From: The SANS Institute (sans@sans.org)
Date: Wed Aug 08 2001 - 18:07:44 CDT
To: Security Express (SD397643)
From: Alan for the SANS NewsBites service
Re: August 8 SANS NewsBites
A very busy week.
1. We are not out of the woods yet on Code Red and more vicious
worms and other automated attack tools are on the horizon. Still,
it is worth taking a moment and thanking the extraordinary people
who gave up their nights and weekends to make it possible for the
community to fight back against Code Red. If they hadn't gone above
and beyond the call, the number of people damaged by these worms,
and the number of e-commerce sites losing customer credit card data,
would have been much, much higher. The people are:
Mark Maiffret and Ryan Permeh at eEye Digital Security, John Stewart
at Digital Island; Ron Dick, Bob Gerber, Jeff Tricoli, Vince Rowe,
Tom Ervin and the team at the NIPC; Marty Lindner and the CERT/CC
team; Steve Lipner, Scott Culp and the Microsoft team; Elias Levy
and the SecurityFocus team; the CAIDA team; UNIRAS (the UK CERT);
Mark Krause, Chris Morrow, and Jared Allison of UUNET; Marcus Sachs
and the team at JTF-CNO; Margie Gilbert at the NSC; Steve Gibson of
Gibson Research; Tinabeth Burton of ITAA; Chris Rouland, Dennis Treece
and the team at ISS; Jimmy Kuo, Dmitry Gryaznov, Neil Cowie, Chris
Stubbs, and the NAI team; Vicki Irwin, Johannes Ullrich, John Green,
Matt Fearnow and the team at SANS incidents.org, and Ken E. whose
full name and organization are not public.
2. Navy-Wide Information Assurance Leadership Program
The Chief of Naval Operations (CNO) and SANS are conducting a joint
technical conference as an integral part of SANS Network Security 2001
in San Diego October 15-16. All authorized Navy personnel are also
allowed to attend the SANS training and certification classes that
follow the Leadership Program, at significantly reduced costs. The
registration is posted at http://infosec.navy.mil/pubs/docs/training.
Along with the form there, fax a Form 1556 for payment. Details on
where to send it are at the end of this digest.
3. Online Registration Opens for SANS Network Security 2001.
With the Navy's program running at SANS Network Security 2001, some of
SANS' most popular certification courses will fill up earlier than usual
(the Certified Information Security Officer Training, for example,
but two or three others will as well). So please register in the
next two weeks. If you register by August 15, you also get any of
five bonus books.
Conference information at: http://www.sans.org/NS2001/NS2001.htm
Secure online registration form:
https://registration.sans.org/cgi-bin/ns2001register
AP
**********************************************************************
SANS NEWSBITES
The SANS Weekly Security News Overview
Volume 3, Number 32 August 8, 2001
Editorial Team:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt,
Alan Paller, Marcus Ranum, Howard Schmidt, Eugene Schultz
**********************************************************************
TOP OF THE NEWS
6 - 8 August 2001 Code Red II Slows Parts of the Net
31 July 2001 Code Red's Presence Underscores Patch Apathy
1 August 2001 Users Ask Software Vendors To Stand Behind Security
3 August 2001 Security Site Traffic Up
2 August 2001 DOD Shuts Down Sites Again
1 August 2001 States Anticipate Code Red Trouble
6 August 2001 Sklyarov Out on Bail
2 August 2001 Sklyarov's Presentation Demonstrates Poor E-Book Encryption
3 August 2001 GAO Finds Poor Security at Commerce Department
3 August 2001 Wireless Vulnerability
3 August 2001 Internet Security Tips
2 August 2001 SirCam Poses Double Infection Threat
1, 2, & 3 August 2001 SirCam Still Spreading; Ukrainian President a Victim
1 August 2001 Postponed Sentencing for Melissa Author Leads to Questions
1 August 2001 Proposed School Hacking Bill Too Broad, Say Critics
31 July 2001 SubSeven Comes to Mac
31 July 2001 Telnet Exploit on Bugtraq Causes a Stir
29 July 2001 Georgia Students' Info Exposed on Google
27 July 2001 Former Employee Arrested for Unauthorized Access, Disruption
27 July 2001 Former IRS Employee Pleads Guilty to Cyber Sabotage
27 July 2001 ITNet Exposes Applicant Data
******************** Sponsored by NetIQ Corp. ************************
Free Security Guide from NetIQ.
