From: The SANS Institute (sans_at_sans.org)
Date: Wed Feb 26 2003 - 08:47:04 CST



    ***********************************************************************
    SANS NewsBites February 26, 2003 Vol. 5, Num. 8
    ***********************************************************************

    THIS WEEK'S NEWS
      Lovgate.C Worm Affects Outlook and Outlook Express
      CERT/CC Warns of Multiple SIP Vulnerabilities
      HIPAA Security Standards Rule Published
      Source of Credit Card Security Breach Disclosed
      Banks Cancel Cards After Security Breach
      Oracle Releases Patches for Six Vulnerabilities

    THE REST OF THE WEEK'S NEWS
      Mafiaboy Brought Need for Cybercrime Legislation to Canadian
         Government's Attention
      Jury Acquits Man of Unlawful Wireless Intrusion
      Student Arrested for School District Computer System Intrusion
      Researchers Discover ATM PIN Vulnerability
      SSL Vulnerability Not a High Risk
      Paper Argues Cyber Crime Sentences Too Harsh
      Directed-Energy Weapons Could Target Digital Communications
      Former Administrator Arrested for Hacking Company Network
      Hacker Tricked into Revealing Identity
      Universities Interested in Digital Fingerprint Monitoring to Reduce
         Bandwidth Consumption
      Triple Extension Vulnerability in Outlook Express
      Symantec Clarifies Slammer Detection Claim
      Patches Available for Lotus Domino Server 6.0 Vulnerabilities
      Interstate ISAC
      Slammer Spread Rapidly via UDP
      Few Firms Comply with UK Security Standard

    TUTORIAL
      Secure MySQL Installation

    SECURITY TRAINING UPDATE
    Looking for CISSP training? SANS Track 1 covers both CISSP and GIAC
    Security Essentials and earns much higher ratings for practical value
    and teacher quality than plain CISSP courses. Although it has sold
    out in San Diego, it is available in multiple other cities around the
    world and may be run at your site. SANS' ten other training tracks --
    Auditing, Intrusion Detection, Firewalls, Hacker Exploits, Windows
    Security and more -- are also available at our conferences and at your
    site. See: http://www.sans.org.

    ************* This Issue Sponsored by Tripwire, Inc. *************

    ASSURE INTEGRITY WITH TRIPWIRE. GET A FREE POSTER.

    Tripwire integrity assurance solutions pinpoint changes to your servers
    and network devices, accelerating discovery and increasing uptime,
    making you the hero of your IT organization. Click here to get a FREE
    copy of our Security Exploit and Vulnerability Matrix Poster.

    http://www.tripwire.com/literature/poster/index.cfm?djinn=942

    ***********************************************************************

    TOP OF THE NEWS

     -- Lovgate.C Worm Affects Outlook and Outlook Express
    (24 February 2003)
    The Lovgate.C worm spreads by replying to messages in infected computers'
    in-boxes. Machines become infected either by users clicking on
    an attachment or through shared files and folders. Lovgate.C also
    installs a Trojan that allows files on the infected computer to be
    accessed and modified remotely. The worm affects the Outlook and Outlook
    Express e-mail programs.
    http://www.computerworld.com/securitytopics/security/virus/story/0,10801,78765,00.html
    http://www.gcn.com/vol1_no1/daily-updates/21248-1.html
    http://news.com.com/2100-1001-985742.html

     -- CERT/CC Warns of Multiple SIP Vulnerabilities
    (21 February 2003)
    The Computer Emergency Response Team Coordination Center (CERT/CC)
    has released an advisory warning of multiple vulnerabilities in
    Session Initiation Protocol (SIP) implementations from a variety
    of vendors. The vulnerabilities could be exploited to launch
    denial-of-service attacks, gain unauthorized access to systems or cause
    system instability. Vendors are offering patches for the problems.
    http://www.cert.org/advisories/CA-2003-06.html
    [Editor's Note (Northcutt): This is a well-written CERT advisory,
    and it is still early; the exploits and worms might be along in a
    few weeks. You will recall the PROTOS test suite from OSLO and the
    hullabaloo over SNMP in Feb. 2002. This is the same kind of thing. A
    PROTOS test suite has been run against a number of SIP implementations,
    and the results indicate it is possible to build buffer overflows
    and such. If you start seeing lots of inexplicable traffic to UDP/TCP
    5060 or TCP 5061, it would be a very good idea to report it to CERT,
    your CIRT or iscsans.org]
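    One way to operationalize the watch for SIP-port traffic that Northcutt's note recommends, added here as an example and not code from the newsletter or CERT/CC: it tallies connection attempts to UDP/TCP 5060 and TCP 5061 per source from constructed firewall log lines, skipping an assumed allowlist of known SIP peers so legitimate trunks do not raise alerts. The log line format, the threshold and the peer list are assumptions for the demonstration.

```python
"""Spot sources generating unexplained traffic to the SIP ports named in
the CERT/CC item (UDP/TCP 5060, TCP 5061) in firewall logs.

Added example, not from the newsletter or CERT/CC.  The log format, the
alert threshold and the known-peer list are assumptions for the demo."""
import re
from collections import Counter

SIP_PORTS = {("udp", 5060), ("tcp", 5060), ("tcp", 5061)}

# Assumed line format: "<ts> <host> <ACTION> proto=<p> src=<ip> dst=<ip> dport=<n>"
LINE_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def sip_hits_by_source(log_lines, known_peers=frozenset()):
    """Count attempts to reach SIP ports per source address, ignoring
    sources on the known-peer allowlist (e.g. the SIP trunk provider)."""
    counts = Counter()
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated or unparseable line
        key = (m["proto"].lower(), int(m["dport"]))
        if key in SIP_PORTS and m["src"] not in known_peers:
            counts[m["src"]] += 1
    return counts


def suspicious_sources(log_lines, known_peers=frozenset(), threshold=3):
    """Return (source, hit_count) pairs at or above the threshold,
    most active first; these are the ones worth reporting to your CIRT."""
    counts = sip_hits_by_source(log_lines, known_peers)
    return [(src, n) for src, n in counts.most_common() if n >= threshold]


# Constructed sample log lines using RFC 5737 documentation address ranges.
SAMPLE_LOG = [
    "Feb 26 08:01:02 fw1 ACCEPT proto=UDP src=192.0.2.10 dst=198.51.100.20 dport=5060",
    "Feb 26 08:01:05 fw1 DROP proto=UDP src=203.0.113.7 dst=198.51.100.20 dport=5060",
    "Feb 26 08:01:06 fw1 DROP proto=UDP src=203.0.113.7 dst=198.51.100.21 dport=5060",
    "Feb 26 08:01:07 fw1 DROP proto=TCP src=203.0.113.7 dst=198.51.100.22 dport=5061",
    "Feb 26 08:01:08 fw1 DROP proto=TCP src=203.0.113.7 dst=198.51.100.23 dport=5060",
    "Feb 26 08:01:09 fw1 ACCEPT proto=TCP src=203.0.113.9 dst=198.51.100.20 dport=80",
    "Feb 26 08:01:10 fw1 DROP proto=UDP src=203.0.113.9 dst=198.51.100.20 dport=5060",
]
KNOWN_SIP_PEERS = frozenset({"192.0.2.10"})  # assumed trunk provider address

if __name__ == "__main__":
    for src, n in suspicious_sources(SAMPLE_LOG, KNOWN_SIP_PEERS):
        print(f"{src}: {n} attempts on SIP ports")
```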

     -- HIPAA Security Standards Rule Published
    (20/21 February 2003)
    The Department of Health and Human Services (HHS) has published the
    final version of health care information security standards under the
    Health Insurance Portability and Accountability Act (HIPAA). While
    affected entities must comply with HIPAA privacy standards by April
    14, 2003, they have until April 21, 2005 to comply with the security
    rule. The standards include conducting a risk analysis, developing
    policies and procedures and contingency plans in the event of an
    attack, and ensuring that everyone is aware of the policies. The
    standards do not dictate specific technology, but instead allow
    health care organizations to tailor their policies and procedures to
    their specific needs. There is some concern that the rules will
    invite litigation.
    http://www.nwfusion.com/news/2003/0220goverpubli.html
    http://www.fcw.com/fcw/articles/2003/0217/web-hippaa-02-21-03.asp
    http://www.computerworld.com/governmenttopics/government/policy/story/0,10801,78684,00.html
    [Editor's Note (Northcutt): The best HIPAA summary we have seen is
    the one by Steve Weil: http://www.sans.org/projects/hipaa.php]

     -- Source of Credit Card Security Breach Disclosed
    (18/19 February 2003)
    The locus of the massive credit card security breach has been traced
    to a computer system at Omaha-based Data Processors International,
    a company that handles credit card transactions for catalogs and
    direct marketers. It appears the security breach was launched from
    the outside; information is being analyzed to see if there is a
    trail that will lead to the hacker. Data Processors International
    also handles American Express accounts. There have been no reported
    cases of credit card fraud so far, and it isn't clear if the hacker
    actually stole any information.
    http://www.msnbc.com/news/874307.asp?0dm=C236T
    http://www.msnbc.com/news/874907.asp?0si=-&cp1=1

     -- Banks Cancel Cards After Security Breach
    (20/21 February 2003)
    Pittsburgh's PNC bank has canceled 16,000 Visa cards after being
    informed that their cards were among those exposed in the recent
    security breach; they are in the process of issuing new cards to
    their customers. MasterCards issued by Rhode Island-based Citizens'
    Financial Group were also affected by the breach.
    http://www.post-gazette.com/businessnews/20030220pnc0220p4.asp
    http://www.usatoday.com/tech/news/2003-02-21-hack-attack_x.htm

     -- Oracle Releases Patches for Six Vulnerabilities
    (17/18 February 2003)
    Oracle has released patches for six security flaws: four in its
    database software and two in its Application Server. The most serious
    is a buffer overflow vulnerability in the Oracle.exe binary of Oracle
    database 9i Release 2, 9i Release 1, 8i Version 8.1.7 and 8 Version
    8.0.6; this flaw could be exploited to take control of the system
    running the software.
    http://www.computerworld.com/securitytopics/security/story/0,10801,78607,00.html
    http://news.com.com/2100-1001-985012.html
    http://www.theregister.co.uk/content/55/29360.html
    http://www.cert.org/advisories/CA-2003-05.html
    [Editor's Note (Paller): The weekly Critical Vulnerability Analysis
    provided in-depth analyses of these vulnerabilities and what major
    organizations did to protect themselves. If you do not get the CVA,
    you may subscribe at http://www.sans.org/newsletters/cva/. The CVA
    is nearly equal in value and effectiveness to the commercial services
    costing $5,000 per year. But the CVA is free.]

    ************************ SPONSORED LINKS ******************************
    Privacy notice: These links redirect to non-SANS web pages.

    (1) Stop spam! - Top 10 enterprise techniques to control spam
         ***white paper***
    http://www.sans.org/cgi-bin/sanspromo/NB137

    (2) STOP INTRUSIONS with preventive countermeasures. Automatically
          block intruders. FREE WP explains how.
    http://www.sans.org/cgi-bin/sanspromo/NB138

    (3) Weighed Down by Security Data? View our new White Paper at
    http://www.sans.org/cgi-bin/sanspromo/NB139

    ***********************************************************************

    THE REST OF THE WEEK'S NEWS

     -- Mafiaboy Brought Need for Cybercrime Legislation to Canadian
         Government's Attention
    (23 February 2003)
    The case of Mafiaboy, the Canadian teenager who launched distributed
    denial-of-service (DDoS) attacks on high profile web sites in February
    2000, helped alert the Canadian government to the need for legislation
    regarding cybercrime. A law has been established that lets police get
    warrants requiring ISPs to provide them with information; pending
    legislation would require ISPs and businesses to save information
    like e-mail and contents of hard drives in case the police need it.
    http://www.canada.com/montreal/news/story.asp?id=3C1DAA77-791C-4754-858F-CF672F47FCE9

     -- Jury Acquits Man of Unlawful Wireless Intrusion
    (21 February 2003)
    A jury took fifteen minutes to acquit a man who was accused of gaining
    unlawful access to the Harris County (TX) district clerk's computer
    system. Stephan Puffer had maintained that he was demonstrating a
    vulnerability in the wireless network to county officials; when he
    did, he was indicted on fraud charges. The jury found that Mr. Puffer
    never intended to cause any damage to the system, and the district
    county clerk admitted he had been embarrassed by the demonstration.
    http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=JanX.db&command=viewone&id=25&op=t
    http://www.theregister.co.uk/content/55/29434.html
    [Editor's Note (Ranum): Is this sending the right message? Are the
    courts giving law-breakers an "out" if they get caught?]

     -- Student Arrested for School District Computer System Intrusion
    (18 February 2003)
    A Turlock, California high school student has been arrested for
    breaking into the school district's computer system and copying files,
    usernames and passwords. The student apparently wanted to demonstrate
    the system's vulnerability; he had told his computer teacher about the
    flaw, but the system administrator said it couldn't be exploited. The
    student faces expulsion and criminal charges.
    http://www.bayarea.com/mld/mercurynews/news/local/5209779.htm
    [Editor's Note (Paller): As sympathetic as this student's plight may
    seem, especially in light of the acquittal of the Texas man described
    in the previous NewsBites item, it makes no sense to allow people to
    demonstrate vulnerabilities by exploiting them. Court decisions of that
    sort would blur the line between legal and illegal activity and reverse
    a pattern of lengthening sentences for convicted hackers. Without
    substantial sentences there is little to deter criminals from
    hacking and claiming they were "just trying to demonstrate a
    vulnerability." The student could have had the desired impact if he
    had fully documented his attack strategy without exploiting it and
    provided the document to the school board and, if the school board
    refused to act, then the press.]

     -- Researchers Discover ATM PIN Vulnerability
    (21 February 2003)
    Researchers in Cambridge, England have published a paper describing a
    technique for discovering a PIN in 15 guesses. The attack against bank
    ATM hardware security modules (HSMs) depends on the decimalization
    tables used for encryption and would have to be conducted by an
    insider. The researchers say the best way to protect systems from
    the attack is to ensure the decimalization tables cannot be changed
    without permission. The researchers have been asked to testify as
    expert witnesses in a case involving the alleged theft of 50,000 pounds
    from a bank account via ATMs. The judge in the case has imposed a
    secrecy order; one of the researchers has observed that some of the
    information is already public knowledge.
    http://www.newscientist.com/news/news.jsp?id=ns99993424
    http://www.theregister.co.uk/content/55/29425.html
    http://www.eweek.com/article2/0,3959,899812,00.asp
    http://www.theage.com.au/articles/2003/02/21/1045638471679.html
    http://zdnet.com.com/2100-1105-985545.html

     -- SSL Vulnerability Not a High Risk
    (20/21 February 2003)
    Researchers in Switzerland say they have developed a technique that
    allows them to guess passwords sent through Secure Sockets Layer (SSL)
    encryption. The technique, which involves intercepting and altering
    e-mail to generate error messages, applies only to e-mail; banks and
    e-commerce web sites use a different sort of SSL technology. The
    vulnerability is present in OpenSSL versions prior to 0.9.6i and
    0.9.7a. Experts say the vulnerability is not serious.
    http://www.newscientist.com/news/news.jsp?id=ns99993420
    http://news.bbc.co.uk/2/hi/technology/2785145.stm
    http://www.theregister.co.uk/content/55/29423.html
    http://zdnet.com.com/2100-1105-985460.html

     -- Paper Argues Cyber Crime Sentences Too Harsh
    (20 February 2003)
    A recently published position paper maintains that people convicted
    of cyber crimes are given harsher sentences than those given to
    people who commit similar, non-cyber crimes. Jennifer Granick,
    director of Stanford University's Center for Internet and Society,
    says the sentences are handed down "based on the fear of the worst-case
    scenario" instead of looking at the cases for what they are.
    http://news.com.com/2100-1001-985407.html
    [Editor's Note (Ranum): Ms. Granick also represents clients accused
    of cyber crimes. She may not have an entirely unbiased perspective.]

     -- Directed-Energy Weapons Could Target Digital Communications
    (20 February 2003)
    In the event of war with Iraq, the United States may for the first time
    use directed energy weapons, which are designed to disrupt and destroy
    digital communications systems. While terrorists probably do not have
    the capability to create such weapons now, they may become a part of
    warfare in the future, and US systems are not hardened against this
    kind of attack. The weapons are similar to the electromagnetic pulse
    (EMP) generated by nuclear weapon detonation, but with a closer range
    and more specifically targeted.
    http://www.nytimes.com/2003/02/20/technology/circuits/20warr.html
    (please note that this site requires free registration)
    The Directed Energy Directorate of the Air Force Research Labs site:
    http://www.de.afrl.af.mil/
    [Editor's Note (Shpantzer): Here is an example of how directed
    energy can be used as a less-lethal technology for crowd dispersal:
    http://www.afrlhorizons.com/Briefs/Sept01/DE0101.html]

     -- Former Administrator Arrested for Hacking Company Network
    (20 February 2003)
    A man who used to work as a network administrator for a Los Angeles
    Airport limousine company has been arrested on charges of hacking
    into the company's computer system and causing damage that cost the
    company thousands of dollars in lost revenue. The man allegedly changed
    passwords, deleted the customer database and erased applications.
    http://www.securityfocus.com/news/2567

     -- Hacker Tricked into Revealing Identity
    (20 February 2003)
    A hacker tricked a Nottingham, UK teen-aged girl into downloading
    keystroke-logging software, which he then used to steal her father's
    credit card information. The girl helped police find the hacker when
    she contacted him through a chat room a year later and asked him
    to take a quiz to see if they were compatible. The suspect provided
    ample information for police to track him down in Scotland. Police
    seized his computer equipment and found evidence that he had stolen
    credit card information from other people. He was recently sentenced
    to 100 hours of community service.
    http://www.theregister.co.uk/content/55/29403.html

     -- Universities Interested in Digital Fingerprint Monitoring to
         Reduce Bandwidth Consumption
    (20 February 2002)
    The University of Wyoming is piloting technology on its computer
    network that examines every bit of file sharing traffic; the digital
    fingerprinting technology will eventually block transmissions of
    files that are determined to be pirated. Universities are interested
    in the technology because they are concerned about over-consumption
    of bandwidth.
    http://news.com.com/2100-1023-985027.html

     -- Triple Extension Vulnerability in Outlook Express
    (20 February 2003)
    A vulnerability in Outlook Express has been exploited by attackers
    to send Trojans. By specially crafting triple-extension attachments,
    attackers can send executable files that evade detection. The first
    extension, which is visible to the recipient of the message, looks
    like something familiar and safe, for instance .jpg. The second
    extension is the executable that can contain the malicious code,
    and the third is another safe extension, which generates a safe icon.
    http://techupdate.zdnet.co.uk/story/0,,t507-s2130783,00.html
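    A gateway-side check for the attachment pattern described above, added here as an example and not code from the newsletter or from Microsoft: it walks the whole extension chain of each attachment name, so an executable extension tucked between a visible "safe" first extension and an icon-setting last extension is still flagged. The sets of executable extensions and the sample filenames are constructed for the demonstration.

```python
"""Flag attachment names that bury an executable extension between decoy
extensions, the pattern described in the Outlook Express item above.

Added example, not code from the newsletter or from Microsoft.  The set
of executable extensions and the sample names are assumptions/constructed."""
from __future__ import annotations

# Extensions Windows treats as runnable (assumed set; extend as needed).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}


def extension_chain(filename: str) -> list[str]:
    """Return every dot-separated extension, lower-cased, in order:
    'holiday.jpg.exe.jpg' -> ['jpg', 'exe', 'jpg']."""
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return [part.strip().lower() for part in basename.split(".")[1:]]


def classify_attachment(filename: str) -> str:
    """Return 'clean', 'executable' or 'disguised_executable'.

    The check inspects the whole chain, not just the first extension the
    user sees or the last one the client uses to pick an icon, so an
    executable wrapped in "safe" extensions is still caught."""
    chain = extension_chain(filename)
    if not any(ext in EXECUTABLE_EXTS for ext in chain):
        return "clean"
    if len(chain) == 1:
        return "executable"          # plainly named, no disguise
    return "disguised_executable"    # decoy extension(s) around the executable


def scan_attachments(filenames: list[str]) -> dict[str, str]:
    """Classify each attachment name; a mail gateway would quarantine the
    'disguised_executable' ones and apply its normal policy to the rest."""
    return {name: classify_attachment(name) for name in filenames}


# Constructed sample attachment names (not real malware filenames).
SAMPLE_ATTACHMENTS = [
    "holiday.jpg",
    "setup.exe",
    "holiday.jpg.exe.jpg",
    "readme.txt.scr.txt",
    "report.PDF.EXE",
]

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name:24s} {verdict}")
```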

     -- Symantec Clarifies Slammer Detection Claim
    (20 February 2003)
    Symantec's Vincent Weafer clarified the company's statement last week
    that claimed it had detected the Slammer worm hours before it became
    public knowledge. Actually, Symantec's DeepSight Threat Management
    System sends automated alerts to customers when firewall sensors
    picked up increased attempts to access port 1434. At that time the
    company was aware of a "network anomaly," but not until a few hours
    later, about the time the first Slammer postings appeared on Bugtraq,
    did the information coalesce to indicate an actual attack.
    http://www.theregister.co.uk/content/56/29406.html

     -- Patches Available for Lotus Domino Server 6.0 Vulnerabilities
    (19 February 2003)
    IBM has released patches for a trio of vulnerabilities in Lotus Domino
    Server 6.0. The flaws could allow attackers to run malicious code on
    vulnerable machines. The fixes are available at the Lotus site below.
    http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78642,00.html
    http://www-10.lotus.com/ldd/r5fixlist.nsf/Progress/601?OpenDocument

     -- Interstate ISAC
    (19 February 2003)
    Thirteen states, including New York and Florida, are moving toward
    creating an interstate information sharing and analysis center
    (ISAC). During a recent "dry run," states reported suspicious Internet
    activity to a central location.
    http://www.gcn.com/vol1_no1/security/21169-1.html

     -- Slammer Spread Rapidly via UDP
    (18 February 2003)
    The Slammer worm spread across the Internet in a matter of hours, and
    the majority of infections occurred within the first 15 minutes. The
    rapid spread can be attributed in part to the fact that Slammer spread
    via UDP rather than TCP; UDP, an older and less secure protocol, does
    not require the "three-way handshake" authentication that TCP requires.
    http://www.newsfactor.com/perl/story/20776.html

     -- Few Firms Comply with UK Security Standard
    (17 February 2003)
    Although the UK has established BS7799, a standard that offers a
    framework for establishing a security policy, only 80 companies
    have received certification. The government may consider making the
    standard mandatory.
    http://www.vnunet.com/News/1138801

    TUTORIAL
     -- Secure MySQL Installation
    (18 February 2003)
    Advice for securely installing the MySQL database includes both basic
    database security and information specific to MySQL.
    http://www.securityfocus.com/infocus/1667

    ===end===

    NewsBites Editorial Board:
    Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
    Alan Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer

    Please feel free to share this with interested parties via email,
    but no posting is allowed on web sites. For a free subscription,
    (and for free posters) visit http://www.sans.org/sansnews/

    To update your address, visit http://www.sans.org/sansurl and enter
    your SD number (from the header of this email.) You will receive your
    personal URL via email.
