SANS NewsBites August 14, 2002 Vol. 4, Num. 33
TOP OF THE NEWS
12 August 2002 Hacker Claims He Stole NASA Documents
11 August 2002 Hackers Face Stiffer Penalties
8, 9 & 12 August 2002 New OECD Security Guidelines
8 August 2002 Microsoft and FTC Reach Passport Privacy and Security
7 & 8 August 2002 Researcher Claims Win32 Messaging System is
THE REST OF THE WEEK'S NEWS
12 August 2002 Macromedia Flash Buffer Overflow Flaw
12 August 2002 CDE ToolTalk Flaw
12 August 2002 CMU to Help Other Schools Develop Cyber Security
12 August 2002 PGP Flaw
9 August 2002 Money for Bugs
9 August 2002 University Reactor Access to be Secured with Face
6 August 2002 Iowa College to Use Thumbprints for Computer Access
9 August 2002 CAIDA's Network Telescope
8 August 2002 US Military Laptops Unaccounted For
8 August 2002 Google Toolbar Flaws Patched
7 & 8 August 2002 Microsoft Issues Patch for Content Management
7 August 2002 Australian Students Pay to Have Grades Deleted
7 August 2002 DeCSS Author Trial Date Set
7 August 2002 Dutch ISP Exposes Customer Banking Info
6 & 7 August 2002 Sun XDR Library Flaw
2 & 7 August 2002 Other Backbone Providers Could Manage UUNet Traffic
6 August 2002 Israeli Teens Charged in Goner Case
6 August 2002 Setiri Trojan Eludes Firewalls
6 August 2002 Information About Japanese Defense Agency Network Leaked
6 August 2002 Indonesian Student Charged with Using Stolen Credit
Card On Line
6 August 2002 Warning of Impending Cyber Attacks Doesn't Play Out
5 & 6 August 2002 400 Laptops Missing at DoJ
5 August 2002 Former DEA Agent Pleads Guilty in Data Selling Case
5 August 2002 Japanese Mandatory ID System Irks Privacy Advocates
7 August 2002 Japanese ID System Exposes Personal Data
TOP OF THE NEWS
--12 August 2002 Hacker Claims He Stole NASA Documents
A Latin American-based hacker allegedly stole restricted NASA
documents that deal with next generation reusable spacecraft; he has
allegedly broken into other NASA computer systems. He also provided
Computerworld with evidence of his intrusion into NASA's White Sands
Test facility; he claims to have exploited an FTP vulnerability to
gain access to the systems. A NASA spokesman said the documents
contained sensitive military information. NASA is investigating.
--11 August 2002 Hackers Face Stiffer Penalties
The US judicial system has become more aggressive in prosecuting
cyber criminals. The passage of the Patriot Act increased the maximum
sentence for breaking into a computer from five to ten years in prison,
and the Cyber Security Enhancement Act could bring a hacker life in
prison for recklessly causing or attempting to cause death.
[Editor's Note (Ranum): It doesn't matter what the maximum is, when
the minimum is the slap on the wrist that hackers usually get.
(Murray) Most hackers are never caught. Most that are caught never see
a court room. After being threatened with the maximum if they go to
trial, they cop plea. (I have one client serving four years for the
moral equivalent of joy riding. When he gets out of Federal prison
he will be deported to his country of origin, Panama, a country he
left at the age of two and has not seen since.) Often they do not
see a courtroom because the state does not have a very good case.
The sentence is often more a function of the quality of the state's
case than of the offense. Welcome to modern justice.]
--8, 9 & 12 August 2002 New OECD Security Guidelines
The Organisation for Economic Cooperation and Development (OECD),
which is comprised of 30 member nations, has updated its guidelines
for information security. Titled "Guidelines for the Security
of Information Systems and Networks," the document advocates such
principles as awareness, responsibility, ethics, risk assessment
and security design and implementation. This is the first time
in a decade the OECD has updated its cybersecurity guidelines.
Although the guidelines are non-binding, OECD hopes member nations
will use them as a basis for forming cyber security initiatives.
The US Department of State has endorsed the guidelines.
