From: The SANS Institute (sans sans.org)
Date: Wed Jul 18 2001 - 11:24:04 CDT
To: Security Express (SD397643)
From: Alan for the SANS NewsBites service
Re: July 18 SANS NewsBites
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Breaking News: New "Code Red" worm is spreading rapidly through
systems running Microsoft IIS. Both IIS 4.0 and 5.0 are affected.
http://www.crn.com/components/Nl/direct/article.asp?ArticleID=28301
Also Today: Users Band Together To Persuade Vendors To Improve
Security Configurations
If you work for one of the tens of thousands of organizations that
rely on Solaris systems for important applications, you'll want to
get the newly revised Solaris security benchmark being published
today by the Center for Internet Security (formed by 160 leading user
organizations). The benchmark defines a global consensus of minimum
security settings that are not likely to break any applications and
that protect your systems from many common attacks. More sophisticated
Solaris benchmarks, for greater protection, are being created. Windows
2000 and several other benchmarks will follow. The benchmarks are free
and come with tools (also free) that allow you to test your systems
instantly and as often as you like. If you have ever wished system
vendors would provide their products with a more secure configuration
"out of the box," and that they would take a greater responsibility
for protecting you, their customers, join the Center. When the
security community speaks with one voice, you will be hard to ignore.
See www.cisecurity.org
AP
**********************************************************************
SANS NEWSBITES
The SANS Weekly Security News Overview
Volume 3, Number 29 July 18, 2001
Editorial Team:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt,
Alan Paller, Marcus Ranum, Howard Schmidt, Eugene Schultz
**********************************************************************
TOP OF THE NEWS
13 July 2001 Sans.org Defaced
13 July 2001 Leave Worm Variant Disguised as Microsoft Security
Bulletin
13 July 2001 Honeynet Expansion Planned
12 July 2001 New Mailing List To Improve Speed and Accuracy Of
Security Bug Reports
12 July 2001 New Wireless Security Vulnerability Reported
THE REST OF THIS WEEK'S NEWS
13 July 2001 Outlook E-Mail Vulnerability
12 July 2001 Welsh Cracker Tells His Story
11 July 2001 Worms Will Become More Dangerous
10 & 12 July 2001 GAO Report Enumerates Payroll Center Security
Problems
10 & 11 July 2001 NCTP Research and Recommendations for Local Law
Enforcement and Cyber Crime
10 July 2001 I-Worm.Mari
9 July 2001 FreeBSD Security To Be Improved with $1.2 Million US Grant
9 July 2001 Microsoft Warns of SMTP Vulnerability, Issues Patch
9 July 2001 Easing the Security Headache for Users
6 & 9 July 2001 Security Hole in Safe Harbor Site
6 July 2001 S1 Corp. Computer Intrusion
5 July 2001 IIS Exploit Code Posted
2 July 2001 Stopping Distributed Denial of Service Attacks
2 July 2001 Panel Urges Legislators to Strengthen Cyber Security
Research Report: How Much Time Do Americans Spend On the Internet?
UPCOMING TRAINING OPPORTUNITIES
SANSFIRE (8 tracks), Washington, DC, Jul. 30 - Aug. 4
SANS Information Security Officer Training, Washington, DC, Aug. 1-2
SANS Parliament Hill (5 tracks), Ottawa, Canada, Aug. 8-18
SANS Scandinavia (3 tracks), Stockholm, Sept. 23-28
SANS Network Security 2001 (8 tracks), San Diego, CA, Oct. 15-22
SANS Cyber Defense Initiative (CDI), Washington, DC, Nov. 27 - Dec. 3
Plus new, on-line, security training programs.
See www.sans.org for details.
******************* Sponsored by Tripwire, Inc. **********************
Worried about the integrity of your data? Rest easy with Tripwire.
Tripwire data and networking integrity solutions tell you if, when, and
how data or business processes have been changed on your system. This
leads to less time consuming & labor intensive recovery processes.
