SANS NewsBites Vol. 5 Num. 19

From: The SANS Institute (NewsBites@sans.org)
Date: Wed May 14 2003 - 01:53:25 CDT

***********************************************************************
SANS NewsBites May 14, 2003 Vol. 5, Num. 19
***********************************************************************

TOP OF THE NEWS
  AusCERT to Provide Free Alert Service
  South African Man Tried for Allegedly Introducing Virus into
     Company's System
  Passport Flaw
  Earthlink Wins Damages in Buffalo Spammer Case

THE REST OF THE WEEK'S NEWS
  NASCAR Hacker Sentenced To Six Months Community Confinement
  Academics Propose Innovative Defenses For Denial Of Service Attacks
  Fizzer Worm
  High Schooler Expelled on Grounds of Unauthorized Access
  Wireless Access Points Pose Security Problems
  Peido-B Virus
  Phony e-Mails to Bank Customers Try to Steal Passwords, Download
     Trojan
  German Student Arrested on Suspicion of Running MP3 File Sharing
     Service
  Web Hosting Companies Hacked
  Cisco Warns of VPN Flaws
  Media Player Skins Vulnerability
  Fluffi Bunni Hacker Worked for Siemens
  OSU Police Seize Computers That May Have Been Used for Illegal File
     Sharing
  Virginia Credit Union Blocks Use of Compromised Visa Cards
  UK's CSIA to Create "Assured Products" List

TUTORIAL
  Reinstalling After a Security Breach

NEW SECURITY TRAINING PROGRAMS ANNOUNCED
SANS has added several additional cities to its schedule of immersion
security training:
  Chicago, IL, May 18-23 (2 tracks)
  Atlanta, GA, June 2-7 (2 tracks)
  Monterey, CA, June 11-26 (6 tracks)
  San Francisco, June 18-23 (2 tracks -including new management track)
  London, UK, June 23-28 (5 tracks)
  Washington, DC, July 14-19 (9 tracks -including new management track)
  Washington, DC, July 21-22 (Nat'l. Info. Assurance Leadership Conf.)
  Melbourne, AU, July 28 - Aug 2 (2 tracks)
  Plus online courses and local mentor programs in 45 cities.
     See www.sans.org


TOP OF THE NEWS

 --AusCERT to Provide Free Alert Service
(12 May 2003)
The Australian Computer Emergency Response Team (AusCERT) has launched
a free security threat alert service. A corresponding incident
reporting system is due to be operational within three months. Because
worms and viruses often start spreading at the beginning of the workday,
Australia can be especially vulnerable: the country is 10 hours ahead
of Europe and as much as 15 hours ahead of the United States, so
Australian sites are often among the first to see malicious activity.
http://australianit.news.com.au/articles/0,7204,6422070^15306^^nbv^,00.html

 --South African Man Tried for Allegedly Introducing Virus into
    Company's System
(9 May 2003)
The case of a former employee of a South African retail company who
allegedly infected the company's computer system with a virus on
purpose was heard in Johannesburg Commercial Crimes Court last month.
Losses to the company were estimated at 5 million Rand (about
US$690,000). This is the first case of its kind in South Africa.
http://www.itweb.co.za/sections/techforum/2003/0305090720.asp?A=VIR&S=Virus%20Watch&T=Section&O=FPSH

 --Passport Flaw
(8/9 May 2003)
A security flaw in Microsoft's Passport service password recovery system
could have allowed attackers to change the passwords of accounts for
which they knew only the user name. Passport product manager Adam Sohn
said the company had locked out any accounts it suspected had been
fraudulently altered; the flaw was fixed by Thursday morning.
Microsoft's admission of the vulnerability, which affected as many as
200 million customer accounts, could land the company substantial
Federal Trade Commission (FTC) fines as well as sanctions.
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,81030,00.html
http://www.theregister.co.uk/content/55/30620.html
http://news.com.com/2100-1002_3-1000429.html
http://news.com.com/2100-1002_3-1000575.html
http://news.bbc.co.uk/1/hi/technology/3013665.stm
http://www.washingtonpost.com/wp-dyn/articles/A30330-2003May8.html
http://www.cnn.com/2003/TECH/biztech/05/09/microsoft.flaw.ap/index.html

