The SANS Weekly Security News Overview
Volume 4, Number 29 July 17, 2002
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Eugene Schultz
TOP OF THE NEWS
16 July 2002 Government and Industry Agree On Minimum Security
15 July 2002 OMB Establishes Security Measurements for Agencies
12 July 2002 Will Home Appliances Be the Next Target For Viruses?
10 July 2002 British ISPs Have Two Weeks to Set Up Tracking Systems
11 July 2002 Congressional Committee Adds Cybersecurity Program to
Homeland Security Bill
THE REST OF THE WEEK'S NEWS
15 July 2002 Elcomsoft Posts More Adobe Vulnerabilities
15 July 2002 Frethem Variant Making the Rounds
15 July 2002 House Overwhelmingly Approves CSEA
15 July 2002 Operation Dark Screen To Test US Response To Cyber Attack
10 & 15 July 2002 Consulting Firms Lobby For Federal Insurance
15 July 2002 IT Professionals Enumerate Their Security Gripes
12 July 2002 Chemical Industry is Developing Cyber Security Strategy
12 July 2002 Microsoft SQL Labs is Not Using its Own Security Product
11 July 2002 Telecom Hacker Charged
11 & 15 July 2002 Liberty Alliance Releases Identity Authentication
12 July 2002 Study Finds Attacks On Open Source Increasing; Windows
12 July 2002 USA Today Web Site Hacked
11 July 2002 Vulnerabilities in CDE ToolTalk
11 July 2002 Datom.A Windows Virus/Worm Masquerades as Microsoft
11 July 2002 PGP Flaw Puts Outlook Users At Risk
11 July 2002 Security Flaw in Outlook Exposed Before Patch Was
10 July 2002 Two Men Arrested in Brazil for ATM Hack
10 July 2002 Al Qaeda Uses Internet for Communications
9 July 2002 Phone Service Web Log Exposes Student Data
9 July 2002 W32.Liac.A Worm
8 July 2002 Reporter Says Survey Says Users Want Vulnerabilities
8 July 2002 Critical Infrastructure Protection Exercise
8 July 2002 Copyright Hack Back Law Not a Good Idea
8 July 2002 Security Researcher Claims Apple Update Vulnerable
8 July 2002 Proposed XML Security Standards
9 July 2002 Philippine Internet Service Group To Fight Back Against
5 July 2002 Virus Traced to Temp Worker
1 July 2002 Where's The Money in Security
TOP OF THE NEWS
--16/17 July 2002 Government/Industry Alliance Announces Minimum
Security Configuration Benchmarks
In a high-tech, high-powered version of a neighborhood watch,
a group of government agencies and industry leaders announce
today a common set of standards and software to fight computer
hacking. The initial security benchmark applies to Microsoft
Windows 2000 Professional. Benchmarks for other operating systems,
including Cisco IOS, Solaris, and other Microsoft products are being
developed. Government agencies involved include the National Institutes
of Standards and Technology, the National Security Agency, The General
Services Administration and the Defense Information Systems Agency.
The Center for Internet Security, which published the benchmark, also
released a free tool that tests systems, scores them on compliance
with the benchmark, and guides users to the corrections needed to
raise the score.
--15 July 2002 OMB Establishes Security Measurements for Agencies
The Office of Management and Budget released new regulations providing
specific measures to evaluate performance of federal security managers
The regulations: http://www.whitehouse.gov/omb/memoranda/m02-09.pdf
[Editor's Note (Paller): An important element is missing from the
regulation, but could be easily added. NASA and other organizations
have provided proof that safe configuration of systems can be measured
and does reduce attacks. And the benchmarks announced today provide
additional measurement tools. OMB could ask agencies to measure the
safety of their systems' configuration as an essential part of their
security report card.]
--12 July 2002 Will Home Appliances Be the Next Target For Viruses?
Virus expert Eugene Kaspersky warns that embedded computers in home
appliances provide an appealing target for virus writers because they
will have a common operating system and millions of potential victims.
[Editor's Note (Schultz): Kaspersky might well be correct.
