Thread: NEWS: This week's security news. 10/9/02

  1. #1
    Webius Designerous Indiginous

    NEWS: This week's security news. 10/9/02

    Brought to you by our friends at the SANS Institute.

    Here are the main things of interest in this issue, highlighted in the article.

    • Feds, SANS, and Vendors Announce New Top 20 Vulnerabilities Plus Testing Tools
    • Slapper Variants On the Loose
    • Upgrades Available for Apache Vulnerabilities
    • Microsoft Issues Bulletins for Bevy of Flaws in Windows, SQL (what else is new)
    • Bugbear worm still spreading
    • Virus Masquerades As Microsoft Patch
    • Security Contractor Certification

    SANS NewsBites October 9, 2002 Vol. 4, Num. 41

    7 October 2002 Feds, SANS, and Vendors Announce New Top 20
    Vulnerabilities Plus Testing Tools

    4 October 2002 Slapper Variants On the Loose
    4 October 2002 Upgrades Available for Apache Vulnerabilities
    3 October 2002 Microsoft Issues Bulletins for Bevy of Flaws in
    Windows, SQL

    2 & 4 October 2002 Bugbear Worm Spreading
    2 October 2002 Bugbear Infection Account

    7 October 2002 IP, DNS and BGP Security
    4 & 5 October 2002 Russian Hacker Sentenced
    4 October 2002 P2P Security Advice
    2 & 4 October 2002 Opaserv Worm
    4 October 2002 State Dept. Site Defaced
    3 & 4 October 2002 GAO Report Outlines Satellite Vulnerabilities
    2 & 3 October 2002 Quantum Cryptography Advances
    3 October 2002 CIS Benchmark Tools Available To Federal Agencies
    3 October 2002 Hong Kong Online Paper Suffers Redirect Attack
    3 October 2002 Man Pleads Guilty to Identity Fraud
    3 October 2002 FedCIRC Offers Free Dissemination Patch Service
    2 October 2002 N.C. CIO Consolidating Servers
    2 October 2002 California State Government Server Breached
    2 October 2002 CD-ROMs for UN Inspectors Contained Viruses
    2 October 2002 Word Flaw Allows File Stealing
    1 & 2 October 2002 DoD Continues Wireless Moratorium
    1 October 2002 Klez Tops Lists for September
    1 October 2002 What Does a FIPS Encryption Compliance Seal Mean?
    30 September 2002 Virus Masquerades As Microsoft Patch
    30 September 2002 Security Contractor Certification
    12 September 2002 CIO Survey Shows 7-8% of IT Budget Goes to Security

    * Network Security 2002 in Washington DC, October 18-25 - Last Chance
    to register for SANS largest conference and exposition.
    * SANS Cyber Defense Initiative in San Francisco - Dec. 15-20
    Featuring 8 hands-on SANS immersion training tracks. San Francisco
    is often warmer and less crowded in December than in August.
    * Advanced security training in fifteen additional cities, plus Local
    Mentor programs in 35 cities.
    See: http://www.sans.org for all these programs


    --7 October 2002 Feds, SANS Announce New Top 20 Vulnerabilities;
    Vendors Release Testing Tools

    The US General Services Administration, the FBI's National
    Infrastructure Protection Center and SANS announced a new set of
    the twenty most commonly exploited vulnerabilities on Windows and
    UNIX systems. ISS, Foundstone, and Qualys simultaneously announced
    upgrades to their scanning products and services that specifically
    test for the Top 20.
    The Top 20 list and remediation techniques: http://www.sans.org/top20/
    [Editor's note (Paller) on vulnerability remediation: An initiative
    is being launched to teach consumers not to share their credit card
    information with organizations that have not fixed at least all of the
    Top 20 - because their credit card information will be at extreme risk.
    Similarly businesses will be encouraged to require B2B partners to
    prove that they have, at a minimum eliminated the top 20 on their
    systems, because otherwise they will be creating an easy path for
    hackers. The tools and services that scan your systems may be found
    at http://www.sans.org/top20/tools.pdf]

    --4 October 2002 Slapper Variants On the Loose
    At least four variants of the Slapper worm are presently circulating
    on the Internet, attacking Linux systems using an unpatched version of
    OpenSSL in the Apache web server software. A variant called "Mighty"
    has infected a number of machines, allowing them to be remotely
    controlled through certain IRC channels. The worm could be used
    to steal or corrupt data or to launch distributed denial of service
    (DDoS) attacks.
    [Editor's Note (Paller): 339 Slapper-infected Linux machines launched a
    DDoS attack on a US government agency on Friday and Saturday, flooding
    it with more than 1,000,000 packets per second and taking its web
    presence down for more than 24 hours. Many more such attacks and much
    larger attacks could be launched at any time. The Internet Storm
    Center (ISC) analysis at www.incidents.org will give you a genealogy
    of the worm and what to do to protect your systems. Readers who want
    fewer technical details will find a page compiled by the folks at
    F-Secure to be an excellent resource: http://www.f-secure.com/slapper/]

    --4 October 2002 Upgrades Available for Apache Vulnerabilities
    Apache users are encouraged to update their software to new versions
    (1.3.27 or 2.0.43) that fix a number of security vulnerabilities.

    --3 October 2002 Microsoft Issues Bulletins for Bevy of Flaws in
    Windows, SQL

    A critical security flaw in Microsoft Windows' HTML-based help function
    could be exploited in a buffer overflow attack. The flaw could be
    exploited by a web site or by HTML e-mail. The flaw affects Windows
    98, Me, NT 4.0, 2000 and XP. Users who have installed Outlook E-mail
    Security Update are protected, as are users of Outlook Express 6 and
    Outlook 2002; users of Internet Explorer 5.01, 5.5 and 6.0 can install
    a patch which also addresses two additional Help flaws. Microsoft also
    released a cumulative patch for SQL Server and SQL Server 2000 that
    addresses four vulnerabilities, including two buffer overflow flaws.

    --2 & 4 October 2002 Bugbear Worm Spreading
    Spreading rapidly, and evading detection by appending multiple
    extensions to the attachment that carries the worm, Bugbear shuts down
    security software, installs a keystroke logger, mass mails itself
    and copies itself onto network shared directories. It also opens a
    backdoor on successfully infected machines. Bugbear does not carry
    a destructive payload; it appears to be designed to steal credit card
    and banking account numbers and other sensitive data.
    [Editor's Note (Paller): This insight comes from Righard
    Zwienenberg, Senior Virus Analyst, Norman Data Defense Systems in
    the Netherlands. Bugbear is spreading particularly fast in Europe
    because it picks a random email subject from the victim's in-box
    to use as the subject when it is sent to other people. That means
    that the email subject is often in the local language - and not in
    English. Europeans appear to be more trusting of emails with subjects
    in their own languages.]

    --2 October 2002 Bugbear Infection Account
    The manager of an Australian business hit by the Bugbear virus says
    it arrived in an e-mail that didn't appear to have an attachment.
    The company knew something was wrong when the printers began spewing
    reams of paper with odd characters and business associates began
    calling the company saying they'd received odd e-mail messages
    from them.


    --7 October 2002 IP, DNS and BGP Security
    The National Strategy to Secure Cyberspace acknowledges that the
    Internet Protocol (IP), Domain Name System (DNS) and Border Gateway
    Protocol (BGP) components of the Internet all lack communication
    authentication mechanisms. The available fixes are too costly and
    complex to install for the majority of ISPs. Some say that even if the
    security problems in these components are addressed, the infrastructure
    of the Internet still has other vulnerabilities.

    --4 & 5 October 2002 Russian Hacker Sentenced
    Vasily Gorshkov, one of the Russian hackers who was lured to the US
    by the FBI under the pretense of a job offer at a fictional company,
    was sentenced to three years in federal prison. He was also ordered
    to pay $690,000 in restitution. Gorshkov and his accomplice, Alexey
    Ivanov, were convicted of stealing credit card numbers from computers.
    The FBI used keystroke logging software to obtain the passwords to
    the pair's computers in Russia that contained incriminating evidence.
    The special agents involved in the case received the FBI Director's
    Award for Outstanding Criminal Investigation.

    --4 October 2002 P2P Security Advice
    Peer-to-peer (P2P) file sharing programs can be the source of serious
    security breaches; users searching for available files were able to
    access a list of salaries of top executives at a Texas company and
    the Aspen, Colorado police department's computer passwords, to name
    but two instances. Users of P2P programs would be well advised to
    educate themselves about the default settings of the programs and
    pay careful attention to which folders they designate available for
    sharing. They should also let IT people at their work know if they're
    installing this type of program on company computers. Companies should
    implement acceptable use policies and install traffic content monitors.
    [Editor's Note (Murray): Enterprises should be using a restrictive,
    rather than a permissive, policy. Restrictive policies are proactive
    rather than reactive.
    (Shpantzer) The IT department of a major East coast university
    doing battle with the new version of Kazaa says it is "extremely
    adaptive." It is programmed to circumvent bandwidth shaping tools
    used by network operations staff. This has resulted in a doubling of
    network traffic, and network latency to the nearest ISP has increased
    200 times! Aside from the difficult technical issues, there are many
    unresolved legal issues associated with the use of these applications
    to facilitate the distribution of copyrighted material, not to mention
    other illegal material such as child pornography. Civil suits from
    the music industry and law enforcement raids on your facility are
    not good for productivity or reputation.]

    --2 & 4 October 2002 Opaserv Worm
    The Opasoft or Opaserv worm spreads through local area networks (LANs).
    It is designed to gain remote control of infected machines; it tries
    to download information from a website that has now been taken down
    by the webmaster.
    [Editors' Note: Unless required, file and printer sharing should be
    turned off.]

    --4 October 2002 State Dept. Site Defaced
    Russian hackers defaced a State Department web site last week,
    according to Department officials. www.usinfo.state.gov was down
    briefly but was back on line as of Friday afternoon.

    --3 & 4 October 2002 GAO Report Outlines Satellite Vulnerabilities
    A report from the General Accounting Office (GAO) warns that commercial
    satellites, which are used by some federal agencies, may be susceptible
    to hackers. On some, tracking and control uplinks are not encrypted.
    The new cyber security plan does not address satellite security.
    The report recommends changing federal policy regarding satellite
    security to cover commercial satellites instead of just government
    owned systems.

    --2 & 3 October 2002 Quantum Cryptography Advances
    Researchers in the UK and Germany have made large strides in
    the development of quantum cryptography; they were able to send a
    cryptographic key by means of a beam of low intensity light 14 miles
    between two mountains in Germany. Unlike electronically sent keys,
    if these quantum keys are intercepted, it is readily apparent to the
    key's recipient. The technology still needs more work before it is
    feasible for use across the globe.

    --3 October 2002 CIS Benchmark Tools Available To Federal Agencies
    Federal agencies are now free to use and distribute the Center for
    Internet Security's (CIS) security configuration testing tools,
    available at www.cisecurity.org/federalcisusers. The tools measure
    system security against benchmarks for Windows, Linux, AIX, Solaris,
    Cisco and other operating systems.

    --3 October 2002 Hong Kong Online Paper Suffers Redirect Attack
    People in mainland China trying to read Mingpao.com, an independent
    Hong Kong-based online newspaper, found themselves redirected to
    a site containing information about the Falun Gong movement, which
    is banned in China. A Falun Gong spokesman in Hong Kong, where the
    practice is not banned, denied responsibility for the cyber attack.

    --3 October 2002 Man Pleads Guilty to Identity Fraud
    Abraham Abdallah pleaded guilty to attempting to steal the identities
    of wealthy Americans and steal money from their bank accounts.

    --3 October 2002 FedCIRC Offers Free Dissemination Patch Service
    Government agencies soon will be able to subscribe to a free patch
    dissemination service from the General Services Administration's (GSA)
    Federal Computer Incident Response Center (FedCIRC). The service
    will also provide information on keeping systems safe from exploits
    until patches are developed for known vulnerabilities and will test
    patches before they are delivered to subscribers. There is not yet
    any provision for agencies to report back that the appropriate patches
    have been installed.

    --2 October 2002 N.C. CIO Consolidating Servers
    North Carolina's CIO has begun to consolidate government servers by up
    to 60% in an effort to improve state cyber security and reduce costs.
    [Editor's Note (Murray): While most enterprises can benefit from some
    server consolidation, this strategy has clear limitations. One would
    not want to consolidate all of one's services on one server and then
    run that server on a vulnerable operating system.
    (Paller) Good point, Bill. But the combined imperatives of security
    and budget pressure will lead to consolidation, anyway. One possible
    solution is for states to buy the consolidation service and systems
    only from vendors that can prove they can install and maintain systems
    with secure configurations and with strong perimeter protection.]

    --2 October 2002 California State Government Server Breached
    California state agencies were warned that a state server nicknamed
    Godzilla suffered security breaches; officials asked people at the
    agencies to check the security of their computer systems. It does
    not appear that any data on the machine was stolen.
    [Editor's Note (Schultz) Something like this happened to the state of
    California not too long ago, and a spokesperson made it clear that the
    state would not accept any responsibility for what happened. I wonder
    if the same kind of evasion of responsibility will surface again, or
    whether management will accept responsibility and make changes that
    will lessen the likelihood of this kind of incident occurring again.]

    --2 October 2002 CD-ROMs for UN Inspectors Contained Viruses
    UN inspectors in Vienna were given four CD-ROMs of reports from an
    Iraqi official; the disks also contained computer viruses. The viruses
    were fairly common, leading to speculation that their appearance on
    the disks was not intentional, but the result of inadequate antivirus
    software. American companies are prohibited from exporting their
    products to Iraq under the current US embargo.

    --2 October 2002 Word Flaw Allows File Stealing
    A vulnerability in the field code feature of Microsoft Word could
    allow an attacker to steal files from hard drives. All versions of
    Word from 97 running on Windows operating systems from Windows 95
    onward are vulnerable to the exploit. The attacker needs to know the
    names of the files and the full filepath to steal them. An attacker
    would send a target a document containing specially crafted field
    code; when the recipient sends the document back to the sender, the
    targeted files tag along. The article also includes ways to mitigate
    the possibility of getting stung by the exploit; Microsoft plans to
    issue patches for Word 2000 and XP but not for earlier versions.

    --1 & 2 October 2002 DoD Continues Wireless Moratorium
    The Defense Department (DoD) has extended a moratorium on wireless
    devices in and around the Pentagon until wireless network security
    vulnerabilities are adequately assessed. The DoD has asked the
    National Security Agency (NSA) to develop a database to help with
    the assessment. In addition, DoD employees are forbidden from using
    wireless devices like phones and PDAs to access classified data or
    to communicate about mission-critical operations.

    --1 October 2002 Klez Tops Lists for September
    The Klez-H worm was found most frequently on the September virus lists
    at both Sophos and MessageLabs. Bugbear is likely to make the top
    ten list in October. Klez-E tops September's list at Central Command
    and Kaspersky Labs places Klez at the top of its list as well, with
    more than 70% of "registered instances."

    --1 October 2002 What Does a FIPS Encryption Compliance Seal Mean?
    Six information technology labs across the country can issue the
    governmental FIPS (Federal Information Processing Standard) compliance
    seal for encryption products. Companies wishing to sell their products
    to the government must hold a FIPS-2 rating. While some experts see
    the certification as an assurance that "someone with a moderate degree
    of skill has looked over the design" of the products, others view
    the seal as nothing more than "a marketing tool." The certification
    process can take from four to ten weeks and costs between $20,000
    and $40,000.
    [Editor's Note (Murray): There is an infinity of ways to implement
    cryptography, most of them wrong. Anyone who wants to widely
    deploy a crypto product will want it evaluated by a third party.
    Keep in mind that the certification speaks to the implementation of
    the crypto and gives no assurance that the code does not introduce
    other problems. The recent problem with OpenSSL is a case where
    a crypto implementation introduces a vulnerability, exploited by the
    Slapper worm, that would not have been there without it.]

    --30 September 2002 Virus Masquerades As Microsoft Patch
    A virus is circulating on the Internet in the guise of a Microsoft
    security patch. The virus is in an .exe attachment, which the text
    of the e-mail advises users to run.
    [Editor's Note (Shpantzer): User awareness training should include
    knowledge of tactics that coax people into getting infected with
    malicious code. Since this is not the first virus that uses this
    trick, "Microsoft does not email patches" could be a part of that

    --30 September 2002 Security Contractor Certification
    According to the National Strategy to Secure Cyberspace, the Bush
    administration is planning to look into the possibility of requiring
    computer security contractors to be certified by the government.
    Critics of this plan say the cost may keep smaller companies, which
    often have the most capable employees, from obtaining certification.
    They also point out that certifying a company is meaningless if
    its best employees leave; individual certification would be more
    [Editor's Note (Schultz): I agree with the critics. Certifying
    individuals is the only viable plan. Certifying security contractor
    organizations would not only prove nebulous, but it would also
    deteriorate into an exercise of political gamesmanship.]

    --12 September 2002 CIO Survey Shows 7-8% of IT Budget Goes to Security
    According to a CIO magazine survey of 279 IT executives, companies
    spend an average of 7 - 8% of their IT budgets on security. Investment
    in IT security staff correlated with decreased security breaches and
    increased understanding among company officers regarding the need to
    spend money on security. Sixty-three percent of the survey respondents
    believe they should spend more on security, especially on technology,
    education and dedicated security staff.
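The Bugbear item (2 & 4 October) and the fake-patch item (30 September) describe two attachment lures: a worm that hides an executable behind stacked extensions, and an .exe that claims to be a vendor security patch. The script below is an added example of gateway-side triage for both; it is not code from the newsletter or from the poster. The extension lists, the "vendors do not e-mail patches" rule and the three sample messages are assumptions constructed for illustration, not Bugbear's real file names or the actual fake-patch mail.

```python
"""Attachment triage for the two lures described above: Bugbear's stacked
extensions and the fake 'Microsoft patch' sent as an .exe.

Added example, not code from the newsletter or the forum poster. The
extension lists, the sender rule and the sample messages are constructed
assumptions for illustration.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute on double-click (assumed gateway policy).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Harmless-looking extensions a worm stacks in front of the real one.
DECOY_EXTS = {"txt", "doc", "xls", "jpg", "gif", "htm", "html", "pdf"}


def classify_attachment(filename):
    """Return the reasons a filename is suspicious; an empty list means clean."""
    reasons = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return reasons                      # no extension at all
    final, inner = parts[-1], parts[1:-1]
    if final in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + final)
    if any(ext in DECOY_EXTS for ext in inner):
        reasons.append("decoy extension stacked before the real one")
    if "  " in filename:
        reasons.append("whitespace padding pushes the real extension out of view")
    return reasons


def triage(raw_message):
    """Parse one RFC 822 message; return [(filename, [reasons]), ...] for bad parts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = str(msg.get("From", "")).lower()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = classify_attachment(name)
        # The 30 Sept lure: Microsoft does not e-mail patches, so an .exe
        # that claims to come from Microsoft is a lure whatever its name.
        if "microsoft" in sender and name.lower().endswith(".exe"):
            reasons.append("executable 'patch' purporting to come from Microsoft")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample(sender, subject, attachment_name):
    """Construct a sample message with one binary attachment (test data only)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.test"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"MZ\x90\x00 not a real program",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_string()


# Constructed samples, not real captures.
SAMPLES = {
    "bugbear_style": build_sample("colleague@example.test", "Re: meeting notes",
                                  "notes.txt.scr"),
    "fake_patch": build_sample("Microsoft Security <update@microsoft.example>",
                               "Critical security update", "windows_update.exe"),
    "benign": build_sample("hr@example.test", "Travel policy", "policy.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw) or "clean")
```

Run as-is, the benign sample comes back clean, `notes.txt.scr` is flagged on both the executable and the decoy rule, and the "patch" is flagged on the executable rule plus the sender rule. A production filter would also look inside the attachment rather than trusting the name, but the point of the Bugbear item is that the name alone is already enough to reject.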

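The quantum cryptography item (2 & 3 October) says that an intercepted quantum key is readily apparent to the recipient. The simulation below is an added example, not part of the newsletter or of the German/UK experiment it reports; it models the textbook BB84 protocol classically, with an intercept-resend eavesdropper, to show where that detection comes from. The photon model, the seeded random choices and the 11% abort threshold are assumptions for illustration.

```python
"""BB84 key exchange simulated classically, to show the property in the
2/3 Oct item: an intercepted quantum key is readily apparent to the recipient.

Added example, not from the newsletter or the experiment it reports. Photons
are modelled as (bit, basis) pairs; measuring in the wrong basis yields a
random bit. The eavesdropper uses intercept-resend. The 11% abort threshold
is an assumption taken from the usual BB84 security analyses.
"""
import random

BASES = ("rectilinear", "diagonal")


def measure(photon, basis, rng):
    """Measure a photon prepared as (bit, prepared_basis) in `basis`.
    A matching basis recovers the bit; a mismatch gives a uniformly random bit."""
    bit, prepared = photon
    return bit if prepared == basis else rng.randrange(2)


def bb84(n, eavesdrop, seed=0):
    """Run one BB84 exchange over n photons and return sifted-key statistics."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.choice(BASES) for _ in range(n)]
    photons = list(zip(alice_bits, alice_bases))

    if eavesdrop:
        # Eve measures each photon in a guessed basis and re-sends what she saw.
        # Half her guesses are wrong, and each wrong guess disturbs the photon.
        resent = []
        for p in photons:
            eve_basis = rng.choice(BASES)
            resent.append((measure(p, eve_basis, rng), eve_basis))
        photons = resent

    bob_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bits = [measure(p, b, rng) for p, b in zip(photons, bob_bases)]

    # Sifting: both announce their bases over the public channel and keep
    # only the positions where the bases agree.
    sifted = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in sifted]
    bob_key = [bob_bits[i] for i in sifted]

    # Error estimate: sacrifice half the sifted bits and compare them publicly.
    k = len(sifted) // 2
    check = set(rng.sample(range(len(sifted)), k))
    errors = sum(1 for j in check if alice_key[j] != bob_key[j])
    keep = [j for j in range(len(sifted)) if j not in check]
    return {
        "sifted": len(sifted),
        "qber": errors / k if k else 0.0,
        "alice_key": [alice_key[j] for j in keep],
        "bob_key": [bob_key[j] for j in keep],
    }


def eavesdropper_detected(result, threshold=0.11):
    """Abort the key if the quantum bit error rate exceeds the assumed tolerance."""
    return result["qber"] > threshold


if __name__ == "__main__":
    for tapped in (False, True):
        r = bb84(2000, eavesdrop=tapped, seed=7)
        print("eavesdropper" if tapped else "clean channel",
              "sifted=%d qber=%.3f abort=%s"
              % (r["sifted"], r["qber"], eavesdropper_detected(r)))
```

With no eavesdropper the error rate on the compared bits is exactly zero and the two remaining keys agree bit for bit. With Eve measuring every photon, about a quarter of the compared bits disagree (half her basis guesses are wrong, and each wrong guess gives Bob a coin flip), far above the threshold, so the recipient discards the key. That is the "readily apparent" property: the interception cannot be made passive.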
  2. #2
    Thanks a lot for the new update! I think the news topic of certifying security contractors is an interesting part of today's news. I am a security contractor and all too often have seen other "security contractors" come in and have no freaking clue what they are talking about. These people sometimes leave the company with more holes than before they came. I totally agree with this new initiative. I hope it is based per individual though and not per company. Company certifications mean nothing.

    What does everyone else think?

