TOP OF THE NEWS
 --20-24 December 2001  Windows UPnP Vulnerabilities Prompt Advice
                        from NIPC
The FBI's National Infrastructure Protection Center (NIPC) is
recommending that in addition to installing a Microsoft patch,
Windows XP users should disable the Universal Plug-and-Play (UPnP)
service to protect themselves from crackers.  Vulnerabilities in the
operating system's UPnP service could allow attackers to take control
of computers remotely or use machines to launch a denial-of-service
attack.  Windows 98 and ME users are affected only if UPnP has been
installed; the service is on by default in Windows XP.  Gartner
predicts that hackers will incorporate the UPnP vulnerabilities into
their attack tools within the next three months.
http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm
http://www.computerworld.com/storyba/0,4125,NAV47_STO66939,00.html
http://www.cnn.com/2001/TECH/internet/12/23/microsoft.hackers.ap/index.html
http://www.washingtonpost.com/wp-dyn/articles/A10033-2001Dec20.html
http://www.wired.com/news/business/0,1367,49301,00.html
http://www.msnbc.com/news/675850.asp?0dm=B13QT
http://www.cert.org/advisories/CA-2001-37.html
Gartner Commentary:
http://news.cnet.com/news/0-1003-201-8254545-0.html?tag=prntfr

Steve Gibson has just released a simple tool that allows anyone -- no
matter how junior and inexperienced -- to quickly disable or enable
the Universal Plug & Play Internet server that runs by default --
even after applying Microsoft's patch -- in every copy of Windows XP.
Software: http://grc.com/files/UnPnp.exe
Companion web page: http://grc.com/UnPnP/UnPnP.htm




----- Original Message -----
From: "The SANS Institute" <[EMAIL PROTECTED]>
To: "Scott Fosseen (SD381534)" <[EMAIL PROTECTED]>
Sent: Thursday, December 27, 2001 2:40 PM
Subject: SANS NewsBites Vol. 3 Num. 52


| To:   Scott Fosseen (SD381534)
| From: Alan for the SANS NewsBites service
| Re:   December 27 SANS NewsBites
|
|
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
|
| We wish everyone in the SANS community around the globe a healthy
| and happy year in 2002.
|
|                                     AP
|
| **********************************************************************
|
|                              SANS NEWSBITES
|
|                  The SANS Weekly Security News Overview
|
| Volume 3, Number 52                                  December 27, 2001
|
| Editorial Team:
|       Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin,
|              Bill Murray, Stephen Northcutt, Alan Paller,
|              Marcus Ranum, Howard Schmidt, Eugene Schultz
|
| **********************************************************************
|
| TOP OF THE NEWS
| 20-24 December 2001  Windows UPnP Vulnerabilities Prompt Advice
|                      from NIPC
| 20 December 2001  Oracle's 9i Application Server Has Buffer Overflow
|                   Vulnerability
| 21 December 2001  CCBill Ecommerce Customers Infected
| 20 December 2001  Man to be Tried for Installing Distributed Computing
|                   Clients
| 19 & 20 December 2001  Universities in NY, Netherlands Targeted in
|                        Warez Raids
| 17 December 2001  Fast Packet Keying Addresses 802.11 Vulnerability
|
| THE REST OF THE WEEK'S NEWS
| 24 December 2001  Microsoft-SQL Server Holes
| 24 December 2001  Top Ten Cyber Hoaxes
| 21 December 2001  Labor Department Addresses Cyber Security
| 21 December 2001  UCITA Changes Still Don't Satisfy Critics
| 21 December 2001  Russian Hacker Cuts Deal for Freedom
| 20 December 2001  PayPal Spam Scam Doesn't Pay Off
| 20 December 2001  Shoho Worm
| 20 December 2001  Microsoft Gold Security Program Offers Perks in
|                   Return for Delayed Public Disclosure
| 19 & 20 December 2001  Homeland Defense and Crisis Management