Keep the bad guys out with NetIQ's security guide, "Jack the Hacker
Tells All: Insights into Security Dos and Don'ts."
Respond to threats before they become major incidents.
Download it now before it's too late.
http://www.netiq.com/sponsor/default.asp?302
**********************************************************************
CORRECTION on SSH: Our editorial comment last week minimizing the
importance of the SSH vulnerability was completely wrong. If you
are using SSH Secure Shell for Unix v.3.0.0 and running the sshd2
daemon, please go to http://commerce.ssh.com for commercial or
ftp://ftp.ssh.com/pub/ssh for non-commercial to download version
3.0.1.
Code Red II: Cleaning Up After the Compromise
----------------------------------------------
Many people have been asking: "How do I get rid of the Code Red II
worm once it has infected a system?"
Code Red II installs a backdoor that is open to any attacker.
This means that it is impossible to tell what changes may have been
made while the Code Red II backdoor was open. We are facing a public
health problem. Many people who had unpatched IIS servers had no
knowledge that IIS was running on their systems. An administrator
can remove the Code Red II worm itself, but any additional backdoors
or malicious changes made by follow-on attackers will still remain,
undetected, after the worm is removed.
The only real solution is to reformat the hard drive and reinstall
all the software. For some individuals this is not an option; the
best shortcut is probably to update your antivirus signatures so they
detect any Trojans that might have been installed on your system, and
then remove the worm as described below.
It is possible to remove the worm from the system as described here:
http://archives.neohapsis.com/archives/incidents/2001-08/0107.html
Further, the Privacy Software Corporation is providing a free
tool that will help you remove the worm from an infected server:
http://www.nsclean.com/cr2kill.html
==============
ADDITION TO MANAGED SECURITY SERVICES POSTER
Solutionary, Inc. was inadvertently left off the recently distributed
SANS Roadmap to Managed Security Services poster. Solutionary is a
full-service MSSP dedicated to protecting the electronic assets and
information of companies and organizations worldwide. Solutionary's
service offerings include: IDS Monitoring, Intelligence Gathering,
Vulnerability Assessment, Firewall/VPN Management, Incident Response,
Policy Compliance and Virus Scrubbing.
Visit http://www.solutionary.com for more information and free
white papers.
==============
TOP OF THE NEWS
--6 - 8 August 2001 Code Red II Slows Parts Of The Net
The Code Red II worm is not a variant of the Code Red that recently
ran rampant, though it does take advantage of the same vulnerability,
uses the same method of attack, and is stopped by the same patch.
Code Red II leaves a back door in infected systems which allows
attackers to gain control; the back doors are already implicated
in denial of service attacks. Code Red II also sets off a reaction
in many cable broadband provider networks that slows service and
completely stops service for some subscribers.
Most up to date summary:
http://iwsun4.infoworld.com/articles/hn/xml/01/08/08/010808hndeeper.xml
More solid reporting:
http://news.cnet.com/news/0-1003-200-6792918.html?tag=prntfr
http://www.cnn.com/2001/TECH/internet/08/06/code.red.two/index.html
http://www.computerworld.com/storyba/0,4125,NAV47_STO62834,00.html
http://www.wired.com/news/technology/0,1282,45847,00.html
Constant technical updates as the worms evolve:
http://www.incidents.org
*****The Debate Begins On What To Do About The Worms*****
--31 July 2001 Code Red's Presence Underscores Patch Apathy
The author of this opinion piece says what's really scary about Code
Red is the apathy about patches and updates. For those unable to keep
up with the constant stream of fixes themselves, he suggests services
that will send daily e-mails containing individually tailored security
information or will even host a company's security and keep on top
of fixes. He also applauds the idea of holding liable someone whose
negligence in maintaining security is responsible for infections.
http://www.zdnet.com/zdnn/stories/comment/0,5859,2800273,00.html
[Editor's (Ranum) Note: I am not a licensed or practicing ethicist,
but where I come from, blaming the victim is not an acceptable response
to a problem.
