From: The SANS Institute (NewsBites_at_sans.org)
Date: Wed Dec 18 2002 - 09:37:31 CST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ***********************************************************************
    SANS NewsBites December 18, 2002 Vol. 4, Num. 51
    ***********************************************************************

    TOP OF THE NEWS
    16 December 2002 Gilmore Commission Critical of Administration's
                     Cybersecurity Policy
    16 December 2002 Security Certifications Lead to Salary Increases

    THE REST OF THE WEEK'S NEWS
    16 December 2002 DeCSS Creator's Trial Over; Ruling Expected Soon
    16 December 2002 MySQL Vulnerabilities
    16 December 2002 Opinion: DMCA and P2P Piracy Prevention Act Hinder
                     Cybersecurity
    11, 13 & 14 & 17 December 2002 Elcomsoft DMCA Case - Not Guilty
    16 December 2002 Expert Witness Tries to Prove Hacking, But Gets His
                     Testimony Thrown Out Instead
    12 December 2002 RaQ Server Vulnerability
    12 December 2002 DALnet Target of DDoS Attack
    12 December 2002 Open College Proxy Servers Exploited to Download
                     Journals
    10 December 2002 Senate Shuts Down Open Proxy Server
    12 December 2002 Purloined e-Mail Message Spells Trouble
    12 December 2002 Microsoft JVM Vulnerabilities
    12 December 2002 Prestige Worm
    11 December 2002 UK's Computer Misuse Act Might Not Cover DoS Attacks
    11 December 2002 eBay Warns Customers of Phony Site Scam
    10 December 2002 W3C Approves XML Standards
    10 December 2002 Microsoft Offers Windows Installation Blueprints
    10 December 2002 Wireless Network Security Advice
    10 December 2002 Gateway Filtering
    9 December 2002 University of Washington IMAP Buffer Overflow
                    Vulnerability
    9 December 2002 UK's NHTCU Offers Anonymity for Companies Sharing
                    Attack Info
    9 December 2002 NIPC Director Ronald Dick to Retire
    6 December 2002 Windows Messenger Service Allows Pop-up Spam, Could
                    Pose Security Risk

    SECURITY TRAINING UPDATE
    SANS Cyber Defense Initiative Conferences in
    * New Orleans (Jan 13-18/03) - http://www.sans.org/CDI03NewOrleans
    * Austin (Jan 12-17/03) - http://www.sans.org/CDI03Austin
    * San Antonio (Jan 25-30/03) - http://www.sans.org/CDI03SanAntonio
    feature SANS most popular immersion training tracks, from Security
    Essentials to Auditing to Hacker Exploits, to Intrusion Detection
    to UNIX and Windows hardening.
    *Other programs in 60 cities: See http://www.sans.org

    **************** This Issue Sponsored by SANS 2003 ********************
    Here are four people who can tell you why you should attend SANS2003
    in San Diego in March:

    "Relevant material, great instructors - and it lived up to its
       'firehose' reputation. Excellent!" Chris McCown, Intel Corp.
    "The one primary reason that I keep coming back to SANS events is the
       quality of the faculty." Jim Clausing, AT&T
    "SANS' value lies in the fact that you have industry leaders that
       actually practice, not just preach, authoring and instructing the
       classes." Cory Steers, State Farm Insurance
    "There is simply no substitute for hands-on experience." Kaelin
       Colclasure, Resilience Corp.
    Add to that the largest security expo, the only conference relevant to
    chief information security officers, and you have a can't miss program.
    http://www.sans.org/SANS2003/nial.php
    ***********************************************************************

    TOP OF THE NEWS
     --16 December 2002 Gilmore Commission Critical of Administration's
                        Cybersecurity Policy
    The Gilmore Commission, also known as the Advisory Panel to Assess
    Domestic Response Capabilities for Terrorism Involving Weapons of
    Mass Destruction, found that the administration's incessant focus on
    public/private partnerships to improve cybersecurity is an inadequate
    solution for the job at hand. "That simply hasn't worked," said
    former Virginia Governor Gilmore.
    http://computerworld.com/newsletter/0%2C4902%2C76827%2C0.html?nlid=AM
    http://www.gcn.com/vol1_no1/daily-updates/20702-1.html

     --16 December 2002 Security Certifications Lead to Salary Increases
    Security professionals quantify the costs and benefits of security
    certifications.
    http://www.eweek.com/article2/0,3959,768101,00.asp

    ************************ SPONSORED LINKS ******************************
    Privacy notice: These links redirect to non-SANS web pages.

    (1) STOP SPAM and unwanted email. Take control. FREE WHITE PAPER!!!
    http://www.sans.org/cgi-bin/sanspromo/NB111

    (2) ALERT: Outsmart the Top 14 Web Application Hacks - FREE 15-day
    WebInspect Download http://www.sans.org/cgi-bin/sanspromo/NB112

    (3) V1.0 now available. Download NT OBJECTives Fire & Water FREE
    security toolkit http://www.sans.org/cgi-bin/sanspromo/NB113

    ***********************************************************************

    THE REST OF THE WEEK'S NEWS
     --16 December 2002 DeCSS Creator's Trial Over; Ruling Expected Soon
    The trial of Jon Johansen, the Norwegian teenager who wrote the
    DeCSS DVD encryption-breaking program, has ended. Johansen's attorney
    maintains the young man wrote the program so he could watch DVDs he
    already owned on his Linux-based computer. Prosecutors asked for a
    90-day suspended sentence and $1,400 in court costs. The judge is
    likely to rule in the case early next year.
    http://news.com.com/2100-1023-978009.html
    http://www.washingtonpost.com/wp-dyn/articles/A62526-2002Dec16.html

     --16 December 2002 MySQL Vulnerabilities
    A number of vulnerabilities have been found in the MySQL database
    system and client libraries. The flaws could allow attackers to
    cause denial of service, execute arbitrary code and bypass password
    checking. Versions up to 3.23.53a and 4.0.5a are affected; an updated
    version, 3.23.54, is not vulnerable to the flaws.
    http://zdnet.com.com/2100-1104-977958.html

     --16 December 2002 Opinion: DMCA and P2P Piracy Prevention Act
                        Hinder Cybersecurity
    The author of this column argues that the Digital Millennium Copyright
    Act (DMCA) and the proposed P2P Piracy Prevention Act, which are
    aimed at protecting intellectual property rights, actually hinder
    the development of cyber security products and projects.
    http://www.siliconvalley.com/mld/siliconvalley/business/columnists/4750230.htm

     --11, 13 & 14 & 17 December 2002 Elcomsoft DMCA Case - Not Guilty
    Elcomsoft, the Russian company that created software that removes
    protections from Adobe eBooks, is the first company to be charged
    under the DMCA. Jurors requested a complete copy of the Digital
    Millennium Copyright Act (DMCA); U.S. District Court Judge Ronald
    Whyte declined their request, but said he would instead answer specific
    questions about the law. In the end, the jury returned a verdict of
    not guilty.
    http://www.wired.com/news/business/0,1367,56853,00.html
    http://sanjose.bizjournals.com/sanjose/stories/2002/12/16/daily28.html

     --16 December 2002 Expert Witness Tries to Prove Hacking, But Gets
                        His Testimony Thrown Out Instead
    In an attempt to prove that opposing counsel was entering his
    password-protected web site without permission, expert witness David
    Egilman planted a false headline on the site implying the law firm had
    paid off the judge. The lawyers did bring the headline to court, but
    the judge was not amused; he threw out Egilman's testimony. Egilman
    was not successful in convincing the court that the attorneys had
    acted unlawfully. Cyber law experts say that guessing a password to
    enter a protected web site and gathering information is tantamount
    to breaking into an office and stealing documents for discovery,
    and is a violation of the Computer Fraud and Abuse Act.
    The following site requires (free) registration.
    http://www.washingtonpost.com/wp-dyn/articles/A55951-2002Dec14.html

     --12 December 2002 RaQ Server Vulnerability
    According to a Computer Emergency Response Team Coordination Center
    (CERT/CC) advisory, Sun Cobalt RaQ 4 and RaQ 3 Server appliances
    that have the Security Hardening Patch (SHP) installed could allow
    crackers "to execute arbitrary code with superuser privileges." Of
    particular concern is the fact that an exploit for the vulnerability
    is already available.
    http://www.zdnet.com.au/newstech/security/story/0,2000024985,20270646,00.htm
    http://www.cert.org/advisories/CA-2002-35.html

     --12 December 2002 DALnet Target of DDoS Attack
    Internet Relay Chat (IRC) service provider DALnet was the focus of
    "an unusually strong, unusually persistent" distributed denial of
    service (DDoS) attack; all DALnet client servers were targeted.
    http://www.theregister.co.uk/content/55/28515.html

     --12 December 2002 Open College Proxy Servers Exploited to Download
                        Journals
    A cracker or crackers found open college proxy servers and
    exploited them to access and download scholarly journals in the
    JSTOR database. By the time the attack was discovered, about
    50,000 articles, less than five percent of JSTOR's library, had been
    downloaded. Steps were taken to stop the illegal downloading. JSTOR
    president Kevin M. Guthrie said he wants to make sure institutions
    know about the problem of open proxy servers so they can address them.
    http://chronicle.com/free/2002/12/2002121201t.htm
    [Guest Editor's Note: Johannes Ullrich, who leads the Internet Storm
    Center, had these comments: This is a common problem and one to watch
    out for. The New York Times story is one of the best known cases,
    that URL is shown below:
    http://news.com.com/2100-1023-846215.html
    And a list of open proxies can be found at
    http://tools.rosinstrument.com/proxy/
    It wouldn't hurt to give it a look and make sure your network is not
    on the list.
    (Murray) Just one more instance of how open college and university
    networks make the entire environment more vulnerable. A generation
    ago, in response to the exploitation of their systems by a notorious
    criminal hacker, the University of Southern California closed its
    network to all but registered users and devices. If anything, it
    has improved their ability to efficiently accomplish their academic
    mission. It is time to close most college and university networks.]
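
The abuse described in this item leaves a clear trace in the proxy's own access log: requests from addresses outside the institution that the proxy nonetheless relays successfully. The following script is an added example, not code from the newsletter or from JSTOR, that scans a constructed Squid-style access log (the line format, the campus address range 10.20.0.0/16 and the host names are all assumptions) and reports external clients the proxy has been relaying for, with the destinations they reached. It goes slightly beyond the item by also handling CONNECT tunnels, which an open proxy relays the same way.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy access log (not from the page). Each line is:
# client_ip method url http_status
SAMPLE_LOG = """\
10.20.3.7 GET http://journals.example.edu/article/1 200
203.0.113.45 GET http://jstor-like.example.org/stable/1001 200
203.0.113.45 GET http://jstor-like.example.org/stable/1002 200
203.0.113.45 GET http://jstor-like.example.org/stable/1003 200
198.51.100.9 CONNECT mail.example.net:443 200
10.20.3.8 GET http://jstor-like.example.org/stable/2001 200
203.0.113.45 GET http://jstor-like.example.org/stable/1004 403
not a log line
"""

# Address ranges that legitimately belong to the institution (assumed values).
CAMPUS_NETS = [ipaddress.ip_network("10.20.0.0/16")]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return (client_ip, method, url, status) or None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, url, status = m.groups()
    try:
        ipaddress.ip_address(client)
    except ValueError:
        return None
    return client, method, url, int(status)


def is_internal(client):
    """True when the client address falls inside one of the campus ranges."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in CAMPUS_NETS)


def dest_host(method, url):
    """Extract the destination host from an absolute URL or a CONNECT target."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url


def relay_counts(log_text):
    """Count successfully relayed (2xx) requests per external client address.

    An external address that receives 2xx answers through the proxy is using
    it as an open relay: no campus user is behind that request.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, _method, _url, status = rec
        if is_internal(client):
            continue
        if 200 <= status < 300:
            counts[client] += 1
    return dict(counts)


def destinations_by_source(log_text):
    """Map each external client to the set of hosts it reached via the proxy."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, method, url, status = rec
        if not is_internal(client) and 200 <= status < 300:
            dests[client].add(dest_host(method, url))
    return dict(dests)


def suspicious_sources(log_text, threshold=3):
    """External clients with at least `threshold` relayed requests, busiest first."""
    counts = relay_counts(log_text)
    hits = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    dests = destinations_by_source(SAMPLE_LOG)
    for ip, n in suspicious_sources(SAMPLE_LOG):
        print(f"{ip}: {n} relayed requests to {', '.join(sorted(dests[ip]))}")
```

A single relayed request from outside is already proof that the proxy is open; the threshold only ranks the noisiest sources for triage. Point `CAMPUS_NETS` at the institution's real ranges and feed the script the actual log lines, adjusting `LINE_RE` to the proxy's log format.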

     --10 December 2002 Senate Shuts Down Open Proxy Server
    The U.S. Senate recently shut down an open proxy server on its
    www.senate.gov web site. The open server, which could be used as
    an anonymizer, was discovered by Adrian Lamo, who sent a message to
    administrators about the problem.
    http://online.securityfocus.com/news/1780

     --12 December 2002 Purloined e-Mail Message Spells Trouble
    The editor of Durban's (South Africa) Independent newspaper has found
    himself in the hot seat after a cracker broke into the newspaper's
    e-mail system and sent around an e-mail from the editor to the
    paper's managing director. In the e-mail message, the editor had
    listed a number of senior staff who he felt should be ousted from
    their positions. The editor is on leave indefinitely.
    http://www.news24.com/News24/South_Africa/News/0,1113,2-7-1442_1296958,00.html

     --12 December 2002 Microsoft JVM Vulnerabilities
    Microsoft has released a security bulletin regarding eight security
    holes in its Java Virtual Machine (JVM). The flaws could allow an
    attacker to gain control of a vulnerable system, reformat hard drives
    or steal information. Affected users should update to newer versions
    of JVM. Microsoft released two additional security bulletins: one
    is for Windows 2000 and XP without Service Pack 1 installed, and the
    other is for a privilege elevation vulnerability in Windows NT 4.0,
    Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP.
    http://zdnet.com.com/2100-1104-977067.html
    JVM Security Bulletin:
    http://www.microsoft.com/technet/security/bulletin/MS02-069.asp
    Windows XP or 2000 without Service Pack 1 Security Bulletin:
    http://www.microsoft.com/technet/security/bulletin/MS02-070.asp
    Privilege Elevation Vulnerability Security Bulletin:
    http://www.microsoft.com/technet/security/bulletin/MS02-071.asp

     --12 December 2002 Prestige Worm
    The Prestige worm arrives as an attachment purporting to be pictures
    of the Prestige oil tanker disaster off the Spanish coast. The worm
    is in an .exe file included in the .zip attachment. If the attachment
    is executed, a Spanish message asks users if they want to install an
    application to view the pictures; if they click their approval, an
    error message tells them the application could not be installed, and
    behind the scenes, the worm is doing its work. Prestige self replicates
    through Outlook address books and IRC programs, changes files in the
    Windows system directory and replaces and renames the regedit.exe file.
    http://www.net-security.org/virus_news.php?id=142

     --11 December 2002 UK's Computer Misuse Act Might Not Cover DoS
                        Attacks
    The UK's Home Office is considering amending the Computer Misuse
    Act (CMA) because some experts feel that the law, which was passed
    in 1990, does not cover denial of service (DoS) attacks. The law
    addresses illegally accessing a computer and altering data contained
    on a computer; DoS attacks are not attempts to break into machines,
    so the question of whether the CMA covers DoS attacks lies in whether
    the attacks alter the system.
    http://news.zdnet.co.uk/story/0,,t269-s2127395,00.html

     --11 December 2002 eBay Warns Customers of Phony Site Scam
    Some eBay customers received e-mail messages informing them there were
    billing problems with their accounts and pointing them to a phony site
    that tried to collect their credit card information. The site has since
    been taken off line. eBay has warned its customers about the scam.
    http://zdnet.com.com/2100-1106-976862.html
    http://www.cnn.com/2002/TECH/internet/12/11/ebay.scam/index.html

     --10 December 2002 W3C Approves XML Standards
    The World Wide Web Consortium (W3C) has approved the XML Encryption
    Syntax and Processing and Decryption Transform for XML Signature
    standards. The standards allow for encryption of sensitive sections
    of XML documents.
    http://zdnet.com.com/2100-1104-976701.html
    http://www.computerworld.com/developmenttopics/development/xml/story/0,10801,76673,00.html

     --10 December 2002 Microsoft Offers Windows Installation Blueprints
    Microsoft has released five blueprints for installing Windows more
    efficiently and less expensively. One of the blueprints is called
    Critical Path Deployment and addresses effective ways to use Microsoft
    System Management Server and Software Update Services for getting
    out fixes for bugs, patches and product updates.
    http://news.com.com/2100-1001-976656.html

     --10 December 2002 Wireless Network Security Advice
    Advice for securing wireless networks includes placing antennae so
    they limit the signal's reach, changing the default SSID and disabling
    its broadcast, disabling DHCP and using access lists.
    http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=JanT.db&command=viewone&id=85&op=t
    [Editor's Note (Northcutt): This is a well written article, but
    even if you follow all six steps you are still far from secure. So
    on the one hand, a little security is better than less security. On
    the other hand, after you do all six steps, if you are connecting to
    a wireless network, make sure you also have an encrypted VPN such as
    secure shell or IPsec.]

     --10 December 2002 Gateway Filtering
    Gateway filtering monitors the Simple Mail Transfer Protocol (SMTP),
    the HyperText Transfer Protocol (HTTP) and the File Transfer Protocol
    (FTP) for suspicious behavior, weeding out malicious code before it
    reaches network desktop computers. It should be used in conjunction
    with other security methods, such as desktop antivirus software,
    and should be configured by someone knowledgeable.
    http://www.newsfactor.com/perl/story/20201.html

     --9 December 2002 University of Washington IMAP Buffer Overflow
                       Vulnerability
    The Computer Emergency Response Team Coordination Center (CERT/CC)
    has released a vulnerability note for the University of Washington's
    IMAP server up through imap-2002 inclusive. A buffer overflow could
    allow an attacker to run arbitrary code with the privileges associated
    with the UID of the user. Users are encouraged to upgrade to the most
    recent release.
    http://www.kb.cert.org/vuls/id/961489

     --9 December 2002 UK's NHTCU Offers Anonymity for Companies Sharing
                       Attack Info
    The UK's National Hi-Tech Crime Unit (NHTCU) says it will offer
    anonymity to companies that are forthcoming with information when they
    suffer cyber attacks; businesses often don't share such information
    because they fear the attendant negative PR repercussions. Some
    companies have shared information with the NHTCU through an
    intermediary.
    http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=1875748
    http://www.business.scotsman.com/technology.cfm?id=1364472002

     --9 December 2002 NIPC Director Ronald Dick to Retire
    Ronald Dick, who has served as director of the FBI's National
    Infrastructure Protection Center (NIPC) since March 2001 will retire
    later this month. NIPC deputy director Navy Rear Admiral James Plehal
    will serve as interim director until March 2003 when the agency will
    become part of the Department of Homeland Security (DHS). Dick made
    substantial contributions in improving cyber threat and cybercrime
    information sharing between the public and private sectors; he also
    helped to create and expand the FBI's InfraGard program.
    http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,76538,00.html

     --6 December 2002 Windows Messenger Service Allows Pop-up Spam,
                       Could Pose Security Risk
    A number of companies have figured out how to exploit Windows
    Messenger Service to send pop-up spam to Internet users. AOL now
    blocks the ports that Messenger Service uses. Messages are accepted
    by default in Windows 2000, NT and XP; Windows 95, 98 and Me do
    not have the service enabled. The open port could also be used for
    malicious purposes. One company that sells software that allows
    massive Messenger mailings maintains its product was designed for
    administrators to send alerts to users on LANs and that misuse of
    their product is not their responsibility.
    http://story.news.yahoo.com/news?tmpl=story2&ncid=1212&e=10&u=/pcworld/20021207/tc_pcworld/107754&sid=95612658
    [Editor note (Northcutt): This is not a new vulnerability. If you
    want to block the Messenger Service, it is running on UDP 135.]

    ===end===

    NewsBites Editorial Board:
    Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
    Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer

    Please feel free to share this with interested parties via email,
    but no posting is allowed on web sites. For a free subscription,
    (and for free posters) e-mail sanssans.org with the subject:
    Subscribe NewsBites

    To update your address, visit http://www.sans.org/sansurl and enter
    your SD number (from the header of this email.) You will receive your
    personal URL via email.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQE+AHNJ+LUG5KFpTkYRAqq+AJ9bEvoiKIplVkSvFq/2cRHELUyiIwCdFp5C
    9feUCiHRgnaBtZTSE84tcbs=
    =vv00
    -----END PGP SIGNATURE-----