|                   Conference: Info Sharing
| 19 December 2001  Reeezak Worm
| 18 December 2001  Social Engineering Tactics
| 18 December 2001  Bill Seeks to Examine Possibility of Cyber-Congress
| 18 December 2001  Gartner Says Apply Patches and Demand Security
| 17 & 19 December 2001  Decentralization is a Good Protective Strategy
| 17 December 2001  Seventeen Year Old Becomes Youngest CISSP
| 17 December 2001  DES to AES Migration Will be Slow
|
| UPCOMING TRAINING OPPORTUNITIES
| **   SANS South Beach (2 tracks), Miami, Jan. 7-12
| **   SANS Gateway Asia (2 tracks), Singapore, Jan 10-15
| *    SANS Down Under (1 track), Melbourne, Jan 10-15
| ***  SANS Darling Harbour (4 tracks), Sydney, Jan 19-24
| **   SANS Peachtree 2002 (3 tracks), Atlanta, Jan 18-24
| ***  SANS Aloha IV (4 tracks), Honolulu, Jan 28-Feb 2
| **** SANS Computer Security Bootcamp (7 tracks), Monterey, CA, Feb 9-14
| *    SANS San Diego Info. Sec. Officer (1 track), Feb 25-Mar 1
| *    SANS Ottawa Info. Sec. Officer (1 track), Feb 25-Mar 1
| **   SANS Lone Star (3 tracks), San Antonio, March 11-16
| *****SANS 2002 (our largest conference) (12 tracks plus a free
|             technical conference for all who attend the tracks),
|             Orlando, April 1-7
| Plus:
| *    Microsoft IIS Security in multiple cities
| *    Hackers Beware: Live! in multiple cities
| *    Ewarfare in multiple cities
| *    Marty Roesch's Intrusion Detection with Snort in multiple cities
| **** Plus new, on-line, security training programs.
|        See www.sans.org for details.
|
| **************** This issue sponsored by VIGILANTe *******************
|
| Reactive Solutions - One Step Forward And Two Steps Backwards!
|
| So far, network and Internet security has revolved around reactive
| security measures such as firewalls, IDS, and anti-virus software. This
| is no longer adequate! Step into the 21st century of protection with
| the SecureScan(tm) offerings by VIGILANTe: State-of-the-art proactive
| vulnerability assessment solutions that will help you manage your
| risks instead of taking them!
|
| Find out more! http://www.vigilante.com/info/SANS
|
| ***********************************************************************
|
| TOP OF THE NEWS
|  --20-24 December 2001  Windows UPnP Vulnerabilities Prompt Advice
|                         from NIPC
| The FBI's National Infrastructure Protection Center (NIPC) is
| recommending that in addition to installing a Microsoft patch,
| Windows XP users should disable the Universal Plug-and-Play (UPnP)
| service to protect themselves from crackers.  Vulnerabilities in the
| operating system's UPnP service could allow attackers to take control
| of computers remotely or use machines to launch a denial-of-service
| attack.  Windows 98 and ME users are affected only if UPnP has been
| installed; the service is on by default in Windows XP.  Gartner
| predicts that hackers will incorporate the UPnP vulnerabilities into
| their attack tools within the next three months.
| http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm
| http://www.computerworld.com/storyba/0,4125,NAV47_STO66939,00.html
| http://www.cnn.com/2001/TECH/internet/12/23/microsoft.hackers.ap/index.html
| http://www.washingtonpost.com/wp-dyn/articles/A10033-2001Dec20.html
| http://www.wired.com/news/business/0,1367,49301,00.html
| http://www.msnbc.com/news/675850.asp?0dm=B13QT
| http://www.cert.org/advisories/CA-2001-37.html
| Gartner Commentary:
| http://news.cnet.com/news/0-1003-201-8254545-0.html?tag=prntfr
|
| Steve Gibson has just released a simple tool that allows anyone -- no
| matter how junior and inexperienced -- to quickly disable or enable
| the Universal Plug & Play Internet server that runs by default --
| even after applying Microsoft's patch -- in every copy of Windows XP.