The monoculture that Microsoft has created has already proverbially
bitten us several times, and Murphy's Law says that matters will only
(Grefer): Kaspersky's warning should serve as a reminder to include
defense mechanism in the appliances' operating system(s), and
preferably design it with security in mind, rather than trying to
apply security as an after-thought.]
--10 July 2002 British ISPs Have Two Weeks to Set Up Tracking Systems
The British Home Office is requiring that Internet Service Providers
(ISPs) in the United Kingdom intercept and store electronic
communications such as faxes, e-mails, and Web surfing information in
an effort to curb organized crime and terrorism. The new Regulation of
Investigatory Powers Act (RIPA), which goes into effect on August 1,
exempts ISPs with fewer than 10,000 customers.
--11 July 2002 Congressional Committee Adds Cybersecurity Program
to Homeland Security Bill
House Energy and Commerce Committee passed a version of HR 5005,
the Homeland Security Bill, after adding a specific cybersecurity
component. The new program will be a resource to other federal agencies
to help identify and correct weaknesses in federal computer systems.
THE REST OF THE WEEK'S NEWS
--15 July 2002 Elcomsoft Posts More Adobe Vulnerabilities
Elcomsoft has posted details of security vulnerabilities in Adobe's
eBook software on the BugTraq and Vuln-dev mailing lists; the company
did not inform Adobe of the problems before the postings. Elcomsoft is
the Russian company at the center of a case brought under the Digital
Millennium Copyright Act (DMCA).
--15 July 2002 Frethem Variant Making the Rounds
The Frethem worm exploits a Microsoft Outlook vulnerability that
executes attachments when e-mail is previewed. Users who have
installed the patch to fix the flaw can still become infected
if they click on the .exe attachment that accompanies the worm.
Apart from bogging down corporate e-mail systems, Frethem does not
appear to carry a malicious payload. The worm is a variant of one
released several weeks ago. Frethem was reported to have already
hit twenty-five organizations, including the National Institute of
Standards and Technology (NIST).
--15 July 2002 House Overwhelmingly Approves CSEA
By a vote of 385-3, the House of representatives approved the Cyber
Security Enhancement Act (CSEA), which provides for life sentences
for people convicted of malicious cyber crimes. The bill now heads
to the Senate.
--15 July 2002 Operation Dark Screen To Test US Response To Cyber
Federal, state and local officials are partnering with utility
companies in a test of the nation's response to cyberattacks. The
University of Texas at San Antonio and the Air Force Air Intelligence
Agency, Lackland Air Force Base, Texas are taking the lead in this
project sponsored by Texas Congressman Ciro Rodriguez.
--10 & 15 July 2002 Consulting Firms Lobby For Federal Insurance
Businesses that plan to manufacture products to be used in homeland
defense want indemnity from liability should their products fail
on the job. Representative Tom Davis (R-Va.) plans to attach such
a provision to the Homeland Security Bill wending its way through
the legislature. The amendment would place the onus of liability on
the government rather than the companies. Companies may be reluctant
to bid on homeland defense contracts if they are required to shoulder
the associated burden of product failure liability.
[Editor's Note (Murray): Microsoft, Sun, and IBM enjoy no such
protection and do not seem to need it.
(Grefer) Without liability, companies could deliver "anything"
at any level of quality, without risking any repercussions.
(Schultz) It's ironic how consulting firms are so apt to point out
the lack of responsibility organizations frequently demonstrate
in securing their own systems and networks, but now try to avoid
responsibility for what they deliver.]
--15 July 2002 IT Professionals Enumerate Their Security Gripes
A survey of more than 1200 security professionals, including system
administrators, consultants and auditors yielded a list of their
security frustrations. Topping the list are bosses who won't provide
an adequate budget and who undermine initiatives, and who ignore
simple precautions by taping passwords to monitors, failing to update
anti-virus software and clicking on attachments of unknown origin.