(Schultz) It is very naive to attribute lack of patch installation
to apathy. The *real* problem here is vendors who supply us with
poor quality software. We are told that we must install patch 1, then
patch 2, then patch 3, then patch so and so, so that our systems will
be secure. But keeping up with all these patches is not realistic.
Why can't the vendors just deliver better quality software?
--1 August 2001 Users Ask Software Vendors To Stand Behind Security
CNN reports a growing public cry for manufacturers of software to
take more responsibility for correcting security flaws in products
they sell. Shipping insecure software and waiting for it to hurt
customers is not working. The video news segment also reports that
the cyber insurance industry claims it has sold cyber insurance to 5%
of American businesses.
http://www.cnn.com/video/tech/2001/08/01/dg.micro.security.cnn.med.html
[Editor's (Schultz) Note: How many news items of this nature
are we going to have to read before we wake up to the fact that
software vendors for the most part deliver poor quality software
that leads to security problems? One of the unfortunate results of
this ill-advised practice of the software industry is a plethora of
security vulnerabilities. The only solution is appropriate legislation.
(Schmidt) We still have humans developing software. I am sure ALL of
the vendors (including the open source Linux developers) would love to
reach perfection in coding. If you know of any coders who are perfect,
I would be happy to look at hiring them.
(Murray) I have to come down with Howard on this. It sounds as though
Gene is suggesting that we legislate perfect software. Be careful what
you ask for and the words that you use to ask for it. Having spent
five years of my career in development, I am impressed that, given the
quantity of code that we ship and the number of users and uses that
it must satisfy, the quality is as good as it is. I am satisfied
that we do a far better job of building code for the market place
than we ever did building bespoke code for the enterprise.
(Paller) A compromise, perhaps. To avoid reactive legislation, the
vendors could take a leadership role by automating the updating and
patching process and take responsibility for delivering the latest
(completely patched) version to each new customer. The Linux vendors
will probably be first because it will demonstrate the security
advantage of their software over Microsoft, but one can only hope
Microsoft will see the opportunity to better serve its client base,
as well. Microsoft managers appeared surprised when I told them last
week that many users would gladly pay 20 to 30% of the price of the
software each year if Microsoft would take responsibility for patching
the code as AOL does for its 20 million users. IBM's updating service
is one of the key reasons that large companies feel safe in buying
from IBM. If you work for a medium to large company or government
agency and use Microsoft products on a large number of computers,
please send an email to sansro@sans.org (subject: MS patches) telling
us what percentage of the product price you would be willing to pay
Microsoft, each year, for active updates of security and hot fixes.]
--3 August 2001 Internet Security Tips
Advice for Internet safety includes updating antivirus software weekly,
installing firewalls on broadband connections, being very cautious
about opening e-mail attachments, and checking credit reports annually.
http://www.usatoday.com/life/cyber/2001-08-03-net-dangers.htm
[Editor's (multiple) Note: A useful article to share with your users.
(Grefer): Firewalls also are recommended for dial-up connections.]
******* Also Sponsored by VeriSign -The Internet Trust Company *******
Do you have 128-bit SSL encryption server security?
Get VeriSign's FREE Guide, "Securing Your Web Site for Business"
and learn everything you need to know about using 128-bit SSL to
encrypt your e-commerce transactions, secure your intranets and
authenticate your Web site. 128-bit SSL is serious security for your
online business.
Get it now! http://www.verisign.com/cgi-bin/go.cgi?a=n094742310014000
**********************************************************************
THE REST OF THE WEEK'S STORIES
-- 3 August 2001 Security Site Traffic Up
Concern over the Code Red and SirCam worms is the likely driving
force behind significant surges in antivirus company website traffic.
http://news.cnet.com/news/0-1003-200-6773085.html?tag=owv
--2 August 2001 DOD Shuts Down Sites Again
The Defense Department again shut off access to certain web sites as
a precaution against the potential menace of a second onslaught of
Code Red infestations.
http://www.fcw.com/fcw/articles/2001/0730/web-dodred-08-02-01.asp
--1 August 2001 States Anticipate Code Red Trouble
The state of Rhode Island shut down all state web sites for 12
hours beginning the evening of August 31st to guard against Code
Red infections. Michigan and West Virginia kept their web sites
up, but also had technical staff on standby should anything serious
have transpired.
http://www.gcn.com/vol1_no1/daily-updates/4781-1.html
[Editor's (Murray) Note: Widespread disconnection is the result most to
be hoped for by the rogues and vandals and the one to be most feared
by the rest of us. It is sad that those with the most resources
and who ought to know better are the ones who are disconnecting.