| Software: http://grc.com/files/UnPnp.exe
| Companion web page: http://grc.com/UnPnP/UnPnP.htm
|
|  --20 December 2001  Oracle's 9i Application Server Has Buffer
|                      Overflow Vulnerability
| Despite Oracle's claims of superior security -- or perhaps because of
| those claims --  British security researcher David Litchfield found
| and published a buffer overflow vulnerability that allows attackers
| to execute remote commands.
| http://www.siliconvalley.com/docs/news/svfront/secur122101.htm
|
|  --21 December 2001  CCBill Ecommerce Customers Infected
| On-line billing processor CCBill, which hosts ecommerce applications
| for other companies, acknowledged that its customers' web servers
| suffered a security breach and could be infected with a bot called
| "eggdrop" that awaits directions from an IRC channel to take part in a
| distributed denial-of-service attack.  CCBill customers' administrative
| user names and passwords and the user names and passwords of their
| customers may have been exposed.
| http://www.zdnet.com/zdnn/stories/news/0,4586,5100990,00.html?chkpt=zdnn_mh_mac
| http://www.computerworld.com/storyba/0,4125,NAV47_STO66920,00.html
|
|  --20 December 2001  Man to be Tried for Installing Distributed
|                      Computing Clients
| David McOwen, a former DeKalb Technical Institute computer technician,
| is facing felony computer theft and trespassing charges for installing
| distributed computing clients for a non-profit project on the
| school's computers.  Under Georgia's stringent computer crime law,
| McOwen could draw a prison sentence of up to 120 years and a fine of
| $400,000 in addition to restitution payment.
| http://www.securityfocus.com/news/300
|
|  --19 & 20 December 2001  Universities in NY, Netherlands Targeted
|                           in Warez Raids
| The US Justice Department and international law enforcement agencies
| last week seized over 130 computers belonging to suspected software
| pirates around the world.  Many of the people targeted in the raids
| have been providing law enforcement officials with information that
| has resulted in additional search warrants.  The Rochester Institute of
| Technology and the University of Twente in Hilversum, the Netherlands
| were both targets in the raids.
| http://news.cnet.com/news/0-1005-200-8233279.html?tag=prntfr
| http://news.cnet.com/news/0-1005-200-8244958.html?tag=prntfr
|
|  --17 December 2001  Fast Packet Keying Addresses 802.11 Vulnerability
| RSA and Hifn have developed a technology called Fast Packet Keying
| which addresses a security vulnerability in the 802.11 wireless
| standard.  The encryption algorithm created closely related keys for
| successive data packets which enabled hackers to crack the code and
| access network traffic.  The fix, which is available as a software
| or a firmware patch, generates keys which are less similar.
| http://www.cnn.com/2001/TECH/internet/12/17/rsa.security.reut/index.html
| http://www.computerworld.com/storyba/0,4125,NAV47_STO66707,00.html
| [Editor's (Murray) Note: While this fix is helpful, it does not address
| the two big 802.11 vulnerabilities, i.e., encryption not turned on and
| rogue access points.  It does not help much to strengthen a mechanism
| that no one turns on or that is easily bypassed.
| (Northcutt)  Wireless Access Points are being deployed rapidly so this
| is a significant issue. It seems likely the Trojans of the future
| will include technology to turn infected wireless-equipped systems
| into sniffers. Fast Keying may prove to be mostly a band-aid type
| solution, but it could buy the community some needed time.]
|
|
| THE REST OF THE WEEK'S NEWS
|
|  --24 December 2001  Microsoft SQL Server Holes
| Microsoft has revealed two flaws in SQL Server 2000 and 7.0.  The first
| flaw is a buffer overflow vulnerability that could allow an attacker
| to gain control of the server and reconfigure the operating system
| or reformat the hard drive.  The second flaw is a format string
| vulnerability that could be exploited for a denial-of-service.
