SANS NewsBites October 9, 2002 Vol. 4, Num. 41
TOP OF THE NEWS - FOCUSING ON VULNERABILITY REMEDIATION AND THREATS
7 October 2002 Feds, SANS, and Vendors Announce New Top 20
Vulnerabilities Plus Testing Tools
4 October 2002 Slapper Variants On the Loose
4 October 2002 Upgrades Available for Apache Vulnerabilities
3 October 2002 Microsoft Issues Bulletins for Bevy of Flaws in
2 & 4 October 2002 Bugbear Worm Spreading
2 October 2002 Bugbear Infection Account
THE REST OF THE WEEK'S NEWS
7 October 2002 IP, DNS and BGP Security
4 & 5 October 2002 Russian Hacker Sentenced
4 October 2002 P2P Security Advice
2 & 4 October 2002 Opaserv Worm
4 October 2002 State Dept. Site Defaced
3 & 4 October 2002 GAO Report Outlines Satellite Vulnerabilities
2 & 3 October 2002 Quantum Cryptography Advances
3 October 2002 CIS Benchmark Tools Available To Federal Agencies
3 October 2002 Hong Kong Online Paper Suffers Redirect Attack
3 October 2002 Man Pleads Guilty to Identity Fraud
3 October 2002 FedCIRC Offers Free Dissemination Patch Service
2 October 2002 N.C. CIO Consolidating Servers
2 October 2002 California State Government Server Breached
2 October 2002 CD-ROMs for UN Inspectors Contained Viruses
2 October 2002 Word Flaw Allows File Stealing
1 & 2 October 2002 DoD Continues Wireless Moratorium
1 October 2002 Klez Tops Lists for September
1 October 2002 What Does a FIPS Encryption Compliance Seal Mean?
30 September 2002 Virus Masquerades As Microsoft Patch
30 September 2002 Security Contractor Certification
12 September 2002 CIO Survey Shows 7-8% of IT Budget Goes to Security
SECURITY TRAINING NEWS
* Network Security 2002 in Washington DC, October 18-25 - Last Chance
to register for SANS' largest conference and exposition.
* SANS Cyber Defense Initiative in San Francisco - Dec. 15-20
Featuring 8 hands-on SANS immersion training tracks. San Francisco
is often warmer and less crowded in December than in August.
* Advanced security training in fifteen additional cities, plus Local
Mentor programs in 35 cities.
for all these programs
TOP OF THE NEWS - FOCUSING ON VULNERABILITY REMEDIATION AND THREATS
--7 October 2002 Feds, SANS Announce New Top 20 Vulnerabilities;
Vendors Release Testing Tools
The US General Services Administration, the FBI's National
Infrastructure Protection Center and SANS announced a new set of
the twenty most commonly exploited vulnerabilities on Windows and
UNIX systems. ISS, Foundstone, and Qualys simultaneously announced
upgrades to their scanning products and services that specifically
test for the Top 20.
The Top 20 list and remediation techniques: http://www.sans.org/top20/
[Editor's note (Paller) on vulnerability remediation: An initiative
is being launched to teach consumers not to share their credit card
information with organizations that have not fixed at least all of the
Top 20 - because their credit card information will be at extreme risk.
Similarly, businesses will be encouraged to require B2B partners to
prove that they have, at a minimum, eliminated the top 20 on their
systems, because otherwise they will be creating an easy path for
hackers. The tools and services that scan your systems may be found
--4 October 2002 Slapper Variants On the Loose
At least four variants of the Slapper worm are presently circulating
on the Internet, attacking Linux systems using an unpatched version of
OpenSSL in the Apache web server software. A variant called "Mighty"
has infected a number of machines, allowing them to be remotely
controlled through certain IRC channels. The worm could be used
to steal or corrupt data or to launch distributed denial of service
[Editor's Note (Paller): 339 Slapper-infected Linux machines launched a
DDoS attack on a US government agency on Friday and Saturday, flooding
it with more than 1,000,000 packets per second, disabling its web
presence for more than 24 hours. Many more such attacks and much
larger attacks could be launched at any time. The Internet Storm
Center (ISC) analysis at www.incidents.org will give you a genealogy
of the worm and what to do to protect your systems. Readers who want
fewer technical details will find a page compiled by the folks at
F-Secure to be an excellent resource: http://www.f-secure.com/slapper/
--4 October 2002 Upgrades Available for Apache Vulnerabilities
Apache users are encouraged to update their software to new versions
(1.3.27 or 2.0.43) that fix a number of security vulnerabilities.