--12 July 2002 Chemical Industry is Developing Cyber Security
The US chemical industry is developing a plan to improve cyber security
at chemical facilities; the plan will be submitted for inclusion in the
White House's National Strategy for Protecting Cyberspace. The plan
is flexible enough to allow IT managers at various chemical facilities
to select appropriate modules for their individual organizations.
--12 July 2002 Microsoft SQL Labs is Not Using its Own Security
Microsoft's SQL Labs is using a NetScreen security appliance instead
of its own Internet Security and Acceleration (ISA) Server to protect
its systems against Nimda and other worm threats.
--11 July 2002 Telecom Hacker Charged
A 22-year-old Sydney man has been charged with "unauthorised
modification of data with intent to cause impairment to a computer."
The man allegedly accessed the accounts of more than 400,000 Optus
dial-up Internet customers; his arrest is the result of a six-month
--11 & 15 July 2002 Liberty Alliance Releases Identity Authentication
The Liberty Alliance, which includes Sun Microsystems, American
Express and Sony, among other companies, released a standard for
Internet identity authentication. The standard facilitates logging
into a variety of systems. The standard also gives rise to concerns
of on line profiling and data security threats.
[Editor's Note (Murray): It seems likely that the identity of users
in the WWW will be vouched for by trusted third parties. I think
that it is noble of Microsoft to volunteer for this role. However,
the role already belongs to the credit card companies. They also
vouch for payment. Given a choice between MS and AmEx, I choose AmEx.]
--12 July 2002 Study Finds Attacks On Open Source Increasing;
London-based consulting firm mi2g reports 7,630 digital attacks
on Linux systems in the first six months of 2002 vs. 5,736 attacks
on Linux systems for all of 2001. Conversely, attacks on Microsoft
Windows/IIS have fallen by 20 percent in the first six months of 2002
to 9,404 compared to 11,828 in the same period of 2001.
[Editor's Note (Schultz): The credibility of data such as these is at
best questionable. For one thing, can mi2g say unequivocally that
they standardized and applied a consistent definition of "attack?"
Additionally, attacks in and of themselves are commonplace. What about
"successful attacks." Caveat emptor!]
--12 July 2002 USA Today Web Site Hacked
The "USA Today" Website was defaced with six bogus stories late
Thursday July 11, 2002. The site was taken offline for three hours
and was restored at 2 am Friday morning.
--11 July 2002 Vulnerabilities in CDE ToolTalk
CERT/CC released a security bulletin warning of flaws in the ToolTalk
component of the Common Desktop Environment (CDE). The flaws could be
exploited to launch a denial of service attack or to overwrite files.
--11 July 2002 Datom.A Windows Virus/Worm Masquerades as Microsoft
A worm that purports to be "Copyrighted Microsoft Code" is spreading.
It contains three programs, MSVXD.exe, MSVXD16.dll and MSVXD32.dll,
which work together to delete personal firewalls and for other
mischief. The worm uses innovative tricks to hide itself.
--11 July 2002 PGP Flaw Puts Outlook Users At Risk
A buffer overflow flaw in certain versions of the Microsoft Outlook
implementation of Pretty Good Privacy (PGP) allows hackers to send a
special email to gain control of the target system. Network Associates
has posted a patch for the vulnerability.
The Network Associates patch:
--11 July 2002 Security Flaw in Outlook Exposed Before Patch Was
Security Researcher Thor Larholm issued an advisory about a cross
domain scripting flaw in Web Browser ActiveX Control that can
give attackers the ability to read files and execute malicious
code. Microsoft claims it is not an important problem and criticized
Larholm for releasing the advisory before a fix was available.
--10 July 2002 Two Men Arrested in Brazil for ATM Hack
Brazilian police have arrested two men - an electrician and an IT
specialist - who allegedly installed a device inside ATMs to gather
card numbers and placed digital cameras outside the machines to
capture the corresponding PIN numbers.
--10 July 2002 Al Qaeda Uses Internet for Communications
Unnamed officials say Al Qaeda is using the Internet to spread
propaganda, recruit members and solicit donations to fund their cause.
The group also uses web sites to communicate in Arabic, often encrypts
its transmissions, and changes web addresses frequently.