| http://www.computerworld.com/storyba/0,4125,NAV47_STO66936,00.html
| http://www.microsoft.com/technet/security/bulletin/MS01-060.asp
|
|  --24 December 2001  Top Ten Cyber Hoaxes
| A list of the top ten Internet hoaxes includes links to debunking
| and urban myth sites like Vmyths.com, HoaxBusters, and Urban Legends
| Reference.
| http://www.cnn.com/2001/TECH/internet/12/24/internet.hoaxes.idg/index.html
|
|  --21 December 2001  Labor Department Addresses Cyber Security
| In an effort to protect its employees, the Labor Department is looking
| into ways to prevent unauthorized people from accessing sensitive
| information on its computer systems.
| http://www.fcw.com/fcw/articles/2001/1217/web-labor-12-21-01.asp
|
|  --21 December 2001  UCITA Changes Still Don't Satisfy Critics
| The panel drafting the Uniform Computer Information Transactions
| Act (UCITA) software licensing law have backed away from several
| controversial provisions, including remote software disabling and
| reverse-engineering prohibition.  UCITA critics say the law is still
| problematic.
| http://www.computerworld.com/storyba/0,4125,NAV47_STO66888,00.html
|
|
|  --21 December 2001  Russian Hacker Cuts Deal for Freedom
| Dmitri Sklyarov, arrested in the United States under a controversial
| digital copyright law, soon will be free to return home to Moscow
| under a deal reached with prosecutors last week.
| http://chicagotribune.com/technology/chi-0112210063dec21.story?coll=chi%2Dtechnology%2Dhed
|
|  --20 December 2001  PayPal Spam Scam Doesn't Pay Off
| Not many people appear to have been fooled by a phony PayPal e-mail
| asking customers to update their information - including credit card
| details - at a phony web site in return for a $5 account credit.
| http://www.theregister.co.uk/content/6/23479.html
|
|  --20 December 2001  Shoho Worm
| The Shoho worm exploits the automatic execution of embedded MIME
| types Internet Explorer vulnerability.  The attached file appears
| to be a .txt file but is really an .exe file; it deletes Windows
| files and self-propagates via e-mail.  Patches are available for the
| security hole.
| http://www.zdnet.com/zdnn/stories/news/0,4586,2834295,00.html?chkpt=zdnnp1tp02
| for IE 5.01:
| http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
| for Outlook 98:
| http://hotfiles.zdnet.com/cgi-bin/texis/swlib/hotfiles_zdnet/info.html?fcode=0018YB&b=help
| for Outlook 2000:
| http://hotfiles.zdnet.com/cgi-bin/texis/swlib/hotfiles_zdnet/info.html?fcode=0018YA&b=help
|
|  --20 December 2001  Microsoft Gold Security Program Offers Perks in
|                      Return for Delayed Public Disclosure
| Participants in Microsoft's Gold Certified Partner Program for Security
| Solutions will receive a plethora of security references and links,
| technical training, and software licenses in return for a $1,450 annual fee
| and adherence to the company's security vulnerability disclosure code.
| http://www.computerworld.com/storyba/0,4125,NAV47_STO66799,00.html
|
|  --19 & 20 December 2001  Homeland Defense and Crisis Management
|                           Conference: Info Sharing
| Panelists at the Homeland Defense and Crisis Management conference
| said local, state and federal law enforcement agencies, intelligence
| organizations, and government officials at all levels need to share
| information to forestall future terrorist attacks.  Certain obstacles
| need to be overcome, however; groups use differing methods of
| communication, radio frequencies and terminology.
| http://www.computerworld.com/storyba/0,4125,NAV47_STO66770,00.html
| Local police chiefs may apply to the Department of Justice for
| national security clearance so they can share information during
| national emergencies.
| http://www.gcn.com/vol1_no1/daily-updates/17654-1.html
|
|  --19 December 2001  Reeezak Worm
| Reezak is a mass-mailer worm that appears to be a Flash media Christmas
| card, but carries an additional, malicious payload.  Reezak tries
| to delete the Windows System directory, disables anti-virus software
| and redirects Internet Explorer to a web site infested with malicious
| JavaScript.  Security patches are available.
