From: The SANS Institute (sanssans.org)
Date: Wed Aug 08 2001 - 18:07:44 CDT


    To: Security Express (SD397643)
    From: Alan for the SANS NewsBites service
    Re: August 8 SANS NewsBites


    A very busy week.

    1. We are not out of the woods yet on Code Red and more vicious
    worms and other automated attack tools are on the horizon. Still,
    it is worth taking a moment and thanking the extraordinary people
    who gave up their nights and weekends to make it possible for the
    community to fight back against Code Red. If they hadn't gone above
    and beyond the call, the number of people damaged by these worms,
    and the number of e-commerce sites losing customer credit card data,
    would have been much, much higher. The people are:

    Marc Maiffret and Ryan Permeh at eEye Digital Security; John Stewart
    at Digital Island; Ron Dick, Bob Gerber, Jeff Tricoli, Vince Rowe,
    Tom Ervin and the team at the NIPC; Marty Lindner and the CERT/CC
    team; Steve Lipner, Scott Culp and the Microsoft team; Elias Levy
    and the SecurityFocus team; the CAIDA team; UNIRAS (the UK CERT);
    Mark Krause, Chris Morrow, and Jared Allison of UUNET; Marcus Sachs
    and the team at JTF-CNO; Margie Gilbert at the NSC; Steve Gibson of
    Gibson Research; Tinabeth Burton of ITAA; Chris Rouland, Dennis Treece
    and the team at ISS; Jimmy Kuo, Dmitry Gryaznov, Neil Cowie, Chris
    Stubbs, and the NAI team; Vicki Irwin, Johannes Ullrich, John Green,
    Matt Fearnow and the team at SANS incidents.org, and Ken E. whose
    full name and organization are not public.

    2. Navy-Wide Information Assurance Leadership Program
    The Chief of Naval Operations (CNO) and SANS are conducting a joint
    technical conference as an integral part of SANS Network Security 2001
    in San Diego October 15-16. All authorized Navy personnel are also
    allowed to attend the SANS training and certification classes that
    follow the Leadership Program, at significantly reduced costs. The
    registration is posted at http://infosec.navy.mil/pubs/docs/training.
    Along with the form there, fax a Form 1556 for payment. Details on
    where to send it are at the end of this digest.

    3. Online Registration Opens for SANS Network Security 2001.
    With the Navy's program running at SANS Network Security 2001, some of
    SANS' most popular certification courses will fill up earlier than usual
    (the Certified Information Security Officer Training, for example,
    but two or three others will as well). So please register in the
    next two weeks. If you register by August 15, you also get any of
    five bonus books.
    Conference information at: http://www.sans.org/NS2001/NS2001.htm
    Secure online registration form:



                                 SANS NEWSBITES

                     The SANS Weekly Security News Overview

    Volume 3, Number 32 August 8, 2001

    Editorial Team:
         Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt,
           Alan Paller, Marcus Ranum, Howard Schmidt, Eugene Schultz


    6 - 8 August 2001 Code Red II Slows Parts of the Net
    31 July 2001 Code Red's Presence Underscores Patch Apathy
    1 August 2001 Users Ask Software Vendors To Stand Behind Security

    3 August 2001 Security Site Traffic Up
    2 August 2001 DOD Shuts Down Sites Again
    1 August 2001 States Anticipate Code Red Trouble
    6 August 2001 Sklyarov Out on Bail
    2 August 2001 Sklyarov's Presentation Demonstrates Poor E-Book
    3 August 2001 GAO Finds Poor Security at Commerce Department
    3 August 2001 Wireless Vulnerability
    3 August 2001 Internet Security Tips
    2 August 2001 SirCam Poses Double Infection Threat
    1, 2, & 3 August 2001 SirCam Still Spreading; Ukrainian President a
    1 August 2001 Postponed Sentencing for Melissa Author Leads to
    1 August 2001 Proposed School Hacking Bill Too Broad, Say Critics
    31 July 2001 SubSeven Comes to Mac
    31 July 2001 Telnet Exploit on Bugtraq Causes a Stir
    29 July 2001 Georgia Students' Info Exposed on Google
    27 July 2001 Former Employee Arrested for Unauthorized Access,
    27 July 2001 Former IRS Employee Pleads Guilty to Cyber Sabotage
    27 July 2001 ITNet Exposes Applicant Data

    ******************** Sponsored by NetIQ Corp. ************************

    Free Security Guide from NetIQ.

    Keep the bad guys out with NetIQ's security guide, "Jack the Hacker
    Tells All: Insights into Security Dos and Don'ts."

    Respond to threats before they become major incidents.
    Download it now before it's too late.


