SANS NewsBites October 2, 2002 Vol. 4, Num. 40
TOP OF THE NEWS
30 September 2002 Top 20 Vulnerabilities List Out This Week With
30 September 2002 DISA Database Exposed Confidential Information
25 & 27 September 2002 Inter-University Research Project Aims to
Build Resilient Internet System
23 September 2002 Oregon's DHS Computer System Plagued by
THE REST OF THE WEEK'S NEWS
30 September 2002 Secret Service Agents are Wardriving
30 September 2002 Bugbear Worm
30 September 2002 Proprietary Info is at Greater Risk From Insiders
than from Hackers
27 September 2002 Coalition Will Publish Disclosure Guidelines
27 September 2002 Military Action Could Prompt Cyberattacks
27 September 2002 Security Firm Warns of Microsoft VPN Vulnerability
26 September 2002 Security Firm Says Number of Cyberattacks is Higher
26 September 2002 Integrating Security Products
26 September 2002 Only You Can Prevent DDoS Attacks
26 September 2002 Congress Holds Hearings on Berman Bill
25 & 26 September 2002 FrontPage Vulnerabilities
25 September 2002 China Denies Responsibility for Dalai Lama Site
25 September 2002 Slapper Variants on the Loose
24 & 25 September 2002 Falun Gong Activists Hijack TV Again
30 September 2002 Suspected Falun Gong TV Hacker Arrested for
24 September 2002 State Dept. Employees to Get Smart Cards
24 September 2002 Arrest of T0rn Rootkit Author Raises Concerns
24 September 2002 UCLA Researchers Developing Program to Prevent
24 September 2002 Survey Says CEOs Don't Put Security First
24 September 2002 NIPC Warns of Possible Hacktivism During World
23 September 2002 FERC Wants to Restrict Access to Some Data
FREE WEB BROADCAST: October 2, 1:00 PM EDT (1700 UTC).
Dustin Childs covers the basics of event logs in Windows NT
and 2000, the managing of logs, and when you can and cannot
completely trust those logs. Listen live and ask questions, or,
once you have an access code, sign on later to listen to the web
cast at your leisure. Register in advance to get the handouts:
SECURITY TRAINING NEWS
*SANS Network Security 2002 in October: Largest security conference &
*SANS Cyber Defense Initiative in San Francisco - Dec. 15-20
Featuring 8 hands-on SANS immersion training tracks. San Francisco
is often warmer in December than it is in August.
*Advanced security training in fifty additional cities, plus Local
Mentor programs in 35 cities. See: http://www.sans.org
TOP OF THE NEWS
--30 September 2002 Top 20 Vulnerabilities List Out This Week With
The US General Services Administration (GSA), FBI's NIPC, and the
SANS Institute announced a new list of the top 20 Internet security
vulnerabilities on Wednesday, October 2nd. Five network vulnerability
assessment companies announced tools to mitigate these problems at
the same time. A companion free email service will identify the
most critical new vulnerabilities and tell what to do about them.
The Top Twenty and Tool Announcements:
Critical Vulnerability Analysis Service:
[Editor's Note (Paller): These announcements are particularly important
because they are accompanied by a case study of a federal agency
that has actually turned the tide - radically reducing the number of
compromises despite substantial growth in attacks. The resources
being announced allow all organizations to follow in that agency's
footsteps. The case study is the second half of the report posted
[Note from SANS: This week's Top Twenty announcements are wonderful,
but cover only Windows and UNIX. The definitive, 86-page step-by-step
guide to securing Cisco routers was also released this week and
may be ordered from http://store.sans.org under "Consensus Guides"
on paper or as a PDF file.]
--30 September 2002 DISA Database Exposed Confidential Information
The US Defense Information System Agency's (DISA) Requirements
Identification and Tracking System (RITS) website was apparently
running an unsecured version of Lotus Domino database; visitors to the
site could view requisition documents that contained names, addresses,
phone numbers and in some instances social security numbers belonging
to contractors and military personnel. The site has reportedly been
[Editor's Note (Ranum): This illustrates the problem of government
systems being hacked. Data like names, addresses, social security
numbers - logistical information - is often "sensitive but
unclassified." That's often the kind of data that is exposed when
the government sites get hacked.
(Paller) Lotus Notes, Oracle and other applications are the next
frontier for establishing safe configuration benchmarks. Attackers
know the flaws and applications often hold the organization's most
valuable data. Applications need to be hardened with the same energy
and care given to operating systems.]
--25 & 27 September 2002 Inter-University Research Project Aims to
Build Resilient Internet System
Researchers at five US universities received a $12 million grant
from the National Science Foundation (NSF) to develop a project
called Infrastructure for Resilient Internet Systems, or IRIS.
The project aims to develop a system that resembles peer-to-peer
networking for storing and serving information on the Internet.
The researchers at MIT, UC Berkeley, Rice University, NYU and the
International Computer Science Institute hope to develop the system
within the next five years.
--23 September 2002 Oregon's DHS Computer System Plagued by
The Oregon Department of Human Services' (DHS) computer system is
allegedly rife with security problems that let employees pay themselves
public benefits. The DHS has reportedly known about problems for
years, but they have not been alleviated. The DHS director says
he doesn't have the money needed to address the problems, and won't
take money away from needy people to fix computer vulnerabilities.
The computers store information on Oregonians receiving aid from the
DHS; the information could be used to steal identities. The one
employee who understood the system's security reportedly left the
department three years ago and cannot be located.
THE REST OF THE WEEK'S NEWS
--30 September 2002 Secret Service Agents are Wardriving
Secret Service agents have taken to wardriving to find vulnerable
wireless networks in Washington. Their primary concern is ensuring
the security of the President and other dignitaries. Agents will
share information about security problems that they discover with
the affected businesses.
--30 September 2002 Bugbear Worm
The Bugbear worm arrives as an attachment to an e-mail with a randomly
selected subject line. If the attachment is opened, Bugbear, which
is also known as Tanatos, disables antivirus software and installs
a Trojan horse, called PWS-Hooker, that logs all keystrokes and
saves the information in encrypted form on the infected computer;
attackers can come back later to retrieve the information. The worm
affects Internet Explorer 5.01 and 5.5 users who have not patched
the Incorrect MIME header flaw.
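The item above describes the worm's delivery mechanism only in outline. The "Incorrect MIME header flaw" it refers to is the Internet Explorer bug (Microsoft bulletin MS01-020, an identification added here from general knowledge, not from the newsletter) in which an attachment declared with a media Content-Type such as audio/x-wav was opened automatically even when the bytes were a Windows executable. The following Python script is an added example, not code from SANS or from any of the sources cited: it shows the kind of mail-gateway check a defender could run to flag attachments whose declared type disagrees with their filename or their actual payload. The sample messages are constructed for the example; the function and constant names are the author's own choices.

```python
import email
import os
from email import policy

# Extensions Windows treats as directly executable (constructed list; extend as needed).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}

# Constructed sample: an executable payload (starts with the PE "MZ" signature,
# base64 "TVqQAA==") declared as a .wav file. Not a real Bugbear message.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: recipient@example.com
Subject: constructed sample message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Hello.
--XYZ
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.exe"

TVqQAA==
--XYZ--
"""

# Constructed sample of a benign message for comparison: a plain text attachment.
CLEAN_MESSAGE = """\
From: sender@example.com
To: recipient@example.com
Subject: constructed clean message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain

Notes attached.
--ABC
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

Nothing to see here.
--ABC--
"""


def scan_attachments(raw_message):
    """Parse a raw RFC 822 message and return one finding per attachment whose
    declared Content-Type disagrees with its filename extension or its payload bytes."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, not an attachment
        ext = os.path.splitext(filename)[1].lower()
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        # The MS01-020 pattern: executable name hidden behind a media/text type.
        if ext in EXECUTABLE_EXTENSIONS and not declared.startswith("application/"):
            reasons.append("executable filename declared as %s" % declared)
        # Check the bytes, not just the name: a PE file begins with "MZ".
        if payload.startswith(b"MZ") and not declared.startswith("application/"):
            reasons.append("payload is a PE executable but declared as %s" % declared)
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append("executable attachment")
        if reasons:
            findings.append({"filename": filename, "content_type": declared, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, scan_attachments(raw))
```

The check deliberately looks at three independent signals (filename extension, declared type, payload signature) so that a sender who changes only one of them still trips the other two. Blocking at the gateway is a compensating control; the item's own remedy, patching the browser's MIME handling, remains the actual fix.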
--30 September 2002 Proprietary Info is at Greater Risk from Insiders
than from Hackers
A study from PricewaterhouseCoopers, the U.S. Chamber of Commerce and
the American Society for Industrial Security (ASIS) International
found that intellectual property and proprietary information theft
was committed more often by insiders, including current and former
employees, competitors and on-site trainees, than by hackers.
[Editor's Note (Northcutt): If you leave your money lying around,
sooner or later someone will pick it up. The same is true for
trade secrets. Three simple questions will help you assess your
organization's risk to theft of proprietary information. (1) Does
your organization label proprietary information? I am not talking
about the silly boilerplate you see on email. Do they label the
documents and include who should be able to access the information?
(2) Are senior managers, and others in a position of trust, reminded
on a regular basis that they have access to critical information
they are expected to protect? (3) As an employee, are you aware
of and capable of following simple processes to encrypt sensitive
information in transit and apply appropriate protections when stored?
(Schultz): Hmmm, it looks as if a lot of money was spent to prove the
obvious. Does anyone doubt that insider misbehavior poses a greater
threat to proprietary information?]
--27 September 2002 Coalition Will Publish Disclosure Guidelines
The Organization for Internet Safety (OIS), a coalition of software
developers and security firms, plans to publish draft guidelines
for vulnerability disclosure. Among the rules proposed: software
companies would respond to researchers within a week of receiving
information about a vulnerability in one of their products; researchers
would give the companies at least 30 days to develop a fix before
publishing exploits. OIS members would be bound by the honor system;
the group does not plan to enforce the guidelines.
--27 September 2002 Military Action Could Prompt Cyberattacks
If the past is a good indicator, a decision from the Bush
administration to take action in Iraq is likely to invite a maelstrom
of hacking activity on US computer networks and infrastructure.
--27 September 2002 Security Firm Warns of Microsoft VPN Vulnerability
A German security company has posted an advisory warning of a buffer
overflow vulnerability in the point-to-point tunneling protocol (PPTP)
in Microsoft Windows 2000 and XP. The Microsoft Security Response
Center is investigating the claim.
--26 September 2002 Security Firm Says Number of Cyberattacks is
Higher than Ever
According to statistics from security consultancy Mi2g, the incidence
of cyberattacks is higher than it's ever been. Most attacks are
launched against US computers, a trend which Mi2g attributes to
increasing anti-American sentiment. The report also notes that
Windows machines are targeted more often than are any others.
Mi2g has tracked computer attacks since 1995.
--26 September 2002 Integrating Security Products
Three major security software and device makers, Cisco Systems, Nortel
Networks and Check Point Software, have announced initiatives to
integrate management of their own products. Gartner's John Pescatore
observed that there is movement within the network security industry
toward offering security management software that can manage and
monitor information from security tools from multiple vendors.
--26 September 2002 Only You Can Prevent DDoS Attacks
The Federal Trade Commission (FTC) has launched Dewie the Turtle,
the Internet's version of Smokey the Bear. Because many home users
don't pay much attention to cyber security, crackers can use their
vulnerable machines to launch distributed denial of service attacks;
Dewie will offer simple and straightforward computer security advice
for home users. The goal of the campaign is to encourage a "Culture
of Security." Dewie arrives in the aftermath of a failed attempt
to require ISPs to provide security measures, including firewalls,
to their customers.
[Editor's Note (Schultz): This should be interesting. Will home users
be interested in advice from a turtle? Stay tuned!
(Northcutt): I have serious reservations that Dewie will ever become
a cultural icon, but if you can get past the dry writing style,
their business page has a lot of well organized material that anyone
responsible for an Internet presence in the U.S. ought to know:
--26 September 2002 Congress Holds Hearings on Berman Bill
During congressional hearings on a bill aimed at thwarting peer-to-peer
trading of music and movies, supporters of the proposed legislation
said concerns about misguided attacks were blowing things out
of proportion. The bill would allow copyright holders to use a
variety of methods to prevent their property from being pirated on
the Internet. Critics of the bill say its wording is vague and could
conceivably grant immunity to people who intrude into others' computers
and delete files, even if they do so mistakenly. Representative Berman
(D-California) disputed that assertion, but conceded that the bill
might need to be reworded for clarification.
[Editor's Note (Schultz): You would think that by now Rep. Berman
would realize that he is going nowhere with this bill. Its passage
would be bad news for the infosec community. Fortunately, there
appears to be little support for it in Congress.]
--25 & 26 September 2002 FrontPage Vulnerabilities
A security flaw in the SmartHTML interpreter for Microsoft's
FrontPage Server Extensions (FPSE) could be exploited to launch a
denial of service (DoS) attack against a vulnerable machine or to
run malicious code via a buffer overflow, depending upon the version
of FPSE. FPSE 2000 is vulnerable to the DoS attack, while FPSE 2002
is vulnerable to the buffer overflow attack. Earlier versions may
be vulnerable as well, but they are no longer supported. Microsoft
says that on FrontPage Server Extensions 2002 and SharePoint Team
Services 2002, the same type of request could cause a buffer overrun,
potentially allowing an attacker to run code of his choice. Users
should install a patch for the problem or run the IIS Lockdown Tool.
--25 September 2002 China Denies Responsibility for Dalai Lama Site
Jigme Tsering, manager of the Tibetan Computer Resource Centre in
Dharmsala, India says the Chinese government has been attempting to
hack the Dalai Lama's computer network. According to Tsering, a virus
sent to the network is designed to grab data and send it back to China;
the virus arrives in an e-mail with a spoofed return address, designed
to appear as though it is coming from Tsering's office. The virus has
also targeted other organizations that have lobbied on Tibet's behalf.
A spokeswoman for the Chinese government says China opposes hacking.
--25 September 2002 Slapper Variants on the Loose
Two variants of the Slapper worm are circulating on the Internet.
Known as Slapper.B or "Cinik" and Slapper.C or "Unlock," the two
exploit the same SSL vulnerability in Apache servers that the original
worm exploited. The worms also create a peer-to-peer network of
infected servers. Reports that a Ukrainian suspect had been arrested
in connection with the worm have proven false. This worm is morphing
daily. Track the changes under "ISC Analysis" at www.incidents.org
--24 & 25 September 2002 Falun Gong Activists Hijack TV Again
Falun Gong activists have once again hijacked television broadcasts
in China to air footage that supports the movement. Chinese officials
maintain the attack emanated from Taiwan and are demanding that Taiwan
find those responsible. A Taiwanese official says the allegations
are "a bit farfetched."
--30 September 2002 Suspected Falun Gong TV Hacker Arrested for
The South China Morning Post reported on September 28th that a man
was arrested in Shandong for hacking into a cable television channel
and broadcasting footage supportive of Falun Gong on April 20, 2002.
--24 September 2002 State Dept. Employees to Get Smart Cards
State Department employees will soon be receiving smart cards with
32K memory chips that will be used to access buildings and secure
areas. The cards presently contain no biometric data, but they may
in the future. To gain access to a site, a card holder will swipe
the smart card and key in a personal identification number (PIN);
the card will be swiped again upon leaving the site.
--24 September 2002 Arrest of T0rn Rootkit Author Raises Concerns
The arrest of the suspected T0rn root kit author marks the first
time someone has been arrested under the UK's Computer Misuse Act
for writing code that has the potential to be used maliciously.
Though tools like the T0rn rootkit can be used for malicious purposes,
they also have beneficial uses, like penetration testing. Though the
kit cannot spread by itself, a Scotland Yard spokesman said the
offense is the writing and distribution of the tool.
--24 September 2002 UCLA Researchers Developing Program to Prevent
Scientists at UCLA's Henry Samueli School of Engineering and Applied
Science are developing a program that they say will protect entire
networks from being used as hosts in distributed denial of service
(DDoS) attacks. The program, DDoS netWork Attack Recognition and
Defense or D-WARD, will detect and halt attacks being launched from
computers before they have traveled far enough to become disruptive.
[Editor's Note (Ranum): This basically says they're building an IDS,
and it will have all the same issues as other IDS.]
--24 September 2002 Survey Says CEOs Don't Put Security First
A survey of 250 Canadian companies found that many CEOs do not
consider computer security to be a significant business priority;
they maintain it should be a priority for IT departments, but many
of those departments are not receiving enough funding to adequately
secure company systems. In addition, 80% of the CEOs said their
companies had not been hacked in the last year, but 40% said their
companies did not have intrusion detection systems.
[Editor's Note (Murray): I would certainly hope that all CEOs
put security second to an equitable return to investors, jobs for
their employees, service to their customers, and paying their taxes.
Only security purists, not to say bigots, expect otherwise. That is
why security is a hard problem and we get paid the big bucks.]
--24 September 2002 NIPC Warns of Possible Hacktivism During World
The National Infrastructure Protection Center (NIPC) warned that
protesters may be planning to launch cyber attacks as a way of
demonstrating against the scheduled meeting of the World Bank and
the International Monetary Fund in Washington DC. NIPC urged
administrators to monitor their systems for signs of attacks.
--23 September 2002 FERC Wants to Restrict Access to Some Data
The Federal Energy Regulatory Committee (FERC) plans to restrict
access to certain information on its computer systems, and those
who are permitted to view the information may be required to sign
non-disclosure agreements. Some public interest groups are concerned
that the information being withheld in the interest of homeland
security is information citizens need to access for their own safety.
Even if data is removed from web sites, it still may be accessible
through search engine caches. Comments on the proposal will be accepted
until October 13.
[Editor's Note (Murray): No one with a legitimate need-to-know has
anything to fear. This is simply another case of the press viewing
with alarm. This is merely good security. It is a far cry from the
earlier knee-jerk reaction of the administration that wanted to simply
disconnect everything from the internet.]