Attend a free online seminar & get a Tripwire cap!
http://www.tripwire.com/products/register.cfml?semID=65
**********************************************************************
TOP OF THE NEWS
--13 July 2001 Sans.org Defaced
The Sans.org web site was defaced on Friday morning. The site was
taken off line immediately. It was brought back up Sunday evening.
Forensic analysis is ongoing.
http://www.msnbc.com/news/600122.asp?0dm=C12NT
[Editor's (Northcutt) Note: This has been a startling reminder of
just how devastating an Internet attack can be. Every single program
and setting has to be reviewed and in many cases, redesigned so that
they can safely operate, not just in today's attacks, but also in the
face of the threat level we will experience two years down the road.
Some services may not be available for days.
Editor's (Paller) Note: Though we would have greatly preferred not
to have been attacked, the subsequent analysis is reaping far more
fruit than we expected or hoped. We will provide a complete report of
the lessons learned. We are gratified and humbled by the outpouring
of active, unsolicited assistance being provided by many of the most
experienced people in security. It helps a lot!]
--13 July 2001 Leave Worm Variant Disguised as Microsoft Security
Bulletin
A variant of the W32-Leave worm is wending its way about the
Internet pretending to be a Microsoft security bulletin.
The worm, which affects only machines previously infected
with the SubSeven Trojan, downloads components from web
sites and could potentially be used to plant denial-of-service
software on infected machines. Computers with current antivirus
software and firewall protection should be safe from infection.
http://www.computerworld.com/storyba/0,4125,NAV47_STO62194,00.html
--13 July 2001 Honeynet Expansion Planned
The founders of the Honeynet project (that uses fake web
sites to track and fingerprint attackers) are proposing
mechanisms that will greatly expand the number of honeypots,
making them more difficult for the attackers to recognize.
http://news.cnet.com/news/0-1003-200-6560377.html?tag=prntfr
--12 July 2001 New Mailing List To Improve Speed and Accuracy Of
Security Bug Reports
Three well-known vulnerability researchers, Rain Forest Puppy, Weld
Pond, and Steve Manzuik, have formed a new vulnerability mailing
list for reporting new vulnerabilities and threats. The new site,
at www.vulnwatch.org is designed to improve both the timeliness
and quality of bug reports over what has been provided by Bugtraq
and NTBugtraq.
http://www.newsbytes.com/news/01/167891.html
--12 July 2001 New Wireless Security Vulnerability Reported
A third vulnerability in the WEP protocol was reported by security
researcher Tim Newsham. The vulnerability involves breaking a 64
bit key which Newsham says can be done in less than 30 seconds.
http://news.cnet.com/news/0-1003-200-6554365.html?tag=prntfr
Additional stories on Wireless insecurity:
http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO62144,00.html
http://www.newscientist.com/news/news.jsp?id=ns99991018
http://www.zdnet.com/zdnn/stories/comment/0,5859,2783681,00.html
****************** Also sponsored by Oblix, Inc. *********************
Learn how IDENTITY MANAGEMENT drives down the COST OF OWNERSHIP and
increases security in a UNIFIED ACCESS CONTROL system for e-business.
Attend a FREE web conference on July 26
11:00AM PT/2:00PM ET
featuring Frank Prince, Sr. Analyst, Forrester Research and Oblix.
Register today at http://www.oblix.com/reply/sans07182001
**********************************************************************
THE REST OF THIS WEEK'S NEWS
--13 July 2001 Outlook E-Mail Vulnerability
Georgi Guninski has reported an ActiveX control flaw in Outlook 98,
2000, and 2002 e-mail software that could allow an attacker to alter
calendar information, delete e-mail, or run malicious code on the
affected computer. Users can be exposed to the vulnerability either by
viewing a specially crafted web page or by opening specially crafted
HTML e-mail. Microsoft Corp. has issued a security bulletin, and a
company security manager indicates that they would have preferred
having had time to prepare a fix before the vulnerability became
public knowledge.
http://www.computerworld.com/storyba/0,4125,NAV47_STO62182,00.html
http://www.msnbc.com/news/599983.asp?0dm=T18NT
http://www.microsoft.com/technet/security/bulletin/MS01-038.asp
[Editor's (Murray) Note: Guninski has not yet decided whether he
wants to be part of the problem or part of the solution.]