 --Earthlink Wins Damages in Buffalo Spammer Case
(7 May 2003)
Earthlink has been awarded 416 million in damages against Howard
Carmack, a New York state man who allegedly used stolen credit cards
and identities to establish Internet accounts, then used those accounts
to send out more than 825 unsolicited e-mails, also known as SPAM. The
district court in Atlanta also banned Mr. Carmack, known as the Buffalo
Spammer, from sending out more SPAM. Earthlink has also begun testing
SpamBlocker, a permission-based blocking technology.
http://www.infoworld.com/article/03/05/07/HNspamcase_1.html
http://news.com.com/2100-1032-1000272.html
http://www.washingtonpost.com/wp-dyn/articles/A22390-2003May6.html
[Editor's Note (Schultz): Hopefully this ruling will set a strong legal
precedent in dealing with flagrant sources of SPAM.]


THE REST OF THE WEEK'S NEWS

 --NASCAR Hacker Sentenced To Six Months Community Confinement
(13 May 2003)
Michael Melo acknowledged he fired off more than a half-million e-mail
messages to WFXT-TV 25 in Boston after the Red Sox game was broadcast
instead of a NASCAR race in 2001. He was sentenced to six months of
community confinement.
http://www.sportsline.com/autoracing/story/6369117

 --Academics Propose Innovative Defenses For Denial Of Service Attacks
(13 May 2003)
At an IEEE symposium on Security and Privacy, graduate students from
Carnegie Mellon University proposed two methods aimed at greatly
reducing the effects of Internet denial of service attacks. Steve
Bellovin called both proposals credible attempts at solving for network
administrators the sticky problems of denial-of-service attacks.
http://zdnet.com.com/2100-1105_2-1001200.html

 --Fizzer Worm
(12 May 2003)
A mass-mailing worm called Fizzer is spreading around the world. Fizzer
spreads through both e-mail and file-sharing programs, and affects
computers running Windows operating systems. It disables anti-virus
software, steals passwords, and places a backdoor in infected computers.
http://news.bbc.co.uk/1/hi/technology/3021927.stm
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,81150,00.html
http://zdnet.com.com/2100-1105_2-1001062.html
[Editor's Note (Shpantzer): Another important reminder of why we should
enforce policies against P2P programs at work. We all have those
policies in place, right?]

 --High Schooler Expelled on Grounds of Unauthorized Access
(10 May 2003)
A student at Stoughton (Wisconsin) High School has been suspended
following a hearing regarding his involvement in using keystroke-logging
software to gain access to the school's computer system and alter
student grades. Charges against other students are pending.
http://www.stoughtonnews.com/news.cfm?num=3471

 --Wireless Access Points Pose Security Problems
(9 May 2003)
At the NetWorld+Interop conference in Las Vegas, wireless LAN security
firm AirDefense Inc. set up a sensor on the show floor, and within two
hours had detected 230 wireless access points. 92 were not using
encryption, 38 were configured with default settings, and 15 were
plugged directly into network hubs. AirDefense also detected malicious
activity, including denial-of-service attacks.
http://www.informationweek.com/story/showArticle.jhtml?articleID=9700025
http://www.eweek.com/article2/0,3959,1072266,00.asp

 --Peido-B Virus
(8/9 May 2003)
The Computer Emergency Response Team Coordination Center (CERT/CC) has
issued a warning about the Peido-B virus, also called VBS/Inor.B or the
Mother's Day Virus. The virus arrives as an .hta attachment which, when
executed, installs a Trojan horse program, Troj/DLoader-BO, on the
victim's computer. In turn, Troj/DLoader-BO downloads and executes a
file from a certain web site.
http://www.cert.org/current/current_activity.html#peido
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,81106,00.html

 --Phony e-Mails to Bank Customers Try to Steal Passwords, Download
    Trojan
(8 May 2003)
Customers of First Union Bank have been receiving fraudulent e-mail
messages claiming to be from First Union, telling them their user names
and passwords have been lost, and directing them to a web site so they
can supply the bank with their information. Even if the users do not
enter their information, merely visiting the site causes the Backdoor
AMQ Trojan horse program to be downloaded to their computers.
http://www.eweek.com/article2/0,3959,1068224,00.asp

