The SANS Weekly Security News Overview
Volume 4, Number 23 June 5, 2002
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Eugene Schultz
We received two remarkable notes this week.
The first came from Larry Lidz, Network Security Officer at the
University of Chicago. It provides from-the-trenches insight into the
only method available (to most users) to defend themselves against
fast-moving worms. I've included it at the end of this issue.
The second came from Randy Marchany, the security guru at Virginia
Tech. He writes, "All the smug Linux types (including me) can quit
The Simile virus attacks both Windows and Linux
systems. Fortunately, *this* variant seems to be non-malignant.... for
now." (See the first story below.)
Most Newsbites subscribers will be mailed a new poster showing security
career tracks, satisfaction levels, and salary range information
for the principal security and audit jobs, based on the news survey.
Please verify your surface mail address (before June 10) using the
private URL you can obtain at http://www.sans.org/sansurl. We can
send the poster to you only if we have the correct surface mail address.
TOP OF THE NEWS
3 June 2002 Simile is Cross-Platform Virus
31 May 2002 Biometric Technologies Don't Stand Up to Testing
29 & 30 May 2002 Euro Parliament Passes Data Retention Directive
29 & 30 May 2002 Cyber Security Ranks Third on FBI's Top Ten List
23 May 2002 PKI Never Caught On
THE REST OF THE WEEK'S NEWS
31 May 2002 Three NEC Toshiba Employees Arrested for Hacking
31 May 2002 UK's Inland Revenue On-Line Filing System Taken Down
Over Security Concerns
31 May 2002 Congressional Office Employs Iris Scanning
30 May 2002 Smiling Faces are Easier to Match
31 May 2002 Paper Says Open Source Software is Not Secure
30 May 2002 News Site Vulnerability Could be Used to Send Spam or
Phony News Stories
30 May 2002 Tactical Database and Web Page Used in War
29 & 30 May 2002 Exchange 2000 Flaw
29 May 2002 California Will Hold Hearing on Employee Database Breach
29 May 2002 Carnivore Bites Off More Than It's Supposed to Chew
29 May 2002 Hacker Steals Data from TheNerds.net
29 May 2002 M-o-o-t Aims to Circumvent UK's RIP Encryption Key
29 May 2002 Macromedia JRun Buffer Overflow Vulnerability
29 May 2002 Congress Wants More Info from OMB on Agency Security Plans
28, 29 & 30 May 2002 Fidelity Data Exposed
28 May 2002 Excel Vulnerability
28 May 2002 Yahoo Offers Patch for Messenger Holes
28 May 2002 Credit Card Fraud On Line Museum May Be Too Explicit
27 May 2002 Cyber Attacks are Up In Australia
27 May 2002 FAA to Pilot Smart Card Program
27 May 2002 Homeland Security Generates Tech Proposals
TOP OF THE NEWS
--3 June 2002 Simile is Cross-Platform Virus
The Simile virus infects Portable Executable (PE) and ELF files on
both Windows and Linux operating systems. The virus does not carry
a malicious payload, although infected files could display messages
on certain dates.
--31 May 2002 Biometric Technologies Don't Stand Up to Testing
A number of recent tests of biometric security technologies have
underscored their weaknesses. A pilot face recognition system at
Palm Beach (FL) International Airport had an accuracy rate of less
than 50%; airport authorities decided against making the technology
a part of their security procedure. A German technology magazine's
tests of facial recognition systems and fingerprint readers showed the
technologies were easily fooled. And finally, a Japanese engineering
professor demonstrated techniques to create phony fingerprints that
fool fingerprint readers.
[Editor's (Murray) Note: Biometric systems are not as good as one
might hope. They are fundamentally vulnerable to forgery and replay
attacks. However, they are a very useful second or third form of
evidence in strong authentication schemes.]
--29 & 30 May 2002 Euro Parliament Passes Data Retention Directive
The European Parliament has passed the Communications Data Protection
Directive under which member countries could make telecommunications
companies retain customers' data records available for perusal by
law enforcement. The directive now goes before member countries
for approval. Civil liberties groups oppose the legislation.
--29 & 30 May 2002 Cyber Security Ranks Third on FBI's Top Ten List
FBI Director Robert Mueller has placed cyber security third on the
agency's top ten list of agency priorities, behind terrorism and
espionage. Mueller remarked that the FBI's technology is "years
behind" what it should be, and said he plans to upgrade technology,
educate employees and recruit IT specialists. He also hopes to be
more connected to the rest of the government.
--23 May 2002 PKI Never Caught On
Calling PKI (Public Key Infrastructure) "terminally promising"
the author enumerates the reasons the technology hasn't caught on.
Vendors never established standards, which made interoperability a
big problem. They also required a lot of money up front, which was
fine until security budgets started getting tighter. One company that
saw their PKI business drop to nothing has refocused their energy on
[Editor's (Schultz) Note: The fact that the PKI movement is essentially
dead should come as no surprise. The more interesting question now is
what will rise out of the proverbial rubble of PKI's ruins to replace
it and when. Whoever provides a good alternative solution has a lot
(Murray): Infrastructure has scale; e.g., application, system,
network, enterprise, cross-enterprise, industry, national, and global.
We design it top-down but we implement it bottom-up, one application
at a time. We are doing successful applications but it is naive
to believe that we will build the national or global infrastructure
in less time than it took us to build the phone system, the highway
system, or the internet.]
THE REST OF THE WEEK'S NEWS
--31 May 2002 Three NEC Toshiba Employees Arrested for Hacking
Three employees of Japan's NEC Toshiba Space Systems Co. have been
arrested for allegedly hacking into a computer at Japan's National
Space Development Agency (NASDA), and accessing a competitor's designs
for a high-speed Internet satellite antenna. The breach took place
in December 2001 but was not discovered until February 2002, when
one of the employees bragged about the exploit to an e-mail list.
His company was banned from bidding for NASDA contracts for one month.
--31 May 2002 UK's Inland Revenue On-Line Filing System Taken Down
Over Security Concerns
The UK's Inland Revenue (IR) has taken down its on-line tax filing
system after people complained that they could view others' tax
documents. An Ernst & Young review of the IR's on line system two
years ago revealed some security concerns.
--31 May 2002 Congressional Office Employs Iris Scanning
The Office of Legislative Counsel for the House of Representatives has
begun using iris-scanning technology to authenticate users for access
to confidential files and working documents. The office is the first
on Capitol Hill to employ biometric technology for this purpose.
--30 May 2002 Smiling Faces are Easier to Match
Facial recognition systems have an easier time matching smiling or
grimacing faces than they do expressionless mugshots, according to
research conducted by University of Maryland professors.
--31 May 2002 Paper Says Open Source Software is Not Secure
A white paper from the Alexis De Tocqueville Institution maintains
that open source software opens the door for attacks and warns the
government not to use it for matters of national security.
[Editor's (Schultz) Note: Hopefully this "think tank" has in
intellectual fairness also considered the reason for the presence
of an unparalleled number of security-related bugs over the years in
the highly proprietary Microsoft product line!]
--30 May 2002 News Site Vulnerability Could be Used to Send Spam
or Phony News Stories
Hackers could potentially use the "e-mail a friend" function found
on some news sites to send spam or even send phony news stories.
By examining the source code to the pages created when someone
e-mails an article to a friend, people could find out how to send
e-mail through the news sites' servers.
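The flaw described above, as an added example that is not code from the newsletter or from any news site: an "e-mail a friend" handler that trusts hidden form fields, beside a hardened version that accepts only an article id and one recipient and composes everything else on the server. The article catalogue, addresses and site name are constructed.

```python
# Added example (not from the newsletter or any news site): a relay-prone
# "e-mail a friend" handler and a hardened replacement. Article ids,
# addresses and the site name are constructed for illustration.
import re

# Constructed article catalogue: the only content the site should ever mail.
ARTICLES = {
    "4711": ("Council approves budget", "https://news.example/story/4711"),
}
SITE_SENDER = "share@news.example"
MAX_NOTE = 200
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class Rejected(ValueError):
    pass


def render(headers: dict, body: str) -> str:
    """Serialize as the mail server sees it; shows why a CR/LF in a field matters."""
    head = "\r\n".join(f"{k}: {v}" for k, v in headers.items())
    return head + "\r\n\r\n" + body


def vulnerable_build(form: dict) -> tuple:
    """Flawed: From, To, Subject and the body all come from form fields that
    anyone can read in the page source and resubmit with any values. The
    site's mail server becomes an open relay for spam or fake stories, and a
    CR/LF inside a field injects extra headers (Bcc, additional recipients)."""
    headers = {
        "From": form["from"],
        "To": form["to"],
        "Subject": form["subject"],
    }
    return headers, form["body"]


def fixed_build(form: dict) -> tuple:
    """Hardened: the client names an article and one recipient; the sender,
    subject and body are composed on the server from the catalogue."""
    article = ARTICLES.get(form.get("article_id", ""))
    if article is None:
        raise Rejected("unknown article")
    to = form.get("to", "").strip()
    if not ADDR_RE.fullmatch(to):  # exactly one plain address, no CR/LF
        raise Rejected("bad recipient")
    # The reader's note is the only free text; strip control characters
    # (keeping line breaks), cap its length, and label it as theirs.
    note = form.get("note", "")
    note = "".join(ch for ch in note if ch.isprintable() or ch == "\n")[:MAX_NOTE]
    title, url = article
    headers = {
        "From": SITE_SENDER,
        "To": to,
        "Subject": f"A reader shared: {title}",
    }
    body = (f"A reader of news.example thought you would like this story:\n"
            f"{title}\n{url}\n\n"
            f"Their note (not written by news.example):\n{note}\n")
    return headers, body


if __name__ == "__main__":
    attack = {"from": "x@evil.example",
              "to": "friend@example.org\r\nBcc: list@example.net",
              "subject": "Breaking", "body": "Phony story text"}
    print(render(*vulnerable_build(attack)))      # Bcc line appears as a header
    try:
        fixed_build({"article_id": "4711", "to": attack["to"]})
    except Rejected as e:
        print("hardened handler:", e)
```

Rate limiting per client and a captcha on the form are the usual additional controls, but they matter less than the structural fix shown here: once the server owns every header and the body, the form can no longer be turned into a relay.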
--30 May 2002 Tactical Database and Web Page Used in War
American commanders at Bagram airbase in Afghanistan and in the United
States are using the Tactical Web Page and underlying database to
communicate and make military decisions. The site is used to transmit
field information and orders, and is protected with intrusion detection
systems and firewalls.
--29 & 30 May 2002 Exchange 2000 Flaw
Microsoft has issued an alert and a patch for a security
flaw in its Exchange 2000 e-mail server software that could be
exploited to completely consume processor resources, resulting in a
denial-of-service attack. When Exchange 2000 receives e-mail with
certain malformed attributes, it moves the message to Exchange 2000
Store Service and waits for it to be processed. The problem cannot
be addressed by rebooting the server or restarting the service.
Exploiting the flaw requires knowledge of SMTP.
--29 May 2002 California Will Hold Hearing on Employee Database Breach
California senators will hold a hearing to investigate the security
breach that compromised the personal data of 260,000 state workers.
Specifically, the group wants to know how an attack that took place on
April 5 was not detected until May 7, and why workers were not notified
that their information had been breached until two weeks after that.
--29 May 2002 Carnivore Bites Off More Than It's Supposed to Chew
FBI documents obtained under the Freedom of Information Act (FOIA)
indicate that the agency's Carnivore Internet monitoring system snared
messages from people not under investigation. When Carnivore was
used in 2000 to investigate communications among members of Osama
bin Laden's terrorist network, the FBI e-mail surveillance software
captured other unrelated messages. The technician reportedly destroyed
all the captured messages because capturing the messages unrelated
to the court order violated federal wiretap laws. An FBI spokesman
says the messages were not destroyed but were put under seal.
--29 May 2002 Hacker Steals Data from TheNerds.net
A hacker/extortionist breached security at the on line electronics
store TheNerds.net, making off with customer credit card information.
The thief sent e-mails to some of the affected customers; TheNerds.net
is notifying all its customers that their personal data may have been
compromised. The hacker allegedly broke into the site through an SQL
server. The company will not meet any extortion demand and is working
with the FBI and the Secret Service on the case. Someone using the
same hacker handle broke into three other websites over the past eight
months, and has demanded up to $50,000 to keep quiet about those breaches.
--29 May 2002 M-o-o-t Aims to Circumvent UK's RIP Encryption Key
An open source cryptography project called m-o-o-t is designed to
undermine a UK law called the Regulation of Investigatory Powers
Act that would require people to surrender encryption keys to law
enforcement officials upon demand. M-o-o-t stores keys and data
overseas, out of national jurisdiction, and the keys expire after
--29 May 2002 Macromedia JRun Buffer Overflow Vulnerability
According to a CERT warning, a buffer overflow vulnerability in
Macromedia's JRun 3.0 and 3.1 could allow an attacker to run code
with system privileges. Users are encouraged to apply a patch or
upgrade to JRun 4.
JRun 4: http://www.macromedia.com/software/jrun/
--29 May 2002 Congress Wants More Info from OMB on Agency Security Plans
In accordance with the Government Information Security Reform Act
(GISRA), the Office of Management and Budget (OMB) received computer
security reports from government agencies and reported the results
to Congress earlier this year. While the OMB was able to describe
the agencies' security strengths and weaknesses, they did not tell
Congress how the agencies plan to address security shortcomings.
Without the information, it will be hard to make funding decisions.
--28, 29 & 30 May 2002 Fidelity Data Exposed
Ian Allen, a professor of computer science at Algonquin College in
Ottawa, found that by altering digits in the URL of his Fidelity Mutual
Fund report, he was able to view others' reports. He was able to view
names and account numbers, but could not alter the data or make trades.
Fidelity removed the link after Professor Allen informed them of the
vulnerability. Logs show that no one else accessed others' data,
and the company has offered the affected customers new passwords.
The flaw affected only Canadian account holders.
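The Fidelity flaw above is the classic URL-tampering pattern: the account number in the URL is treated as proof of authorization. The following added example (not code from the newsletter or from Fidelity) shows a report handler with that flaw beside a fixed one that ties the lookup to the authenticated session, plus the kind of log check behind the statement that "no one else accessed others' data". Account numbers, user names and log lines are constructed.

```python
# Added example (not from the newsletter or Fidelity): URL-tampering flaw,
# its fix, and the post-incident log review. All data here is constructed.
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Report:
    account_id: str
    owner: str        # login name of the customer who owns this account
    holder_name: str
    summary: str


# Constructed stand-in for the report store.
REPORTS = {
    "1000231": Report("1000231", "alice", "Alice Example", "balance 12,400"),
    "1000232": Report("1000232", "bob", "Bob Example", "balance 8,150"),
}


class NotFound(Exception):
    pass


def account_id_from(url: str) -> str:
    """Pull the 'account' query parameter out of a report URL."""
    return parse_qs(urlparse(url).query).get("account", [""])[0]


def vulnerable_view(session_user: str, url: str) -> Report:
    """Flawed: the account number in the URL is the only thing consulted.
    Changing one digit returns another customer's report."""
    account_id = account_id_from(url)
    if account_id not in REPORTS:
        raise NotFound(account_id)
    return REPORTS[account_id]


def fixed_view(session_user: str, url: str) -> Report:
    """Fixed: the URL only names the record; ownership is checked against the
    authenticated session. 'Missing' and 'not yours' get the same answer so
    valid account numbers cannot be enumerated by probing."""
    account_id = account_id_from(url)
    report = REPORTS.get(account_id)
    if report is None or report.owner != session_user:
        raise NotFound(account_id)
    return report


# Constructed access log: one line per report view as the application
# would record it (timestamp, authenticated user, account requested).
ACCESS_LOG = """\
2002-05-27T10:01:02 user=alice account=1000231
2002-05-27T10:01:09 user=alice account=1000232
2002-05-27T10:02:44 user=bob account=1000232
2002-05-27T10:03:00 user=bob account=9999999
"""


def find_cross_account_access(log_text: str) -> list:
    """Post-incident check: every view where the logged-in user does not own
    the account requested, including probes of account numbers that do not
    exist. Returns (timestamp, user, account) tuples."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        report = REPORTS.get(kv["account"])
        if report is None or report.owner != kv["user"]:
            hits.append((ts, kv["user"], kv["account"]))
    return hits


if __name__ == "__main__":
    base = "https://funds.example/report?account="
    print(vulnerable_view("alice", base + "1000232").holder_name)  # Bob's report
    try:
        fixed_view("alice", base + "1000232")
    except NotFound:
        print("fixed handler: denied")
    print(find_cross_account_access(ACCESS_LOG))
```

The log review only works if the application logs the authenticated user alongside the record requested; a web server access log with URLs alone cannot answer the question.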
--28 May 2002 Excel Vulnerability
Georgi Guninski has found a security hole in Excel XP (Excel 2002).
If a user opens a spreadsheet that references an XML stylesheet
containing script, Excel will execute that script.
--28 May 2002 Yahoo Offers Patch for Messenger Holes
Attackers could exploit a buffer overflow vulnerability in Yahoo
messenger to execute malicious code on a vulnerable computer; they
could also use Java or VBS to change or create new content tabs
and alter Messenger settings. Yahoo has updated version 5.0 of its
Messenger service after learning of the problems.
--28 May 2002 Credit Card Fraud On Line Museum May Be Too Explicit
An on line credit card fraud museum is drawing criticism because some
feel its exhibits essentially provide an instructional manual for
would-be card hackers. Exhibits include software used to create phony
credit cards and information on finding and compromising vulnerable
web sites. The proprietor reportedly charges a $30 initiation fee and
$10 a month to view the site; he is the man who, in April, allegedly
planted phony credit card numbers on the Internet and offered links
to those sites in chat rooms to see how fast the news would spread.
--27 May 2002 Cyber Attacks are Up In Australia
The incidence of cyber crime, including data and network sabotage
and virus infections, is higher per capita in Australia than in the
US, according to a survey funded by the New South Wales Police, the
Australian Computer Emergency Response Team and Deloitte & Touche.
67% of the Australian companies surveyed reported having been hacked,
seven percentage points more than in the US.
--27 May 2002 FAA to Pilot Smart Card Program
The Federal Aviation Administration (FAA) plans to issue smart cards
to its employees in a pilot program for the Transportation department
(DOT). The cards will be used to access both facilities and computers.
The FAA will put out a request for proposals shortly. If the program
is successful, smart cards may be implemented throughout the DOT.
--27 May 2002 Homeland Security Generates Tech Proposals
Money available for homeland security projects has brought forth a
veritable smorgasbord of technologies from companies hoping to cash in,
including biometric cards, body scanners, and proposals for security
procedures, including the creation of a database of travel records.
Some fear that the proposed technologies and procedures could violate
The Bush administration says it plans to carefully evaluate proposed
homeland security technologies to ensure they do not impinge upon
citizens' privacy and civil liberties.
Larry Lidz describes how the University of Chicago protects its users
"Before a major attack there are often small, subtle ones while the
attackers try out their methods for carrying out the larger attack.
The University of Chicago has about 25,000 people on its network
and about 13,000 computers. We are currently averaging about one
compromised machine a day (it has been higher than normal recently). We
have tons of machines that run MS-SQL, and even more that run the
MS Data Engine. Some of these machines are run by vendors, who don't
password the 'sa' account. Many of these machines are control machines
for scientific equipment which *do not work* if there is a password
on the 'sa' account.
However, when the SQL Snake worm was released we had zero machines
This wasn't because of a technical solution -- we have no firewall,
no large defensive borders. We were able to stay off the worm by
successfully noting an early indicator. In particular, a few months
back there was a lesser known worm called CBlade. CBlade, like SQL
Snake, propagates via MS-SQL servers with no password on the 'sa'
account. As a threat, however, it never took off. Why? Because the
CBlade worm connected to a web site at the Philadelphia Museum of
Art before propagating. The Art Museum took down the offending web
site and CBlade was neutralized.
However, our policy allows us to immediately remove from the
University's network any machine that is an immediate threat to the
network. This includes any machine that is vulnerable to a worm. We
recognized that, while the CBlade worm was neutralized, a variant
would be easy to write. The next one wouldn't always connect to a
single web site, it would connect back to the infecting host. As such,
we removed all MS-SQL (including MSDE) machines from the network if
they didn't have an 'sa' password.
Writing a fast propagating, effective worm is not, currently, an easy
thing to do. It is much more likely that someone will write one that
isn't effective before the effective one is let loose.
Watching for, and more importantly, acting upon, these early
indicators is something that we as a community need to make sure is a
priority. There's not a bug that's found that our group here doesn't
ask ourselves how likely it will be to be used as a worm and what
the largest potential damage from the bug is.
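The early-indicator check the letter argues for, as an added example that is not the University of Chicago's tooling: SQL Snake and CBlade spread over TCP/1433, so one source reaching many distinct hosts on that port is the signal, whether or not the firewall let each attempt through. The log format, addresses and thresholds are constructed.

```python
# Added example (not the University of Chicago's tooling): detect a
# horizontal sweep of TCP/1433 in firewall logs and list the internal hosts
# it touched. Log format, addresses and thresholds are constructed.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>allow|deny) tcp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample: an external host sweeping 1433 across eight machines,
# a legitimate application server talking repeatedly to one database, and
# unrelated traffic that must not be flagged.
SAMPLE_LOG = "\n".join(
    [f"2002-05-21T03:14:{i:02d} deny tcp 192.0.2.77:{3000 + i} -> 10.8.9.{10 + i}:1433"
     for i in range(8)]
    + [f"2002-05-21T03:15:{i:02d} allow tcp 10.8.4.22:{2000 + i} -> 10.8.9.5:1433"
       for i in range(20)]
    + ["2002-05-21T03:16:00 allow tcp 10.8.4.22:2100 -> 10.8.9.6:80",
       "2002-05-21T03:16:01 deny tcp 198.51.100.9:4000 -> 10.8.9.7:445"]
)


def sweep_sources(log_text: str, port: int = 1433, min_hosts: int = 5) -> dict:
    """Return {source: distinct destination count} for every source that
    reached at least min_hosts different hosts on the given port. Counting
    distinct hosts rather than connections keeps a busy but legitimate
    client of a single database server out of the result."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != port:
            continue
        targets[m["src"]].add(m["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_hosts}


def probed_hosts(log_text: str, port: int = 1433, min_hosts: int = 5) -> list:
    """Internal hosts the flagged sources touched: the first machines to check
    for an unpassworded 'sa' account or for an infection."""
    sweepers = sweep_sources(log_text, port, min_hosts)
    hosts = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m["dport"]) == port and m["src"] in sweepers:
            hosts.add(m["dst"])
    return sorted(hosts)


if __name__ == "__main__":
    print(sweep_sources(SAMPLE_LOG))   # {'192.0.2.77': 8}
    print(probed_hosts(SAMPLE_LOG))
```

Denied connections are as useful as allowed ones here: the sweep itself is the indicator, and a source that fails against the perimeter will succeed against any unfiltered segment. The threshold should sit above the number of database servers any single legitimate client talks to.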