From: The SANS Institute (NewsBites_at_sans.org)
Date: Wed Jan 29 2003 - 10:13:11 CST

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ***********************************************************************
    SANS NewsBites January 29, 2003 Vol. 5, Num. 4
    ***********************************************************************

    TOP OF THE NEWS
      SQL Slammer Worm
      CIO Council Approves Single Authentication Policy Proposal
      Judge: Verizon Must Disclose Customer's Identity to RIAA
      Cyber Security Leadership Act Designed to Make Government a Model

    THE REST OF THE WEEK'S NEWS
      Network Solutions Exposed Customer E-Mail Addresses
      British WHOIS Temporarily Suspended Due to Data Mining Attempts
      Double Free Vulnerability in CVS
      Sprint DSL Customers Vulnerable to Login Data Theft
      AOL Not Liable for Hostile Code Sent Over its Service
      International Students' Data Stolen From University of Kansas
      Computer
      Microsoft Issues Security Bulletins for Locator, Content Management
      Server 2001 and Outlook 2002
      New e-Zine Publishes Virus Source Code
      RealNetworks Releases Third Portion of Helix DNA Code
      Good Disaster Recovery Plan Saves Observatory Data
      AOL Web-based E-Mail Vulnerability Fixed
      FTC Report Says Identity Theft is On the Rise
      Sun Will Release Patch for Solaris Vulnerability
      Russian Mobile Phone Company Customer Database was Pirated
      RIAA Web Site Under Attack and Unavailable - Again
      Plaintiffs to Appeal Verdict in Johansen DeCSS Case
      PeopleSoft Application Messaging Gateway Servlet Flaw
      Boulder Campus Now Requires SSL e-Mail Encryption
      W32/Sahay Worm Tries to Get Rid of Yaha
      1,700 Receive FunLove Along with Computer Security Newsletter
      GameSpy Network Servers Could be Used in Denial of Service Attacks
      Swiss Town had On Line Voting Option
      Hewlett-Packard Wireless Keyboards are Not Secure
      Los Alamos Lab Hard Drive May be Missing

    SECURITY TRAINING UPDATE
    Looking for CISSP training? SANS Track 1 covers both CISSP and GIAC GSEC
    topics and earns much higher teacher ratings than simple CISSP courses.
    And Track 9 gives you both Security + and GIAC GISO training. Two
    for the price and time of one - and great teachers, too. Both are
    available for groups in house, as are our other training tracks. They
    are also being held in San Diego, Baltimore and many other cities.
    See: http://www.sans.org

    *************** This Issue Sponsored by Qualys, Inc ******************

    Bulletproof Your Network: FREE Guide

    Existing security products -- firewalls, anti-virus and IDS --
    are simply no longer enough to ensure your networks are safe against
    sophisticated attacks and worms such as Code Red and Nimda. FREE Guide
    shows you how to ensure TOTAL security for your network.

    Get it now. https://www.qualys.com/forms/nsguideh_488.php

    ***********************************************************************

    TOP OF THE NEWS

    - --SQL Slammer Worm
    (25/26/27 January 2003)
    The W32/SQL Slammer worm exploits a known buffer overflow vulnerability
    in Microsoft SQL Server 2000 web servers and other systems using
    MSDE and has infected between 150,000 and 200,000 servers around the
    world. South Korea was among the countries hardest hit by Slammer,
    which caused packet loss rates of between 20% and 33%; regular packet
    loss rates are under 1%. The problem was fixed quickly; ten hours
    after the attack had begun, packet loss rates were down to 5%.
    Webcast of White House, ISS, Symantec and SANS technical experts
    discussing the worm:
    http://www.sans.org/webcasts/012703.php
    http://www.computerworld.com/securitytopics/security/holes/story/0,10801,77898,00.html
    http://www.washingtonpost.com/wp-dyn/articles/A46928-2003Jan26.html
    http://www.cnn.com/2003/TECH/internet/01/27/internet.attack.ap/index.html
    http://www.cnn.com/2003/TECH/internet/01/27/worm.why/index.html
    http://news.com.com/2100-1001-982284.html
    http://www.govexec.com/dailyfed/0103/012703h1.htm
    http://www.theregister.co.uk/content/56/29040.html
    http://www.cert.org/advisories/CA-2003-04.html

    Microsoft itself was apparently infected with the Slammer worm.
    http://news.com.com/2100-1001-982305.html

    [Editor's Note (Paller): Damage from this worm was reduced much more
    quickly than for other worms because systems infected by SQL Slammer
    immediately flooded their own networks and created local outages.
    People fixed their systems quickly because there was no other way to
    stop the pain.
    (Schultz): The response team for the lab at which I work (CIAC) really
    threw us and others a curve in that it issued a severity rating of
    less than critical when this vulnerability was first reported. And
    I notice that nothing has been done to upgrade the severity rating,
    even after all that has occurred.]

    - --CIO Council Approves Single Authentication Policy Proposal
    (27 January 2003)
    The CIO Council approved a proposal that would create a single
    authentication policy for all agencies. The policy would apply to
    e-mail, documents and users. The single policy should make it easier
    for agencies to implement PKI, because policy development is a major
    cost and major hurdle in such implementations.
    http://www.fcw.com/fcw/articles/2003/0127/news-policy-01-27-03.asp

    - --Judge: Verizon Must Disclose Customer's Identity to RIAA
    (21/22 January 2003)
    A federal judge has ruled that under the Digital Millennium Copyright
    Act (DMCA), Verizon Communications must disclose the identity of KaZaA
    users to the Recording Industry Association of America (RIAA). Verizon
    maintains that the DMCA does not apply in cases where customers'
    identities are sought by copyright holders, and plans to appeal
    the decision.
    http://www.pcworld.com/news/article/0,aid,108889,00.asp
    http://zdnet.com.com/2100-1106-981449.html
    http://www.cnn.com/2003/TECH/internet/01/22/downloading.music.ap/

    - --Cyber Security Leadership Act Designed to Make Government a Model
    (20 January 2003)
    Senator John Edwards' (D-N.C.) Cyber Security Leadership Act is aimed
    at making the federal government a model of information security. Among
    the bill's provisions: agency CIOs would be required to identify
    vulnerabilities in their systems and establish goals for eliminating
    them and the National Institute of Standards and Technology (NIST)
    would develop mandatory guidelines for addressing the vulnerabilities.
    http://www.gcn.com/vol1_no1/daily-updates/20899-1.html
    [Editor's Note (Paller): The key provision in the Cyber Security
    Leadership Act is an important correction to the Federal Information
    Security Management Act (FISMA), just signed by the President. FISMA
    required agencies to test only "major" systems. As this weekend's
    worm proved, unprotected and unimportant systems create havoc and
    denial of service attacks. If the government is going to demonstrate
    leadership in cybersecurity, it must demonstrate effective methods
    for checking and securing huge numbers of systems cost-effectively.
    There's no doubt in my mind that it can be done -- in part through
    procurement innovation and partnerships with vendors.]

    ************************ SPONSORED LINKS ******************************
    Privacy notice: These links redirect to non-SANS web pages.

    (1) Alert! New attacks coming. Stop email threats, including
    spam. Here's how. http://www.sans.org/cgi-bin/sanspromo/NB125

    (2) Instantly stop DDoS attacks and port scans.
    http://www.sans.org/cgi-bin/sanspromo/NB126

    (3) BE OFFENSIVE. Don't react to network intrusions. Actively
    prevent them. FREE DEMO. http://www.sans.org/cgi-bin/sanspromo/NB127

    ***********************************************************************
    SANS National Information Assurance Leadership Conference (March
    5-6 in San Diego) is the only conference to attend for CISOs
    and other security managers and team leaders. The highest rated
    speakers in the security field - no vendor marketing fluff. And it
    is not too technical for managers. You can even attend it and then
    attend SANS immersion training in the same hotel right after the
    conference. http://www.sans.org/SANS2003/ (Click on NIAL in "Select
    a Course")
    ***********************************************************************

    THE REST OF THE WEEK'S NEWS

    - --Network Solutions Exposed Customer E-Mail Addresses
    (24 January 2003)
    The Internet domain registrar Network Solutions inadvertently sent out
    messages containing customer e-mail addresses to some of its customers
    who purchased .org addresses; about 85,000 e-mail addresses were
    exposed. Those affected fear they will be targeted by spammers. The
    e-mail information is available through the Whois databases, but
    potential spammers would have to look them up one at a time.
    http://www.washingtonpost.com/wp-dyn/articles/A35318-2003Jan23.html
    [Editor's Note (Grefer): This is not a very big issue because scripting
    WHOIS queries enumerating names is not very difficult.]

    - --British WHOIS Temporarily Suspended Due to Data Mining Attempts
    (24 January 2003)
    Nominet UK suspended its WHOIS service for nearly nine hours
    after it became apparent someone was attempting to copy the entire
    database. Service has been started again, but will be suspended if
    the attacks resume.
    http://www.theregister.co.uk/content/6/29022.html

    - --Double Free Vulnerability in CVS
    (23/24 January 2003)
    The Computer Emergency Response Team Coordination Center (CERT/CC)
    has issued an advisory warning of a double-free vulnerability in the
    Concurrent Versions System (CVS) that could allow attackers to take
    over CVS servers and alter source code.
    http://zdnet.com.com/2100-1104-981801.html
    http://www.theregister.co.uk/content/56/29019.html
    http://www.cert.org/advisories/CA-2003-02.html
    Vendor status information: http://www.kb.cert.org/vuls/id/650937#systems

    - --Sprint DSL Customers Vulnerable to Login Data Theft
    (23 January 2003)
    Weak security controls on ZyXel Communications DSL modems issued
    to Sprint FastConnect DSL customers could allow attackers to steal
    passwords and e-mail addresses; the vulnerabilities can exist even
    when computers are powered down, because the modems, which store login
    data, are often still on. Remote access to the modems' administrative
    software is protected by a default password of "1234." Sprint does
    not provide instructions for resetting the password in its customer
    documentation, but plans to post information on its website about
    disabling the remote administration feature; modems without the
    feature will be shipped starting in February.
    http://www.wired.com/news/infostructure/0,1377,57342,00.html

    - --AOL Not Liable for Hostile Code Sent Over its Service
    (23 January 2003)
    The U.S. Court of Appeals for the Third Circuit upheld a ruling
    that AOL is not liable for hostile code sent by a subscriber through
    its service. The original suit was brought by a man who alleged AOL
    failed to enforce its terms of service because he received hostile
    code designed to kick him off the service from an AOL subscriber.
    http://news.com.com/2100-1023-981800.html
    [Editor's Note (Schultz): So far ISPs, most of whom have a long
    way to go when it comes to security, have been getting off pretty
    light when it comes to legal rulings related to security problems
    and incidents, as this and other recent rulings have shown.]

    - --International Students' Data Stolen From University of Kansas Computer
    (23/25 January 2003)
    The FBI is investigating a computer security breach at the University
    of Kansas. A hacker allegedly downloaded personal information belonging
    to 1,450 international students from a computer at the University's
    Academic Computing Center. The information was collected as a part
    of homeland security measures, and included passport and student ID
    numbers, countries of origin and courses taken. Apparently a patched
    hole reverted to its unpatched state after a security upgrade was
    installed. University officials believe the hole has now been fixed.
    http://www.thekansascitychannel.com/education/1930636/detail.html
    http://24hour.startribune.com/24hour/technology/story/734845p-5355931c.html

    - --Microsoft Issues Security Bulletins for Locator, Content Management
      Server 2001 and Outlook 2002
    (23 January 2003)
    Microsoft has issued three security bulletins. The first, which
    received a "critical" rating, is for a buffer overflow flaw in the
    Windows Locator service and affects Windows versions NT 4.0, 2000
    and XP. The two other bulletins address flaws in Content Management
    Server 2001 and in Outlook 2002's handling of V1 Exchange Server
    Security Certificates; these flaws received "important" and "moderate"
    ratings, respectively.
    http://www.computerworld.com/securitytopics/security/holes/story/0,10801,77801,00.html
    http://zdnet.com.com/2100-1105-981745.html
    http://www.microsoft.com/technet/security/bulletin/MS03-001.asp
    http://www.microsoft.com/technet/security/bulletin/MS03-002.asp
    http://www.microsoft.com/technet/security/bulletin/MS03-003.asp
    http://www.cert.org/advisories/CA-2003-03.html

    - --New e-Zine Publishes Virus Source Code
    (23 January 2003)
    A group of virus writers has published an e-zine called Mitosis that
    contains source code for viruses and advice for evading detection by
    anti-virus software.
    http://www.infosecuritymag.com/2003/jan/digest23.shtml#news4

    - --RealNetworks Releases Third Portion of Helix DNA Code
    (23 January 2003)
    RealNetworks, Inc. is releasing the source code to its Helix DNA
    Server. The company has already released code to Helix DNA Client and
    Helix DNA Producer. The company hopes the code's release will produce
    "the industry's first open-source media delivery system."
    http://www.computerworld.com/developmenttopics/development/webdev/story/0,10801,77805,00.html
    [Editor's Note (Grefer): Releasing/Publishing source code does not
    automatically make it open-source in the traditional meaning of
    this expression.]

    - --Good Disaster Recovery Plan Saves Observatory Data
    (23 January 2003)
    Valuable data collected by the Mt. Stromlo Observatory in Canberra,
    Australia were not lost in a firestorm that destroyed the facility
    thanks to a "comprehensive data recovery plan." Data from the
    telescopes was being sent to a StorageTek 9310 Powderhorn library
    at the Canberra campus of the Australian National University (ANU);
    administrative and research data were being backed up regularly
    and stored at two separate remote locations.
    http://www.zdnet.com.au/newstech/enterprise/story/0,2000025001,20271482,00.htm
    [Editor's Note (Shpantzer): I love hearing success stories
    like this. It's not all cyberterrorism and hackers. Plan for
    natural disasters with remote storage and test the restoration
    process. Business continuity is not as glamorous as some of the
    cool technologies out there, but it is essential for the long term
    existence of the organization.]

    - --AOL Web-based E-Mail Vulnerability Fixed
    (22/23 January 2003)
    A vulnerability in AOL's international web-based e-mail authentication
    system allowed access to accounts without first verifying account
    passwords; all an attacker would need to read someone else's e-mail
    was the account name. Those exploiting the vulnerability would also be
    able to access AIM passwords. AOL says only several hundred accounts
    were affected and has reportedly repaired the hole.
    http://www.eweek.com/article2/0,3959,840980,00.asp

    - --FTC Report Says Identity Theft is On the Rise
    (22 January 2003)
    A Federal Trade Commission (FTC) report says that complaints about
    identity theft have increased 73% since last year and account for 43%
    of all the complaints they received in 2002. Problems with Internet
    auctions generated 13% of complaints.
    http://zdnet.com.com/2100-1105-981489.html
    FTC website with information about identity theft:
    http://www.consumer.gov/idtheft/

    - --Sun Will Release Patch for Solaris Vulnerability
    (22 January 2003)
    A vulnerability in the Kodak Color Management System (KCMS) library
    service daemon in Sun Microsystems' Solaris 2.5.1, 2.6, 7, 8 and 9
    running on Sparc- or Intel-based servers could allow remote access
    to all files and possible root privileges on unprotected systems. Sun
    Microsystems plans to release a patch sometime in the future.
    http://www.eweek.com/article2/0,3959,840818,00.asp
    [Editor's Note (Grefer): Few people use this feature. If you do not
    use it, remove it by executing a pkgrm pkgname as root.]

    - --Russian Mobile Phone Company Customer Database was Pirated
    (22 January 2003)
    Russian mobile phone company Mobile Telesystems has acknowledged that
    it suffered a serious security breach that has resulted in pirated
    CDs of the company's entire five million customer database appearing
    for sale in Moscow. A company spokeswoman said they are investigating
    how the breach took place.
    Note: this site requires free registration
    http://www.nytimes.com/2003/01/23/business/worldbusiness/23DATA.html

    - --RIAA Web Site Under Attack and Unavailable - Again
    (27 January 2003)
    The RIAA web site is again being targeted by a denial-of-service
    attack; the site has been unavailable since Friday, 24 January. The
    RIAA is trying to restore the site and the U.S. Secret Service is
    investigating the incident.
    http://news.com.com/2100-1023-982274.html?tag=fd_top

    - --Plaintiffs to Appeal Verdict in Johansen DeCSS Case
    (21 January 2003)
    Norway's Economic Crime Unit plans to appeal the recent acquittal of
    Jon Johansen, the teenager in the DeCSS DVD decryption case. Johansen's
    lawyer is confident they will win any appeals.
    http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=2079046

    - --PeopleSoft Application Messaging Gateway Servlet Flaw
    (21 January 2003)
    A vulnerability in PeopleSoft's Application Messaging Gateway servlet
    could allow attackers to access confidential information. The
    flaw affects versions 8.1x of PeopleTools; version 8.4x is not
    affected. Internet Security Systems (ISS), the network security company
    that discovered the flaw, recommends that affected users restrict
    or block access to the vulnerable servlets until PeopleTools 8.19,
    which addresses the problems, comes out in early February.
    http://news.zdnet.co.uk/story/0,,t269-s2129044,00.html

    - --Boulder Campus Now Requires SSL e-Mail Encryption
    (21 January 2003)
    As of January 2, 2003, the University of Colorado at Boulder
    requires the use of Secure Sockets Layer (SSL) encryption for e-mail
    messages sent between campus e-mail servers and individuals' client
    software. Users had to reconfigure their e-mail programs in order
    to communicate with campus servers. The University of Colorado at
    Boulder also began requiring the use of encrypted links for FTP and
    telnet functions.
    http://chronicle.com/free/2003/01/2003012101t.htm
    [Editor's Note: What a GREAT idea! The fact that it is news is a bit
    scary. Is it actually so unusual for a campus setting?]

    - --W32/Sahay Worm Tries to Get Rid of Yaha
    (21 January 2003)
    The W32/Sahay.A mass mailer worm arrives as an attachment,
    mathmagic.scr, and is designed to detect the Yaha worm and remove it
    from infected machines. Sahay tries to attach itself to .exe files in
    the Windows and C:\Program\Files\Mirc\Download folders, but its buggy
    code could corrupt files in the folders or even crash the machine.
    http://zdnet.com.com/2100-1105-981336.html

    - --1,700 Receive FunLove Along with Computer Security Newsletter
    (21 January 2003)
    Norway's Data Inspectorate inadvertently sent copies of the
    FunLove worm to 1,700 of its computer security newsletter
    subscribers. Evidently, the agency's external e-mail server was
    infected with FunLove, which allows all users administrative privileges
    on infected systems.
    http://www.siliconvalley.com/mld/siliconvalley/news/editorial/4998039.htm

    - --GameSpy Network Servers Could be Used in Denial of Service Attacks
    (21 January 2003)
    PivX Solutions has posted an advisory warning that multi-player games
    with servers supporting the GameSpy network could be manipulated to
    intensify the effect of denial of service attacks. This is possible
    because the GameSpy network code does not verify senders' addresses.
    http://zdnet.com.com/2100-1105-981255.html
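    The item above gives the mechanism in one sentence: a UDP service that answers
    a small query with a large response, and never checks that the source address
    on the query is genuine, can be pointed at a third party. The following is an
    added example, not code from the newsletter, PivX or GameSpy, and the query and
    response formats in it are invented rather than the GameSpy wire format. It
    shows the weak behaviour beside a standard mitigation: before sending anything
    larger than it received, the server returns a short stateless cookie (an HMAC
    over the claimed source address) that the client must echo back. A forged
    source never sees the cookie, so it never provokes the large response, and the
    padded-query rule keeps every reply to an unverified source no bigger than the
    request. The secret and addresses are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample protocol, loosely modelled on a game-server status query.
# It is NOT the GameSpy wire format; every field name and value here is invented.
STATUS_QUERY = b"\\status\\"
MIN_QUERY_LEN = 64      # hardened server: first datagram must be padded to at least this
COOKIE_LEN = 8          # bytes of HMAC tag carried in the challenge

# A realistically fat status response: server rules plus a 32-slot player list
# (constructed sample; about 1 KB, versus an 8-byte query).
STATUS_RESPONSE = (
    b"\\hostname\\Example Arena\\mapname\\dm7\\gametype\\ffa\\maxplayers\\32"
    + b"".join(b"\\player_%d\\Player%02d\\score_%d\\%d" % (i, i, i, i * 3) for i in range(32))
    + b"\\final\\"
)

Addr = Tuple[str, int]


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes the server sends toward the claimed source per byte it received from it."""
    return len(response) / len(request)


def handle_unverified(request: bytes, src: Addr) -> bytes:
    """The weakness the advisory describes: answer any status query and trust the
    source address in the UDP header. A forged source address means the whole
    response lands on a third party, multiplied by the response/request size ratio."""
    return STATUS_RESPONSE if request.startswith(STATUS_QUERY) else b""


class CookieServer:
    """Mitigation: a return-routability check before anything large is sent.

    A first-contact query earns only a short challenge carrying an HMAC over the
    source (ip, port). Only a host that really receives at that address can echo
    the cookie back, so forged sources never trigger the fat response. The cookie
    is stateless (recomputed from the secret), so a flood of spoofed first packets
    cannot exhaust server memory. DNS cookies and QUIC address validation rest on
    the same idea.
    """

    def __init__(self, secret: Optional[bytes] = None):
        self.secret = secret if secret is not None else os.urandom(32)

    def _cookie_hex(self, src: Addr) -> bytes:
        ip, port = src
        tag = hmac.new(self.secret, f"{ip}:{port}".encode(), hashlib.sha256).digest()
        return tag[:COOKIE_LEN].hex().encode()

    def handle(self, request: bytes, src: Addr) -> bytes:
        if not request.startswith(STATUS_QUERY):
            return b""
        # Tiny first packets are dropped: the client pays in bytes up front, which
        # keeps every reply to an unverified source no larger than its request.
        if len(request) < MIN_QUERY_LEN:
            return b""
        fields = request[len(STATUS_QUERY):].split(b"\\")
        if len(fields) >= 2 and fields[0] == b"cookie":
            # Second round trip: the source echoes the cookie we computed for it.
            if hmac.compare_digest(fields[1], self._cookie_hex(src)):
                return STATUS_RESPONSE          # verified: full answer
            return b""                          # wrong cookie: stay silent
        reply = b"\\cookie\\" + self._cookie_hex(src) + b"\\"
        assert len(reply) <= len(request)       # invariant: no amplification before verification
        return reply


def client_query(cookie_hex: Optional[bytes] = None) -> bytes:
    """Build a status query padded to MIN_QUERY_LEN, optionally echoing a cookie."""
    q = STATUS_QUERY
    if cookie_hex is not None:
        q += b"cookie\\" + cookie_hex + b"\\"
    return q.ljust(MIN_QUERY_LEN, b"\x00")


def demo() -> dict:
    """Compare both servers when the source address is forged to point at a victim."""
    victim: Addr = ("203.0.113.9", 27960)         # RFC 5737 documentation address
    server = CookieServer(secret=b"constructed-demo-secret")
    tiny = STATUS_QUERY                            # 8-byte query the weak server accepts
    challenge = server.handle(client_query(), victim)
    cookie_hex = challenge.split(b"\\")[2]         # only the real owner of `victim` sees this
    return {
        "unverified_factor": amplification_factor(tiny, handle_unverified(tiny, victim)),
        "hardened_first_contact_factor": amplification_factor(client_query(), challenge),
        "verified_gets_full_response": server.handle(client_query(cookie_hex), victim) == STATUS_RESPONSE,
        "forged_cookie_gets_nothing": server.handle(client_query(b"00" * COOKIE_LEN), victim) == b"",
        "short_query_gets_nothing": server.handle(tiny, victim) == b"",
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    Running `demo()` shows the weak server returning well over a hundred bytes for
    every byte received, while the cookie server's first-contact reply is smaller
    than the query (25 bytes against a 64-byte minimum). The same invariant is
    what a defender can check for in any UDP service: no reply to an unverified
    source may exceed the size of the request that provoked it.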

    - --Swiss Town had On Line Voting Option
    (20 January 2003)
    Residents of Anieres, Switzerland, a suburb of Geneva, were given
    the opportunity to vote online from their home computers in a recent
    election. Those who chose to vote online were required to enter a
    series of security codes, birthdate and place of birth before casting
    their votes. The head of the Geneva administration called the system
    "even more secure than postal voting."
    http://www.cnn.com/2003/TECH/internet/01/20/switzerland.internet.ap/index.html

    - --Hewlett-Packard Wireless Keyboards are Not Secure
    (20 January 2003)
    After another instance of its wireless keyboards transmitting data
    to computers on other, nearby residences, Hewlett-Packard will no
    longer guarantee the security of those devices. A spokesman for the
    company said if users are looking for good security, they should use
    keyboards with cords.
    http://www.aftenposten.no/english/local/article.jhtml?articleID=474623
    [Editor's Note (Grefer): As I have said before, wireless keyboards
    are NOT secure; a lot has to be done to change that. BTW, the same
    applies for wireless mice, even though their impact might not always
    be as disastrous.]

    - --Los Alamos Lab Hard Drive May be Missing
    (17 January 2003)
    It is possible that a hard drive associated with a computer used
    for security purposes at the Los Alamos National Laboratory is
    missing. While conducting an equipment inventory, a worker placed
    a bar code on a metal carrier that may or may not have held a hard
    drive at the time; the worker did not check. The carrier is now empty.
    http://www.fcw.com/fcw/articles/2003/0113/web-alamos-01-17-03.asp

    ===end===

    NewsBites Editorial Board:
    Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
    Alan Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer

    Please feel free to share this with interested parties via email,
    but no posting is allowed on web sites. For a free subscription,
    (and for free posters) visit http://www.sans.org/sansnews/

    To update your address, visit http://www.sans.org/sansurl and enter
    your SD number or email address (from the header of this email). You
    will receive your personal URL via email.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQE+N+uJ+LUG5KFpTkYRApTxAJ9xHUAljeqZHKNL8l9VaHg2vkwX3gCfcZUV
    lmtWhjO1b0hEJaQO8rjiwwU=
    =XtI4
    -----END PGP SIGNATURE-----