SANS NewsBites September 17, 2002 Vol. 4, Num. 38
13 & 14 September 2002 Apache/mod_ssl Worm
10 & 11 September 2002 SP1 Quietly Addresses Serious XP Vulnerability
TOP OF THE NEWS
13 September 2002 Victoria, Australia Legislation Ups Cybercrime
12 & 13 September 2002 Hole in Word Allows File Theft
10 September 2002 Security Budgets on the Rise
THE REST OF THE WEEK'S NEWS
13 September 2002 Thieves Use e-Merchant's Account to Check Validity
of Stolen Credit Cards
12 & 13 September 2002 Outlook Express MFR Vulnerability
12 August 2002 DNA Fingerprint Developer Doesn't Like Storage
12 September 2002 Taiwan Government to Hold Cyber Intrusion Challenge
11 September 2002 W32/Chet-A Worm
11 & 12 September 2002 Conflict with Iraq Likely to Increase Cyber
11 September 2002 Modified Electronic Devices Could Interfere with
11 September 2002 Disaster Recovery Plans Should Include Current
10 & 12 September 2002 What The NSSC Won't Include
10 September 2002 Cisco VPN 3000 Series Vulnerabilities
10 September 2002 New Version of SQL Server Will be More Secure
10 August 2002 San Antonio Runs Cyber Attack Drill
9 September 2002 Schmidt Says Develop IT Security Systems for SCADA
10 September 2002 TVA Enhances Security
10 September 2002 Emergency Alert System Vulnerability
9 September 2002 H1-B Visa Applicants Not Adequately Investigated
9 September 2002 MS Seeks Engineer to Examine Xbox Chip Modifications
8 September 2002 Addressing Computer Intrusions
--13 & 14 September 2002 Apache/mod_ssl Worm
CERT/CC has issued an advisory warning of a self-replicating worm
dubbed Apache/mod_ssl that exploits a vulnerability in OpenSSL to
create a distributed network that could be used to launch a denial
of service attack. It is also known as linux.slapper.worm and
[Editor's Note (Paller): Well over 10,000 systems have been taken
over and are "collected" in controlled attack groups which could
launch DDOS attacks with substantial power. More systems are falling
every minute. If you have not fixed this problem, please do it now.
Guidance is at the CERT site above. More skilled security professionals
will find additional details at the Internet Storm Center site:
--10 & 11 September 2002 SP1 Quietly Addresses Serious XP
A specially crafted URL could make Windows XP delete entire directories
from vulnerable machines. Though Microsoft has known about the
problem since June, it is only in the recently released Windows XP
Service Pack 1 that the vulnerability is addressed.
[Editor's Note (Northcutt): This is a serious flaw. You should
probably run Windows Update and install Service 1 as soon as possible.
The Microsoft update web page said it would take 3 - 5 minutes on DSL,
but it took me 90 minutes.
(Paller) If your employer is not allowing you to run XP1 (because
it has not been fully tested) run Steve Gibson's quick fix at
http://grc.com/xpdite/xpdite.htm. It works instantly and protects
you from one of the worst of the XP vulnerabilities- one wfor which
exploits are already appearing.]
[xmaddness's note: We actually have a thread by Euclid demonstrating this bug found here:
Crazy XP Sploit!. Thanks goes to Euclid for bringing this up.
TOP OF THE NEWS
--13 September 2002 Victoria, Australia Legislation Ups Cybercrime
Cyber criminals in Victoria, Australia could receive prison sentences
of up to ten years for their actions, according to new legislation. The
Crimes (Property Damage and Computer Offences) Bill repeals older
laws that provide for more lenient sentencing and it also fills in
gaps left by the federal Cybercrime Act, which limits its focus to
Commonwealth computers and cybercrimes committed with phone devices.
--12 & 13 September 2002 Hole in Word Allows File Theft
A security hole in all versions of Microsoft Word can be manipulated
to steal files. Though the vulnerability is most severe in Word
97, Microsoft plans to fix it only in the most recent releases.
The attacker would need to know the name and location of the file he
was trying to steal.
