From: The SANS Institute (sans@sans.org)
Date: Wed May 08 2002 - 11:13:38 CDT

    To: Security Express (SD397643)
    From: Alan for the SANS NewsBites service
    Re: May 8 SANS NewsBites

    ***********************************************************************
                               SANS NEWSBITES
                    The SANS Weekly Security News Overview
    Volume 4, Number 19 May 8, 2002
    Editorial Team:
                 Kathy Bradford, Dorothy Denning, Roland Grefer,
                 Bill Murray, Stephen Northcutt, Alan Paller,
                        Marcus Ranum, Eugene Schultz
    **********************************************************************

    SANS annual security salary survey was launched yesterday with a new
    question on career tracks for security professionals. More than 7,000
    people participated last time. To get a copy of the results, fill out
    the questionnaire before May 20. http://www.sans.org/salary2002.htm

    The Center for Internet Security released five new security benchmarks
    and tools this week:
    1. An updated Level-I Benchmark for Windows 2000 (v1.1.7)
    2. A new Level-II Benchmark for Windows 2000 Professional (v1.0.4)
    3. A new Level-I Benchmark for Windows NT (v1.0.3)
    4. An updated Windows NT/2000 Scoring Tool (v2.4.0) to evaluate your
    host systems relative to these benchmarks
    5. An updated Implementation Guide with instructions for using the
    new Scoring Tool
    Download them free from http://www.cisecurity.org

    The early registration deadline for SANSFire - SANS big summer training
    conference in Boston - is next Wednesday, May 15.

    TOP OF THE NEWS
    4 May 2002 Port 1433 is Being Scanned
    3 May 2002 Ashcroft Wants Harsher Penalties for Identity Thieves
    1 & 2 May 2002 Legislation Would Put Biometrics on Drivers' Licenses
    1, 2 & 3 May 2002 Best Buy Shuts Off Wireless Registers Over
              Security Concerns

    THE REST OF THE WEEK'S NEWS
    6 May 2002 Code Red is Still Out There
    6 May 2002 AIM Hole is Much Like Earlier One
    4 May 2002 Cute.exe Trojan Horse
    3 May 2002 Kournikova Author Appeals Sentence
    3 May 2002 Vivendi May Proceed with Independent Investigation into
                Vote Hacking Allegation
    3 May 2002 Macromedia Flash ActiveX Vulnerability
    3 May 2002 Reverse Engineering Competition
    3 May 2002 Mobile Phone Hacking Penalty Could be Prison
    2 & 3 May 2002 Member of Software Piracy Group Receives Prison
                    Sentence
    2 & 3 May 2002 Solaris Vulnerability
    2 May 2002 Interior Security Still Problematic
    2 & 6 May 2002 Klez Takes on New Passengers
    29 April 2002 Klez Hits New York Times
    2 May 2002 Two Guilty of Attempt to Buy Encryption Devices
    2 May 2002 RSA Says 1024-bit Encryption is Still Secure
    1, 2 & 3 May 2002 Melissa Author Sentenced
    30 April & 1 May 2002 Buffer Overflow Vulnerability in Netscape
                           and Mozilla
    1 May 2002 NASA Hacker Pleads Guilty
    30 April & 1 May 2002 WinAmp Vulnerability
    29 April & 2 & 6 May 2002 Deceptive Duo Continue Their Defacement
                               Crusade
    29 April 2002 Nimda Downs Hitachi Site
    22 April 2002 Extremetech/Syscheck Information Site

    IN-DEPTH TECHNICAL SECURITY TRAINING (AND MANAGEMENT COURSES) IN THE
    NEXT 120 DAYS
    Large SANS GIAC Certification and Training programs in Toronto,
    Boston, Denver, Marina Del Ray, and New York
    Smaller programs in Portland, Colorado Springs, Chicago, Detroit,
    San Antonio, Virginia Beach, St. Louis, Vienna, VA, Ottawa, Melbourne,
    and Vancouver
    Details and registration information: www.sans.org

    ************************ Sponsored by NetIQ **************************

    FREE Security eBook from NetIQ!!

    Need solid advice on securing Microsoft Windows .NET Server? Register
    now for "The Tips and Tricks Guide to Securing .NET Server." You'll
    gain real-world information on securely managing .NET.

    Register for the FREE eBook now!
    http://www.netiq.com/offers/securityebook/register.asp?origin=sans508

    **********************************************************************

    TOP OF THE NEWS

     --4 May 2002 Port 1433 is Being Scanned
    SANS has received a number of reports of widespread scanning of port
    1433, commonly used by Microsoft's SQL server. So far, there is no
    connection between the scanning and any exploit.
    http://www.incidents.org/diary/diary.php?id=152
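As an added example (not from the newsletter or from incidents.org), the script below shows the kind of check a site could run over its own firewall logs before reporting port 1433 activity: it separates a source sweeping tcp/1433 across many hosts from a source making a single connection. The log format, addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed netfilter-style firewall log lines (not real data): one source
# sweeping tcp/1433 across four hosts, one source making a single tcp/1433
# connection, and unrelated traffic that must not be counted.
SAMPLE_LOG = """\
May  4 02:13:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=4211 DPT=1433 SYN
May  4 02:13:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP SPT=4212 DPT=1433 SYN
May  4 02:13:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.12 PROTO=TCP SPT=4213 DPT=1433 SYN
May  4 02:13:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.13 PROTO=TCP SPT=4214 DPT=1433 SYN
May  4 02:14:40 gw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=203.0.113.10 PROTO=TCP SPT=50123 DPT=1433 SYN
May  4 02:15:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.56 DST=203.0.113.10 PROTO=TCP SPT=50124 DPT=80 SYN
May  4 02:15:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP SPT=4215 DPT=1434 LEN=40
"""

# Fields we need from each line; lines without them (non-IP noise) are skipped.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Return one (src, dst, proto, dpt) tuple per parseable log line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return records


def sql_probes(records, port=1433):
    """Keep only TCP connection attempts to the MS SQL Server port."""
    return [r for r in records if r[2] == "TCP" and r[3] == port]


def sweeping_sources(probes, min_targets=3):
    """Map each source that hit at least min_targets distinct hosts to the
    sorted list of hosts it probed; a single connection never qualifies."""
    targets = defaultdict(set)
    for src, dst, _proto, _dpt in probes:
        targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def summarize(text, port=1433, min_targets=3):
    """Figures a site would want before reporting scanning of the port."""
    probes = sql_probes(parse_log(text), port)
    return {
        "probes": len(probes),
        "sources": len({src for src, *_ in probes}),
        "sweeps": sweeping_sources(probes, min_targets),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```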

     --3 May 2002 Ashcroft Wants Harsher Penalties for Identity Thieves
    Attorney General John Ashcroft wants increased penalties for identity
    thieves. There are an estimated 500,000 - 700,000 cases of identity
    theft every year.
    http://www.washingtonpost.com/wp-dyn/articles/A24368-2002May2.html
    [Editor's (Schultz) Note: I am glad to see some serious attention
    paid to the growing threat of identity theft. The problem is not
    only becoming more prevalent, but the consequences for victims are
    considerably more severe than people imagine.]

     --1 & 2 May 2002 Legislation Would Put Biometrics on Drivers'
                       Licenses
    Recently introduced legislation would require all states to incorporate
    biometric identifiers into drivers' licenses within five years.
    The ACLU has charged that the licenses are basically national ID cards.
    http://www.govexec.com/dailyfed/0502/050102td1.htm
    http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,70721,00.html
    http://zdnet.com.com/2100-1105-897050.html
    [Editor's (Murray) Note: Drivers' licenses already contain the
    most powerful and general purpose biometric reference of all,
    the photographic image. In the short run, it requires human
    reconciliation. Within the time contemplated by this proposal it will
    be possible to routinely and automatically do such reconciliation.]

     --1, 2 & 3 May 2002 Best Buy Shuts Off Wireless Registers Over
                           Security Concerns
    Best Buy shut off its wireless cash registers last week after it
    became aware that hackers could sit in the parking lot and intercept
    the data they transmit, including credit card information. Other
    stores that transmit without encryption include WalMart and Petsmart.
    http://www.msnbc.com/news/746380.asp?0dm=T22CT
    http://www.silicon.com/public/door?6004REQEVENT=&REQINT1=53089&REQSTR1=silicon.com
    http://news.com.com/2100-1017-898710.html
    [Editor's (Ranum) Sarcastic Note: And a big thanks to the media for
    suggesting where all the war drivers should go hunting for game.]

    ************************* Sponsored Links ****************************

    (1) WARNING! Your network security is not effective if it's not
    available! FREE WHITE PAPER. http://www.resilience.com/newsbites1.html

    (2) Recourse ManTrap (r) 3.0 makes honeypots deceptively easy to
    manage. Free report: http://www.sans.org/cgi-bin/sanspromo/NB33

    **********************************************************************

    THE REST OF THE WEEK'S NEWS

     --6 May 2002 Code Red is Still Out There
    Code Red version 2 is still worming its way across the Internet; more
    than 18,000 systems are apparently infected. Compromised machines
    could be used to launch a distributed denial of service (DDoS) attack.
    http://zdnet.com.com/2100-1105-899489.html

     --6 May 2002 AIM Hole is Much Like Earlier One
    A security hole in AOL Instant Messenger (AIM) which had purportedly
    been fixed can still be exploited in a new way. When notified of the
    problem, AOL Time Warner addressed it right away, applying filters
    on their machines so the fix was immediate. The person who found
    the flaw says the company is addressing the specific vulnerability
    but is neglecting the overall security problems that enabled it in
    the first place.
    http://zdnet.com.com/2100-1105-899485.html

     --4 May 2002 Cute.exe Trojan Horse
    The cute.exe Trojan horse program uses social engineering to spread
    through e-mail. It changes system files so the program will execute
    when the infected machine is rebooted. It also contacts an IRC server
    on a specific channel and can send out information about the infected
    computer and be used to launch denial of service (DoS) attacks.
    http://www.incidents.org/diary/diary.php?id=151
    [Editor's (Murray) Note: That an attacker can always find some people
    to execute a program is the most fundamental vulnerability of all;
    it is not necessary to find a flaw. We must have controls in the
    network that we can use to resist attacks that exploit fundamental
    vulnerabilities.]

     --3 May 2002 Kournikova Author Appeals Sentence
    The author of the Kournikova virus is appealing the verdict in his
    case; he received a sentence of 150 hours of community service.
    http://www.computerworld.com/securitytopics/security/story/0,10801,70752,00.html
    [Editor's (Murray) Note: If being "clueless" becomes a defense for
    overt acts, then the law is mocked.]

     --3 May 2002 Vivendi May Proceed with Independent Investigation
                   into Vote Hacking Allegation
    A Paris court will allow Vivendi to conduct an independent
    investigation into the wireless voting system used to tally
    shareholder votes. The equipment has been under seal since the
    alleged vote tampering.
    http://www.vnunet.com/News/1131506

     --3 May 2002 Macromedia Flash ActiveX Vulnerability
    A buffer overflow vulnerability in a Macromedia Flash ActiveX
    component called Flash.ocx could allow malicious code to execute
    on vulnerable computers. The flaw affects Flash player version 6,
    revision 23; earlier versions may be vulnerable as well. Macromedia
    has released a new version of the Flash player (version 6, revision
    29).
    http://zdnet.com.com/2100-1105-898517.html
    http://www.computerworld.com/securitytopics/security/story/0,10801,70751,00.html

     --3 May 2002 Reverse Engineering Competition
    The Honeypot Project's Reverse Challenge offers programmers the chance
    to reverse engineer a piece of malicious code. They will try to
    discover what the code does, how it can be stopped, and who wrote it.
    http://www.newscientist.com/news/news.jsp?id=ns99992250

     --3 May 2002 Mobile Phone Hacking Penalty Could be Prison
    Altering your mobile GSM phone's ID, also known as "chipping," is not
    difficult; chipping software is readily available on the Internet.
    The phone's International Mobile Equipment Identity (IMEI) number
    determines where the phone can be used. Proposed legislation in
    the UK would make the sale of chipping kits illegal and provide a
    five-year prison sentence for those guilty of reprogramming a phone.
    http://news.bbc.co.uk/hi/english/sci/tech/newsid_1966000/1966381.stm
    http://www.vnunet.com/News/1131474

     --2 & 3 May 2002 Member of Software Piracy Group Receives Prison
                       Sentence
    Barry Erickson, a former Symantec software engineer, was sentenced
    to nearly three years in prison for providing copy protection removal
    technology to a software piracy group known as DrinkOrDie. As part of
    his plea, Erickson agreed that his action caused damages of $2.5 -
    $5 million. Following his prison sentence, Erickson will serve two
    years of supervised release.
    http://news.com.com/2100-1023-897956.html
    http://www.washingtonpost.com/wp-dyn/articles/A24762-2002May2.html
    [Editor's (Ranum) Note: Taking this article with the article about
    the Kournikova author I see an important pattern. The guy who hurts
    the BIG BOYS (the software companies) gets 3 years lock-time. The
    guy who does a lot more damage to a lot more people gets a 240 hour
    community service slap on the wrist for his cluelessness.]

     --2 & 3 May 2002 Solaris Vulnerability
    According to a CERT advisory, a format string vulnerability in the
    rwall daemon in Sun Solaris versions 2.5.1, 2.6, 2.7 and 2.8 could
    allow crackers to execute code with elevated privileges. Sun is
    working on a patch for the problem.
    http://www.computerworld.com/news/2002/story/0,11280,70717,00.html
    http://www.cert.org/advisories/CA-2002-10.html
    http://www.theregister.co.uk/content/55/25153.html

     --2 May 2002 Interior Security Still Problematic
    IBM found security problems at the Interior Department's Minerals
    Management Service (MMS) which receives mineral royalties for lands
    held in trust. The entire Interior Department was put off line in
    December for failing an intrusion test that demonstrated that Indian
    trust money was at risk of tampering.
    http://www.fcw.com/fcw/articles/2002/0429/web-int-05-02-02.asp

     --2 & 6 May 2002 Klez Takes on New Passengers
    Newer versions of the Klez worm contain strains of old malware like
    Elkern and more recently, the Chernobyl virus. Chernobyl was not
    deliberately added to Klez, but has "piggybacked" as Klez has spread.
    http://www.vnunet.com/News/1131458
    http://news.com.com/2100-1001-900050.html

     --29 April 2002 Klez Hits New York Times
    The New York Times is yet another victim of the Klez worm; 250 members
    of its TimesDigest service received infected e-mails. The company
    e-mailed its affected customers, advising them to delete e-mails that
    do not look like the e-mail the Times normally sends.
    http://www.newsbytes.com/news/02/176220.html

     --2 May 2002 Two Guilty of Attempt to Buy Encryption Devices
    Two men have been found guilty of trying to purchase military
    encryption devices with the intent of shipping them to China.
    A Customs Service special agent said the devices could have posed a
    threat to national security had they fallen into the wrong hands.
    http://www.washingtonpost.com/wp-dyn/articles/A18193-2002May1.html

     --2 May 2002 RSA Says 1024-bit Encryption is Still Secure
    RSA refutes assertions that 1024-bit encryption is not secure. Though
    a Bugtraq mailing list discussion concluded that 1024-bit encryption
    was "compromised," RSA maintains the paper on which the discussion
    was based is theoretical, and says the encryption is secure.
    http://www.vnunet.com/News/1131452
    [Editor's (Schultz) Note: It is amazing how speculation and conjecture
    can be interpreted as fact. Just because Bernstein *thinks* of an
    architecture that he *thinks* can break 1024-bit RSA encryption does
    not in any way mean that 1024-bit RSA encryption is any weaker than
    it was before. Where is the proof of concept?]

     --1, 2 & 3 May 2002 Melissa Author Sentenced
    David Smith, the author of the Melissa virus (April 1999), received
    a 20 month jail sentence, was ordered to pay a $5,000 fine and to
    stay away from computer networks and the Internet unless authorized
    by the court. The worm caused more than $80 million in damages.
    Smith must also complete 100 hours of community service. Smith also
    received a 10-year prison sentence on state charges, but under the
    terms of his plea agreement, his state sentence cannot exceed his
    federal sentence. He will serve the sentences concurrently.
    http://www.computerworld.com/securitytopics/security/story/0,10801,70701,00.html
    http://news.bbc.co.uk/hi/english/world/americas/newsid_1963000/1963371.stm
    http://www.wired.com/news/politics/0,1283,52261-2,00.html
    http://zdnet.com.com/2100-1105-896504.html
    http://zdnet.com.com/2100-1105-898720.html

     --30 April & 1 May 2002 Buffer Overflow Vulnerability in Netscape
                              and Mozilla
    Because XMLHttpRequest in Netscape and Mozilla doesn't adequately check
    security settings on certain data requests, an attacker could exploit
    a buffer overflow vulnerability associated with the ID3v2 tag to read
    files from a targeted computer. The vulnerability affects Mozilla
    0.9.7 to 0.9.9 and Netscape versions 6.1 and higher. The problem is
    related to a security hole in IE that was patched in February.
    The company that found the vulnerability, GreyMagic Security, hoped
    to claim a $1,000 bounty offered by Netscape, but Netscape called
    the problem "trivial." GreyMagic may rethink its disclosure policies.
    http://www.theregister.co.uk/content/55/25075.html
    http://zdnet.com.com/2100-1104-896099.html
    http://www.theregister.co.uk/content/55/25079.html
    http://www.computerworld.com/securitytopics/security/story/0,10801,70700,00.html
    http://www.newsbytes.com/news/02/176261.html

     --1 May 2002 NASA Hacker Pleads Guilty
    Ruben Candelario has pleaded guilty to accessing a NASA server; he
    was indicted a year ago. He faces maximum penalties of one year in
    prison and a $100,000 fine.
    http://www.gcn.com/vol1_no1/daily-updates/18544-1.html

     --30 April & 1 May 2002 WinAmp Vulnerability
    A security hole in WinAmp could allow malicious code implanted in
    an MP3 file to execute on a user's computer. The newest version of
    WinAmp (2.80) is not vulnerable to the exploit; other versions can
    be protected by disabling the software's minibrowser.
    http://news.com.com/2100-1023-895429.html
    http://www.newscientist.com/news/news.jsp?id=ns99992236

     --29 April & 2 & 6 May 2002 Deceptive Duo Continue Their Defacement
                                  Crusade
    The list of web sites defaced by the Deceptive Duo continues to grow.
    The pair of hackers target government and corporate sites, posting
    screen shots of databases with sensitive information from other sites.
    They maintain their motives are to raise public awareness of computer
    security problems in the United States and plan to continue their
    activities. They have breached the systems through SQL servers that
    still had default passwords, and through a NetBIOS Brute Force attack.
    The two say they cooperate with administrators who want help securing
    their systems.
    http://www.vnunet.com/News/1131344
    http://news.com.com/2100-1001-897952.html
    http://www.computerworld.com/securitytopics/security/story/0,10801,70728,00.html
    http://www.msnbc.com/news/748369.asp?0dm=C12JT
    [Editor's (Schultz) Note: It is time to quit paying so much attention
    to people who engage in illegal actions allegedly for the cause of
    computer security-related good. The two in question appear to have
    accomplished little more than to promote themselves. Hopefully,
    the law enforcement community will investigate what has happened here.]

     --29 April 2002 Nimda Downs Hitachi Site
    A web server hosting a newly designed site for Hitachi's software
    security company was infected with the Nimda worm soon after the
    site came on line. The server's Internet Information Server (IIS)
    software was unpatched.
    http://www.newsbytes.com/news/02/176217.html

     --22 April 2002 Extremetech/Syscheck Information Site
    This site serves as a "clearinghouse" for tools and information that
    can be used to check for security vulnerabilities. Categories include
    Browser Tests, Personal Firewall Tests, System Tests and Port Scanners
    and Network Performance Tests.
    http://www.extremetech.com/print_article/0,3428,a=25755,00.asp

    ==end==

    Please feel free to share this with interested parties via email,
    but no posting is allowed on web sites. For a free subscription,
    (and for free posters) e-mail sans@sans.org with the subject:
    Subscribe NewsBites

    To change your subscription, address, or other information, visit
    http://www.sans.org/sansurl and enter your SD number (from the
    headers.) You will receive your personal URL via email.

    You may also email <sans@sans.org> with complete instructions and
    your SD number for subscribe, unsubscribe, change address, add other
    digests, or any other comments.
