From: The SANS Institute (sans@sans.org)
Date: Wed Jun 26 2002 - 11:54:02 CDT
To: Security Express (SD397643)
From: Alan for the SANS NewsBites service
Re: June 26 SANS NewsBites
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
If you are one of the more than 60% of web sites running Apache, patch
it soon. Even if you are running a personal web site with no critical
data, if a worm is launched using the newly discovered vulnerability,
it will undoubtedly find your systems and use them to attack others.
Quote of the week (from CIO Magazine, July 1, 2002) Kevin Turner,
CIO of Walmart, says,
"I'd really like to see our technology vendors step up and help us
with these [security] vulnerabilities because the money that we are
pouring into security right now is being pulled away from development
and strategic things that we could be investing in. A lot of the
vulnerabilities that we deal with are preventable and could be avoided
if the technology vendors would do the due diligence to tighten up
[the security configuration of] their products."
Alan
**********************************************************************
SANS NEWSBITES
The SANS Weekly Security News Overview
Volume 4, Number 26 June 26, 2002
Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Eugene Schultz
*********************************************************************
TOP OF THE NEWS
20 June 2002 Apache Exploit Posted
18 June 2002 Apache Users Urged to Upgrade
20 June 2002 Legislation is Asking More of ISPs
19 June 2002 Microsoft Can't Escape Security Woes
18 June 2002 Tannenbaum Begins Jail Sentence
THE REST OF THE WEEK'S NEWS
24 June and 1 July 2002 Microsoft Pushes Palladium
24 June 2002 Questions About Perrun's Threat
19 June 2002 Man Claims to be Perrun Author
24 June 2002 Yaha-E Worm
21 June 2002 Russian Federation Sites Running Vulnerable Versions
of Apache
21 June 2002 Homeland Security Dept. Transition Office Established
21 June 2002 DOT Wants Input on Enhancing Their Smart Cards
21 June 2002 KPNQuest Due to Shut Down Network-But Survives
18 & 20 June 2002 University Computers Compromised
20 June 2002 Searching for a Terrorist Web Site
20 June 2002 Web Spamming
20 June 2002 Wyoming State Auditor to Outsource Payroll and Accounting
19 June 2002 Pro-Islamic Groups May Be Banding Together for Cyber
Attacks
19 June 2002 Town Hall Meeting on Cyber Security
19 June 2002 Aviation Security Task Force Recommendations
18 June 2002 Apache Vulnerability Raises Standards Questions
18 June 2002 DoD Fixes Some Security Problems and Finds Another
18 June 2002 Virus Count Could be Double Last Year's, says MessageLabs
18 June 2002 2600 IRC Server Hit by DoS, Down Indefinitely
18 June 2002 Frethem.E Worm
June 2002 Consumer Reports: Anti-Virus Software and Firewalls
IN-DEPTH TECHNICAL SECURITY TRAINING (AND SECURITY MANAGEMENT COURSES)
IN THE NEXT 90 DAYS
*Large SANS Training programs: Washington, DC (the largest security
conference), Denver, Marina Del Ray (CA), New York
*Smaller SANS programs: Chicago, Detroit, San Antonio, Virginia
Beach, St. Louis, San Diego, Vienna, VA, Omaha, London, Vancouver,
Kuala Lumpur.
Details and registration information: www.sans.org
******** This Issue Sponsored by Internet Security Systems ***********
Reduce Your Risk Exposure Through Instant Messaging and Peer-To-Peer
(P2P) Networks
The popularity of Instant Messaging and peer-to-peer networking
technologies has risen dramatically in recent years. As these services
become increasingly popular, an increased risk emerges as well. Users
of these services are unknowingly putting information about themselves
or their companies at risk.
Download this FREE award-winning whitepaper at
http://www.iss.net/ad/sc_sans062602/ to learn about the dangers of
using these services, their potential for misuse and what steps can
be taken to minimize their inherent risks.
**********************************************************************
TOP OF THE NEWS
--20 June 2002 Apache Exploit Posted
Gobbles Security posted an exploit for an Apache server software
vulnerability on several mailing lists and on-line libraries.
The program exploits a security hole in OpenBSD systems running
Apache 1.3.x. In an e-mail interview, Gobbles said they released
the code because they were fed up with hearing about how it was
an unexploitable hole. A comment line in the code suggests the exploit
may have been used in the surreptitious backdooring of tools distributed
from Monkey.org.
http://online.securityfocus.com/news/493
--18 June 2002 Apache Users Urged to Upgrade
Everyone running Apache servers should upgrade their software,
according to the software's developers. A potentially serious buffer
overflow vulnerability could allow hackers to take control of unpatched
computers or launch a denial of service attack. CERT/CC has issued
an advisory. No attacks exploiting the problem have been reported.
http://www.computerworld.com/softwaretopics/os/linux/story/0,10801,72089,00.html
http://www.cert.org/advisories/CA-2002-17.html
--20 June 2002 Legislation is Asking More of ISPs
New legislation in Europe and the US is requiring that Internet service
providers (ISPs) take a more active role in preventing illegal activity
from taking place on their servers. A Finnish judge ordered Jippii,
an ISP, to remove a web site that allegedly provided people with
activation numbers to use pirated software. The ISP had been refusing
to abide by the previous requests of the Business Software Alliance
(BSA) until the BSA could prove the site was doing what it has been
alleged to be doing. ISPs are usually more willing to cooperate with
authorities in hacking or piracy cases than in content cases.
http://zdnet.com.com/2100-1105-937846.html
[Editor's Note (Schultz): This is a truly encouraging development.
Although some ISPs have been extremely responsible, many have been
the opposite with respect to being good citizens of the Internet.
If ISPs provide access, they should do their fair share in providing
and enforcing at least minimum levels of security.]
--19 June 2002 Microsoft Can't Escape Security Woes
Despite Microsoft's claims of a renewed focus on security, the
vulnerability-beleaguered company has issued 30 advisories for 40
vulnerabilities so far in 2002. While Microsoft's efforts to scour
its own code for security problems are commendable, the company is
also taking some risks by offering an automated update system and by
including new, activated features on update CDs.
http://www.usatoday.com/life/cyber/tech/2002/06/20/microsoft-security.htm
--18 June 2002 Tannenbaum Begins Jail Sentence
Ehud Tannenbaum has begun serving an 18-month jail sentence for
his role in a series of intrusions into a variety of computers,
including those at the Defense Department. An Israeli high court
http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8343
[Editor's Note: Stephen Northcutt provides a review of the Tannenbaum
case, also known around the US Department of Defense as the Solar
Sunrise case, at the end of this issue.]
************************ SPONSORED LINKS *****************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Stop Spam and Secure Exchange/Notes/GroupWise
FREE Email Security White Paper
http://www.sans.org/cgi-bin/sanspromo/NB46
(2) AUTOMATICALLY protect yourself from unknown attacks and new worms.
FREE WHITE PAPER
http://www.sans.org/cgi-bin/sanspromo/NB47
(3) ALERT: Test and assess your Web Applications
FREE Trial Download of WebInspect
http://www.sans.org/cgi-bin/sanspromo/NB48
**********************************************************************
THE REST OF THE WEEK'S NEWS
--24 June and 1 July 2002 Microsoft Pushes Palladium
Microsoft wants to change the architecture of PCs to incorporate
hardware that will support a multi-faceted security system called
Palladium. The system could be used to protect data from hackers,
block worms, do away with spam, and control privacy. It could also
be used for digital rights management.
http://www.msnbc.com/news/770511.asp?0dm=C14MT
http://www.computerworld.com/securitytopics/security/story/0,10801,72221,00.html
http://www.theregister.co.uk/content/55/25843.html
[Editor's Note (Murray): I encourage you to look at all three articles
to get a full perspective on Palladium.]
--24 June 2002 Questions About Perrun's Threat
Users are questioning a statement made by McAfee's Vincent Gullotto
that executables could be carried inside .jpg files. Data files are
opened by applications that display their contents and do not execute
code appended to them. Gullotto says Perrun still raises the specter
of a new type of threat.
http://www.computerworld.com/securitytopics/security/story/0,10801,72220,00.html
[Editor's Note (Grefer): No matter what Gullotto claims, this type
of threat is not new.]
--19 June 2002 Man Claims to be Perrun Author
21-year-old Paul Glenerson B. Amurao of the Philippines is claiming
to be the author of the Perrun virus that may infect .jpg files.
He says he wrote the virus with Microsoft Visual Basic 6.
http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8364
--24 June 2002 Yaha-E Worm
The W32/Yaha-E worm is spreading in the wild. It arrives in an
attachment; the accompanying e-mail can have a variety of subject
lines. The worm attempts to turn off anti-virus and firewall
protection.
http://www.mcafee.com/anti-virus/viruses/yaha/
http://www.sophos.com/virusinfo/articles/yahae.html
--21 June 2002 Russian Federation Sites Running Vulnerable Versions
of Apache
Independent tests indicate that President Putin's web site and other
Russian Federation web sites are running an older version of Apache
server software that may be vulnerable to attack. Netcraft and eEye
Digital Security both say Putin's web site is running Apache version
1.3.20.
http://www.wired.com/news/technology/0,1282,53412,00.html
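The version-banner check that the Netcraft and eEye observations above rest on, and that the "Apache Users Urged to Upgrade" item implies every administrator should run against their own hosts, is shown here as an added example. This is not code from SANS, CERT, Netcraft, eEye or the Apache project. It assumes the fixed releases named in the CERT advisory the earlier item links (CA-2002-17: Apache 1.3.26 and 2.0.39) and treats any earlier release of the same major branch as vulnerable; the HTTP response and the banner list are constructed for the example, not captured from any real site.

```python
import re
from typing import Dict, Optional, Tuple

# Added example, not code from SANS, CERT or the Apache project.
# First releases carrying the fix for the chunk-handling flaw in
# CERT advisory CA-2002-17: Apache 1.3.26 and 2.0.39.  Any earlier
# release of the same major branch is treated as vulnerable.
FIXED_VERSIONS: Dict[int, Tuple[int, int, int]] = {1: (1, 3, 26), 2: (2, 0, 39)}

SERVER_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")

# Constructed sample HTTP response head (not captured from any real site);
# the 1.3.20 banner mirrors the version the news item quotes for Putin's site.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Fri, 21 Jun 2002 10:00:00 GMT\r\n"
    b"Server: Apache/1.3.20 (Unix)\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>...</html>"
)

# Constructed banners covering the cases a scan of many hosts will meet.
SAMPLE_BANNERS: Dict[str, str] = {
    "host-a": "Apache/1.3.20 (Unix)",
    "host-b": "Apache/1.3.26 (Unix) mod_ssl/2.8.9 OpenSSL/0.9.6d",
    "host-c": "Apache/2.0.36 (Win32)",
    "host-d": "Apache",                 # ServerTokens Prod hides the version
    "host-e": "Microsoft-IIS/5.0",      # not Apache at all
}


def server_header_from_response(raw: bytes) -> Optional[str]:
    """Pull the Server: header value out of a raw HTTP response head.
    Only the head (up to the blank line) is inspected; header names are
    matched case-insensitively, as HTTP requires."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:           # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def parse_apache_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a Server banner, or None when the
    banner does not state a full Apache version."""
    m = SERVER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(banner: str) -> str:
    """'vulnerable', 'patched' or 'unknown' for one Server banner.
    'unknown' means the banner cannot answer the question, not that the
    host is safe."""
    ver = parse_apache_version(banner)
    if ver is None:
        return "unknown"
    fixed = FIXED_VERSIONS.get(ver[0])
    if fixed is None:
        return "unknown"          # a major branch this table does not cover
    return "vulnerable" if ver < fixed else "patched"


def scan_banners(banners: Dict[str, str]) -> Dict[str, str]:
    """Classify every host in a host -> banner map."""
    return {host: classify(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    banner = server_header_from_response(SAMPLE_RESPONSE) or ""
    print(f"sample response: {banner!r} -> {classify(banner)}")
    for host, verdict in scan_banners(SAMPLE_BANNERS).items():
        print(f"{host}: {verdict}")
```

Two caveats a practitioner should keep in mind: a banner is evidence, not proof. A site can hide its version (host-d above), and a vendor-packaged 1.3.x may carry a backported fix while still announcing the old number, so "vulnerable" is a prompt to confirm the installed build, and "unknown" is a host that still needs a direct check rather than one that can be ignored.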
--21 June 2002 Homeland Security Dept. Transition Office Established
President Bush signed an executive order establishing a Homeland
Security Department transition office within the Office of Management
and Budget (OMB).
http://www.gcn.com/vol1_no1/daily-updates/19104-1.html
--21 June 2002 DOT Wants Input on Enhancing Their Smart Cards
The Transportation Department (DOT) wants information on methods and
technologies for enhancing their smart card system. The DOT will
review white papers every three months until June 30, 2003.
http://www.fcw.com/fcw/articles/2002/0617/web-dot-06-21-02.asp
--21 June 2002 KPNQuest Due to Shut Down Network - But Survives
KPNQuest's network was due to shut down Friday night, June 21 after
it failed to receive emergency funding. The shutdown could have
a noticeable impact on European network traffic as the company's
networks carry 40% of European Internet traffic.
http://www.ananova.com/news/story/sm_612949.html
Last minute support from users and a deferral of a demand for repayment
by Alcatel averted the immediate threat.
http://www.theregister.co.uk/content/6/25795.html
--18 & 20 June 2002 University Computers Compromised
The Secret Service is investigating the possibility that students at
universities in Texas, Arizona, Florida and California were monitored
by surreptitiously installed software designed to capture passwords
and credit card numbers. Nearly 20 hard drives were removed from
computers at Arizona State University.
http://news.com.com/2100-1001-938126.html
http://www.tucsoncitizen.com/local/6_18_02russia_asu.html
--20 June 2002 Searching for a Terrorist Web Site
Agents from the FBI and the CIA are scouring the Internet for a
web site allegedly used by al Qaeda for communication. The site
is registered in Singapore and was taken down earlier this month,
but officials expect it to resurface.
http://www.usatoday.com/life/cyber/tech/2002/06/21/terrorweb.htm
--20 June 2002 Web Spamming
Web spammers have developed a more sophisticated technique for tricking
search engines into returning their sites as top ranked results.
The most recent case involved AOL Search and Inktomi, which were tricked
into returning results that linked to a Russian-based web site.
http://zdnet.com.com/2100-1106-937782.html
--20 June 2002 Wyoming State Auditor to Outsource Payroll and
Accounting
Weaknesses in the state government's own security management (no
firewall, for example) led the Wyoming State Auditor's Office to
outsource the state's payroll and accounting data management.
http://www.fcw.com/geb/articles/2002/0617/web-wyo-06-20-02.asp
--19 June 2002 Pro-Islamic Groups May Be Banding Together for
Cyber Attacks
A British firm claims to have found evidence of an alliance between
pro-Islamic hacker groups launching ideologically motivated attacks;
the groups have been focusing on the problems in Kashmir, the Middle
East conflict and the war on terrorism.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_2052000/2052320.stm
--19 June 2002 Town Hall Meeting on Cyber Security
At a town hall meeting on cybersecurity, vice chairman of the Critical
Infrastructure Protection Board Howard Schmidt described the National
Strategy to Secure Cyberspace, which will be released in September,
as a living document, meaning it will be amended and altered as
needs dictate. The strategy plans to address home users as well
as industry and government. The Bush administration does not plan
to regulate private industry with security requirements; instead,
it hopes the industry will self-regulate. One insurance executive
observed that companies are unlikely to self-regulate until liability
litigation starts becoming a reality.
http://www.computerworld.com/securitytopics/security/story/0,10801,72108,00.html
[Editor's Note (Schultz): With the possible exception of the financial
community, industry has in general not done a credible job with
respect to self-regulation in the practice of information security
so far. One recent study suggested that companies spend more on
coffee than information security! The Bush Administration has once
again given industry no reason to change. It is well time for the
Bush Administration to wake up to the immense threat that industry
computers and networks are facing and to do something meaningful to
prompt necessary change.]
--19 June 2002 Aviation Security Task Force Recommendations
The Blue Ribbon Task Force on Aviation Security and Technology has
issued a report describing how to use existing IT to enhance airport
and airline security. Among the group's recommendations are using
biometrics to identify airport/airline workers and to allow access to
aircraft, and using Global Positioning System (GPS) devices to keep
tabs on vehicles within the airport perimeter. The recommendations
will be tested at 20 airports across the country.
http://www.computerworld.com/securitytopics/security/story/0,10801,72098,00.html
[Editor's Note (Murray) The best biometric for this application is
the face, the best reference the photograph. Put the photograph on
the ticket. Seems outrageous at first but think about it.]
--18 June 2002 Apache Vulnerability Raises Standards Questions
Internet Security Systems' decision to publish an advisory about and
a patch for the Apache flaw met with criticism because it gave the
Apache developers less than two hours to respond to the problem. Apache
was already working with another researcher to address the flaw and
was examining how it affected various platforms. The incident again
raises the issue of standards for reporting vulnerabilities. While a
number of groups exist to coordinate security information, they do not
coordinate with each other. The proposed Homeland Security Department
would consolidate those efforts.
http://www.msnbc.com/news/768762.asp?0dm=T23FT
http://zdnet.com.com/2100-1105-936949.html
http://www.theregister.co.uk/content/55/25766.html
[Editor's Note (Ranum): ISS put the Apache user base at risk by
jumping the gun on a vulnerability release.]
--18 June 2002 DoD Fixes Some Security Problems and Finds Another
While closing security holes brought to light in a Defense Department
Inspector General's report, the Web Risk Assessment Cell, the group
responsible for the cleanup, found another security problem: "hidden"
sites that don't turn up in basic searches but are still accessible
with some finessing.
http://www.fcw.com/fcw/articles/2002/0617/web-dod-06-18-02.asp
[Editor's Note (Ranum): If a FORTUNE 500 firm had such lame security,
they'd fire their network and security managers and get new ones.]
--18 June 2002 Virus Count Could be Double Last Year's, says
MessageLabs
MessageLabs says it has intercepted twice as many infected messages so
far this year as it did during all of last year. The company screens
corporate e-mail accounts. The Klez family of viruses topped the list
with SirCam coming in second. The company's marketing director says
such worms, which are constantly being tweaked into more virulent
forms, are responsible for the rising numbers of viruses. They are
also growing more malicious.
http://news.com.com/2100-1001-937228.html
--18 June 2002 2600 IRC Server Hit by DoS, Down Indefinitely
irc.2600.net is now off line due to a denial of service (DoS) attack.
The group's provider disconnected the server.
http://www.2600.com/news/display.shtml?id=1203
--18 June 2002 Frethem.E Worm
The Frethem.E worm exploits a MIME vulnerability in Internet Explorer
(IE) to execute automatically, spreading itself with the aid of its
own SMTP engine. The worm hasn't done much damage because a recent
Microsoft patch designed to protect computers from the Klez virus
also keeps this one out.
http://www.esecurityplanet.com/trends/article/0,,10751_1367621,00.html
--June 2002 Consumer Reports: Anti-Virus Software and Firewalls
Consumer Reports tested firewalls and anti-virus software. This
article describes why the software/hardware is necessary and how
it works. Linked articles offer advice on keeping yourself safe
from common virus/worm ruses, keeping your data safe, and what to do
if your computers have been infected or hacked.
http://www.consumerreports.org/static/0206com0.html
Background on the Tannenbaum Story from Stephen Northcutt
It is amazing just how terse this and previous stories were about
Tannenbaum -- the hacker known as Analyzer. To try to recap
the history: Recall, this was the rstatd attack "/tmp/bob" that
compromised numerous DOD and other government Solaris systems in late
1997 and into the first quarter of 1998. The "Mideast" source (the
defenders were not sure which country) of the attacks stimulated the
US government to react in many ways, and the event became known as
Solar Sunrise. You can buy a video about the FBI investigation from:
http://www.ncix.gov/pubs/videos/video_solar.html
Tannenbaum was coaching two California teenagers, and they were caught
by the FBI. Their capture led to him.
http://www.jpost.com/com/Archive/23.Mar.1998/News/Article-7.html
Then Tannenbaum went into the Army, some claim in information warfare.
http://www.jewishsf.com/bk980403/ibyte.htm
Then he tried to cash in on his infamy as a hacker by becoming
an officer in a security company while his case dragged on in the
legal system.
http://www.theregister.co.uk/content/1/14891.html
Now, he is in jail.
==end==
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail sans@sans.org with the subject:
Subscribe NewsBites
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the
headers.) You will receive your personal URL via email.
You may also email <sans@sans.org> with complete instructions and
your SD number for subscribe, unsubscribe, change address, add other
digests, or any other comments.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9Gd4j+LUG5KFpTkYRAj/+AJ99sWcwept3cnNfzLOWNqYg0/zymwCfSTnF
0O/5gg8RhxJ+SM6C0kW0UIg=
=vZCV
-----END PGP SIGNATURE-----