OECD Guidelines: http://www.oecd.org/pdf/M00033000/M00033182.pdf
[Editor's Note (Paller): The Federal Trade Commission, under
Commissioner Orson Swindle, took the US lead on creating the
Guidelines. FTC is also leading the way in creating new security
guides for home users and in forcing companies to match their security
practices to their security promises as shown in the next story. If
you know of organizations that are making claims about the security
of their sites or of their products, but not meeting the claims, send
an email to firstname.lastname@example.org
with the subject "Unmet security promises."
If the submitted facts can be verified, we'll pass the most egregious
examples along to the government, and we'll publish the others.]
--8 August 2002 Microsoft and FTC Reach Passport Privacy and Security
A Federal Trade Commission (FTC) investigation found that Microsoft
misrepresented both the level of security provided and amount of
data collected by its Passport services. As part of a settlement
with the government, Microsoft will refrain from making false claims
about the information it collects and will submit to an independent
audit of its security program every two years. Microsoft could face
fines of $11,000 a day if it fails to comply with the agreement.
--7 & 8 August 2002 Researcher Claims Win32 Messaging System is
Chris Paget says there is an irreparable hole in Win32.
Any application can send a message to any window on the same
desktop regardless of whether or not the window is owned by the
application, and there is no authentication mechanism to prevent
this from happening. Paget has published a white paper describing a
"shatter attack" which allows an attacker to gain control of a system
by elevating his or her privileges. Microsoft says this does not
fit their criteria/definition of a security vulnerability.
[Editor's Note (Murray): The messaging system works as documented.
What Paget proposes to exploit is a documented feature. One of the
things that makes it "irreparable" is that it is widely used in ways
that do not compensate for its fundamental vulnerability. What Paget
describes is an attack that might permit an otherwise unprivileged,
but identified and authenticated, user in a multi-user system to
assume the privileges and identity of another more privileged user.
However, such a user is not an arbitrary "attacker" as our abstract
might be read to say. And the Messaging System is not one between
users but one between operating system objects.]
THE REST OF THE WEEK'S NEWS
--12 August 2002 Macromedia Flash Buffer Overflow Flaw
A buffer overflow security hole in Macromedia's Flash player could let
attackers run malicious code on vulnerable computers. The flaw affects
all versions of Flash Player older than 22.214.171.124. The problem has been
fixed in a new software update, available on Macromedia's web site.
--12 August 2002 CDE ToolTalk Flaw
CERT/CC has warned of a buffer overflow vulnerability in the CDE
ToolTalk RPC database server that could be exploited to run code or
cause a denial of service on a vulnerable machine. Users of vulnerable
systems should apply patches from vendors as they become available.
Users can also disable the ToolTalk RPC database service.
--12 August 2002 CMU to Help Other Schools Develop Cyber Security
Carnegie Mellon University (CMU) received a $400,000 grant from the
National Science Foundation's Federal Cyber Service program to help
other colleges and universities develop strong information security
programs. The four-week residential program included curriculum
development and interdisciplinary applications of information security.
--12 August 2002 PGP Flaw
A flaw in Pretty Good Privacy (PGP) encryption technology could allow
someone who intercepts a message to manipulate the recipient into
decrypting the text. Here's how it works. The interceptor collects
the message and scrambles it; the recipient may respond and ask for
a resend because the message was gibberish; if the recipient's e-mail
software includes the original message, it will arrived scrambled, but
decrypted, in the interceptor's mailbox. The vulnerability is hard
to exploit; if the message is compressed, the trick may not work.
Also, it requires that the user's e-mail software automatically
[Editor's Note (Murray: This is an attack, not a flaw. It exploits
a fundamental vulnerability that is covered in the documentation.]
--9 August 2002 Money for Bugs
Security company iDefense plans to offer payments of up to $400 in
return for reports of software vulnerabilities. While some people feel
the industry has been making money off bug hunters for a long time,
many others envision scenarios in which the money for bugs system
could be abused. An iDefense spokesman says his company will only
work with ethical bug finders.
--9 August 2002 University Reactor Access to be Secured with Face
Access to a nuclear reactor at the University of Missouri-Rolla will
be secured with face recognition biometric technology. Research has
identified weakness in the technology: some systems have correctly
recognized approved people less than half the time (47%) and another
was fooled by people holding up laptop computers with photos as they
passed by. The face recognition system will not be the only security
measure used at the facility.
