182) which
allocates $900 million for cyber security research, training,
education and grants. The bill would also establish the Office of
Information Security Programs at the National Institute of Standards
and Technology (NIST) and would have NIST create benchmarks for "a
baseline minimum security configuration" for government departments
and agencies. The bill's sponsors will work with private industry
groups who are opposed to the idea of standards.
[Editor's (Paller) Note: Next time a major software company sales
person calls on your company or agency, ask him or her why his
marketing department is paying big bucks to lobby against the use
of safe configurations (the settings that keep those systems from
being taken over by worms and other automated attacks) in federal
agencies. The software companies' own security departments require
all their users to comply with minimum configuration standards,
because there is no other antidote to worms. They should be applauding
the senate's efforts to enable the government to lead by example.
What are the software company executives thinking?]
--23 May 2002 UK Cyber Law Under Review
UK government officials are reviewing the Computer Misuse Act, which
was enacted before the advent of the Internet. Specifically, there
are concerns that the law's provisions do not make it easy enough to
prosecute people who launch denial of service attacks.
--22 May 2002 Virus Exhibit
The Museum for Applied Art in Frankfurt, Germany has opened an exhibit
on the aesthetics of computer viruses, presenting the virus code as
a form of modern art. The displays are mostly on PCs, iMacs and Sun
Ray Linux workstations.
--15 May 2002 Museum Takes Down Hacking Piece
A piece in the Open Source Art Hack show at the New Museum of
Contemporary Art in New York was taken down because it was scanning
sites for vulnerabilities; the museum's ISP does not allow that kind
--22 May 2002 Biometrics Fizzle
German technology magazine c't reviewed 11 biometric products and was
able to fool many of them with replay attacks, reactivation of latent
images and phony fingerprints. A face scanner was fooled by holding
up a notebook computer running a video clip of an approved person.
--21 May 2002 State Dept. Klez Incident Exposes Mailing List Flaw
The State Department's recent experience with the Klez virus -
several Klez-infected e-mail messages were sent in its name to a State
Department-sponsored travel advisory mailing list - exposed a security
problem with the mailing list itself. Apparently, the list's security
settings had been changed to allow any e-mail message with the State
Department's return address to be automatically distributed without
being reviewed by the list's monitor. The list has been reconfigured
to eliminate the problem.
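Both the Klez item above and this one turn on the same fact: the From: line of a message is written by whoever sends it, so a filter that replies to it, or a list that auto-distributes on the strength of it, is acting on attacker-controlled data. The following added example (not the State Department's list software, and not how the list was actually reconfigured, which the item does not describe) runs a constructed legitimate post and a constructed Klez-style forgery through two gates: one that trusts the From: domain and one that requires a keyed MAC that only the authorised poster can produce. The X-List-Auth header, the shared key and the addresses are assumptions.

```python
"""Added example, not the State Department's list software: a list gate that
trusts the From: header next to one that requires a keyed MAC, run against
constructed messages. Header name X-List-Auth and the key are assumptions."""
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "state.gov"            # the domain the weak policy trusted
LIST_KEY = b"hypothetical-list-secret"  # assumed secret held by the list owner


def _mac(msg, key):
    """MAC over the Subject and body, the parts the list actually forwards."""
    data = (msg.get("Subject", "") + "\n" + msg.get_payload()).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_post(from_addr, subject, body, key=None):
    """Build a raw RFC 822 message; add the MAC only if the poster holds the key."""
    raw = (f"From: {from_addr}\nTo: travel-advisories@example.org\n"
           f"Subject: {subject}\n\n{body}\n")
    if key is not None:
        raw = f"X-List-Auth: {_mac(message_from_string(raw), key)}\n" + raw
    return raw


def gate_by_sender(raw):
    """The weak policy: distribute anything whose From: domain is trusted.
    From: is chosen by the sender, so a Klez forgery passes."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    return "distribute" if domain == TRUSTED_DOMAIN else "hold"


def gate_by_mac(raw, key=LIST_KEY):
    """Distribute only if the MAC verifies; anything else, however good its
    From: line looks, waits for the moderator."""
    msg = message_from_string(raw)
    given = msg.get("X-List-Auth", "")
    return "distribute" if hmac.compare_digest(_mac(msg, key), given) else "hold"


# Constructed messages. The forgery carries the Department's return address
# but no key; the worm's infected attachment is omitted.
LEGIT = make_post("Travel Advisories <advisories@state.gov>",
                  "Travel advisory update", "Constructed advisory text.",
                  key=LIST_KEY)
FORGED = make_post("advisories@state.gov", "Hi", "Constructed worm body.")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("forged", FORGED)):
        print(f"{name}: by sender -> {gate_by_sender(raw)}, "
              f"by MAC -> {gate_by_mac(raw)}")
```

The same reasoning applies to the anti-virus warnings in the Klez item: a notification sent to the From: address of a worm-generated message reaches whoever the worm chose to impersonate, so such warnings should be suppressed for known address-forging worms rather than sent.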
--21 May 2002 Anonymizer Offers Free Service to Bug Finders
Unlike other companies that don't want their security problems made
public, Anonymizer president Lance Cottrell will offer three years
of the company's service to anyone who finds security holes in the
Internet privacy service.
--21 May 2002 DoD Smart Cards
The Air Force is using smart cards for entry at more than 100 Air
Force bases and for computer access. The Department of Defense (DoD)
plans to issue 4 million smart cards to enlisted forces and their
families by the end of next year. The cards will contain photographs,
digital certificates and encryption keys.
[Editor's (Murray) Note: While not immune to forgery, these cards
will be much more resistant than the IDs the government has used for
the last fifty years. They will have the advantage that they can be
reconciled both locally and remotely, manually and automatically.
They can be used with a secret value to in a strong authentication
--21 May 2002 Wireless Voting Devices Not Very Secure
The wireless voting devices used at Vivendi's annual shareholders'
meeting last month are easy to hijack; several devices are being
inspected in the case of alleged vote tampering at that meeting.
--20 May 2002 Date Set for ElcomSoft DMCA Trial
A suit brought against Russian software company ElcomSoft for violating
the 1998 Digital Millennium Copyright Act (DMCA) will begin August 26.
ElcomSoft could face a fine of up to $500,000 if found guilty of
selling software that circumvents copy restrictions in violation of
the DMCA. It is the first case brought under the DMCA.
--20 May 2002 Telecoms, Secure Thyselves
Major telecommunications companies like Sprint and WorldCom are looking
to get into managed security services. Some customers and security
specialists say the companies should take a good look at their own
security first. Many do not have protections against distributed
denial of service (DDoS) attacks in place.