--3 October 2002 Microsoft Issues Bulletins for Bevy of Flaws in
A critical security flaw in Microsoft Windows' HTML-based help function
could be exploited in a buffer overflow attack. The flaw could be
exploited by a web site or by HTML e-mail. The flaw affects Windows
98, Me, NT 4.0, 2000 and XP. Users who have installed the Outlook E-mail
Security Update are protected, as are users of Outlook Express 6 and
Outlook 2002; users of Internet Explorer 5.01, 5.5 and 6.0 can install
a patch which also addresses two additional Help flaws. Microsoft also
released a cumulative patch for SQL Server and SQL Server 2000 that
addresses four vulnerabilities, including two buffer overflow flaws.
--2 & 4 October 2002 Bugbear Worm Spreading
Spreading rapidly, and evading detection by appending multiple
extensions to the attachment that carries the worm, Bugbear shuts down
security software, installs a keystroke logger, mass mails itself
and copies itself onto network shared directories. It also opens a
backdoor on successfully infected machines. Bugbear does not carry
a destructive payload; it appears to be designed to steal credit card
and banking account numbers and other sensitive data.
[Editor's Note (Paller): This insight comes from Righard
Zwienenberg, Senior Virus Analyst, Norman Data Defense Systems in
the Netherlands. Bugbear is spreading particularly fast in Europe
because it picks a random email subject from the victim's in-box
to use as the subject when it is sent to other people. That means
that the email subject is often in the local language - and not in
English. Europeans appear to be more trusting of emails with subjects
in their own languages.]
--2 October 2002 Bugbear Infection Account
The manager of an Australian business hit by the Bugbear virus says
it arrived in an e-mail that didn't appear to have an attachment.
The company knew something was wrong when the printers began spewing
reams of paper with odd characters and business associates began
calling the company saying they'd received odd e-mail messages
THE REST OF THE WEEK'S NEWS
--7 October 2002 IP, DNS and BGP Security
The National Strategy to Secure Cyberspace acknowledges that the
Internet Protocol (IP), Domain Name System (DNS) and Border Gateway
Protocol (BGP) components of the Internet all lack communication
authentication mechanisms. The available fixes are too costly and
complex to install for the majority of ISPs. Some say that even if the
security problems in these components are addressed, the infrastructure
of the Internet still has other vulnerabilities.
--4 & 5 October 2002 Russian Hacker Sentenced
Vasily Gorshkov, one of the Russian hackers who was lured to the US
by the FBI under the pretense of a job offer at a fictional company,
was sentenced to three years in federal prison. He was also ordered
to pay $690,000 in restitution. Gorshkov and his accomplice, Alexey
Ivanov, were convicted of stealing credit card numbers from computers.
The FBI used keystroke logging software to obtain the passwords to
the pair's computers in Russia that contained incriminating evidence.
The special agents involved in the case received the FBI Director's
Award for Outstanding Criminal Investigation.
--4 October 2002 P2P Security Advice
Peer-to-peer (P2P) file sharing programs can be the source of serious
security breaches; users searching for available files were able to
access a list of salaries of top executives at a Texas company and
the Aspen, Colorado police department's computer passwords, to name
but two instances. Users of P2P programs would be well advised to
educate themselves about the default settings of the programs and
pay careful attention to which folders they designate available for
sharing. They should also let IT people at their work know if they're
installing this type of program on company computers. Companies should
implement acceptable use policies and install traffic content monitors.
[Editor's Note (Murray): Enterprises should be using a restrictive,
rather than a permissive, policy. Restrictive policies are proactive
rather than reactive.