[Editor's Note (Murray): While most biometrics can be tuned to produce
a lower ratio of false accepts to false positives than can passwords,
no authentication technology works as well as any two in combination.
Sensitive applications should employ strong authentication; i.e.,
two or more forms of evidence, at least one of which is resistant
--6 August 2002 Iowa College to Use Thumbprints for Computer Access
The West Des Moines campus of the Des Moines Area Community College
plans to use thumbprint scanners for access to college computer
systems. Some experts have pointed out that cracking thumbprints can
be even easier than cracking passwords; passwords can be changed, but
"[g]etting a replacement thumb is expensive and painful," according
to one privacy advocate.
[Editor's Note (Murray) Biometrics do not work because they are
secret; they work because they are difficult to forge. The remedy for
a forgery is not to change the individual. It is to resist forgeries
by having a trusted reader and by collecting complimentary evidence. ]
--9 August 2002 CAIDA's Network Telescope
The Cooperative Association for Internet Development and Analysis
(CAIDA) in San Diego, CA is using a "network telescope" to monitor
approximately 1/256 of the Internet for cyber attacks.
--8 August 2002 US Military Laptops Unaccounted For
Two laptop computers are reportedly missing from a US military command
center in Florida; that center is responsible for coordinating US
military efforts in Afghanistan. No one is sure if the computers are
merely missing or if they have been stolen. One reportedly contains
The two missing laptops have been recovered after a member of the
military confessed to having them. The motive for the theft was not
espionage, according to a spokesman for the Air Force's Office of
--8 August 2002 Google Toolbar Flaws Patched
A cluster of nine security vulnerabilities in the Google toolbar
could have allowed attackers to see what users type into the toolbar
search field, to read files or even execute scripts on a vulnerable
computer. Google has patched all the holes in an automatic update.
The affected version was 1.1.58; Google is now distributing versions
1.1.59 and 1.1.60. Users should check which version of Google's
toolbar their computers are running.
--7 & 8 August 2002 Microsoft Issues Patch for Content Management
Microsoft has released a patch for three security vulnerabilities
in its Content Management Server 2001. The most critical of the
vulnerabilities is in a user authentication function: an attacker
could offer malformed data to a web page using the authentication
function and gain control of the system.
--7 August 2002 Australian Students Pay to Have Grades Deleted
The Independent Commission Against Corruption (ICAC) found that eleven
students at the University of Technology, Sydney (UTS) paid a student
liaison officer to delete their failing marks from the University's
computer system. An ICAC commissioner said a survey of New South
Wales's 10 public universities indicated that all were vulnerable to
computer record tampering.
[Editor's Note (Ranum: This is really a human problem rather
than a technology problem. Someone in a position of trust was
untrustworthy. This is nothing new.]
--7 August 2002 DeCSS Author Trial Date Set
The trial of Jon Johansen, the Norwegian man who wrote the DVD
descrambling tool DeCSS, will begin on December 9 in Norwegian
district court. Though Johansen was indicted in January, the trial
was postponed until a judge with adequate technical knowledge could
--7 August 2002 Dutch ISP Exposes Customer Banking Info
When a man tried to cancel his cable Internet service with a Dutch ISP,
he instead received e-mails containing banking information belonging
to other ISP customers. The man contacted some of the people and
told them of the security breach. A spokesman for the ISP says they
do not know how the error occurred.
--6 & 7 August 2002 Sun XDR Library Flaw
A security flaw in some implementations of the External Data
representation, or XDR Library derived from Sun Microsystems' SunRPC
technology could let attackers run code and possibly take control of
CERT Advisory: http://www.cert.org/advisories/CA-2002-25.html
MIT Kerberos Development Team Advisory:
--2 & 7 August 2002 Other Backbone Providers Could Manage UUNet
Traffic if Necessary
AT&T officials have reassured government officials that should UUNet
go down due to parent company WorldCom's bankruptcy, other backbone
providers could easily absorb the extra traffic. Last week, Federal
Communications Commission (FCC) chairman Michael Powell told the
Senate Commerce Committee that the FCC does not have the authority to
prevent an Internet backbone provider from shutting down its services.