--10 September 2002 Security Budgets on the Rise
A survey of nearly 300 high level IT managers conducted by Vista
Research along with Harris Interactive found that information security
budgets increased over the last year. A senior analyst said that
increased spending is triggered by security breaches in the short
term and by regulations in the long term.
THE REST OF THE WEEK'S NEWS
--13 September 2002 Tool Lets XP Pirates Download SP1
Software pirates have released a tool that will allow people running
pirated versions of Windows XP to download the recently released
Service Pack 1.
--13 September 2002 Thieves Use e-Merchant's Account to Check
Validity of Stolen Credit Cards
Credit card thieves apparently broke into an on line e-merchant account
to test the validity of credit cards that would then be sold on the
Internet black market. The system processed 140,000 phony charges of
$5.07 apiece; about 62,000 of the charges were approved for a total
of more than $300,000, but a large number of those were halted before
the money was ever credited to the e-merchant's account.
--12 & 13 September 2002 Outlook Express MFR Vulnerability
The message fragmentation and re-assembly (MFR) feature in Microsoft
Outlook Express can be exploited to bypass STMP content filtering
software allowing malicious code to get past the filters.
Beyond Security Advisory & Vendor Responses:
--12 August 2002 DNA Fingerprint Developer Doesn't Like Storage
Professor Sir Alec Jeffreys, the man who invented DNA fingerprinting,
is uncomfortable with the practice of storing the genetic information
of crime suspects who have been cleared of wrongdoing; he proposes
that all UK citizens have their DNA fingerprints held in a database
to be managed by a specially created body. Then everybody would be
"in ? the same boat."
--12 September 2002 Taiwan Government to Hold Cyber Intrusion
After witnessing the nation's most severe cyber attacks ever on
government systems, Taiwanese Premier Yu Shyi-kun proposed a plan to
allow Taiwan-based computer users to try and break into government
systems in order to identify vulnerabilities. Successful intrusions
will be rewarded. The plan is not to have a free-for-all, but to
give each participant in the exercise a certain amount of time and
to designate certain systems to be used as targets.
[Editor's Note (Schultz): This plan is completely irresponsible.
It not only is likely to result in unanticipated, negative consequences
(just like the recent Korean hacking challenge fiasco), but it also
amounts to still another "hacker challenge," something that ends up
legitimizing the unethical behavior of the black hat community.
(Northcutt) While they may gain some benefit from a freestyle hackfest,
a controlled, systematic approach to security and penetration testing
will garner better results. In 1999 and 2000 China and Taiwan were
engaged in a spirited cyberwar primarily going after each other's
websites. It is harder to get specific current information other than
"leaked" government reports:
If we have readers in Taiwan and you have additional information on
this story, please send what you know to email@example.com
--11 September 2002 W32/Chet-A Worm
The W32/Chet-A worm infects some Windows systems when the recipient
opens the attached .exe file. The worm is capable of infection and
self-replication, but the choppy language of the e-mail's body and
the fact that it arrives as an .exe attachment reduce the likelihood
that people will be fooled into opening the attachment. The worm also
has bugs and doesn't work on many systems.
--11& 12 September 2002 Conflict with Iraq Likely to Increase
Security firm mi2g says that a pro-Islamic hacker group calling itself
Unix Security Guard (USG) has launched attacks on three computer
systems hosted by AOL TimeWarner. Mi2g believes the incidence of such
attacks will escalate as the tensions between the US and Iraq increase.
--11 September 2002 Modified Electronic Devices Could Interfere
with Plane Controls
A technology expert says that terrorists could modify a variety of
personal electronic devices and use them to interfere with aircraft
control systems. Speaking at the InfoWar conference in Washington DC,
Chet Uber maintained that electronic devices should not be allowed
inside commercial airplanes until it is determined that they are safe.
[xmaddness's note: This has actually been brought up before. The newer boeing 777 uses radio controls to control the rear stabilzers, airloins, etc. If someone was to get control of that frequency....]
