From: The SANS Institute (sans+ZZ51432043677326191sans.org)
Date: Wed Jun 20 2001 - 13:17:49 CDT


    **********************************************************************
    To: Security Express (SD397643)
    From: Alan for the SANS NewsBites service
    Re: June 20 SANS NewsBites
    *************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Last month, the three most popular Hacker Exploits courses were run
    head-to-head at SANS2001. The highest rated was Eric Cole and Ed
    Skoudis' course "Computer and Network Hacker Exploits." It was also the
    only one of the three courses that taught students how to block the
    attacks as well as how to run them.

    You may attend Eric and Ed's course in Boston or Washington in July.
    If you take the entire five-day track, which combines the hacker
    exploits courses with advance incident handling, you'll have finished
    the course work for one of the GIAC Level 2 security certifications.
    http://www.sans.org/sansfire/track4.html

                                            AP

    **********************************************************************

                                 SANS NEWSBITES

                     The SANS Weekly Security News Overview

    Volume 3, Number 25 June 20, 2001

    Editorial Team:
         Kathy Bradford, Crispin Cowan, Roland Grefer, Bill Murray,
              Stephen Northcutt, Alan Paller, Eugene Schultz

    **********************************************************************

    TOP OF THE NEWS

    15 June 2001 Israeli Hacker Won't Go to Jail
    13 June 2001 IU Computers Breached for Second Time This Year
    9 - 14 June 2001 Cal-ISO Servers Compromised

    THE REST OF THIS WEEK'S NEWS

    15 June 2001 Wireless Keyboard Security
    15 June 2001 New Malicious Hacking Tools
    14 June 2001 Houston Floods Bring Physical Security Lessons
    14 June 2001 Trojan Exploits Word RTF/Macro Flaw
    13 & 14 June 2001 Morbid Curiosity Yields Trojan
    11 & 13 June 2001 MacSimpson Worm
    13 & 14 June 2001 Exchange 2000 Patch Woes
    13 June 2001 Former FAA Employee Gets Jail Sentence for Stealing
                  Source Code
    13 June 2001 Cracker Group Defaces More Sites Because They Can
    13 June 2001 SQL Server Flaw Bulletin and Patch
    13 & 14 June 2001 Malicious E-Mail Could Cause Problems for Japanese
                       Wireless Internet Customers
    11 June 2001 DMCA Shadow Looms

    TUTORIAL
    11 June 2001 Outsourcing Pros and Cons: Security Manager's Journal

    UPCOMING TRAINING OPPORTUNITIES
    SANS Parliament Sq., London, England, Jun. 20-23
    Rocky Mt. SANS Denver, CO, Jun. 28 - Jul. 3
    SANSFIRE, Washington, DC, Jul. 30 - Aug. 4
    SANS Security Leadership, Washington, DC, Aug. 1-2
    SANS Parliament Hill, Ottawa, Canada, Aug. 8-18
    SANS Network Security 2001, San Diego, CA, Oct. 15-22
    SANS Cyber Defense Initiative (CDI), Washington, DC, Nov. 27 - Dec. 3

    See www.sans.org for details.

    ******************** Sponsored by NetIQ Corporation ********************

    FREE SECURITY GUIDE:

    Get the in-depth knowledge you need to secure your enterprise with
    NetIQ's FREE step-by-step security guide - "Selecting The Right Security
    Solution" - at
    http://www.netiq.com/sponsor/default.asp?236

    NetIQ's security solutions not only identify intruders, but ensure that
    threats don't ever become incidents.

    ***********************************************************************

     --15 June 2001 Israeli Hacker Won't Go to Jail
    Ehud Tenenbaum, the Israeli hacker who was part of the force behind the
    "Solar Sunrise" attack on US Defense Department computer systems in
    1998, was sentenced to six months of community service. Tenenbaum was
    also fined approximately $18,000 and sentenced to one year of probation.
    A two-year suspended prison sentence will be enforced if he commits a
    computer crime within the next three years.
    http://www.securityfocus.com/news/217

     --13 June 2001 IU Computers Breached for Second Time This Year
    According to Indiana University (IU) officials, crackers broke into IU
    School of Music computers where they accessed names, addresses and
    social security numbers of people who had requested information about
    the school; the crackers also used the breached servers as a private
    chatroom and for file storage. Technicians said that the crackers
    exploited the rpc.statd buffer overflow flaw to gain access to the
    servers, and that they deleted any log files which could have offered
    clues to their identities.
    http://www.wired.com/news/culture/0,1284,44501,00.html

     --9 - 14 June 2001 Cal-ISO Servers Compromised
    Crackers recently infiltrated two servers that were part of a
    development network at the California Independent System Operator (ISO)
    - an integral part of the power grid - raising concerns that foreign
    governments or terrorist groups are probing the US's critical
    infrastructure networks. Security specialists say they cannot tell who
    was responsible for the attacks, and that many security measures,
    including firewalls, tripwires, and logs, were not in place.
    http://www.latimes.com/business/cutting/20010609/t000047994.html
    http://www.computerworld.com/storyba/0,4125,NAV47_STO61313,00.html
    http://news.cnet.com/news/0-1003-200-6272438.html?tag=prntfr
    [Editor's (Murray) Note: One might well ask why systems intended for
    the development of such a sensitive application are connected to the
    public network at all, much less without routine security measures.]

    ********************* Also sponsored by Trend Micro ********************

    TREND ANTIVIRUS ISPC MAGAZINE'S EDITORS' CHOICE

    If you are worried about email viruses, you need Trend Micro ScanMail
    for Exchange. It is the best solution for your Exchange server and PC
    Magazine agrees: ScanMail and its plug-in eManager are PC Magazine's
    Editors' Choice for Best Email Virus Protection. Buy a license for
    ScanMail and get the content-management plug-in eManager FREE:

    http://www.antivirus.com/banners/tracking.asp?si=19&bi=106&ul=/promo1

    ************************************************************************

    THE REST OF THE WEEK'S NEWS

     --15 June 2001 Wireless Keyboard Security
    Daten-Treuhand, a German security concern, has posted a warning on
    Bugtraq that crackers can sniff passwords from wireless keyboards from
    up to 30 meters.
    http://www.theregister.co.uk/content/8/19736.html
    http://www.daten-treuhand.de/sicherheitsnews/logitech/bugtraq.htm

     --15 June 2001 New Malicious Hacking Tools
    Security consultants say there are two new hacking tools available on
    the Internet: GodMessage and Choke. GodMessage lets crackers put
    ActiveX code on web pages which would make browsers download a
    compressed program. Users with current antivirus software should be
    protected. The Choke worm circumvents security controls using MSN
    Messenger.
    http://www.zdnet.com/zdnn/stories/news/0,4586,2775804,00.html

     --14 June 2001 Houston Floods Bring Physical Security Lessons
    The recent flooding in Houston not only underscored the importance of
    having a detailed emergency plan in place, but also brought to light
    some important physical security considerations. Data and
    communications equipment centers should not be on the lower floors of
    buildings, provisions need to be made for refueling generators, and IT
    staff members should be included as members of emergency command
    centers.
    http://www.computerworld.com/storyba/0,4125,NAV47_STO61363,00.html

     --11 & 13 June 2001 MacSimpson Worm
    A mass mailing worm that targets Macintosh computers arrives as an
    attachment purporting to be secret episodes of The Simpsons. The
    attachment is actually an AppleScript that sends copies of itself to
    everyone in the Outlook Express or Entourage address book(s) of
    infected machines. Finally, the worm moves the contents of the sent
    mail folder to the deleted items folder and opens Internet Explorer to
    a Simpsons archive. The worm affects Macintosh Systems 9.0 and higher,
    and Outlook Express 5.02 and higher. The Computerworld article offers
    advice for removing the worm from infected systems.
    http://news.cnet.com/news/0-1006-200-6250087.html?tag=prntfr
    http://www.zdnet.com/zdnn/stories/news/0,4586,2772050,00.html
    http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO61323,00.html

     --14 June 2001 Trojan Exploits Word RTF/Macro Flaw
    A Trojan horse named Goga exploits a recently disclosed security flaw
    in Microsoft Word. Goga arrives in the guise of a Rich Text Format
    (RTF) attachment that links to a template file on a Russian web site.
    A macro in the file circumvents Windows security and gathers logons and
    passwords.
    http://news.cnet.com/news/0-1003-200-6280162.html?tag=prntfr
    http://www.microsoft.com/technet/security/bulletin/ms01-028.asp

     --13 & 14 June 2001 Morbid Curiosity Yields Trojan
    Computer users who thought they were downloading a bootlegged video of
    Timothy McVeigh's execution were actually being tricked into installing
    the SubSeven Trojan horse program on their computers. The program,
    which affects only computers running Windows operating systems, allows
    crackers to remotely control infected machines. The web page that
    contained the program is no longer up, and users with current antivirus
    software should be protected.
    http://news.bbc.co.uk/hi/english/sci/tech/newsid_1386000/1386606.stm
    http://www.zdnet.com/zdnn/stories/news/0,4586,2775026,00.html?chkpt=zdhpnews01
    [Editor's (Murray) Note: Those who do not take the bait should also be
    safe.]

     --13 & 14 June 2001 Exchange 2000 Patch Woes
    The first patch Microsoft issued for an Exchange 2000 security flaw
    contained an error that caused servers to hang. The second, which
    contained outdated files, did the same thing. The company released a
    third version of the patch last week. One security consultant described
    the patch's effect as essentially launching a denial-of-service attack
    on one's own server.
    http://www.zdnet.com/zdnn/stories/news/0,4586,5092661,00.html?chkpt=zdhpnews01
    http://www.computerworld.com/storyba/0,4125,NAV47_STO61353,00.html

     --13 June 2001 Former FAA Employee Gets Jail Sentence for Stealing
                     Source Code
    Thomas A. Varlotta, the Federal Aviation Administration (FAA) engineer
    who stole O'Hare International Airport air traffic control monitoring
    software shortly before he left the FAA's employ, was sentenced to a
    year in prison and ordered to pay $13,000 in fines and restitution.
    Varlotta had headed the team that developed the source code he stole.
    http://www.chicagotribune.com/news/metro/dupage/printedition/article/0,2669,SAV-0106130346,FF.html

     --13 June 2001 Cracker Group Defaces More Sites Because They Can
    A cracker group notorious for defacing scads of Chinese web sites
    earlier this year has recently defaced a dozen sites worldwide; all that
    the sites have in common is the word "security" in their domain names. In
    an email to CNET, the group claims that they target Windows NT and 2000
    servers because they are so easy to infiltrate.
    http://news.cnet.com/news/0-1003-200-6269253.html?tag=prntfr

     --13 June 2001 SQL Server Flaw Bulletin and Patch
    Microsoft simultaneously posted a bulletin about and a patch for a flaw
    in SQL Server 7.0 and 2000 Gold databases that could allow a cracker to
    hijack an administrative connection. The flaw affects servers that are
    configured for mixed-mode authentication, and attackers must already
    have access to the server in order to take advantage of the
    vulnerability.
    http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO61332,00.html
    Bulletin: http://www.microsoft.com/technet/security/bulletin/MS01-032.asp
    Patch: http://support.microsoft.com/support/kb/articles/Q299/7/17.asp

     --13 & 14 June 2001 Malicious E-Mail Could Cause Problems for
                          Japanese Wireless Internet Customers
    A Japanese wireless phone carrier has warned subscribers of its I-Mode
    wireless Internet service that malicious e-mail messages could cause
    their phones to dial an emergency number, make lots of calls, or freeze
    the phone screen. The company advises its customers not to open e-mail
    from unknown sources and offers suggestions for thwarting the potential
    problems.
    http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO61340,00.html
    http://news.cnet.com/news/0-1004-200-6282498.html?tag=prntfr
    [Editor's (Cowan) Note: Script-enabled mail and web clients are a
    disaster, and apparently G3 cell phone manufacturers have fallen into
    the same trap as the designers of MS Outlook and the people who invented
    Javascript for web browsers. At least with Netscape the user can
    disable Java and Javascript for web and mail. One suspects that G3
    (third generation) cell phone users will not be so lucky.]
    [Editor's (Grefer) Note: This incident should serve as another reminder
    to set up a separate machine that has been hardened (a.k.a. a bastion
    host) to serve as log server for all systems. Once the syslog
    configurations of the other systems have been adjusted to point to the
    hardened log server or log host, it will be much more difficult for
    intruders to cover their tracks. Any logged activities up to the point
    where they manipulate the syslog daemon or its configuration will be
    preserved.]
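
    A worked example of the syslog forwarding arrangement the note describes,
    added here and not part of the newsletter or the editor's text: a classic
    BSD-style /etc/syslog.conf fragment for one of the monitored systems. The
    host name "loghost", the file paths and the facility selection are
    assumptions. The first rules keep the usual local files; the last rule sends
    a duplicate of every message to the hardened log host over UDP port 514, so
    an intruder who later deletes or truncates the local files cannot remove the
    copies already received. On the log host itself the daemon must be started
    to accept network messages (with sysklogd of that era, "syslogd -r"), and
    port 514 on it should be reachable only from the systems meant to use it.

```conf
# /etc/syslog.conf on each monitored system (added example; "loghost" is an
# assumed name that must resolve via /etc/hosts or DNS to the hardened log host).
# Older BSD syslogd requires a TAB between the selector and the action field.

# Keep local logging as before so the system stays usable for day-to-day work.
*.info;mail.none;authpriv.none          /var/log/messages
authpriv.*                              /var/log/secure

# Forward a copy of everything, including authentication records, to the
# hardened log host.  The "@" prefix means "send to this host over UDP/514".
# Anything forwarded before an intruder tampers with this file or with the
# syslog daemon is already on loghost and out of their reach.
*.*                                     @loghost
```

    Because the copy on the log host is only as trustworthy as the log host, the
    same machine should run nothing else, accept no interactive logins from the
    monitored systems, and be the first place to look when local logs are found
    missing, as in the IU incident above.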

     --11 June 2001 DMCA Shadow Looms
    Fearful of violating the Digital Millennium Copyright Act (DMCA), the
    administrator of a TiVo web forum has asked users to refrain from
    posting information about methods for sharing saved content.
    http://news.cnet.com/news/0-1005-200-6249739.html?tag=prntfr

    TUTORIAL
     --11 June 2001 Outsourcing Pros and Cons: Security Manager's Journal
    On one hand, managed security services offer round-the-clock monitoring,
    a staff with detailed knowledge, and "herd immunity." On the other
    hand, the commitment to security may not be as strong as that of someone
    in-house, the companies must look like gold mines to crackers, and the
    cost of such services is still quite high.
    http://www.computerworld.com/cwi/community/story/0,3201,NAV65-663_STO61232,00.html

    ==end==

    Please feel free to share this with interested parties via email (not
    on bulletin boards).  For a free subscription, (and for free posters)
    e-mail sans@sans.org with the subject: Subscribe NewsBites

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the headers.)
    You will receive your personal URL via email.

    You may also email <sans@sans.org> with complete instructions and your
    SD number for subscribe, unsubscribe, change address, add other digests,
    or any other comments.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE7MOAa+LUG5KFpTkYRApxgAJkB+iTTu5tS+wpCtS3Yz6FHeGpU1ACaAlht
    TezHKyRLvD7HFWzZQA5WtIw=
    =Et7h
    -----END PGP SIGNATURE-----