(Shpantzer) The IT department of a major East coast university
doing battle with the new version of Kazaa says it is "extremely
adaptive." It is programmed to circumvent bandwidth shaping tools
used by network operations staff. This has resulted in a doubling of
network traffic, and network latency to the nearest ISP has increased
200 times! Aside from the difficult technical issues, there are many
unresolved legal issues associated with the use of these applications
to facilitate the distribution of copyrighted material, not to mention
other illegal material such as child pornography. Civil suits from
the music industry and law enforcement raids on your facility are
not good for productivity or reputation.]
--2 & 4 October 2002 Opaserv Worm
The Opasoft or Opaserv worm spreads through local area networks (LANs).
It is designed to gain remote control of infected machines; it tries
to download information from a website that has now been taken down
by the webmaster.
[Editors' Note: Unless required, file and printer sharing should be
--4 October 2002 State Dept. Site Defaced
Russian hackers defaced a State Department web site last week,
according to Department officials. www.usinfo.state.gov
briefly but was back on line as of Friday afternoon.
--3 & 4 October 2002 GAO Report Outlines Satellite Vulnerabilities
A report from the General Accounting Office (GAO) warns that commercial
satellites, which are used by some federal agencies, may be susceptible
to hackers. On some, tracking and control uplinks are not encrypted.
The new cyber security plan does not address satellite security.
The report recommends changing federal policy regarding satellite
security to cover commercial satellites instead of just government
--2 & 3 October 2002 Quantum Cryptography Advances
Researchers in the UK and Germany have made large strides in
the development of quantum cryptography; they were able to send a
cryptographic key by means of a beam of low intensity light 14 miles
between two mountains in Germany. Unlike electronically sent keys,
if these quantum keys are intercepted, it is readily apparent to the
key's recipient. The technology still needs more work before it is
feasible for use across the globe.
--3 October 2002 CIS Benchmark Tools Available To Federal Agencies
Federal agencies are now free to use and distribute the Center for
Internet Security's (CIS) security configuration testing tools,
available at www.cisecurity.org/federalcisusers. The tools measure
system security against benchmarks for Windows, Linux, AIX, Solaris,
Cisco and other operating systems.
--3 October 2002 Hong Kong Online Paper Suffers Redirect Attack
People in mainland China trying to read Mingpao.com, an independent
Hong Kong-based online newspaper, found themselves redirected to
a site containing information about the Falun Gong movement, which
is banned in China. A Falun Gong spokesman in Hong Kong, where the
practice is not banned, denied responsibility for the cyber attack.
--3 October 2002 Man Pleads Guilty to Identity Fraud
Abraham Abdallah pleaded guilty to attempting to steal the identities
of wealthy Americans and steal money from their bank accounts.
--3 October 2002 FedCIRC Offers Free Dissemination Patch Service
Government agencies soon will be able to subscribe to a free patch
dissemination service from the General Services Administration's (GSA)
Federal Computer Incident Response Center (FedCIRC). The service
will also provide information on keeping systems safe from exploits
until patches are developed for known vulnerabilities and will test
patches before they are delivered to subscribers. There is not yet
any provision for agencies to report back that the appropriate patches
have been installed.
--2 October 2002 N.C. CIO Consolidating Servers
North Carolina's CIO has begun to consolidate government servers by up
to 60% in an effort to improve state cyber security and reduce costs.
[Editor's Note (Murray): While most enterprises can benefit from some
server consolidation, this strategy has clear limitations. One would
not want to consolidate all of one's services on one server and then
run that server on a vulnerable operating system.
(Paller) Good point, Bill. But the combined imperatives of security
and budget pressure will lead to consolidation, anyway. One possible
solution is for states to buy the consolidation service and systems
only from vendors that can prove they can install and maintain systems
with secure configurations and with strong perimeter protection.]
--2 October 2002 California State Government Server Breached
California state agencies were warned that a state server nicknamed
Godzilla suffered security breaches; officials asked people at the
agencies to check the security of their computer systems. It does
not appear that any data on the machine was stolen.
[Editor's Note (Schultz): Something like this happened to the state of
California not too long ago, and a spokesperson made it clear that the
state would not accept any responsibility for what happened. I wonder
if the same kind of evasion of responsibility will surface again, or
whether management will accept responsibility and make changes that
will lessen the likelihood of this kind of incident occurring again.]