    CORRECTION on SSH: Our editorial comment last week minimizing the
    importance of the SSH vulnerability was completely wrong. If you
    are using SSH Secure Shell for Unix v.3.0.0 and running the sshd2
    daemon, please go to http://commerce.ssh.com for commercial or
    ftp://ftp.ssh.com/pub/ssh for non-commercial to download version

    Code Red II: Cleaning Up After the Compromise
    ----------------------------------------------
    Many people have been asking: "How do I get rid of the Code Red II
    worm once it has infected a system?"

    Code Red II installs a backdoor that is open to any attacker.
    This means that it is impossible to tell what changes may have been
    made while the Code Red II backdoor was open. We are facing a public
    health problem. Many people who had unpatched IIS servers had no
    knowledge that IIS was running on their systems. An administrator
    can remove the Code Red II worm itself, but any additional backdoors
    or malicious changes made by follow-on attackers will still remain,
    undetected, after the worm is removed.

    The only real solution is to reformat the hard drive and reinstall
    all the software. For some individuals, this is not an option; the
    best shortcut is probably to update your antivirus signatures to
    detect any Trojans that might be installed on your system and remove
    the worm as shown below:

    It is possible to remove the worm from the system as described here:

    Further, the Privacy Software Corporation is providing a free
    tool that will help you remove the worm from an infected server:


    Solutionary, Inc. was inadvertently left off the recently distributed
    SANS Roadmap to Managed Security Services poster. Solutionary is a
    full-service MSSP dedicated to protecting the electronic assets and
    information of companies and organizations worldwide. Solutionary's
    service offerings include: IDS Monitoring, Intelligence Gathering,
    Vulnerability Assessment, Firewall/VPN Management, Incident Response,
    Policy Compliance and Virus Scrubbing.
    Visit http://www.solutionary.com for more information and free
    white papers.


     --6 - 8 August 2001 Code Red II Slows Parts Of The Net
    The Code Red II worm is not a variant of the Code Red that recently
    ran rampant, though it does take advantage of the same vulnerability,
    uses the same method of attack, and is stopped by the same patch.
    Code Red II leaves a back door in infected systems which allows
    attackers to gain control; the back doors are already implicated
    in denial of service attacks. Code Red II also sets off a reaction
    in many cable broadband provider networks that slows service and
    completely stops service to some subscribers.
    Most up to date summary:
    More solid reporting:
    Constant technical updates as the worms evolve:

    *****The Debate Begins On What To Do About The Worms*****
     --31 July 2001 Code Red's Presence Underscores Patch Apathy
    The author of this opinion piece says what's really scary about Code
    Red is the apathy about patches and updates. For those unable to keep
    up with the constant stream of fixes themselves, he suggests services
    that will send daily e-mails containing individually tailored security
    information or will even host a company's security and keep on top
    of fixes. He also applauds the idea of holding liable someone whose
    negligence in maintaining security is responsible for infections.
    [Editor's (Ranum) Note: I am not a licensed or practicing ethicist,
    but where I come from, blaming the victim is not an acceptable response
    to a problem.
    (Schultz) It is very naive to attribute lack of patch installation
    to apathy. The *real* problem here is vendors who supply us with
    poor quality software. We are told that we must install patch 1, then
    patch 2, then patch 3, then patch so and so, so that our systems will
    be secure. But keeping up with all these patches is not realistic.
    Why can't the vendors just deliver better quality software?]

     --1 August 2001 Users Ask Software Vendors To Stand Behind Security
    CNN reports a growing public cry for manufacturers of software to
    take more responsibility for correcting security flaws in products
    they sell. Shipping insecure software and waiting for it to hurt
    customers is not working. The video news segment also reports that
    the cyber insurance industry claims it has sold cyber insurance to 5%
    of American businesses.
    [Editor's (Schultz) Note: How many news items of this nature
    are we going to have to read before we wake up to the fact that
    software vendors for the most part deliver poor quality software
    that leads to security problems? One of the unfortunate results of
    this ill-advised practice of the software industry is a plethora of
    security vulnerabilities. The only solution is appropriate legislation.
    (Schmidt) We still have humans developing software. I am sure ALL of
    the vendors (including the open source Linux developers) would love to
    reach perfection in coding. If you know of any coders who are perfect,
    I would be happy to look at hiring them.
    (Murray) I have to come down with Howard on this. It sounds as though
    Gene is suggesting that we legislate perfect software. Be careful what
    you ask for and the words that you use to ask for it. Having spent
    five years of my career in development, I am impressed that, given the
    quantity of code that we ship and the number of users and uses that
    it must satisfy, the quality is as good as it is. I am satisfied
    that we do a far better job of building code for the market place
    than we ever did building bespoke code for the enterprise.
    (Paller) A compromise, perhaps. To avoid reactive legislation, the
    vendors could take a leadership role by automating the updating and
    patching process and take responsibility for delivering the latest
    (completely patched) version to each new customer. The Linux vendors
    will probably be first because it will demonstrate the security
    advantage of their software over Microsoft, but one can only hope
    Microsoft will see the opportunity to better serve its client base,
    as well. Microsoft managers appeared surprised when I told them last
    week that many users would gladly pay 20 to 30% of the price of the
    software each year if Microsoft would take responsibility for patching
    the code as AOL does for its 20 million users. IBM's updating service
    is one of the key reasons that large companies feel safe in buying
    from IBM. If you work for a medium to large company or government
    agency and use Microsoft products on a large number of computers,
    please send an email to sansrosans.org (subject: MS patches) telling
    us what percentage of the product price you would be willing to pay
    Microsoft, each year, for active updates of security and hot fixes.]