--9 July 2002 Phone Service Web Log Exposes Student Data
The permission level to access web logs at Resicom,
a telecommunications (company) that provides intra-campus phone
services to colleges, was set too low, allowing people to search for
student names, social security numbers and addresses. The personal
data of about 2,000 students had the security flaw; Resicom says it
has fixed the problem.
--9 July 2002 W32.Liac.A Worm
W32.Liac.A is a worm written in Visual Basic Script (VBS) that
arrives with an attachment purporting to be a video clip. The worm
mails itself out to everyone in the Outlook address book, modifies
the registry and displays this error message: "Error54: Media Player
not installed correctly."
--8 July 2002 Reporter Says Survey Says Users Want Vulnerabilities
A reporter at the Register concludes that a survey conducted by the
Hurwitz group found that end-users are overwhelmingly in favor of
full disclosure for computer vulnerabilities. Thirty-nine percent
of the more than 300 survey participants wanted the vulnerabilities
disclosed immediately upon discovery, while another twenty-eight
percent wanted them disclosed within a week.
[Editor's Note (Denning): The reporter's conclusion is not accurate
if you define "full disclosure" to include publication of exploit
code (which I do). The survey found that only 13% favored posting
"proof of concept" exploit software.]
--8 July 2002 Critical Infrastructure Protection Exercise
The Blue Cascades regional critical infrastructure protection
exercise was held in Portland, Oregon in mid June. The exercise
focused on power outages coupled with natural gas infrastructure and
telecommunications failures, and highlighted the problems that attend
interdependent systems. An action plan based on the results of the
exercise will be released soon.
--8 July 2002 Copyright Hack Back Law Not a Good Idea
Computerworld senior columnist Frank Hayes finds the legislation
proposed by Representative Howard Berman (D-Calif.) - which would
allow copyright holders to launch cyber attacks against peer-to-peer
networks and others suspected digital content piracy - reprehensible.
Hayes observes that the law could be interpreted to justify hacking
back at companies suspected of proprietary information theft and
could be used by crackers who say if the studios can do it, so can we.
[Editor's Note (Schultz): Hays has spoken well--Berman, the apparent
new champion of cybervilaganteeism, is way out of line.]
--8 July 2002 Security Researcher Claims Apple Update Vulnerable
Russell Harding of the University of Colorado claims a vulnerability
in Mac OS 10.1.X and possibly 10.0.X allows hackers to hijack automatic
software updating and install malicious programs on any Mac.
--8 July 2002 Proposed XML Security Standards
This article describes five proposed security-related XML standards:
XML Encryption (Xenc), XML signatures (XML-SIG), XML key management
specification (XKMS), extensible access control markup language
(XACML) and Security assertion markup language (SAML).
--9 July 2002 Philippine Internet Service Group To Fight Back
Members of the Philippine Internet Service Organization (PISO) will
work together to share information on spammers and hackers. Each
participating ISP will promise to cut off access for any uncooperative
user who is a danger to the Internet community. Spammers who do not
cooperate will not only have their service terminated, but their
phone numbers will also be posted on an information exchange provided
[Editor's Note (Murray): We must hold ISPs responsible for some
of the behavior of the users that they connect to the Internet.
AOL sets the example for how it should be done. AOL enforces its
acceptable use policies for the benefit of its users and the rest
of us. PISO is recognizing what other ISPs will have to recognize.]
--5 July 2002 Virus Traced to Temp Worker
A temporary agency worker at the Aberdeen (Scotland) city council
was fired for allegedly allowing the Metrion-B virus to infect the
computer system. The virus infects executables and overwrites batch
and HTML files. An estimated 200 PCs were infected, and the Council
shut down its entire computer system to avoid any further infection.
Police are exploring the possibility that the virus, which does not
spread through e-mail, was deliberately introduced.
--1 July 2002 Where's The Money in Security
Most managed security firms, security consulting firms and security
product firms have seen their hopes of a post-911 surge in business
dashed by the economic recession. But a few organizations, the federal
contractors that already had security practices, are doing very well.