From: The SANS Institute (sans+ZZ11799111199177097sans.org)
Date: Wed Jun 06 2001 - 10:53:12 CDT

    **********************************************************************
    To: Security Express (SD397643)
    From: Alan for the SANS NewsBites service
    Re: June 6 SANS NewsBites
    *************************

    From time to time a "must read" document is published. Steve Gibson,
    author of ShieldsUp! and one of the gurus of Windows security lived
    through a major distributed denial of service attack and traced the
    attackers. He wrote an extremely readable tutorial on it. It's long,
    and worth every minute. Just one of his many interesting tidbits:
    Windows 2000 and XP, unlike their predecessors, have enormous capacity
    to generate malicious Internet traffic with spoofed IP addresses.
    http://grc.com/dos/grcdos.htm

    While we are talking about great tutorials, SANS has created a must-
    attend program for information security officers. It provides essential
    skills that every ISO must master if he or she wants to excel in the
    world of the Internet and distributed computing. It will be one of seven
    immersion tracks at SANS Network Security (San Diego, October 15- 22).
    If you are an ISO or CISO, mark your calendar today. October is a superb
    time to visit San Diego.

                                            AP

    **********************************************************************

                                 SANS NEWSBITES

                     The SANS Weekly Security News Overview

    Volume 3, Number 23, June 6, 2001

    Editorial Team:
         Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
              Stephen Northcutt, Alan Paller, Eugene Schultz

    **********************************************************************

    TOP OF THE NEWS
    31 May 2001 SULFNBK.EXE Worm Hoax
    30 May 2001 Judge Rules FBI Acted Properly in Russian Hacker Case
    29 & 31 May 2001 Open Source Sites Attacked
    29 May 2001 Insider Attacks System and is Caught
    26 May 2001 Russian Police Arrest Crackers
    23 May 2001 Microsoft Word Flaw: RTF Files and Macros

    THE REST OF THIS WEEK'S NEWS
    1 June 2001 Denial-of-Service Attacks' Potential for Increased Damage
    1 June 2001 University Systems Vulnerable
    1 June 2001 Hotmail and Yahoo E-mail Vulnerability
    1 June 2001 Gartner Analysts Point to Complacency as Root of Increased
                 Infections
    1 June 2001 Fighting Internet Fraud with Software
    31 May 2001 New Worm Variant Makes Use of Social Engineering Tactics
    31 May 2001 Former Employees Hack for Revenge
    30 May 2001 Hackers Pilfer SETI@home Volunteers' E-Mail Addresses
    30 May 2001 OpenPGP Alliance
    29 May 2001 Hacker Helps Excite@Home With Security
    29 May 2001 Echelon's Reach Exceeds its Grasp, Says EU Committee
    29 May 2001 Researcher Says Education is Key to Halting Viruses
    29 May 2001 The Costs of CyberCrime
    24 May 2001 Weather.com Hit By Denial of Service Attack
    19 May 2001 Cracker Compromises Customer Credit Card Data

    UPCOMING TRAINING OPPORTUNITIES

    Caribbean SANS San Juan, Puerto Rico, Jun. 5-8
    SANS PeachTree Atlanta, GA, Jun. 10-13
    SANS Parliament Sq.* London, England, Jun. 20-23
    Rocky Mt. SANS Denver, CO, Jun. 28 - Jul. 3
    SANSFIRE* Washington, DC, Jul. 30 - Aug. 4
    SANS Security Leadership Washington, DC, Aug. 1-2
    SANS Parliament Hill* Ottawa, Canada, Aug. 8-18
    SANS Network Security 2001* San Diego, CA Oct. 15-22
    SANS Cyber Defense Initiative (CDI) Washington, DC, Nov. 27 - Dec. 3

    See www.sans.org for details.

    *********************** Sponsored by SurfControl *********************

    MONITOR & MANAGE INTERNET USE - FREE TRIAL!

    If you're not managing Internet access, you're asking for trouble.
    SurfControl, the #1 market leader in Internet filtering, improves
    security & frees up network traffic. Find out exactly WHO is doing WHAT,
    WHEN, & WHERE on the 'Net.