     --3 August 2001 Internet Security Tips
    Advice for Internet safety includes updating antivirus software weekly,
    installing firewalls on broadband connections, being very cautious
    about opening e-mail attachments, and checking credit reports annually.
    [Editor's (multiple) Note: A useful article to share with your users.
    (Grefer): Firewalls also are recommended for dial-up connections.]

    ******* Also Sponsored by VeriSign -The Internet Trust Company *******

    Do you have 128-bit SSL encryption server security?

    Get VeriSign's FREE Guide, "Securing Your Web Site for Business"
    and learn everything you need to know about using 128-bit SSL to
    encrypt your e-commerce transactions, secure your intranets and
    authenticate your Web site. 128-bit SSL is serious security for your
    online business.

    Get it now! http://www.verisign.com/cgi-bin/go.cgi?a=n094742310014000



     --3 August 2001 Security Site Traffic Up
    Concern over the Code Red and SirCam worms is the likely driving
    force behind significant surges in antivirus company website traffic.

     --2 August 2001 DOD Shuts Down Sites Again
    The Defense Department again shut off access to certain web sites as
    a precaution against the potential menace of a second onslaught of
    Code Red infestations.

     --1 August 2001 States Anticipate Code Red Trouble
    The state of Rhode Island shut down all state web sites for 12
    hours beginning the evening of August 31st to guard against Code
    Red infections. Michigan and West Virginia kept their web sites
    up, but also had technical staff on standby should anything serious
    have transpired.
    [Editor's (Murray) Note: Widespread disconnection is the result most to
    be hoped for by the rogues and vandals and the one to be most feared
    by the rest of us. It is sad that those with the most resources
    and who ought to know better are the ones who are disconnecting.
    Fixing the vulnerability is more efficient than disconnecting.
    Disconnection is the response of fearful high-level management that
    has no other controls that it is prepared to rely upon.]

     --6 August 2001 Sklyarov Out on Bail
    Dmitry Sklyarov, the Russian researcher arrested at DefCon for
    violating the Digital Millennium Copyright Act (DMCA), has been
    released on $50,000 bail; he must remain in Northern California.

     --2 August 2001 Sklyarov's Presentation Demonstrates Poor E-Book
    Examination of Sklyarov's DefCon presentation reveals that encryption
    software for at least two e-book makers is ridiculously simple
    to break. The article goes on to argue that the software Sklyarov
    distributes has a legitimate use.

     --3 August 2001 GAO Finds Poor Security at Commerce Department
    A General Accounting Office (GAO) report indicates that computer
    systems security at the Department of Commerce is sorely lacking.
    Using readily available tools and techniques, "ethical hackers"
    employed by the GAO attempted to penetrate Commerce Department
    networks more than 1,000 times, but were detected only four times.
    GAO listed weak passwords and inappropriate levels of access, even
    for former employees, as two of the Department's security problems.
    The report also indicated that an earlier, successful attack by a
    Russian cracker had gone undetected.
    [Editor's (Ranum) Note: "Ethical hackers" is my favorite form
    of double speak. In addition, this article underscores something
    that most of us have known for a long time: When a .GOV domain gets
    studied for security, the GAO condemns them for ineptitude. Few things
    change. Then the site gets broken into or tested again and the same
    thing happens. Nobody is held accountable. "Weak passwords" and
    "inappropriate levels of access for former employees" are not even
    advanced enough problems to be Security 101: they are kindergarten
    level issues. As a taxpayer, I am disappointed in my employees and
    would fire a bunch of them, if I could.
    (Paller) We've seen the same "weak passwords" and "inappropriate
    levels of access" in many commercial systems. Marcus may be correct
    that people should be held accountable for repeated lapses in basic
    security. However, there is no proof that the problem is limited to
    government or even worse in government. GAO makes their reports of
    audits of federal agencies public; the security consultants hide their
    security audits of commercial organizations, for fear of lawsuits.]