Fixing the vulnerability is more efficient than disconnecting.
Disconnection is the response of fearful high-level management that
has no other controls that it is prepared to rely upon.]
--6 August 2001 Sklyarov Out on Bail
Dmitry Sklyarov, the Russian researcher arrested at DefCon for
violating the Digital Millennium Copyright Act (DMCA), has been
released on $50,000 bail; he must remain in Northern California.
http://www.wired.com/news/politics/0,1283,45870,00.html
--2 August 2001 Sklyarov's Presentation Demonstrates Poor E-Book
Encryption
Examination of Sklyarov's DefCon presentation reveals that encryption
software for at least two e-book makers is ridiculously simple
to break. The article goes on to argue that the software Sklyarov
distributes has a legitimate use.
http://www.zdnet.com/zdnn/stories/comment/0,5859,2800985,00.html
--3 August 2001 GAO Finds Poor Security at Commerce Department
A General Accounting Office (GAO) report indicates that computer
systems security at the Department of Commerce is sorely lacking.
Using readily available tools and techniques, "ethical hackers"
employed by the GAO attempted to penetrate Commerce Department
networks more than 1,000 times, but were detected only four times.
GAO listed weak passwords and inappropriate levels of access, even
for former employees, as two of the Department's security problems.
The report also indicated that an earlier, successful attack by a
Russian cracker had gone undetected.
http://www.usatoday.com/life/cyber/tech/2001-08-03-commerce-security.htm
http://www.cnn.com/2001/TECH/internet/08/03/commerce.security.ap/index.html
http://www.msnbc.com/news/608838.asp?0dm=T15OT
http://energycommerce.house.gov/107/hearings/08032001Hearing348/gao.pdf
[Editor's (Ranum) Note: "Ethical hackers" is my favorite form
of double speak. In addition, this article underscores something
that most of us have known for a long time: When a .GOV domain gets
studied for security, the GAO condemns them for ineptitude. Few things
change. Then the site gets broken into or tested again and the same
thing happens. Nobody is held accountable. "Weak passwords" and
"inappropriate levels of access for former employees" are not even
advanced enough problems to be Security 101: they are kindergarten
level issues. As a taxpayer, I am disappointed in my employees and
would fire a bunch of them, if I could.
(Paller) We've seen the same "weak passwords" and "inappropriate
levels of access" in many commercial systems. Marcus may be correct
that people should be held accountable for repeated lapses in basic
security. However, there is no proof that the problem is limited to
government or even worse in government. GAO makes their reports of
audits of federal agencies public; the security consultants hide their
security audits of commercial organizations, for fear of lawsuits.]
--3 August 2001 Wireless Vulnerability
Researchers say a vulnerability in the Wi-Fi standard's security
system allows attackers to determine the encryption key easily.
Companies that use wireless networks are strongly encouraged to
augment security with additional tools.
http://www.zdnet.com/zdnn/stories/news/0,4586,5095205,00.html?chkpt=zdhpnews01
[Editor's (Murray) Note: It is no longer possible for the manager
of a network, much less the manager of an application, to know what
the connection looks like. That there may be a wireless link in the
connection is only one example of the vulnerabilities that the manager
is unlikely to know about. Therefore, one should not rely upon the
connection for security. Applications should use end-to-end security
that is appropriate to the application and that assumes an unreliable
connection, not to say a hostile environment.]