| http://www.zdnet.com/zdnn/stories/news/0,4586,2833811,00.html
| http://www.msnbc.com/news/675233.asp?0dm=T22AT
|
|  --18 December 2001  Social Engineering Tactics
| Crackers use a variety of social engineering tactics to obtain access
| to computer systems.  They can exploit the good will of people working
| the help desk, peer over shoulders to gather PINs and passwords,
| sift through trash, impersonate network administrators on line, or
| even pretend to be trusted support personnel to gain physical access
| to computers.  A future installment will address identification and
| prevention of social engineering attacks.
| http://www.securityfocus.com/infocus/1527
| [Editor's (Murray) Note: "Social engineering" is a euphemism for
| fraud and deceit.]
|
|  --18 December 2001  Bill Seeks to Examine Possibility of
|                      Cyber-Congress
| Representative Jim Langevin (D-Rhode Island) has introduced a bill
| that would require the National Institute of Standards and Technology
| (NIST) to conduct a study to assess the feasibility and cost of a
| computer system that would allow Congress to convene remotely.
| http://www.fcw.com/fcw/articles/2001/1217/web-econg-12-18-01.asp
|
|  --18 December 2001  Gartner Says Apply Patches and Demand Security
| Companies should apply patches to servers running AIX or Solaris
| and PCs running IE 5.5 or 6, according to Gartner, because it is
| likely a worm like Nimda will surface in the next month or two to
| take advantage of known and dangerous vulnerabilities.  In addition,
| companies should make security an important criterion in their platform
| purchasing and software upgrading decisions.
| http://news.cnet.com/news/0-1003-201-8209166-0.html?tag=prntfr
|
|  --17 & 19 December 2001  Decentralization is a Good Protective
|                           Strategy
| The September 11 attacks have prompted some companies to decentralize
| their organizations, placing smaller groups of employees in more
| locations.
| http://www.computerworld.com/storyba/0,4125,NAV47_STO66660,00.html
| http://www.computerworld.com/storyba/0,4125,NAV47_STO66774,00.html
| [Editor's (Murray) Note: What are really addressed in the article
| are compartmentalization and diversity more than decentralization.]
|
|  --17 December 2001  Seventeen Year Old Becomes Youngest CISSP
| A 17-year-old aced the CISSP examination and received his credential
| after an investigation instigated by his unusually young age.
| Namit Merchant, who has been working in IT since he was 13 and
| currently works for a consulting firm while finishing high school,
| said the test should incorporate "more practical knowledge."
| http://www.securityfocus.com/news/301
|
|  --17 December 2001  DES to AES Migration Will be Slow
| Analysts say the move from the Data Encryption Standard (DES) to the
| recently adopted Advanced Encryption Standard (AES) is likely to
| be slow; technology standards bodies need to approve it, products
| incorporating AES have not yet been developed, and companies will
| probably wait until low-cost implementations are available.
| http://www.computerworld.com/storyba/0,4125,NAV47_STO66662,00.html
|
| ==end==
|
|
| Please feel free to share this with interested parties via email (not
| on bulletin boards).  For a free subscription, (and for free posters)
| e-mail [EMAIL PROTECTED] with the subject: Subscribe NewsBites
|
| To change your subscription, address, or other information, visit
| http://www.sans.org/sansurl and enter your SD number (from the
| headers.) You will receive your personal URL via email.
|
| You may also email <[EMAIL PROTECTED]> with complete instructions and
| your SD number for subscribe, unsubscribe, change address, add other
| digests, or any other comments.
|
|
|
| -----BEGIN PGP SIGNATURE-----
| Version: GnuPG v1.0.6 (GNU/Linux)
| Comment: For info see http://www.gnupg.org
|
| iD8DBQE8K0z8+LUG5KFpTkYRArefAJ4gkyTthT5dsgekwYephTDwwBQkJQCgnJjh
| uHFassqr3OlgnaYnWKj1kb8=
| =5I8O
| -----END PGP SIGNATURE-----
|