--13 July 2001 Microsoft Speaks Out On Raw Sockets
Microsoft's Security Program Manager, Scott Culp, tells why he believes
raw socket support is useful for effective security in Windows XP and
why taking raw sockets out would not stop DDOS attacks. The interview
was presented by the Register as a rebuttal to claims made by Windows
guru Steve Gibson.
http://www.theregister.co.uk/content/4/20387.html
[Editor's (Murray) Note: Gibson does not say "necessary and
sufficient," as Culp suggests. He merely says useful, that it
will so lower the cost that it will result in a dramatic increase.]
--12 July 2001 Welsh Cracker Tells His Story
Raphael Gray, the Welsh teenager who stole a plethora of
credit card data from a variety of web sites, describes his
background in cracking and the events that led to his arrest.
http://news.bbc.co.uk/hi/english/uk/newsid_1434000/1434530.stm
--11 July 2001 Worms Will Become More Dangerous
Jose Nazario, a security expert speaking at the Black Hat Security
Briefings, said that computer worms will evolve into stealthier
programs capable of targeting specific victims. University of
Washington security engineer Dave Dittrich agreed, drawing an analogy
between computer systems' security and the human immune system.
http://news.cnet.com/news/0-1003-200-6548363.html?tag=prntfr
[Editor's (Murray) Note: Biological viruses evolve of biological
necessity. It is part of their essential nature. Computer viruses
and worms are artifacts. They have only the motivation that people
program into them. There is nothing necessary, essential, or inevitable
about them.]
--10 & 12 July 2001 GAO Report Enumerates Payroll Center Security
Problems
A General Accounting Office (GAO) report asserts the National Business
Center, based in Denver, has inadequate physical security, does not
sufficiently limit employee access to systems, and lacks monitoring
and investigative programs. The security weaknesses could potentially
be exploited to alter payroll data. An official says that work is
well underway to fix the problems.
http://www.usatoday.com/life/cyber/tech/2001-07-10-govt-payroll-computer-security.htm
http://www.fcw.com/fcw/articles/2001/0709/web-safe-07-12-01.asp
[Editors' (multiple) Note: These conclusions are as true for most
sites as they are for the National Business Center. GAO would do far
more good for security of government systems if it were to provide
agencies with specific, measurable, technical criteria (metrics) for
what constitutes due care and adequate security of federal systems.]
--10 & 11 July 2001 NCTP Research and Recommendations for Local Law
Enforcement and Cyber Crime
The National Cybercrime Training Partnership (NCTP) conducted
research that reveals state and local police are not well
equipped to manage cyber crimes. Problems they face include lack
of funding, equipment, and forensic expertise. Among the 10
recommendations NCTP issued are establishing specialized crime
units, working with technology companies, offering standardized
training and certification, and updating forensic tools.
http://news.cnet.com/news/0-1007-200-6538290.html?tag=prntfr
http://www.wired.com/news/technology/0,1282,45129,00.html
--10 July 2001 I-Worm.Mari
The I-Worm.Mari spreads, as many do, via Outlook address books
when users click on e-mail attachments. The worm does no harm
to computers, but spreads a short polemic in favor of legalizing
marijuana, and sets Internet Explorer's start page to marijuana.com.
