From: The SANS Institute (northcutt@sans.org)
Date: Tue May 28 2002 - 06:27:51 CDT


    SANS Internet Threat Update, Plus Changing Requirements for Security
    Training

    May 28, 2002

    This special SANS Update focuses on the latest worm and other new
    attacks that were recently discovered by the Internet Storm Center, and
    provides a look ahead at new training requirements and opportunities
    facing security professionals including the changing face of liability
    for computer security incidents.

    +++ Internet Threat Update +++

    The broad-based attacks on Microsoft's SQL Server sites by the so-called
    sqlsnake were discovered May 20th by SANS Internet Storm Center
    incident handlers Matt Fearnow and Johannes Ullrich. It first became
    apparent when Storm Center sensors around the world detected a sudden
    increase in hosts scanning for port 1433, the port commonly used by
    Microsoft's SQL Server. The malicious code propagates via an account
    "SA" that is set up, by the SQL Server 7 installation program, with
    no password. That much is well known and has been reported by many
    other advisories. Now let's take a look at the rest of the story.

    - You may be vulnerable and not realize it. Access 2000, Visio
    Enterprise Network Tools, Microsoft Project Central, Visual Studio 6
    (and possibly other development tools) all appear to have an embedded
    version of SQL server (with no password set for the "SA" account)
    as a default install. These tools are still being sold today, and we
    have no reason to believe new buyers are immune to the vulnerability.
    Even worse, other vendors have embedded the run-time version of SQL
    Server 7 in their products. Dell, for example, installed it inside
    its IT Assistant Version 6.0 product and does not install the software
    required to change the password. Compaq Insight Manager Version 7 and
    IBM Director Version 3.1 both use the runtime version of SQL Server.
    If someone tells you, "Microsoft fixed the problem," please point
    out to them that they may have been misinformed for a large segment
    of the user community.

    - Users of Microsoft's SQL Server 7 reported that they followed the
    install wizard and, although they were asked many security questions,
    a password for the SA account is not one of those questions.

    - The worm software sends password files from infected systems to an
    account ixltdpostone.com in Singapore, but future versions of the
    worm may send data to different accounts. The stolen passwords will
    be decrypted offline and then used to attack these compromised systems
    and associated systems where the same account names and passwords may
    have been used. If your system was compromised, you must change all
    passwords immediately.

    For further information, please see:
    http://www.incidents.org/diary/diary.php?id=156

    An unproven theory being discussed is that the designer of the worm
    is German. All things being equal, Germany should be one of the top
    5 countries showing evidence of MSSQL infections based on the number
    of connected hosts, yet it is way down on the list.

    What's next? No one can tell the future, but we can watch
    for signs of testing. Curiously, Germany pops right back
    into our attention: on the 1st and 7th of May, two fascinating
    spikes of activity to port 60001 were observed. The European
    analysis team is on the case. In the meantime, if you capture
    matching activity, please contact handlers@incidents.org.
    http://isc.incidents.org/port_details.html?port=60001

    +++ Changing Needs For Security Skills +++

    SANS is currently running focus group sessions to determine the
    changing character of technical skills that system, network, and
    security administrators will need in the next few years. We are
    seeing patterns emerging. Two of the new topics will be subjects
    of SANS programs later this year: Securing Microsoft's .net (Dot
    Net), and XML and database skills, especially in intrusion detection
    and log analysis. A third, writing safe programs, is one we have
    tried repeatedly, but we found that programmers were not interested
    despite the great ratings the courses received. The fourth hot topic
    is the legal aspects of system administration and risk avoidance.
    If you have any interest in this area, especially in liability for
    unsafe systems, definitely plan to sign up for SANSFIRE, the Forensic,
    Incident Response and Education conference, June 27 - July 3 in Boston:
    http://www.sans.org/SANSFIRE02/

    Legal issues are covered in depth in the Forensics track but attendees
    in all tracks may hear Kimberly Keifer, Co-Chair of the American Bar
    Association's Information Security Committee, presenting an
    up-to-the-minute briefing on how legal precedents appear to be inexorably
    leading to legal liability for organizations that fail to protect
    their systems.

    +++ Security Training Update +++

    SANSFIRE, the Boston conference we mentioned earlier, has experienced
    explosive signups in SANS' newly updated audit track. Who would have
    guessed audit would be as popular as forensics? Anyway, we put extra
    resources where the attendance is, so we are adding evening hands-on
    audit training sessions for this track at no additional charge
    for these students. SANSFIRE also offers full week-long training
    programs covering SANS Security Essentials, Intrusion Detection
    In-Depth, Firewalls, Hacker Techniques, Securing Windows, Securing
    UNIX/Linux, and the only immersion training program on Forensics.
    This unique program begins June 27, and please note the great rate
    for rooms at the conference hotel is available only until June 6.
    If you plan to attend, reserve your rooms now.
    http://www.sans.org/SANSFIRE02/

    +++ Additional Conference Update +++

    Last week we added a new track to the Ottawa conference, beginning
    August 7, 2002. Track 3, Intrusion Detection in Depth, is a hands-on
    and lecture program that will be taught in Ottawa by Stephen Northcutt
    and Guy Bruneau.
    http://www.sans.org/ParliamentHill02/

    +++ A final note +++

    You can't do information technology work without tools, and many
    tools we all use are from commercial vendors. We will be sending
    a note shortly to the security tools vendors inviting them to help
    potential users learn about their tools through webcasts and live
    conference events. If your company has a popular security tool, and
    you would like to receive this email, drop a note to vendor@sans.org
    and we will add you to the list.

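The Internet Threat Update above describes how sqlsnake first showed up: Storm Center sensors saw a sudden increase in the number of distinct hosts scanning port 1433. The following is an added Python sketch of that kind of detection, not code from SANS or the Storm Center; the one-record-per-connection-attempt log format and the sample records are constructed assumptions.

```python
"""Flag a sudden rise in distinct source hosts probing one TCP port, the
signal that exposed sqlsnake on port 1433 (added example; the log format
"<day> <src_ip> <dst_port>" is an assumption, not a real sensor format)."""
from collections import defaultdict
from statistics import median

# Constructed sensor records: quiet background on ports 80 and 1433 for
# three days, then many new hosts hitting 1433 on May 20.
SAMPLE_LOG = """\
2002-05-17 10.0.0.1 1433
2002-05-17 10.0.0.2 80
2002-05-18 10.0.0.3 1433
2002-05-18 10.0.0.2 80
2002-05-19 10.0.0.1 1433
2002-05-19 10.0.0.1 1433
2002-05-19 10.0.0.7 80
2002-05-20 10.0.1.1 1433
2002-05-20 10.0.1.2 1433
2002-05-20 10.0.1.3 1433
2002-05-20 10.0.1.4 1433
2002-05-20 10.0.1.5 1433
2002-05-20 10.0.1.6 1433
2002-05-20 10.0.0.2 80
"""

def distinct_sources_per_day(lines):
    """Return {port: {day: set(src_ip)}}; repeated hits from one host count once."""
    table = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records instead of aborting the run
        day, src, port = parts
        table[int(port)][day].add(src)
    return table

def find_scan_spikes(lines, factor=5, min_sources=3):
    """List (port, day, count, baseline) where the distinct-host count on a day
    is at least `factor` times the median of earlier days (and >= min_sources).
    Days with no records for a port are not counted as zero-traffic days."""
    spikes = []
    for port, by_day in distinct_sources_per_day(lines).items():
        days = sorted(by_day)
        counts = [len(by_day[d]) for d in days]
        for i in range(1, len(days)):
            baseline = median(counts[:i])
            if counts[i] >= min_sources and counts[i] >= factor * max(baseline, 1):
                spikes.append((port, days[i], counts[i], baseline))
    return spikes

if __name__ == "__main__":
    for port, day, n, base in find_scan_spikes(SAMPLE_LOG.splitlines()):
        print(f"port {port}: {n} distinct sources on {day} (baseline {base})")
```

Only port 1433 is reported: six new hosts against a baseline of one per day, while port 80 stays flat.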