 --German Student Arrested on Suspicion of Running MP3 File Sharing
    Service
(8 May 2003)
German police have arrested a 25-year-old computer-programming student
for allegedly conducting an MP3 file sharing service. The investigation
into the man's activities was initiated by the International Federation
of the Phonographic Industry (IFPI).
http://news.zdnet.co.uk/story/0,,t269-s2134454,00.html

 --Web Hosting Companies Hacked
(8 May 2003)
Hackers broke into the servers of three Dutch web hosting companies,
stealing data and ruining essential software. Web host customers were
not fully apprised of the breach. Though one of the affected companies
claims to back up its data every 24 hours, its last back up was actually
created in January.
http://www.europemedia.net/shownews.asp?ArticleID=16233

 --Cisco Warns of VPN Flaws
(8 May 2003)
Cisco has warned of three vulnerabilities in its VPN 3000 series
concentrators and VPN 3002 hardware client, which could allow attackers
to view data, cause a denial-of-service (DoS) attack, and degrade
concentrator performance or cause the device to restart. Workarounds
are available, and customers are encouraged to upgrade to the latest
versions of code for the devices.
http://www.infoworld.com/article/03/05/08/HNciscovpn_1.html
http://www.cisco.com/warp/public/707/cisco-sa-20030507-vpn3k.shtml
[Editor's Note (Paller): Even without the extra vulnerabilities caused
by Cisco's programming problems, security professionals should be aware
that VPNs are pipes into important systems. An attacker who has gained
control of a VPN-attached workstation can use that control to pipe
attacks directly to the valuable resources at the other end of the VPN.
More than 50,000 workstations are taken over every month. It makes
sense to have a strategy for testing your VPN users' workstations.]

 --Media Player Skins Vulnerability
(7 May 2003)
A vulnerability in the way Windows Media Player handles the download of
"skins" could allow an attacker to execute code on unprotected PCs.
The flaw affected Windows Media Player version 7.1 and Windows Media
Player for XP (version 8.0); version 9.0 is not affected.
http://news.com.com/2100-1002_3-1000355.html
http://www.microsoft.com/technet/security/bulletin/MS03-017.asp

 --Fluffi Bunni Hacker Worked for Siemens
(7 May 2003)
Lynn Htun, the man recently arrested for his alleged involvement with
the Fluffi Bunni hacker group, had apparently worked for Siemens
Communications, an IT security supplier, for more than a year. Siemens,
which has close ties to MI5 and runs some government IT projects, is
working with police on the situation.
http://www.computerweekly.com/articles/article.asp?liArticleID=121522

 --OSU Police Seize Computers That May Have Been Used for Illegal File
    Sharing
(7 May 2003)
Ohio State University police have seized five computers that were
allegedly being used to distribute illegally downloaded music and movies
to students. No students have been charged in the case; that could
change if copyrighted material is discovered. The investigation began
three months ago when file-sharing was consuming 10% of the bandwidth
of the university's computer system.
http://www.usatoday.com/tech/news/2003-05-07-osu-seizures_x.htm
[Editor's Note (Schultz): The day of unlimited free music is
(rightfully) over. I'm curious, however, why a 10% bandwidth
consumption for peer-to-peer sharing made people at OSU investigate.
Ten percent doesn't seem like much--I've heard about amounts up to 60%
at other places.]

 --Virginia Credit Union Blocks Use of Compromised Visa Cards
(7 May 2003)
After a security breach of an unknown merchant's data system,
compromising the security of credit and debit cards, Virginia Credit
Union blocked the use of 800 affected cards; customers should receive
new cards in the mail soon. No resulting misuse of accounts has been
reported yet.
http://www.timesdispatch.com/business/MGB6S1MMEFD.html

 --UK's CSIA to Create "Assured Products" List
(6 May 2003)
In an effort to improve the nation's information technology security,
the UK government's Central Sponsor for Information Assurance (CSIA)
plans to create a list of "assured products" for the public and private
sectors to use when making purchases; present accreditation processes
are expensive and time-consuming.
http://www.vnunet.com/News/1140642

TUTORIAL
 --Reinstalling After a Security Breach
(7 May 2003)
This article describes the process for reinstalling a system after a
security breach, including steps to take to reduce the likelihood of a
repeat of the breach.
http://www.securityfocus.com/infocus/1692

---end---

NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