--11 September 2002 Disaster Recovery Plans Should Include Current
Disaster recovery plans often focus on site redundancy and back
up storage, but neglect to address the need for keeping current
documentation of all IT configuration settings. IT disaster recovery
plans need to be updated continuously. Having accurate information
about the latest configurations can hasten business restoration in
the event of a disaster. The article also describes the five states
of a typical disaster recovery.
--10 & 12 September 2002 What The NSSC Won't Include
The National Strategy for Securing Cyberspace, which will be
released this Wednesday September 18th, will not place any further
regulations on software companies to create and sell more secure
products. Broadband companies will not be required to provide firewalls
for their users, and the NSSC has no enforcement provisions for those
who do not abide by its guidelines.
--10 September 2002 Cisco VPN 3000 Series Vulnerabilities
Cisco issued an advisory describing 13 vulnerabilities in its VPN 3000
series concentrators; some of the security holes could allow hackers
access to secure networks or the ability to launch denial-of-service
--10 September 2002 New Version of SQL Server Will be More Secure
SQL Server's design architect says the next version of the database
management software will have improved security. Among the
new features are the ability to install fixes with ease, tighter
administrative control over who gets to see what data and the default
disabling of public access to tables.
--10 August 2002 San Antonio Runs Cyber Attack Drill
The city of San Antonio, Texas is beginning a three-phase cyber
attack disaster drill. As part of Operation Dark Screen, groups of
government and business leaders will figure out what plans of action
they would need to take in the event of an attack on the city's
power grid or financial system. Phase two will involve identifying
and addressing security holes. Phase three will be in the form of
a white-hat cyber attack
--9 September 2002 Schmidt Says Develop IT Security Systems for SCADA
Howard Schmidt, co-chairman of the President's Critical Infrastructure
Protection Board, maintains research still needs to be done to develop
IT security systems capable of supporting the Supervisory Control
and Data Acquisition (SCADA) systems which are used to regulate the
flow of electricity, natural gas and other elements of the energy
industry. This is especially important in light of the fact that a
recent security exercise in the Northwest demonstrated that attacks
aimed at the area's electric power caused cascading power failures
throughout the west, which in turn led to disruption in other elements
of critical infrastructure.
--10 September 2002 TVA Enhances Security
The Tennessee Valley Authority - tbe largest energy producer in the US
- - has taken steps to ramp up their IT security. The 700 employees
had education and training, the TVA has learned from other agencies'
security efforts, and has staged attacks to test mitigation strategies.
--10 September 2002 Emergency Alert System Vulnerability
The Emergency Alert System (EAS), which the president can use to
take control of US airwaves in the event of a national emergency,
is vulnerable to spoofing. The data headers, which precede the alert
tone and spoken message, do not include any sort of authentication.
Because normal broadcasting doesn't resume until an end-of-message
indicator is transmitted, the vulnerability could be manipulated to
keep stations off the air for extended periods of time.
--9 September 2002 H1-B Visa Applicants Not Adequately Investigated
A General Accounting Office (GAO) report found that the US government
did not take adequate steps to investigate the backgrounds of
immigrants applying for H1-B visas; the special visas would allow
them to work with sensitive information that could be used by other
countries to develop weapons.
--9 September 2002 MS Seeks Engineer to Examine Xbox Chip
Microsoft is seeking to fill a position dubbed "Software Design
Engineer;" attendant responsibilities include examining and analyzing
Xbox modification chips.
--8 September 2002 Addressing Computer Intrusions
Colin Crook, whose former employer, Citigroup, suffered cybertheft
that nearly cost them $10 million, spoke at the Systems Approach to
Terrorism Conference. Crook, who is now a senior fellow at Wharton's
SEI Center for Advanced Studies in Management, said it's important
to be able to recognize the signs that your systems are suffering
intrusion attempts; he also described cyber attack risk factors
including concentration of computing power, interconnectedness and
[Editor's Note (Paller): Colin sent us a note summarizing his three
rules: 1.Never trust a network, 2.Always authenticate the user, 3.The
Application must always defend itself, even with both of the above.]