From: The SANS Institute (sans@sans.org)
Date: Thu May 16 2002 - 07:10:00 CDT
To: Security Express (SD397643)
From: Alan for the SANS NewsBites service
Re: May 15 SANS NewsBites
Update on Port 1433: Last week we reported on widespread scanning of
port 1433, commonly used by Microsoft's SQL server. We noted that we
had had no reports at Incidents.Org of exploits connected with the
scanning. A few hours later we received the following note from the
CISO of a large research organization:
[Our organization] has been hit at least twice in the last 2 weeks with
Web defacements based on the exploit Port 1433/ms-sql, CAN-2002-0154.
We were kind of shocked that within 1-2 weeks of Microsoft announcing
the vulnerability, we were already hit by the exploit. Doesn't
give much time to clean up. However, I haven't heard of widespread
exploits yet. Also, I would hope most sites block external access
to SQL Server. We happened to have a few servers that needed outside
access for special purposes.
Alan
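Added here as an illustration and not part of the NewsBites issue: a small Python script that flags external hosts sweeping TCP/1433 in constructed iptables-style firewall log lines and lists which internal hosts they probed, the kind of check that tells a site whether its SQL Server machines are reachable from outside. The log format, the 192.0.2.0/24 internal range and every address in it are constructed assumptions.

```python
"""Flag external hosts sweeping TCP/1433 (MS SQL Server) in firewall logs."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a simplified iptables LOG style (not real traffic).
SAMPLE_LOG = """\
May 15 02:11:04 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=4312 DPT=1433 SYN
May 15 02:11:04 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.11 PROTO=TCP SPT=4313 DPT=1433 SYN
May 15 02:11:05 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.12 PROTO=TCP SPT=4314 DPT=1433 SYN
May 15 02:11:05 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.13 PROTO=TCP SPT=4315 DPT=1433 SYN
May 15 02:12:40 fw kernel: IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=1433 SYN
May 15 02:13:01 fw kernel: IN=eth1 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=1100 DPT=1433 SYN
May 15 02:13:09 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.14 PROTO=TCP SPT=4316 DPT=80 SYN
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP .*?DPT=(\d+)")
# Assumed internal range for this constructed site; adjust to your own.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
MSSQL_PORT = 1433


def parse_log(text):
    """Yield (src, dst, dport) for every TCP line the regex understands."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def find_1433_sweeps(text, min_targets=3):
    """Return {src: sorted targets} for external sources that sent SYNs to
    MSSQL_PORT on at least min_targets distinct internal hosts (a sweep)."""
    targets = defaultdict(set)
    for src, dst, dport in parse_log(text):
        if dport != MSSQL_PORT:
            continue
        if ipaddress.ip_address(src) in INTERNAL:
            continue  # internal clients talking to SQL Server are expected
        targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


def externally_probed_sql_hosts(text):
    """Internal hosts that received a TCP/1433 SYN from outside. The log
    alone does not say whether the firewall accepted it, so each host on
    this list needs its filter rules and patch level checked."""
    hosts = set()
    for src, dst, dport in parse_log(text):
        if dport == MSSQL_PORT and ipaddress.ip_address(src) not in INTERNAL:
            hosts.add(dst)
    return sorted(hosts)


if __name__ == "__main__":
    print("sweeps:", find_1433_sweeps(SAMPLE_LOG))
    print("probed SQL hosts:", externally_probed_sql_hosts(SAMPLE_LOG))
```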
**********************************************************************
SANS NEWSBITES
The SANS Weekly Security News Overview
Volume 4, Number 20 May 15, 2002
Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Eugene Schultz
*********************************************************************
TOP OF THE NEWS
10 May 2002 DHCP Server Vulnerability
9 & 13 May 2002 Teen Sentenced for Defacements
7 May 2002 EDS Bans IM Products For Security's Sake
6 May 2002 Code Red and Nimda Still Pose a Threat
THE REST OF THE WEEK'S NEWS
13 May 2002 Man Sentenced for Abusing FBI Computer System
12 May 2002 Personal Data Available On Line
13 May 2002 Pilot Program Puts Criminal Court Documents On Line
10 May 2002 Xbox Emulator is Really a Trojan Horse
9 May 2002 Florida's Juvenile Justice Department System is Not Secure
9 May 2002 ElcomSoft Case Will Go to Trial
8, 9 & 10 May 2002 Patch Available for Microsoft Messenger
Vulnerabilities
8 & 9 May 2002 Cloning SIM Cards
8 May 2002 House Judiciary Committee Approves Cyber Crime Bill
8 May 2002 CSIS Report Warns Cyber Terrorists Threaten Critical
Infrastructure
7 May 2002 GAO's Keith Rhodes on Security
7 May 2002 Old Software Creates "Leaky" Documents
7 May 2002 Hacker Parodies Deceptive Duo
7 May 2002 Argentine Supreme Court Wants Cyber Crime Law
7 May 2002 JDBGMGR.EXE Virus Hoax
9 May 2002 Even Without Payloads, Hoaxes Can Cause Problems
7 May 2002 Anti-Trust Remedy Threatens Security, says Microsoft Exec
7 May 2002 Another MSN Messenger Problem
6 May 2002 Sun cachefsd Buffer Overflow
6 May 2002 Intrusion Detection Systems Use Behavior Monitoring and
Anomaly Detection
6 May 2002 Lack of Virus Rating Standards can be Confusing
8 March 2002 NSA Adds Universities to its Academic Excellence Program
UPCOMING SANS IN-DEPTH TRAINING OPPORTUNITIES
Toronto, Portland, OR, Colorado Springs, Chicago, Boston, San Diego
(New), Melbourne, Detroit, Ottawa, Marina Del Rey - many more, plus
online programs. See www.sans.org
********************** Sponsored by PentaSafe ************************
Need information security policies? Don't start from scratch...
Get INFORMATION SECURITY POLICIES MADE EASY V8! Now only $595! A
"must have" for every security professional, with 1100+ pre-written
policies on CD that can be easily customized for your company. Also:
Information Security Roles & Responsibilities Made Easy, offering
pre-written job descriptions and more.
Download a sample email policy: http://www.pentasafe.com/publications
**********************************************************************
TOP OF THE NEWS
--10 May 2002 DHCP Server Vulnerability
A CERT advisory warns that ISC's DHCP server could allow an attacker
to run code with the privileges of the DHCP server process. The problem
affects versions 3 through 3.0.1rc8. CERT recommends applying patches,
disabling DHCP if it is not needed, or applying ingress-filtering techniques.
http://www.cnn.com/2002/TECH/internet/05/10/dhcp.bug.idg/index.html
http://www.cert.org/advisories/CA-2002-12.html
--9 & 13 May 2002 Teen Sentenced for Defacements
Matthew T. Kroeker, a Kansas teenager, has pleaded guilty to felony
charges of hacking a variety of government and commercial web
sites. Kroeker will serve two years of probation and pay restitution
of at least $18,000.
http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8061
http://online.securityfocus.com/news/404
--7 May 2002 EDS Bans IM Products For Security's Sake
EDS, the computer branch of the British government, has banned the
use of Instant Messenger products as of May 8, 2002. Because the IM
services bypass security checkpoints, they could allow viruses and
other malware to propagate within the organization's network.
http://www.theregister.co.uk/content/55/25185.html
--6 May 2002 Code Red and Nimda Still Pose a Threat
Code Red and Nimda are still squirming across the Internet, despite
the fact that patches for the flaws they exploit have been available
for nearly a year. Their continued spread could be attributed to new,
unpatched machines being put on the Internet. There is speculation
that machines infected with these worms have been compromised by
hackers and could be used to launch a denial of service attack.
http://www.pcworld.com/news/article/0,aid,98504,00.asp
**********************************************************************
(1) Dorian Software Creations: Automate Event Log Archiving, Analysis,
and Detection! http://www.sans.org/cgi-bin/sanspromo/NB34
(2) Recourse ManTrap(r) 3.0 makes deception a snap. FREE white paper:
http://www.sans.org/cgi-bin/sanspromo/NB35
(3) Urgent: Deploy patches across every server in seconds with
BladeLogic. FREE TRIAL. http://www.sans.org/cgi-bin/sanspromo/NB36
**********************************************************************
THE REST OF THE WEEK'S NEWS
--13 May 2002 Man Sentenced for Abusing FBI Computer System
Former corrections officer Gary Piedmont has been sentenced to
"community confinement" and a year of probation, and will pay a $5,000
fine for using the FBI's National Crime Information Center computer
system to check on the status of a warrant that had been issued for
a friend of his.
http://www.gcn.com/vol1_no1/daily-updates/18631-1.html
--12 May 2002 Personal Data Available On Line
The Internet has proven to be a virtual bazaar for identity thieves;
law enforcement web sites publish names, birth dates, social security
numbers and even pictures and driver's license numbers of prison
inmates and wanted criminals. Court documents available on line can
contain much of the same data; bankruptcy cases can even include bank
account information. Though some states are passing laws requiring
that such sensitive data be edited out of public documents, much will
remain to be picked over by data miners.
http://www.msnbc.com/news/750428.asp?0dm=C23BT
[Editor's (Schultz) Note: How far will invasion and the potential
for invasion of privacy through electronic means go in the US? The
potential for damage to individuals is now growing way out of
control. The US Congress needs to take on electronic privacy protection
as a major priority. And if Congress won't do it, states (many of
which are way ahead of the US Government in computer security-related
legislation) will need to fill the void.]
--13 May 2002 Pilot Program Puts Criminal Court Documents On Line
The Judicial Conference of the United States has approved a pilot
program in 11 federal courts allowing public access to criminal case
court files on line. Privacy advocates hope to establish limitations
on the purposes for which the documents are viewed.
http://www.fcw.com/fcw/articles/2002/0513/news-court-05-13-02.asp
--10 May 2002 Xbox Emulator is Really a Trojan Horse
People are being tricked into downloading malicious code masquerading
as an Xbox emulator; what actually gets installed on their PCs
is a Trojan horse program called Net BUIE.exe, which subsequently
connects to remote servers. The program could be reaping money for
someone through pay-per-clicks. It also connects to four servers run
by Microsoft. The site from which the Trojan was downloaded has been
pulled off the Internet.
http://www.vnunet.com/News/1131681
http://www.newsbytes.com/news/02/176472.html
--9 May 2002 Florida's Juvenile Justice Department System is Not
Secure
The Florida auditor general has found that the state's Juvenile
Justice Department has implemented poor access controls on its computer
system, exposing the data it contains to the threat of modification
or disclosure. Department officials said they would make changes.
http://www.gcn.com/vol1_no1/daily-updates/18617-1.html
--9 May 2002 ElcomSoft Case Will Go to Trial
A federal District Court judge in California has denied ElcomSoft's
motion to dismiss the case against the company. The Russian software
company is charged with violating the Digital Millennium Copyright
Act (DMCA) for selling a tool that circumvents the copy protection in
Adobe eBooks.
http://zdnet.com.com/2100-1104-903768.html
http://www.theregister.co.uk/content/55/25211.html
Judge's ruling:
http://www.eff.org/IP/DMCA/US_v_Elcomsoft/20020508_dismiss_deny_order.pdf
--8, 9 & 10 May 2002 Patch Available for Microsoft Messenger
Vulnerabilities
Microsoft is warning of a critical vulnerability in its MSN
Messenger and Exchange Instant Messenger services; a buffer overflow
vulnerability in an ActiveX control, known as the MSN Chat OCX Control,
could allow malicious code to run on unprotected computers. The
vulnerability affects versions 4.5 and 4.6 of both programs. Users are
encouraged to upgrade to new versions, and MSN Chat users are also
encouraged to download a new version of that program. Microsoft has
released a patch for the vulnerability.
http://zdnet.com.com/2100-1105-904203.html
http://www.washingtonpost.com/wp-dyn/articles/A56332-2002May8.html
http://www.theregister.co.uk/content/55/25209.html
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,71011,00.html
http://www.cnn.com/2002/TECH/internet/05/10/messenger.hole.idg/index.html
http://www.microsoft.com/technet/security/bulletin/ms02-022.asp
http://www.cert.org/advisories/CA-2002-13.html
--8 & 9 May 2002 Cloning SIM Cards
IBM researchers have found a way to clone cell phone security
identification module (SIM) cards. Called "partitioning," the technique
requires having physical possession of the phone, querying its SIM card
and analyzing the corresponding power fluctuations and electromagnetic
field changes.
http://zdnet.com.com/2100-1105-902149.html
http://online.securityfocus.com/news/400
--8 May 2002 House Judiciary Committee Approves Cyber Crime Bill
The House Judiciary Committee has approved a bill that would make it
easier for Internet Service Providers (ISPs) to report potential
criminal behavior occurring on their networks; the measure would also
increase penalties for those found guilty of cyber crimes. While current
legislation assigns punishment based on the economic damage caused by
cyber crime, the new bill, sponsored by Lamar Smith (R-Texas), would
take into consideration such factors as the intent of the attackers
and the targets.
http://www.wired.com/news/politics/0,1283,52388,00.html
--8 May 2002 CSIS Report Warns Cyber Terrorists Threaten Critical
Infrastructure
A Canadian Security Intelligence Service (CSIS) report says cyber
terrorists pose a threat to critical infrastructures in nations around
the world. Many of the systems used in critical infrastructures can
be controlled with wireless technology; a year ago, a man in Australia
used wireless technology to send sewage into water systems.
http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8051
--7 May 2002 GAO's Keith Rhodes on Security
In an interview, US General Accounting Office (GAO) chief technologist
Keith Rhodes talks about what companies are doing right and what
he sees as the biggest security risks. Rhodes and his team conduct
regular penetration tests on government computer systems.
http://itmanagement.earthweb.com/secu/article/0,,11953_1040041,00.html
--7 May 2002 Old Software Creates "Leaky" Documents
Some .doc files available for downloading were created with software
that left fragments of deleted data in otherwise unused areas of the
files. The data can be seen if the documents are browsed with a hex
editor. The affected documents were created with unpatched versions
of Microsoft Word 6.0 and 7.0, and version 7.0 of PowerPoint and
Excel. The security hole affects some documents on government web
sites.
http://news.com.com/2100-1023-901112.html
--7 May 2002 Hacker Parodies Deceptive Duo
A hacker calling herself Evil Angelica has defaced two websites with
parodies of the recent defacements by the Deceptive Duo, who have
been posting screenshots of databases on a variety of websites in an
effort, they claim, to demonstrate the poor state of cyber security
in the United States.
http://www.newsbytes.com/news/02/176429.html
--7 May 2002 Argentine Supreme Court Wants Cyber Crime Law
After an Argentine federal court threw out a case against a group of
hackers who defaced Argentina's Supreme Court web site because no law
existed under which to prosecute them, Argentina's Supreme Court has
said it wants legislation that would outlaw hacking. The court has sent
a formal request to the legislature asking that such a law be penned.
http://www.reuters.com/news_article.jhtml?type=internetnews&StoryID=930771
--7 May 2002 JDBGMGR.EXE Virus Hoax
A hoax warning of a virus infection has been circulating around
the Internet, apparently telling people to delete the JDBGMGR.EXE
file. Several variants have been found, some maintaining that the virus
"hibernates" for two weeks before launching its payload. Deleting
the file may stop Java applets from working properly, but it can be
reinstalled.
http://www.newsbytes.com/news/02/176442.html
http://securityresponse.symantec.com/avcenter/venc/data/jdbgmgr.exe.file.hoax.html
[Editor's (Schultz) Note: It is amazing how successful dumb little
hoaxes like this one are. Where I work we have sent a message to
every employee about this hoax, included information about it in
the weekly newsletter, and plastered information about it all over
the computer protection home page. Despite all these measures, we get
calls and emails almost daily from users who have deleted JDBGMGR.EXE,
SULFNBK.EXE, or some other file mentioned in a hoax message. Keeping
the user community informed is truly one of the most difficult tasks
facing information security professionals.]
--9 May 2002 Even Without Payloads, Hoaxes Can Cause Problems
While hoax virus warnings may not carry an actual malicious payload,
they do carry the threat of bogged-down servers and embarrassment
for those who have forwarded the message. The columnist suggests that
organizations designate one person to be in charge of determining
the validity of virus warnings, and that all employees forward
the messages to that person rather than sending them on their merry
way around the Internet, causing unnecessary worry and resource
consumption.
http://www.vnunet.com/News/1131629
--7 May 2002 Anti-Trust Remedy Threatens Security, says Microsoft Exec
Microsoft's senior vice president for Windows, Jim Allchin, says
the proposed anti-trust remedy, which includes making public the
source code to Internet Explorer, would threaten the security of
the software; as more technical information about the systems is
disclosed, creators of malware would have more insight into how they
work. Additionally, copy protections could be circumvented, allowing
for the dissemination of pirated movies and music.
http://zdnet.com.com/2100-1104-901088.html
[Editor's (Schultz) Note: Mr. Allchin certainly has a vivid
imagination. If what Allchin says is true, then open operating systems
such as OpenBSD must be compromised proportionately far more than
are Windows systems, something that is not even close to being true.]
--7 May 2002 Another MSN Messenger Problem
A malformed font variable in an MSN Messenger header can crash
the client.
http://www.net-security.org/vuln.php?id=1657
--6 May 2002 Sun cachefsd Buffer Overflow
The default installation of the NFS/RPC file system cache daemon
(cachefsd) in Sun Solaris 2.5.1, 2.6, 7, and 8 has a remotely
exploitable heap overflow. Attackers could execute code with root-level
privileges.
http://www.cert.org/advisories/CA-2002-11.html
--6 May 2002 Intrusion Detection Systems Use Behavior Monitoring
and Anomaly Detection
Newer intrusion detection systems (IDSes) use anomaly detection and
system and application behavior monitoring either instead of or in
conjunction with more traditional signature-based detection.
http://www.eweek.com/article/0,3658,s=712&a=26347,00.asp
--6 May 2002 Lack of Virus Rating Standards can be Confusing
Anti-virus firms not only have different names for the same virus,
but their rating systems differ from each other's because different
types of companies use the various vendors' products. There are no
industry standards for rating a virus's risk. McAfee is addressing
this problem by changing the way it handles malware risk assignment,
including offering risk assessments for home users and for corporate
users for each virus.
http://www.newsfactor.com/perl/story/17603.html
http://www.pcworld.com/news/article/0,aid,98383,tk,dn050602X,00.asp
--8 March 2002 NSA Adds Universities to its Academic Excellence
Program
The US National Security Agency has renewed seven universities
and designated an additional thirteen universities as Centers of
Academic Excellence in Information Assurance Education for academic
years 2002 through 2005. The aim of the program is to help protect
national critical infrastructure systems through promoting information
assurance in higher education and producing knowledgeable and capable
IT professionals.
http://www.nsa.gov/releases/20020308.htm
http://www.nsa.gov/isso/programs/coeiae/index.htm
==end==
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the
headers). You will receive your personal URL via email.
You may also email <sans@sans.org> with complete instructions and
your SD number for subscribe, unsubscribe, change address, add other
digests, or any other comments.