    FREE 30-day SuperScout Web Filter trial:
    http://www.surfcontrol.com/promo/SNB0606

    **********************************************************************

    TOP OF THE NEWS
     --31 May 2001 SULFNBK.EXE Worm Hoax
    A hoax e-mail may have convinced many people to delete SULFNBK.EXE, a
    Windows utility, from their hard drives. While the e-mail may have
    begun with good intentions - there have been reports of e-mails
    containing copies of the file infected with W32.Magistr.24876@mm - the
    hoax e-mail uses social engineering to get people to do the work of a
    malicious worm.
    A Symantec site offers information about the hoax e-mail and
    instructions for restoring the deleted file.
    http://www.zdnet.com/zdnn/stories/news/0,4586,5091958,00.html?chkpt=zdhpnews01
    http://www.symantec.com/avcenter/venc/data/sulfnbk.exe.warning.html
    [Editor's (Paller) Note: The Magistr virus is sometimes delivered
    inside a file called sulfnbk.exe. This story has two morals: (1) "Do
    it yourself" virus cleaning is dangerous. (2) People who pass along
    unverified virus warnings can be a major part of the virus problem. If
    your organization's AUP (appropriate use policy) allows these two
    behaviors, you might want to change the policy.]

     --30 May 2001 Judge Rules FBI Acted Properly in Russian Hacker Case
    A federal judge has ruled that the FBI did not violate the rights of
    two alleged cyber-criminals when it tricked the Russian pair into
    divulging passwords and account numbers and downloaded evidence from
    machines in Russia using that information. In his ruling, the judge
    wrote that the suspects had no expectations of privacy when they were
    asked to demonstrate their skills, that computers and data are not
    subject to Fourth Amendment protection, and that the FBI obtained a
    warrant before examining the data they downloaded from the Russians'
    computers. The suspects allegedly stole financial information from two
    banks and they have been linked to credit card thefts from CD Universe
    and Western Union.
    http://www.msnbc.com/news/563379.asp?0nm=C21D
    [Editor's (Murray) Note: Bad cases make bad law. We will all live to
    regret this decision.]
    [Editor's (Paller) Assessment of Murray's Note: Nonsense. Our courts do
    an incredibly good job of protecting alleged criminals against
    overzealous law enforcement. This ruling is balanced. It provides
    protection for both the alleged criminals and the public.]

     --29 & 31 May 2001 Open Source Sites Attacked
    At least two open-source web sites - the Sourceforge.net development
    site and the Apache Software Foundation's public server - were targeted
    by crackers. Sourceforge had to reset all users' passwords.
    Tucows.com and themes.org may also have been victims.
    http://news.cnet.com/news/0-1003-200-6077471.html?tag=prntfr
    http://www.zdnet.com/zdnn/stories/news/0,4586,5091936,00.html
    http://it.mycareer.com.au/breaking/2001/05/31/FFXQ0QREDNC.html

     --29 May 2001 Insider Attacks System and is Caught
    This story details the case of Abdelkader Smires who used insider
    knowledge to launch attacks against Internet Trading Technologies
    (ITTI), a brokerage. Smires was caught because he failed to mask the
    IP addresses he used and had read his e-mail while launching the
    attacks; he received an 8-month prison term.
    http://www.techtv.com/cybercrime/internetfraud/story/0,23008,3013872,00.html

     --26 May 2001 Russian Police Arrest Crackers
    Russian police have arrested members of a cracker group behind an on-
    line credit card fraud scheme. The five men are not thrill-seeking
    crackers, but professional criminals out to make money. The ringleader,
    a 63-year-old grandfather, could face a 10-year jail sentence.
    http://news.bbc.co.uk/hi/english/world/europe/newsid_1353000/1353092.stm

     --23 May 2001 Microsoft Word Flaw: RTF Files and Macros
    Microsoft has warned of a flaw in Word that could allow macros to run
    without warnings. If users of Word 97 and higher open a Rich Text
    Format (RTF) file that references a template with an embedded macro,
    that macro can be run without any warnings, and could be constructed to
    disable Word security settings. Microsoft has issued a patch for the
    flaw.
    http://www.infoworld.com/articles/hn/xml/01/05/23/010523hnwordflaw.xml
    http://www.microsoft.com/technet/security/bulletin/ms01-028.asp
    [Editor's (Murray) Note: Code is now riddled with escape mechanisms.
    Ken Thompson's warning has come true; there is no longer a useful
    distinction between programs and data.]
    [Editor's (Cowan) Note: For those wondering what this is about, this
    brief article from the SANS Reading Room explains how to use RTF instead
    of Word's native .doc format to avoid most macro virus problems. The
    bug and fix described above relate to the RTF approach to macro virus
    defense.
    http://www.sans.org/newlook/resources/macro.htm]

    ******************** Also Sponsored by Oblix, Inc.********************

    SECURITY AT THE SPEED OF E-BUSINESS

    Hear what the GARTNER GROUP has to say about single sign-on,
    authentication and information security. Oblix invites you to listen to
    a FREE replay of "Best Practices: Enabling Single Sign-on and Automated
    Provisioning" featuring Gartner Research, KPMG, Access360 and Oblix.

