SANS NewsBites Vol. 5 Num. 10

From: The SANS Institute (NewsBitessans.org)
Date: Wed Mar 12 2003 - 08:19:53 CST



***********************************************************************
SANS NewsBites March 12, 2003 Vol. 5, Num. 10
***********************************************************************

TOP OF THE NEWS
  Sendmail Exploit Code Posted
  University of Texas Cyber Security Breach Exposed Information About
     55,000 People
  Bank Account Access Problem Exposes Princeton University's Accounts
  House Homeland Security Committee Creates Cybersecurity Subcommittee
  DHS Reorganization Eliminates Critical Infrastructure Protection
     Board

THE REST OF THE WEEK'S NEWS
  Microsoft and Red Hat Earn Security Awards
  W32/Deloder-A Worm
  PeopleSoft Remote Command Execution Vulnerability
  The Darkest Side Of Identity Theft: Criminal Records
  Students Who Altered Grades are Suspended
  Men Arrested for Using Keystroke Logger in Bank Theft Scheme
  European Internet Registry Back on Track After DoS Attack
  Security Doesn't Come in a Box
  CIOs Unclear About ISACs' Role
  Former CIAO Chief Supports DHS Consolidation of Infrastructure
     Protection Efforts
  GAO Report: Cyber Criminals Will Target Financial Services
  CyberCorps Graduates Seeking Placements in Government Jobs
  Windows Root Kit Uncovered
  Google Searches Can Lead Hackers to Vulnerable Databases
  Disaster Recovery Investment Lagging, Says Study
  Macromedia Flash Player Vulnerability
  New Version of Snort Addresses Buffer Overflow Flaw in Earlier
     Versions
  GSA and Defense Manpower Data Center Join Liberty Alliance
  BIND Upgrade Recommendations Cause Confusion
  Talking About Security in Business Terms
  BGP Router Protocol Dangerously Weak

SECURITY TRAINING UPDATE
If employees have responsibility for security -- whether as system
administrators or as security officers, analysts, or consultants --
their employer deserves to know that they have mastered the minimum
set of essential skills needed to do the job. Those are the skills
covered in the GIAC Security Essentials course (SANS Track 1) and
examinations. (Track 1 Boot Camp also includes the CISSP CBK.) If
Track 1 is too advanced, SANS Security+ (SANS Track 9) program is a
great starting point. Attend live training in ten cities, mentored
training in thirty more cities, or ask to schedule a course at your
location. Details at http://www.sans.org

******** This Issue Sponsored by VeriSign - The Value of Trust ********
Secure all your Web servers now - with a proven 5-part strategy.
The FREE Server Security Guide shows you how:
- DEPLOY THE LATEST ENCRYPTION and authentication techniques
- DELIVER TRANSPARENT PROTECTION with the strongest security without
disrupting users. And more.

Get your FREE Guide now:
http://www.verisign.com/cgi-bin/go.cgi?a=n06120113340057000
***********************************************************************

TOP OF THE NEWS

 --Sendmail Exploit Code Posted
(4/5 March 2003)
Exploit code for the recently disclosed sendmail vulnerability has
already been posted on the Internet. There is no indication that the
code has been used to compromise machines.
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,79021,00.html
http://www.theregister.co.uk/content/55/29596.html
http://zdnet.com.com/2100-1105-991041.html
More coverage of the vulnerability and public/private response:
http://www.informationweek.com/story/IWK20030309S0005

 --University of Texas Cyber Security Breach Exposed Information About
       55,000 People
(6/7 March 2003)
An administrative data reporting program on the University of Texas
(UT) at Austin's computer system was compromised, leading to the
exposure of social security numbers, e-mail addresses and other
personal information belonging to approximately 55,000 UT faculty,
staff and current and former students. UT at Austin is working with
the US Attorney's office and the Secret Service to track down the
source of the breach; the school is also trying to inform all those
affected by the breach. University officials admit they did not
have adequate security measures in place. They have also sent out
an internal memo urging vigilance about computer systems because the
publicity surrounding the breach could lead to more intrusion attempts.
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,79102,00.html
http://www.austin360.com/aas/metro/030603/0306uthack.html
http://www.chron.com/cs/CDA/story.hts/metropolitan/1808297
[Editor's Note (Schultz): This is further evidence for just how badly
privacy protection legislation is needed in the U.S.]

 --Bank Account Access Problem Exposes Princeton University's Accounts
(6 March 2003)
The financial manager for a Princeton University student publication
found that when he tried to access the magazine's bank account
online, he obtained access to all of the university's accounts -
about $9.9 million. The log-on number for the magazine and the
university are the same because it is Princeton's federal taxpayer
identification number. University officials are displeased, and the
bank says university accounts will no longer be accessible through
their web product.
http://www.cnn.com/2003/TECH/internet/03/06/offbeat.banking.error.ap/index.html

 --House Homeland Security Committee Creates Cybersecurity Subcommittee
(4/5 March 2003)
The US House Homeland Security Committee has voted to create five
subcommittees, including one that will focus on cybersecurity. The
subcommittee will oversee "protection of government and private
networks and computer systems from domestic and foreign attack
(and) prevention of injury to civilian populations and physical
infrastructure caused by cyberattack."
http://news.com.com/2100-1028-991049.html
http://www.computerworld.com/governmenttopics/government/policy/story/0,10801,79063,00.html
http://www.gcn.com/vol1_no1/daily-updates/21333-1.html
[Editors' Note (Multiple): These are lofty goals. Perhaps too lofty. We
hope they succeed.]

 --DHS Reorganization Eliminates Critical Infrastructure Protection
       Board
(3/4/6 March 2003)
An executive order that addresses reorganization attendant to the
formation of the Department of Homeland Security (DHS) eliminates
the President's Critical Infrastructure Protection Board. Officials
from every government agency worked together on the board to address
security issues facing the nation's critical infrastructure; the
board also was an impetus for the recently released National Strategy
to Secure Cyberspace. Administration officials are considering
establishing a special critical infrastructure committee on the
President's Homeland Security Advisory Council. Officials at high
tech companies are concerned about the void left by the Board's
dissolution and are lobbying the administration to make sure there
is someone who is in charge of cyber security.
http://www.fcw.com/fcw/articles/2003/0303/web-order-03-04-03.asp
http://www.fcw.com/fcw/articles/2003/0303/web-cip-03-06-03.asp
http://www.govexec.com/dailyfed/0303/030303td1.htm

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.

(1) Earn a Norwich University Master's Degree in Information Security
       in 24 months.
http://www.sans.org/cgi-bin/sanspromo/NB143

(2) FOIL NETWORK ATTACKS BEFORE THEY'RE LAUNCHED! Automatically prevent
       intrusions. FREE White Paper.
http://www.sans.org/cgi-bin/sanspromo/NB144

(3) Read: Fighting the New Face of Spam, a white paper by SurfControl
http://www.sans.org/cgi-bin/sanspromo/NB145
***********************************************************************

THE REST OF THE WEEK'S NEWS

 --Microsoft and Red Hat Earn Security Awards
Microsoft earned recognition in three categories of SANS 2003
Information Security Leadership Awards, including automated patching
and training programmers to write safer code. Red Hat also was
recognized for automated patch notification.
http://www.computerworld.com/securitytopics/security/story/0,10801,79164,00.html
[Editor's Note (Paller): WorldCom and Cisco also were named in
the Press Release posted at http://www.sans.org/press/isla.php.
There are fifteen categories of awards, and we hope to find winners
in the other categories in time for the actual award presentation
at the National Information Assurance Leadership (NIAL) conference
on July 22 in Washington, DC. If you know of firms that deserve
recognition as the leaders in any of these critical areas (posted
at http://www.sans.org/press/isla_cat.php) of security please email
sansrosans.org]

 --W32/Deloder-A Worm
(10 March 2003)
The W32/Deloder-A worm tries to connect to networked computers via TCP
Port 445. When it finds a vulnerable machine, it tries to log on to
the administrator account using easy to guess passwords, like "admin"
or "password." If the worm gains access to the administrator account,
it places a backdoor program on the machine. Deloder attacks machines
running Windows 95, 98, NT, 2000, ME and XP.
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,79220,00.html
http://zdnet.com.com/2100-1105-991712.html
http://www.theregister.co.uk/content/56/29680.html
http://www.msnbc.com/news/883415.asp?0dm=V217T
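Detection logic for the behaviour described above, added here as an example and not taken from the newsletter: it scans authentication records for a burst of failed administrator logons over TCP 445 from one source and marks the pair as compromised when a success follows the burst. The log line format, the sample lines and the thresholds are constructed assumptions.

```python
"""Flag Deloder-style administrator password guessing over TCP 445.
Added example; the log format below is a constructed assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format (assumption): one SMB logon attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one host guessing the administrator password
# until it succeeds, one ordinary user typo, one isolated failure.
SAMPLE_LOG = """\
2003-03-10 14:02:11 src=10.0.0.5 dst=10.0.0.20 port=445 user=administrator result=FAIL
2003-03-10 14:02:12 src=10.0.0.5 dst=10.0.0.20 port=445 user=administrator result=FAIL
2003-03-10 14:02:12 src=10.0.0.5 dst=10.0.0.20 port=445 user=administrator result=FAIL
2003-03-10 14:02:13 src=10.0.0.5 dst=10.0.0.20 port=445 user=administrator result=FAIL
2003-03-10 14:02:14 src=10.0.0.5 dst=10.0.0.20 port=445 user=administrator result=OK
2003-03-10 14:05:00 src=10.0.0.9 dst=10.0.0.20 port=445 user=jsmith result=FAIL
2003-03-10 14:05:30 src=10.0.0.9 dst=10.0.0.20 port=445 user=jsmith result=OK
2003-03-10 14:30:00 src=10.0.0.7 dst=10.0.0.21 port=445 user=administrator result=FAIL
"""


def parse(log_text):
    """Turn matching lines into dicts; lines that do not fit are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        d["port"] = int(d["port"])
        events.append(d)
    return events


def detect_admin_guessing(events, threshold=3, window=timedelta(minutes=5)):
    """One alert per (src, dst) with >= threshold failed administrator logons
    on port 445 inside a sliding window; 'compromised' becomes True when a
    successful logon follows the flagged burst (the worm got in)."""
    fails = defaultdict(list)
    alerts = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["port"] != 445 or e["user"].lower() != "administrator":
            continue
        key = (e["src"], e["dst"])
        if e["result"] == "FAIL":
            # keep only the failures still inside the window
            fails[key] = [t for t in fails[key] if e["ts"] - t <= window]
            fails[key].append(e["ts"])
            if len(fails[key]) >= threshold:
                alert = alerts.setdefault(key, {"src": e["src"], "dst": e["dst"],
                                                "failures": 0, "compromised": False})
                alert["failures"] = len(fails[key])
        elif key in alerts:
            alerts[key]["compromised"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_admin_guessing(parse(SAMPLE_LOG)):
        print(alert)
```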

 --PeopleSoft Remote Command Execution Vulnerability
(10 March 2003)
A remote command execution vulnerability in certain releases of
PeopleSoft Version 8 could allow attackers to place malicious
code on vulnerable web servers. The problem lies in a servlet
called ScheduleTransfer that allows files to be uploaded without
authentication. PeopleSoft has released patches for the problem.
http://news.com.com/2100-1009-991907.html
http://www.eweek.com/article2/0,3959,922755,00.asp

 --The Darkest Side Of Identity Theft: Criminal Records
(9 March 2003)
Losing your clean credit history is one thing; losing your freedom is
another. And victims of America's fastest-growing crime -- identity
theft -- are discovering they may get arrested and be saddled with
a criminal record.
http://www.msnbc.com/news/877978.asp?0si=-

 --Students Who Altered Grades are Suspended
(6/8 March 2003)
Six Mission San Jose (CA) High School students who used KeyLogger
software to gain access to a school computer and change some
of their grades have been suspended. The school district
has taken steps to improve security of its computer systems;
staff members received new passwords for access to the student
information database, and the firewall is being improved.
http://www.siliconvalley.com/mld/siliconvalley/business/special_packages/security/5335721.htm
http://www.bayarea.com/mld/mercurynews/news/local/5346271.htm

 --Men Arrested for Using Keystroke Logger in Bank Theft Scheme
(6 March 2003)
Two men have been arrested in Tokyo for allegedly using a keystroke
logger to obtain bank account passwords and steal $136,000. The pair
could face 10-year prison terms.
http://www.cnn.com/2003/TECH/internet/03/06/internet.theft.ap/index.html
[Editor's Note (Ranum): Unfortunately all the operating systems we
use have so many layers of virtual drivers between the user and the
keyboard that it would be impossible to prevent keylogging attacks.
(Schneier): I'm surprised we're not seeing more of this sort of
thing. Illustrates the dangers of using a public terminal for
commercial access.]

 --European Internet Registry Back on Track After DoS Attack
(6 March 2003)
The Réseaux IP Européens (RIPE) Internet registry says its services are
back to normal after weathering a February 27 distributed denial of
service (DDoS) attack that, at its peak, caused 90% packet loss. The
attack lasted two-and-a-half hours and rendered RIPE's DNS, Whois
and FTP services unavailable for the duration.
http://www.theregister.co.uk/content/6/29623.html
[Editor's Note (Grefer): A few weeks ago we saw the attack against
the Root Name Servers; now they are attacking RIPE. Is someone spot
testing cyber warfare against "developed" nations?]

 --Security Doesn't Come in a Box
(6 March 2003)
The author of this opinion piece, an IT security consultant, points
out that some companies buy the newest and hottest security products
and have them installed without establishing security policies
and procedures. He also outlines what it takes to establish an IT
security program.
http://www.computerworld.com/securitytopics/security/story/0,10801,79083,00.html?nas=SEC-79083
[Editor's Note (Ranum): This is something many, many security experts
have been pointing out for years. It's such an important, obvious,
point that eludes so many customers that it's worth pointing it
out again!]

 --CIOs Unclear About ISACs' Role
(6 March 2003)
After a role-playing exercise in which security experts responded
to a fictional disaster involving both physical and cyber attacks,
Computerworld polled private sector CIOs and IT managers who observed
the scenario. The results revealed that many of them were unclear
about the roles of various entities in addressing attacks. 55% assigned
blame for the disaster to the Information Sharing and Analysis Centers
(ISACs), whose role is information sharing, not regulation.
http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,79104,00.html

 --Former CIAO Chief Supports DHS Consolidation of Infrastructure
      Protection Efforts
(5 March 2003)
At a government technology conference, Former Critical Infrastructure
Assurance Office chief John Tritak spoke in favor of the consolidation
of infrastructure protection efforts into the Department of Homeland
Security (DHS). He discounted the notion that the dissolution of the
Critical Infrastructure Protection Board indicated a lack of concern
about cybersecurity on the administration's part, and said that the
DHS would take up all of the board's functions. Tritak also said that
improving critical infrastructure security depends on disseminating
the information gathered by the DHS to the appropriate governmental
and private entities.
http://www.govexec.com/dailyfed/0303/030503td2.htm

 --GAO Report: Cyber Criminals Will Target Financial Services
(5 March 2003)
A report from the General Accounting Office (GAO) says that entities
performing financial transactions are more and more likely to be
attacked by cyber criminals. As the Internet is increasingly used
to handle these transactions, access to the systems also grows,
increasing the possibility for cyber attacks.
http://www.wired.com/news/business/0,1367,57911,00.html
[Editor's Note (Schneier): I made this point back in December
2002 in my "Crime: The Internet's Next Big Thing" essay:
<http://www.counterpane.com/crypto-gram-0212.html#7>
(Paller): The FBI reported that more than 100 entities involved in
online financial transactions had been subjected to extortion nearly
2 years ago. It is an epidemic.]

 --CyberCorps Graduates Seeking Placements in Government Jobs
(5 March 2003)
The Cyber Corps, the program that offers two year scholarships in
computer security-related fields in return for a two year stint working
for the government, is looking for placements for the 39 people who
will graduate this spring and summer. More than 100 students will be
available for summer internships in May.
http://www.gcn.com/vol1_no1/daily-updates/21334-1.html

 --Windows Root Kit Uncovered
(5 March 2003)
After a group of Windows 2000 servers at an Ontario university began
to crash, it was determined that the university's network had been
compromised and root kits had been installed. Root kits tie into the
operating system's Application Programming Interface (API) and are
usually not detectable with anti-virus software. Instances of Windows
root kits are rare, though some believe they have been around for a
while and are just now being uncovered.
http://www.securityfocus.com/news/2879

 --Google Searches Can Lead Hackers to Vulnerable Databases
(4 March 2003)
Searching for certain phrases in Google could allow hackers to access
unprotected web-based databases. A database containing information
about neurosurgical patients at Drexel University College of Medicine
was accessible; when university officials learned of the problem,
they shut down the database and are taking measures to ensure the
same thing does not happen again.
http://www.wired.com/news/infostructure/0,1377,57897,00.html
Eighteen months ago, News.com had a similar story
http://news.com.com/2100-1023-276155.html?legacy=cnet
[Editor's Note (Ranum): Bill Cheswick demonstrated this back in 1996,
by doing an altavista search for "phf.pl" URLs. This is a well-known
technique.]

 --Disaster Recovery Investment Lagging, Says Study
(4 March 2003)
According to a Dataquest Inc. study, companies are not investing
enough in disaster recovery; presently, as many as one third of
businesses could lose data in the event of a disaster. Only 52% of
the 205 companies surveyed had a plan in place, and 17% said they
do not plan to develop plans. Only 10% regularly assess the business
continuity of each new initiative they undertake.
http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,79014,00.html

 --Macromedia Flash Player Vulnerability
(4 March 2003)
A critical vulnerability in Version 6 of Macromedia Flash Player
could allow an attacker to run malicious code on vulnerable
computers. Macromedia Flash Player Version 6.0.79.0 is available on
the company's website; it also serves as a cumulative patch.
http://www.computerworld.com/securitytopics/security/story/0,10801,79003,00.html
http://www.macromedia.com/devnet/security/security_zone/mpsb03-03.html

 --New Version of Snort Addresses Buffer Overflow Flaw in Earlier Versions
(4 March 2003)
A buffer overflow vulnerability in the remote procedure call (RPC)
component of Snort intrusion detection software could be exploited
to crash the system or allow malicious code to run. The vulnerability
affects Snort versions 1.8 and earlier; version 1.9.1 is now available.
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,79015,00.html
http://zdnet.com.com/2100-1105-990964.html

 --GSA and Defense Manpower Data Center Join Liberty Alliance
(5 March 2003)
The General Services Administration (GSA) and the Defense
Department's Defense Manpower Data Center have joined the Liberty
Alliance, a consortium of government and private entities focused
on establishing electronic identity management standards. One of the
GSA's responsibilities is to develop and implement a government-wide
infrastructure for authentication services.
http://www.fcw.com/fcw/articles/2003/0303/web-liberty-03-05-03.asp
[Editors' Note (Multiple): It might be worthwhile to point out to
our readers (and the government entities involved) that the "Liberty
Alliance" was founded by Sun and Oracle to try to counter Microsoft
in this particular market segment.]

 --BIND Upgrade Recommendations Cause Confusion
(5 March 2003)
Though the Internet Software Consortium (ISC) initially dubbed
its recent release of BIND software a "maintenance release," the
organization later "strongly recommended" that users upgrade to version
9.2.2 because of the discovery of a buffer overflow vulnerability in
the earlier version.
http://zdnet.com.com/2100-1105-991094.html

 --Talking About Security in Business Terms
(5 March 2003)
As cyber security gains a higher profile in businesses, it behooves
security professionals to learn the language of business if they want
to get funding. This article offers advice on assessing business risk,
return on investment (ROI) and total cost of ownership to justify
security projects and purchases to management.
http://www.networkmagazine.com/article/NMG20030305S0012

 --BGP Router Protocol Dangerously Weak
(3 March 2003)
The router system used to direct internet traffic between the world's
major networks needs to be upgraded to prevent major accidental -
or deliberate - disruption, warned Stephen Dugan. BGP routes the
packets, so disrupting BGP means the packets do not get to the right
places. The IETF is working on a more secure version.
http://www.newscientist.com/news/news.jsp?id=ns99993454

===end===

NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier

Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) visit http://www.sans.org/sansnews/

To update your address, visit http://www.sans.org/sansurl and enter
your SD number (from the header of this email.) You will receive your
personal URL via email.