--2 October 2002 CD-ROMs for UN Inspectors Contained Viruses
UN inspectors in Vienna were given four CD-ROMs of reports from an
Iraqi official; the disks also contained computer viruses. The viruses
were fairly common, leading to speculation that their appearance on
the disks was not intentional, but the result of inadequate antivirus
software. American companies are prohibited from exporting their
products to Iraq under the current US embargo.
--2 October 2002 Word Flaw Allows File Stealing
A vulnerability in the field code feature of Microsoft Word could
allow an attacker to steal files from hard drives. All versions of
Word from 97 running on Windows operating systems from Windows 95
onward are vulnerable to the exploit. The attacker needs to know the
names of the files and the full filepath to steal them. An attacker
would send a target a document containing specially crafted field
code; when the recipient sends the document back to the sender, the
targeted files tag along. The article also includes ways to mitigate
the possibility of getting stung by the exploit; Microsoft plans to
issue patches for Word 2000 and XP but not for earlier versions.
--1 & 2 October 2002 DoD Continues Wireless Moratorium
The Defense Department (DoD) has extended a moratorium on wireless
devices in and around the Pentagon until wireless network security
vulnerabilities are adequately assessed. The DoD has asked the
National Security Agency (NSA) to develop a database to help with
the assessment. In addition, DoD employees are forbidden from using
wireless devices like phones and PDAs to access classified data or
to communicate about mission-critical operations.
--1 October 2002 Klez Tops Lists for September
The Klez-H worm was found most frequently on the September virus lists
at both Sophos and MessageLabs. Bugbear is likely to make the top
ten list in October. Klez-E tops September's list at Central Command
and Kaspersky Labs places Klez at the top of its list as well, with
more than 70% of "registered instances."
--1 October 2002 What Does a FIPS Encryption Compliance Seal Mean?
Six information technology labs across the country can issue the
governmental FIPS (Federal Information Processing Standard) compliance
seal for encryption products. Companies wishing to sell their products
to the government must hold a FIPS-2 rating. While some experts see
the certification as an assurance that "someone with a moderate degree
of skill has looked over the design" of the products, others view
the seal as nothing more than "a marketing tool." The certification
process can take from four to ten weeks and costs between $20,000
[Editor's Note (Murray): There is an infinity of ways to implement
cryptography, most of them wrong. Anyone who wants to widely
deploy a crypto product will want it evaluated by a third party.
Keep in mind that the certification speaks to the implementation of
the crypto and gives no assurance that the code does not introduce
other problems. The recent problem with OpenSSL is a case where
a crypto implementation introduces a vulnerability, exploited by the
Slapper worm, that would not have been there without it.]
--30 September 2002 Virus Masquerades As Microsoft Patch
A virus is circulating on the Internet in the guise of a Microsoft
security patch. The virus is in an .exe attachment, which the text
of the e-mail advises users to run.
[Editor's Note (Shpantzer): User awareness training should include
knowledge of tactics that coax people into getting infected with
malicious code. Since this is not the first virus that uses this
trick, "Microsoft does not email patches" could be a part of that
--30 September 2002 Security Contractor Certification
According to the National Strategy to Secure Cyberspace, the Bush
administration is planning to look into the possibility of requiring
computer security contractors to be certified by the government.
Critics of this plan say the cost may keep smaller companies, which
often have the most capable employees, from obtaining certification.
They also point out that certifying a company is meaningless if
its best employees leave; individual certification would be more
[Editor's Note (Schultz): I agree with the critics. Certifying
individuals is the only viable plan. Certifying security contractor
organizations would not only prove nebulous, but it would also
deteriorate into an exercise of political gamesmanship.]
--12 September 2002 CIO Survey Shows 7-8% of IT Budget Goes to Security
According to a CIO magazine survey of 279 IT executives, companies
spend an average of 7 - 8% of their IT budgets on security. Investment
in IT security staff correlated with decreased security breaches and
increased understanding among company officers regarding the need to
spend money on security. Sixty-three percent of the survey respondents
believe they should spend more on security, especially on technology,
education and dedicated security staff.