--2 August 2001 SirCam Poses Double Infection Threat
The Register reports that a managed services company has intercepted
at least 100 e-mails in which the SirCam worm has randomly chosen
a file that happens to be infected with another virus or worm.
http://www.theregister.co.uk/content/56/20789.html
--1, 2, & 3 August 2001 SirCam Still Spreading; Ukrainian President a
Victim
The SirCam worm, which is a danger to home users while Code Red is
generally not, is still spreading. The worm managed to send out a
file from a victim's disk containing the schedule of the Ukrainian
president's planned independence anniversary celebration.
http://www.zdnet.com/zdnn/stories/news/0,4586,2800626,00.html
http://news.cnet.com/news/0-1003-200-6759035.html?tag=prntfr
http://www.cnn.com/2001/TECH/internet/08/02/ukraine.sircam/index.html
--1 August 2001 Postponed Sentencing for Melissa Author Leads to
Questions
The absence of any scheduled sentencing date for David L. Smith,
the author of the Melissa Outlook worm, has led to speculation
that Smith may be cooperating with authorities on another case.
http://www.securityfocus.com/news/230
--1 August 2001 Proposed School Hacking Bill Too Broad, Say Critics
Senator Robert Torricelli (D-NJ) has introduced legislation that would
punish any disruption of school computer systems with prison time.
Critics, including educators and civil rights advocates, say the
bill's sweeping language criminalizes ordinary activity.
http://www.wired.com/news/politics/0,1283,45752,00.html
[Editor's (Grefer) Note: The author's efforts are laudable.]
--31 July 2001 SubSeven Comes to Mac
Macintosh users are now susceptible to the SubSeven Trojan; antivirus
vendors are releasing signatures to protect against infection.
http://vnunet.com/News/1124342
--31 July 2001 Telnet Exploit on Bugtraq Causes a Stir
The appearance of the Telnet exploit on Bugtraq has angered the
members of the group that authored it; they evidently put a legal
warning not to post the code on a public web site at the top of their
source code. Bugtraq administrator Elias Levy said that posting the
code was an error.
http://www.securitynewsportal.com/article.php?sid=1293&mode=thread&order=0
http://www.cert.org/advisories/CA-2001-21.html
--29 July 2001 Georgia Students' Info Exposed on Google
More than 3,000 pages of personal data belonging to students at
Southern Polytechnic University in Marietta, Georgia were available on
Google.com between April and June of this year. Google began deleting
the pages as soon as it became aware of the problem which arose when a
Georgia Student Finance Commission firewall was inadvertently disabled.
The governor has called for an investigation.
http://www.securitynewsportal.com/article.php?sid=1269&mode=thread&order=0
--27 July 2001 Former Employee Arrested for Unauthorized Access,
Disruption
A former employee at a Baltimore web-hosting company has been arrested
for allegedly gaining unauthorized access to the company network
after his dismissal and shutting down access to a major client for
the greater part of a day.
http://www.sunspot.net/business/bal-bz.computer27jul27.story
--27 July 2001 Former IRS Employee Pleads Guilty to Cyber Sabotage
A former Internal Revenue Service (IRS) system administrator has
pleaded guilty to charges of computer sabotage. The erstwhile employee
planted malicious code designed to delete data from three IRS servers
after his security clearance was reduced as a disciplinary measure.
He faces up to 10 years in jail and a fine of as much as $250,000.
http://www.newsbytes.com/news/01/168453.html
--27 July 2001 ITNet Exposes Applicant Data
ITNet job applicants who filled out on line forms had their personal
information exposed on the Internet. The HTML pages generated by
the on line forms were stored outside the company firewall and were
cached by Google.com. An ITNet manager says Google has been contacted
and that changes have been made to security to ensure such a fiasco
does not occur again.
http://www.silicon.com/public/door?6004REQEVENT=&REQINT1=46094&REQSTR1=silicon.com
==end==
Please feel free to share this with interested parties via email (not
on bulletin boards). For a free subscription, (and for free posters)
e-mail sans@sans.org with the subject: Subscribe NewsBites
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the
headers.) You will receive your personal URL via email.
You may also email <sans@sans.org> with complete instructions and
your SD number for subscribe, unsubscribe, change address, add other
digests, or any other comments.
Navy-Wide Information Assurance Leadership Conference Details
To register, use the forms posted at
http://infosec.navy.mil/pubs/docs/training
Also include a Form 1556 form for payment using the following vendor
information:
The SANS Institute
Suite 1501
5401 Westbard
Bethesda, MD 20816
301-951-0102
EIN: 52-1935637
Fax all information to 301-951-0140 or mail it to the address above.