    Visit us at: http://www.oblix.com/reply/sans2

    **********************************************************************

    THE REST OF THIS WEEK'S NEWS

     --1 June 2001 Denial-of-Service Attacks' Potential for Increased
                    Damage
    The author of a recent study on denial-of-service attacks says they are
    on the rise and are becoming more serious; the potential for damage
    increases as more elements of critical infrastructure are placed on
    line. Steve Gibson, a security consultant whose GRC.com web site has
    been the victim of attacks, suggests that ISPs should filter outgoing
    packets for invalid addresses.
    http://www.zdnet.com/zdnn/stories/news/0,4586,5092020,00.html

     --1 June 2001 University Systems Vulnerable
    University computers are desirable targets for crackers due to their
    ubiquitous vulnerabilities and weak protection. In addition, the
    systems offer storage space for illegal software, fast Internet
    connections for launching denial-of-service attacks, and access to a
    plethora of sensitive data. Crackers have been known to trade addresses
    of compromised .edu computers on the "digital black market."
    http://www.cnn.com/2001/TECH/internet/06/01/hacking.colleges.ap/index.html
    [Editor's (Murray) Note: Universities should segregate and isolate
    student-managed systems, enforce origin addressing, and enforce their
    acceptable use policies.]
    [Editor's (Paller) Question: If your university has found a solution to
    the student computer problem - one that effectively protects the rest
    of the Internet from all of your student computers without crushing
    creativity and openness - please share it with us at info@sans.org with
    subject "Academic excellence in security."]

     --1 June 2001 Hotmail and Yahoo E-mail Vulnerability
    A vulnerability in Hotmail and Yahoo e-mail programs allows a
    deliberately composed e-mail containing an HTML link to behave like a
    worm and flood Internet mail servers. Microsoft had the flaw fixed by
    Friday afternoon, and Yahoo was working on a fix.
    http://news.cnet.com/news/0-1003-200-6162983.html?tag=prntfr
    [Editor's (Grefer) Note: Though these two well-known email services have
    corrected the problem, one must wonder whether the many smaller email
    services have done anything about it.]

     --1 June 2001 Gartner Analysts Point to Complacency as Root of
                    Increased Infections
    Gartner analysts say the rise in e-mail worm infestations is due to
    complacency, and advise IS organizations to continuously educate about
    guarding against e-mail-borne infections, to establish and enforce
    strong security policies, and to strip .vbs files from messages.
    http://news.cnet.com/news/0-1003-201-6157094-0.html?tag=prntfr
    [Editor's (Murray) Note: While we must expect new viruses to contaminate
    some systems, vigilance and timeliness can prevent them from using the
    internet to spread. It now appears that if as few as twenty percent of
    our systems and networks are resistant to a virus, it will die out.
    However, in order to achieve this level it is essential that all desktop
    and laptop systems update frequently and that enterprise gateways, our
    first line of defense, be updated at least weekly. My preference is
    for these gateways to scan both inbound and outbound traffic.]

     --1 June 2001 Fighting Internet Fraud with Software
    Forensic data mining, which can be used to fight Internet fraud,
    searches for patterns that suggest questionable activity and warrant
    closer examination. Programs can detect unusual activity such as a
    credit card being swiped twice at the same location, a patient charging
    services to another family member's account when benefit limits have
    been reached, and high correlation between physicians who refer patients
    to one another and overcharge the insurer.
    http://www.wired.com/news/technology/0,1282,44203,00.html
    [Editor's (Murray) Note: Real hackers (as opposed to vandals) work at
    the application layer. Because intent is most obvious at this layer it
    is also the layer where resistance is most effective.]

     --31 May 2001 New Worm Variant Makes Use of Social Engineering
                    Tactics
    The Chernobyl worm, which carries a malicious payload capable of
    overwriting a computer's BIOS information, is making the rounds this
    time in the guise of an attachment purporting to be pictures of Jennifer
    Lopez.
    http://news.cnet.com/news/0-1003-200-6135045.html?tag=prntfr
    [Editor's (Murray) Note: "Social engineering" is a term that hackers
    use to put a pleasant face on fraud and deceit.]

