SANS NewsBites Vol. 5 Num. 14
From: The SANS Institute (NewsBites sans.org)
Date: Wed Apr 09 2003 - 09:11:06 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Free Resources from the "Audit and Security Controls that Work"
Conference
Co-chairs Michele Guel from Cisco and Gene Kim from Tripwire did a
wonderful job on this conference, and the participants contributed more
than papers -- they also shared the most effective control tools they
had created (like a tool for documenting risks for Gramm-Leach-Bliley
compliance). If you missed the conference, take a look at the summary
of presentations and download the presentations and whitepapers that
look interesting http://www.sans.org/rr/audittech/
Alan
***********************************************************************
SANS NewsBites April 9, 2003 Vol. 5, Num. 14
***********************************************************************
TOP OF THE NEWS
Web Site That Was to Post Local Election Results Crashes After Virus
Attack
SETI@home Software Vulnerabilities
ISS Study Shows Security Incidents Increased Significantly in First
Quarter of 2003
Apache HTTP Server Vulnerability
Study Says Incident Recovery in 2002 Takes Longer and Costs More
than in 2001
THE REST OF THE WEEK'S NEWS
Nevada Hospital System Hack Traced to Russia
RIAA Files Piracy Suits Against Four Students
Texas Teen to be Arraigned on Charges of Alleged Yale Computer
Systems Hacks
Agencies Not Addressing Security Concerns, Says GAO Report
Unauthorized WLAN Connections Used to Send Spam
WebDAV Protocol Still Widely Enabled
Vulnerabilities in Two Digital Media Players
Navigating IT Security Decision Making
Johansen Appeal Hearing Date Set for December
Georgia Tech Server Security Breached
Al-Jazeera Web Site Bolsters Security
Danish Firm Critical of BugTraq Practices; Starts New Vulnerability
Mailing List
Klez is Still a Menace
System Log Analysis Can be Fruitful
California State University Implements Interim Security Measures
OMB Provides Federal Agencies with Compliance Oversight
SECURITY TRAINING UPDATE
Mark your calendar:
Four security training tracks in Portland, OR (May 5-10)
Six security training tracks in Monterey, CA (June 11-16)
Five security training tracks in London, UK (June 23-28)
Our largest summer conference: SANS Fire in Washington DC (July 14-19)
Plus smaller programs in Raleigh, Atlanta, Melbourne (AU), and San Francisco.
If you cannot travel, we have local mentor and evening programs in
thirty cities, or ask to schedule a course at your location. Details
at http://www.sans.org
************************* Sponsored by GuardedNet *********************
Weighed Down by Security Data?
With GuardedNet's neuSECURE(tm), you can transform mountains of raw
security data into what you really need - knowledge to manage your
security environment. neuSECURE is a central monitoring system for
log aggregation, event correlation, threat analysis, response and
forensics of events from firewalls, IDS', hosts and routers.
Sign up to receive a free white paper on improving the relevancy of
your raw security data at http://www.guarded.net/logdataoverload.html
***********************************************************************
-- Web Site That Was to Post Local Election Results Crashes After
Virus Attack
(7 April 2003)
A web site designed to tally and publish the results of a local
election in Will County, Illinois was unable to perform as expected
because it was deluged with phony requests. The Will County Director
of Information Systems has informed the FBI.
http://www.theage.com.au/articles/2003/04/07/1049567599656.html
[Editor's Note (Schultz): Although this news item might superficially
appear to not be all that important, it is really quite significant.
There is considerable apprehension concerning computerized voting
systems, and incidents such as this one will only increase the level
of concern.]
-- SETI@home Software Vulnerabilities
(7 April 2003)
The SETI@home distributed computing project is encouraging users to
download the latest version of its software, which addresses buffer
overflow and information-leaking vulnerabilities in earlier versions.
The SETI project allows users to donate processing time to search
for extraterrestrials.
http://news.com.com/2100-1002-995801.html
http://www.theregister.co.uk/content/55/30124.html
-- ISS Study Shows Security Incidents Increased Significantly in
First Quarter of 2003
(3/4/7 April 2003)
A report from Internet Security Systems (ISS) says that the number of
security incidents reported in the first quarter of 2003 was almost
84% higher than the number reported in the last quarter of 2002.
The reason for the significant change is the increase in worms and
automated attack software like the Slammer worm, according to the
report. The data were collected from about 400 ISS clients around
the world. The rise in incidents could be attributed in part to the
fact that hackers are turning more often to databases as targets;
database administrators often don't want to install patches until
they've been tested in a production environment.
http://news.com.com/2100-1009-995380.html
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,80049,00.html
http://www.eweek.com/article2/0,3959,1007007,00.asp
-- Apache HTTP Server Vulnerability
(2/3 April 2003)
The Apache Software Foundation issued an advisory urging all users of
Apache 2.0 HTTP Server to upgrade to version 2.0.45, which addresses
a denial-of-service vulnerability in 2.0.44. All operating systems
are vulnerable to the flaw, and the upgrade still does not address
the vulnerability on OS/2. Details of the vulnerability will be
released on April 8.
http://www.internetnews.com/dev-news/article.php/2174351
http://news.com.com/2100-1009-995309.html
-- Study Says Incident Recovery in 2002 Takes Longer and Costs More
than in 2001
(31 March 2003)
A survey from ICSA Labs found that it took companies longer and
cost them more to recover from cyber disasters in 2002 than in 2001.
The companies surveyed had more than 500 PCs. Disasters, which were
defined as attacks on 25 or more PCs, cost companies an average of
£52,000 (approximately $80,000) in 2002, up from £45,000 (approximately
$70,000) in 2001. The average recovery time grew from 20 days in 2001
to 23 days in 2002. The survey also found that instead of suffering
from a major attack, companies are more likely to sustain a series
of smaller attacks.
http://www.vnunet.com/News/1139852
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) PREVENT INTRUSIONS FOR GOOD. Identify attackers. Block them with
countermeasures! FREE WP. http://www.sans.org/cgi-bin/sanspromo/NB155
(2) ALERT: How a Hacker Launches a SQL Injection Attack Step-by-Step- White
Paper http://www.sans.org/cgi-bin/sanspromo/NB156
(3) Instantly stop DDoS attacks and port scans. Hands-on, online demo--launch
and mitigate live attacks. http://www.sans.org/cgi-bin/sanspromo/NB157
***********************************************************************
-- Nevada Hospital System Hack Traced to Russia
(7 April 2003)
The security of a small Nevada hospital's computer system was breached
by a hacker who has been traced back to Russia. The hacker routed
the attack through the al-Jazeera web site to make it look as if
the attack came from the Middle East. The hacker may have accessed
employees' social security numbers and bank account information.
A Trojan horse program embedded in a game some employees had downloaded
allowed the attackers access. The hospital's payroll system has been
removed from the network and employees have been instructed never to
install software or sign on to streaming Internet services.
http://www.usatoday.com/tech/webguide/internetlife/2003-04-07-hospital-hack_x.htm
[Editor's Note (Schultz): Employees installing software or signing on
to streaming Internet services may have been a problem, but I wonder
whether the hospital's failing to set requirements for and failing
to enforce a baseline level of security may have had a lot to do with
what happened here.]
-- RIAA Files Piracy Suits Against Four Students
(4/5 April 2003)
The Recording Industry Association of America (RIAA) has filed suits
against four students at three universities across the country. The
suits allege that the students set up file sharing networks on their
university computer systems, and ask for permanent injunctions to
shut down those sites as well as a fine of $150,000 per copyright
infringement. The RIAA said the suits would not be dropped if the
students shut down the sites themselves. The music industry blames
Internet music piracy for declining revenues.
http://www.washingtonpost.com/wp-dyn/articles/A23933-2003Apr3.html
http://news.bbc.co.uk/1/hi/technology/2917779.stm
http://www.wired.com/news/digiwood/0,1412,58351,00.html
-- Texas Teen to be Arraigned on Charges of Alleged Yale Computer
Systems Hacks
(3/4 April 2003)
A Texas teenager will be arraigned on six counts of computer crimes
in connection with alleged intrusions into computer systems at Yale
University. Jason Jarrell allegedly broke into the university's
computer systems from his home, created user accounts and installed
software to gather passwords and gained root access to a number
of computers. Damages were estimated to be at least $150,000.
The Connecticut Computer Crimes Task Force was able to track Jarrell
down through his ISP because he allegedly had connected to the Internet
by dialing from his home phone.
http://www.newhavenregister.com/site/news.cfm?newsid=7603021&BRD=1281&PAG=461&dept_id=7573&rfi=6
http://www.yaledailynews.com/article.asp?AID=22379
-- Agencies Not Addressing Security Concerns, Says GAO Report
(2/3 April 2003)
According to a recently released General Accounting Office (GAO)
report, several government offices have failed to comply with all the
requirements of Presidential Decision Directive 63. Specifically,
the Environmental Protection Agency, the Department of Health and
Human Services, and the Energy and Commerce Departments have not
adequately assessed their computers and networks to determine which
require the most protection.
http://www.washingtonpost.com/wp-dyn/articles/A13552-2003Apr2.html
http://www.wired.com/news/politics/0,1283,58327,00.html
http://www.gao.gov/new.items/d03233.pdf
-- Unauthorized WLAN Connections Used to Send Spam
(2 April 2003)
Data gathered from a wireless LAN (WLAN) honeypot showed that nearly
75% of intentional unauthorized connections made were used to send
spam.
http://www.newsfactor.com/perl/story/21168.html
-- WebDAV Protocol Still Widely Enabled
(2 April 2003)
A Netcraft survey found that 75% of polled web servers running
Microsoft's Internet Information Server (IIS) 5.0 have WebDAV enabled,
making them potentially vulnerable to a buffer overflow attack as
announced in a Microsoft security alert in March.
http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=JanY.db&command=viewone&id=67&op=t
http://news.netcraft.com/archives/2003/03/18/three_quarters_of_microsoftiis_sites_have_webdav_enabled.html
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-007.asp
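The Netcraft figure above comes from looking at what servers advertise. An administrator can take the same inventory of their own IIS hosts: a server with WebDAV enabled answers an HTTP OPTIONS request with a `DAV:` header (and, on IIS, `MS-Author-Via: DAV`) and lists the DAV verbs such as PROPFIND and PROPPATCH in `Allow:`. The following is an added example, not code from the newsletter, Netcraft or Microsoft; the two response captures are constructed for illustration, and `options_over_http` is a hypothetical helper for running the same classification against a live host you administer.

```python
import http.client

# Verbs that only a WebDAV-enabled server lists in its Allow header.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
               "LOCK", "UNLOCK", "SEARCH"}

# Constructed OPTIONS responses (not real captures): an IIS 5.0 host with
# WebDAV on, and an Apache host that only speaks plain HTTP.
IIS_WEBDAV_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "MS-Author-Via: DAV\r\n"
    "DAV: 1, 2\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
    "MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
    "MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
APACHE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.0.45 (Unix)\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lower-cased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify_webdav(headers):
    """Decide from OPTIONS headers whether WebDAV is enabled and why."""
    allow = {m.strip().upper() for m in headers.get("allow", "").split(",")
             if m.strip()}
    dav_methods = sorted(allow & DAV_METHODS)
    reasons = []
    if headers.get("dav"):
        reasons.append("DAV header present (classes %s)" % headers["dav"])
    if headers.get("ms-author-via", "").upper() == "DAV":
        reasons.append("MS-Author-Via: DAV")
    if dav_methods:
        reasons.append("Allow lists " + ", ".join(dav_methods))
    return {
        "server": headers.get("server", ""),
        "webdav_enabled": bool(reasons),
        "reasons": reasons,
    }


def classify_raw_response(raw):
    """Convenience wrapper for a captured OPTIONS response."""
    _status, headers = parse_headers(raw)
    return classify_webdav(headers)


def options_over_http(host, path="/", port=80, timeout=5):
    """Hypothetical live check: send OPTIONS to a host you administer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()
    return classify_webdav(headers)


if __name__ == "__main__":
    for label, raw in (("iis", IIS_WEBDAV_RESPONSE), ("apache", APACHE_RESPONSE)):
        print(label, classify_raw_response(raw))
```

Run the classifier over an inventory of your own web servers and compare the result with the patch state for MS03-007; a host that reports `webdav_enabled` but has no business serving DAV can have the protocol disabled rather than merely patched.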
-- Vulnerabilities in Two Digital Media Players
(2/4 April 2003)
A heap corruption vulnerability in RealNetworks' RealPlayer could allow
the execution of malicious code; the vulnerability is caused by the
use of an older data-compression library in the RealPix component and
could be exploited by creating a corrupted Portable Network Graphics
(PNG) file. RealNetworks has released an updated version of the
data-compression library. An unrelated vulnerability was reported in
Apple Computer's QuickTime Player; a buffer overflow vulnerability
could be exploited by getting a user to click on a specially crafted
URL which would then inject and run code, potentially giving the
attacker control of the system. The vulnerability affects versions
5.x and 6.0; version 6.1, in which the vulnerability is addressed,
is available for download.
http://news.com.com/2100-1025-995085.html?tag=fd_top
http://www.idefense.com/advisory/03.31.03.txt
http://www.theregister.co.uk/content/55/30107.html
RealPlayer Advisory:
http://service.real.com/help/faq/security/securityupdate_march2003.html
-- Navigating IT Security Decision Making
(2 April 2003)
Advice for companies maneuvering through the process of implementing
IT security includes ignoring vendors' hype, becoming educated about
actual risks and building up security by layers, starting with the
fundamentals.
http://www.computerworld.com/securitytopics/security/story/0,10801,79965,00.html?nas=SEC-79965
-- Johansen Appeal Hearing Date Set for December
(2 April 2003)
Jon Johansen, the Norwegian teenager who in January was acquitted
of DVD piracy charges stemming from his involvement in creating and
distributing the DeCSS descrambling utility, will be in court again
in December for an appeal hearing. Johansen's attorney is confident
that his client will prevail against the appeal, which was brought
by Norway's special division for white-collar crimes, Økokrim.
http://www.theregister.co.uk/content/4/30062.html
-- Georgia Tech Server Security Breached
(28 March/1 April 2003)
The Georgia Institute of Technology recently discovered that intruders
accessed one of its servers a number of times in the last two months;
among the data stolen were the names, addresses and some credit card
numbers of about 57,000 patrons of the university's Ferst Center for
the Arts. School officials have e-mailed those affected by the breach.
The server was not protected by a firewall. The Georgia Bureau of
Investigations and the FBI are investigating.
http://www.accessatlanta.com/ajc/business/0303/28hacker.html
http://zdnet.com.com/2100-1105-994821.html
-- Al-Jazeera Web Site Bolsters Security
(1 April 2003)
Al-Jazeera's Newsroom coordinator is hopeful that their website will
soon be up and running normally. Security barriers have been added
to the website, which has recently been targeted by denial-of-service
(DoS) and redirect attacks.
http://news.bbc.co.uk/1/hi/technology/2906503.stm
-- Danish Firm Critical of BugTraq Practices; Starts New Vulnerability
Mailing List
(26 March/1 April 2003)
Danish security company Secunia Ltd. has started a new vulnerability
mailing list meant to take the place of BugTraq, which Secunia claims
"delay and partially censor[s] the information" in order to give their
customers advance notification. Symantec, which last year acquired
SecurityFocus, the outfit that owns BugTraq, denies the allegations.
http://www.eweek.com/article2/0,3959,990434,00.asp
http://www.theregister.co.uk/content/55/29941.html
-- Klez is Still a Menace
(31 March 2003)
Klez topped the list of Sophos' most reported viruses in March of this
year, indicating that there are numerous machines on which anti-virus
signatures have not been updated for more than a year. This marks
the fourteenth month in a row that Klez has appeared in the top ten.
http://www.theregister.co.uk/content/56/30026.html
http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/03-31-2003/0001916690&EDATE=
-- System Log Analysis Can be Fruitful
(31 March 2003)
System log analysis in Windows systems can provide good information
about what's been happening on your network, but you have to know
what a log entry for a legitimate event looks like in order to spot
the entries that indicate malicious activity. There are also types
of malware that do not show up in logs; it would be wise to examine
the win.ini and system.ini files for unexpected executables, and to
examine the registry for unexpected .exe or .dll files.
http://www.computerworld.com/securitytopics/security/story/0,10801,79803,00.html
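The item's advice is that you need a baseline of what legitimate entries look like before you can spot the odd one, and that the win.ini/system.ini auto-start entries and the registry's Run key deserve a look as well. The following added example (not code from the article or the newsletter) turns that into a check: it parses the `load=` and `run=` lines of win.ini, the `shell=` line of system.ini, and a registry export of the Run key, and flags any executable that is not on a known-good baseline. The file contents, the registry export fragment and the baseline set are all constructed for illustration.

```python
import configparser
import ntpath
import re

# Constructed win.ini / system.ini contents (not real files). On Windows the
# [windows] section's load= and run= lines and the [boot] section's shell=
# line name programs started at logon, so they are classic places to check.
WIN_INI = """[windows]
load=
run=C:\\WINNT\\system32\\mstask.exe C:\\Temp\\svchosts.exe
[fonts]
"""

SYSTEM_INI = """[boot]
shell=Explorer.exe
[386Enh]
"""

# Constructed fragment of a registry export (.reg) of the Run key; in .reg
# files backslashes inside string values are doubled.
RUN_KEY_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Updater"="C:\\WINNT\\Temp\\update32.dll"
"""

# Constructed baseline of executables you expect to see auto-started on the
# build in question; in practice this comes from a clean reference machine.
KNOWN_GOOD = {"explorer.exe", "mstask.exe", "mobsync.exe"}

REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def _programs(value):
    """run= and load= hold zero or more paths separated by spaces or commas
    (paths containing spaces are not expected in these legacy entries)."""
    return [tok for tok in re.split(r"[,\s]+", value.strip()) if tok]


def ini_autostarts(win_ini_text, system_ini_text):
    """Return (location, program) pairs from the two .ini files."""
    found = []
    win = configparser.ConfigParser(interpolation=None, strict=False)
    win.read_string(win_ini_text)
    for key in ("load", "run"):
        for prog in _programs(win.get("windows", key, fallback="")):
            found.append(("win.ini [windows] %s=" % key, prog))
    sysini = configparser.ConfigParser(interpolation=None, strict=False)
    sysini.read_string(system_ini_text)
    shell = sysini.get("boot", "shell", fallback="").strip()
    if shell:
        found.append(("system.ini [boot] shell=", shell.split()[0]))
    return found


def reg_run_entries(reg_text):
    """Return (location, program) pairs from a .reg export of the Run key."""
    entries = []
    for line in reg_text.splitlines():
        m = REG_VALUE.match(line.strip())
        if m:
            data = m.group("data").replace("\\\\", "\\")
            # First token is the executable; the rest are its arguments.
            entries.append(("Run\\%s" % m.group("name"), data.split()[0]))
    return entries


def unexpected_autostarts(entries, known_good):
    """Flag every entry whose executable name is not in the baseline."""
    flagged = []
    for where, prog in entries:
        name = ntpath.basename(prog.strip('"')).lower()
        if name not in known_good:
            flagged.append((where, prog))
    return flagged


def audit_autostarts():
    entries = ini_autostarts(WIN_INI, SYSTEM_INI) + reg_run_entries(RUN_KEY_REG)
    return unexpected_autostarts(entries, KNOWN_GOOD)


if __name__ == "__main__":
    for where, prog in audit_autostarts():
        print("unexpected:", where, prog)
```

On a real host you would read the two .ini files from the Windows directory and feed an export of the Run and RunOnce keys (under both HKLM and HKCU) to `reg_run_entries`; the point of the baseline set is the same one the article makes about logs, namely that you can only recognise the unexpected entry once you know what the expected ones look like.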
-- California State University Implements Interim Security Measures
(29 March 2003)
Following the results of an audit showing that California State
University's new multi-million dollar computer system allowed
unauthorized people to view students' personal information, the
institution's chancellor announced an interim security measure while
the school works with the software developer on a secure search
feature. For now, university employees will have access to student
social security numbers only if their jobs require it and if they
have signed a confidentiality agreement.
http://www.oaklandtribune.com/Stories/0,1413,82~1726~1280447,00.html
-- OMB Provides Federal Agencies with Compliance Oversight
(28 March 2003)
Federal agencies have the Office of Management and Budget (OMB)
oversight to ensure they comply with security guidelines set by GISRA
and FISMA. The private sector might benefit from a similar framework.
Representative Sherwood Boehlert (R-N.Y.) is concerned about the low
level of government spending on cyber security.
http://www.fcw.com/fcw/articles/2003/0324/web-dhs-03-28-03.asp
http://www.fcw.com/fcw/articles/2003/0324/web-omb-03-28-03.asp
===end===
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editors: Bruce Schneier and Hal Pomeranz
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) visit http://www.sans.org/sansnews/
To update your address, visit http://www.sans.org/sansurl and enter
your SD number (from the header of this email.) You will receive your
personal URL via email.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+lBcj+LUG5KFpTkYRAgvbAJ9wIXI5aTwSzbzdipRwkVvVYKG8xwCglder
9yv0snZDhosyCRfhW3AwqeE=
=kIK8
-----END PGP SIGNATURE-----