WorldCom CEO John Sidgmore doesn't think UUNet will go down in
--6 August 2002 Israeli Teens Charged in Goner Case
Five Israeli teenagers have been charged in Haifa District Court with
willfully causing damage to computers for their roles in creating
the Goner virus. One of the five is charged with actually writing
the virus; the others are charged with spreading it. The Goner
virus arrives in the guise of an attached screensaver and shuts down
firewalls and anti-virus software running on infected computers.
--6 August 2002 Setiri Trojan Eludes Firewalls
Three security consultants at DefCon demonstrated Setiri, a Trojan
horse that evades firewall detection. The researchers do not plan to
release Setiri for use but do want Microsoft to fix the parts of its
Internet Explorer that allow Setiri to work. Instead of containing
executable commands, Setiri opens an invisible window in IE that
connects to a web server through a proxy site. Protective measures
include turning off the invisible windows function in IE, but that
could erode the performance of some IE operations.
--6 August 2002 Information About Japanese Defense Agency Network
Fujitsu, the company that created a network for Japan's Defense Agency,
says information about the network may have been leaked to outsiders.
In June, a group of men attempted to extort money from the company for
the return of network diagrams and other information useful to hackers.
Fujitsu says outsiders could not have broken into the network because
it is not connected to the Internet.
[Editor's Note (Ranum: I think that saying a network can't be broken
into because it is not connected to the Internet shows an amazing
level of naiveté.]
--6 August 2002 Indonesian Student Charged with Using Stolen Credit
Card On Line
A 22-year-old Indonesian university student was arrested after he
used stolen credit card numbers, which he got from the Internet, to
purchase $365.93 worth of motorcycle accessories on line. He faces
charges that carry maximum prison sentences of a total of eleven years.
--6 August 2002 Warning of Impending Cyber Attacks Doesn't Play Out
Despite a warning from the National Infrastructure Protection Center
(NIPC) of imminent cyber attacks on US web sites and ISPs (Internet
Service Providers), nothing out of the ordinary occurred.
--5 & 6 August 2002 400 Laptops Missing at DoJ
An investigation conducted by the Office of The Inspector General of
the Department of Justice revealed that they have lost track of 400
laptop computers, some of which may contain sensitive law enforcement
or national security information. The investigation also showed that
close to 800 weapons were unaccounted for. It has been nearly ten
years since the FBI's last complete inventory of laptops and weapons;
the FBI is responsible for 371 of the missing laptops. Recommendations
include using bar codes and scanning devices, implementing more
stringent requirements for reporting lost laptops and revising the
guidelines that govern getting property back from erstwhile employees.
DOJ Report: http://www.usdoj.gov/oig/audit/0231/fullpdf.htm
--5 August 2002 Former DEA Agent Pleads Guilty in Data Selling Case
Former US Drug Enforcement Administration Agent Emilio Calatayud has
pleaded guilty to selling DEA information to LA private investigation
firms. In a plea agreement, Calatayud admitted to stealing the data
from federal databases including the FBI's National Crime Information
Center (NCIC), and the California Law Enforcement Telecommunications
System (CLETS); he received more than $22,000 in exchange for the
information. Calatayud faces between one and two years in custody
for his crimes.
[Editor's Note (Ranum: A violation of the public trust in the US:
1-2 years. A $360 stolen credit card transaction in Indonesia: up to
11 years. No wonder we have so many problems like this.]
--5 August 2002 Japanese Mandatory ID System Irks Privacy Advocates
Japan has instituted a mandatory ID program called "Juki Net" that
assigns citizens an 11-digit identification number and links municipal
computer systems. The database will store citizens' names, genders,
addresses, dates of birth and ID numbers. Critics say the system
violates privacy and presents opportunities for hackers to access
personal data. Some municipalities are refusing to join the system;
others are making participation optional, though the government says
non-participation is illegal. Abuse of the system carries a maximum
sentence of two years in prison and an $8,300 fine.
--7 August 2002 Japanese ID System Exposes Personal Data
Two days after the launch of Juki Net, the new Japanese computerized
ID network sent letters containing the personal information of more
than 2500 people to the wrong households.