     --3 August 2001 Wireless Vulnerability
    Researchers say a vulnerability in the Wi-Fi standard's security
    system allows attackers to determine the encryption key easily.
    Companies that use wireless networks are strongly encouraged to
    augment security with additional tools.
    [Editor's (Murray) Note: It is no longer possible for the manager
    of a network, much less the manager of an application, to know what
    the connection looks like. That there may be a wireless link in the
    connection is only one example of the vulnerabilities that the manager
    is unlikely to know about. Therefore, one should not rely upon the
    connection for security. Applications should use end-to-end security
    that is appropriate to the application and that assumes an unreliable
    connection, not to say a hostile environment.]

     --2 August 2001 SirCam Poses Double Infection Threat
    The Register reports that a managed services company has intercepted
    at least 100 e-mails in which the SirCam worm has randomly chosen
    a file that happens to be infected with another virus or worm.

     --1, 2, & 3 August 2001 SirCam Still Spreading; Ukrainian President a
    The SirCam worm, which is a danger to home users while Code Red is
    generally not, is still spreading. The worm managed to send out a
    file from a victim's disk containing the schedule of the Ukrainian
    president's planned independence anniversary celebration.

     --1 August 2001 Postponed Sentencing for Melissa Author Leads to
    The absence of any scheduled sentencing date for David L. Smith,
    the author of the Melissa Outlook worm, has led to speculation
    that Smith may be cooperating with authorities on another case.

     --1 August 2001 Proposed School Hacking Bill Too Broad, Say Critics
    Senator Robert Torricelli (D-NJ) has introduced legislation that would
    punish any disruption of school computer systems with prison time.
    Critics, including educators and civil rights advocates, say the
    bill's sweeping language criminalizes ordinary activity.
    [Editor's (Grefer) Note: The author's efforts are laudable.]

     --31 July 2001 SubSeven Comes to Mac
    Macintosh users are now susceptible to the SubSeven Trojan; antivirus
    vendors are releasing signatures to protect against infection.

     --31 July 2001 Telnet Exploit on Bugtraq Causes a Stir
    The appearance of the Telnet exploit on Bugtraq has angered the
    members of the group that authored it; they evidently put a legal
    warning not to post the code on a public web site at the top of their
    source code. Bugtraq administrator Elias Levy said that posting the
    code was an error.

     --29 July 2001 Georgia Students' Info Exposed on Google
    More than 3,000 pages of personal data belonging to students at
    Southern Polytechnic University in Marietta, Georgia were available on
    Google.com between April and June of this year. Google began deleting
    the pages as soon as it became aware of the problem which arose when a
    Georgia Student Finance Commission firewall was inadvertently disabled.
    The governor has called for an investigation.

     --27 July 2001 Former Employee Arrested for Unauthorized Access,
    A former employee at a Baltimore web-hosting company has been arrested
    for allegedly gaining unauthorized access to the company network
    after his dismissal and shutting down access to a major client for
    the greater part of a day.

     --27 July 2001 Former IRS Employee Pleads Guilty to Cyber Sabotage
    A former Internal Revenue Service (IRS) system administrator has
    pleaded guilty to charges of computer sabotage. The erstwhile employee
    planted malicious code designed to delete data from three IRS servers
    after his security clearance was reduced as a disciplinary measure.
    He faces up to 10 years in jail and a fine of as much as $250,000.

     --27 July 2001 ITNet Exposes Applicant Data
    ITNet job applicants who filled out online forms had their personal
    information exposed on the Internet. The HTML pages generated by
    the online forms were stored outside the company firewall and were
    cached by Google.com. An ITNet manager says Google has been contacted
    and that changes have been made to security to ensure such a fiasco
    does not occur again.


    Please feel free to share this with interested parties via email (not
    on bulletin boards). For a free subscription, (and for free posters)
    e-mail sanssans.org with the subject: Subscribe NewsBites

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the
    headers.) You will receive your personal URL via email.

    You may also email <sanssans.org> with complete instructions and
    your SD number for subscribe, unsubscribe, change address, add other
    digests, or any other comments.

    Navy-Wide Information Assurance Leadership Conference Details

    To register, use the forms posted at

    Also include a Form 1556 for payment using the following vendor

    The SANS Institute
    Suite 1501
    5401 Westbard
    Bethesda, MD 20816

    EIN: 52-1935637

    Fax all information to 301-951-0140 or mail it to the address above.