     --31 May 2001 Former Employees Hack for Revenge
    Federal investigators say the incidence of unhappy former employees
    attacking companies' computer systems is increasing. One man altered
    customer accounts and deleted databases in his former employer's system;
    another sent phony e-mails that appeared to come from the management at
    the company where he had worked as a contract employee. An FBI computer
    intrusion squad agent points out that it is important to be aware of
    who has been fired because computer access is not always cut off when
    employment is terminated.
    http://www.usatoday.com/life/cyber/tech/2001-05-31-revenge-hacking.htm

     --30 May 2001 Hackers Pilfer SETI@home Volunteers' E-Mail Addresses
    Some hackers figured out the method SETI@home uses to exchange work
    units with volunteers in its distributed computing effort, and took
    advantage of the knowledge to mine up to 50,000 e-mail addresses which
    were then used in a spam attack. SETI@home's project director said the
    server software has been revised.
    http://www.msnbc.com/news/580466.asp?0nm=C21B
    [Editor's (Cowan) Note: The article says this hack exposes the pitfalls
    of distributed computing. More precisely, it exposes the pitfalls of
    distributed computing with weak authentication.]

     --30 May 2001 OpenPGP Alliance
    Eleven companies and organizations have formed the OpenPGP Alliance,
    which will allow them to share information to achieve interoperability
    between different secure e-mail systems.
    http://news.cnet.com/news/0-1003-200-6112943.html?tag=prntfr

     --29 May 2001 Hacker Helps Excite@Home With Security
    Excite@Home has praised a hacker who came to the company with
    information about a server vulnerability that could have exposed
    customer support data. After meeting with the man, Excite@Home
    bolstered its network security by installing firewalls, implementing a
    variety of security hardware and programs, and restricting network
    access.
    http://news.cnet.com/news/0-1003-200-6091589.html?tag=prntfr
    [Editor's (Grefer) Note: @Home is a major contributor to the security
    problem, because of its lax security. Just look at the GRC story
    described at the beginning of this issue.]
    [Editor's (Paller) Note: We do not recommend the hiring of hackers.
    However, when hackers come forward to help improve security, without
    any form of extortion, they are taking a big step toward using their
    talents in ways that could be the beginning of a valuable career.]

     --29 May 2001 Echelon's Reach Exceeds its Grasp, Says EU Committee
    A draft report from a European Parliament investigative committee
    concludes that Echelon, the global electronic eavesdropping network, is
    not as capable as was previously believed, but the committee still
    recommends that people use encryption software.
    http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO60923,00.html
    Echelon Q&A:
    http://news.bbc.co.uk/hi/english/sci/tech/newsid_1357000/1357513.stm

     --29 May 2001 Researcher Says Education is Key to Halting Viruses
    Sarah Gordon, a researcher studying virus writers and hackers, uses her
    skills not to track down criminals, but to develop cybercrime
    deterrents. She believes that education is the key to stemming the tide
    of malicious cyber activity because there is a "fundamental disconnect"
    between people's on-line and off-line behavior.
    http://www.wired.com/news/culture/0,1284,43839,00.html

     --29 May 2001 The Costs of CyberCrime
    In 1999 businesses spent over $7 billion to protect themselves from
    cybercrimes; last year, computer attacks cost businesses over $17
    billion, up from more than $12 billion in 1999. Experts say that
    security risks can be decreased with the use of stringent security
    measures and internal policies, and of course, vigilant monitoring.
    http://detnews.com/2001/technews/0105/29/b01-229644.htm

     --24 May 2001 Weather.com Hit By Denial of Service Attack
    The Weather Channel's web site was hit by a denial-of-service attack
    that limited user access and slowed site performance for about seven
    hours. The director of site operations said that in defense, they
    shifted to another dedicated router and installed filtering and
    intrusion detection software. In addition, system administrators are
    examining the company's server logs to see if the attack was a diversion
    created to draw attention away from an intrusion.
    http://www.internetwk.com/story/INW20010524S0010

     --19 May 2001 Cracker Compromises Customer Credit Card Data
    A security breach at A&B Sound's web site exposed customer names and
    credit card data. The site was shut down to allow for investigation.
    A&B Sound has sent e-mails to potentially affected customers advising
    them to contact their credit card issuers.
    http://www.vancouversun.com/newsite/business/010519/5020497.html
    http://www.absound.ca/

    ==end==

    Please feel free to share this with interested parties via email (not
    on bulletin boards). For a free subscription, (and for free posters)
    e-mail sans@sans.org with the subject: Subscribe NewsBites

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the headers).
    You will receive your personal URL via email.

    You may also email <sans@sans.org> with complete instructions and your
    SD number for subscribe, unsubscribe, change address, add other digests,
    or any other comments.