Though the site asserts it has nothing to do with the worm, angry
victims have launched denial of service attacks in retaliation.
http://www.wired.com/news/technology/0,1282,45101,00.html
--9 July 2001 FreeBSD Security To Be Improved with $1.2 Million US
Grant
With funds from the Defense Advanced Research Projects Agency, the
Navy's SPAWAR organization is providing $1.2 million to add anti DDOS
capabilities to FreeBSD. This grant is one of a series being made
under the Community-Based Open Source Security project administered
by NAI Labs.
http://news.cnet.com/news/0-1003-200-6526301.html?tag=prntfr
--9 July 2001 Microsoft Warns of SMTP Vulnerability, Issues Patch
A Microsoft security bulletin warns of an authentication
vulnerability in Windows 2000 Simple Mail Transfer Protocol
(SMTP) that could permit crackers to gain user-level privileges
and potentially use compromised computers as spamming
zombies. Microsoft has issued a patch for the security hole.
http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO62059,00.html
http://www.microsoft.com/technet/security/bulletin/ms01-037.asp
--9 July 2001 Easing the Security Headache for Users
Because security measures are generally tacked on after computer
systems are designed, users often find them cumbersome and
develop methods for bypassing permissions, virus filters,
digital certificates and the like. Unfortunately, passwords
on post-its and disabled filters undermine security.
http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO62041,00.html
--6 & 9 July 2001 Security Hole in Safe Harbor Site
A security hole in the Commerce Department Safe Harbor web site
allowed any visitor to read and even modify private information about
companies who had registered for the program. Participants in the Safe
Harbor program agree to abide by a set of privacy practices and in
turn gain legal protection from Europe's stringent privacy laws.
The Commerce Department says no data was altered; the two affected
pages have been taken down while the situation is investigated.
http://www.wired.com/news/print/0,1294,45031,00.html
http://www.zdnet.com/zdnn/stories/news/0,4586,5093806,00.html?chkpt=zdnn_nbs_hl
http://www.computerworld.com/cwi/stories/0,1199,NAV47_STO62076,00.html
--6 July 2001 S1 Corp. Computer Intrusion
Intruders who broke into a computer at web-based banking services
company S1 Corp. may have been able to access sensitive customer
data, according to one source. Federal law enforcement authorities
are investigating.
http://www.msnbc.com/news/597071.asp?0dm=T26CT
--5 July 2001 IIS Exploit Code Posted
A hacker has posted code that can be used to exploit a known
buffer overflow vulnerability in Microsoft Internet Information
Server (IIS). Microsoft customers received a security alert about
the problem in mid-June and the company has released a patch.
http://www.zdnet.com/zdnn/stories/news/0,4586,2782723,00.html
--2 July 2001 Stopping Distributed Denial of Service Attacks
Shawn McCarthy offers a brief tutorial on types of DDOS
attacks and how your ISPs can help you counter them.
http://www.gcn.com/vol20_no17/news/4573-1.html
--2 July 2001 Bureaucrats Urge Legislators to Strengthen Cyber
Security Oversight
A panel of bureaucrats told the Joint Economic Committee that all
the attention paid to defacements, hacking and other minor cyber
threats distracts from the larger risk of cyber warfare launched by
foreign governments. The panel urged the legislators to strengthen
federal security oversight.
http://www.gcn.com/vol20_no17/news/4564-1.html
Research Report
How Americans Use The Internet
The Pew Foundation Internet and American Life Foundation just released
a study of the amount of time spent and the activities performed on
the Internet. Also compares veteran Internet users with newcomers.
http://www.pewinternet.org/reports/pdfs/PIP_Time_spent_online.pdf
==end==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans sans.org with the subject: Subscribe NewsBites
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the
headers.) You will receive your personal URL via email.
You may also email <sans sans.org> with complete instructions and
your SD number for subscribe, unsubscribe, change address, add other
digests, or any other comments.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7Vaj8+LUG5KFpTkYRAr72AJ9RSB+citEaSBA+QwS/S0jL3zQjUgCgmOhS
6OcGmiOAlbhYMepTqPjOqz0=
=JA2D
-----END PGP SIGNATURE-----