We wish everyone in the SANS community around the globe a healthy and happy year in 2002.
AP

**********************************************************************
SANS NEWSBITES
The SANS Weekly Security News Overview
Volume 3, Number 52
December 27, 2001
Editorial Team: Kathy Bradford, Dorothy Denning, Roland Grefer, Vicki Irwin, Bill Murray, Stephen Northcutt, Alan Paller, Marcus Ranum, Howard Schmidt, Eugene Schultz
**********************************************************************

TOP OF THE NEWS
20-24 December 2001    Windows UPnP Vulnerabilities Prompt Advice from NIPC
20 December 2001       Oracle's 9i Application Server Has Buffer Overflow Vulnerability
21 December 2001       CCBill Ecommerce Customers Infected
20 December 2001       Man to be Tried for Installing Distributed Computing Clients
19 & 20 December 2001  Universities in NY, Netherlands Targeted in Warez Raids
17 December 2001       Fast Packet Keying Addresses 802.11 Vulnerability

THE REST OF THE WEEK'S NEWS
24 December 2001       Microsoft SQL Server Holes
24 December 2001       Top Ten Cyber Hoaxes
21 December 2001       Labor Department Addresses Cyber Security
21 December 2001       UCITA Changes Still Don't Satisfy Critics
21 December 2001       Russian Hacker Cuts Deal for Freedom
20 December 2001       PayPal Spam Scam Doesn't Pay Off
20 December 2001       Shoho Worm
20 December 2001       Microsoft Gold Security Program Offers Perks in Return for Delayed Public Disclosure
19 & 20 December 2001  Homeland Defense and Crisis Management Conference: Info Sharing
19 December 2001       Reeezak Worm
18 December 2001       Social Engineering Tactics
18 December 2001       Bill Seeks to Examine Possibility of Cyber-Congress
18 December 2001       Gartner Says Apply Patches and Demand Security
17 & 19 December 2001  Decentralization is a Good Protective Strategy
17 December 2001       Seventeen Year Old Becomes Youngest CISSP
17 December 2001       DES to AES Migration Will be Slow

UPCOMING TRAINING OPPORTUNITIES
**    SANS South Beach (2 tracks), Miami, Jan. 7-12
**    SANS Gateway Asia (2 tracks), Singapore, Jan 10-15
*     SANS Down Under (1 track), Melbourne, Jan 10-15
***   SANS Darling Harbour (4 tracks), Sydney, Jan 19-24
**    SANS Peachtree 2002 (3 tracks), Atlanta, Jan 18-24
***   SANS Aloha IV (4 tracks), Honolulu, Jan 28-Feb 2
****  SANS Computer Security Bootcamp (7 tracks), Monterey, CA, Feb 9-14
*     SANS San Diego Info. Sec. Officer (1 track), Feb 25-Mar 1
*     SANS Ottawa Info. Sec. Officer (1 track), Feb 25-Mar 1
**    SANS Lone Star (3 tracks), San Antonio, March 11-16
***** SANS 2002 (our largest conference) (12 tracks plus a free technical conference for all who attend the tracks), Orlando, April 1-7
Plus:
* Microsoft IIS Security in multiple cities
* Hackers Beware: Live! in multiple cities
* Ewarfare in multiple cities
* Marty Roesch's Intrusion Detection with Snort in multiple cities
**** Plus new, on-line, security training programs.
See www.sans.org for details.

**************** This issue sponsored by VIGILANTe *******************
Reactive Solutions - One Step Forward And Two Steps Backwards!
So far, network and Internet security has revolved around reactive security measures such as firewalls, IDS, and anti-virus software. This is no longer adequate! Step into the 21st century of protection with the SecureScan(tm) offerings by VIGILANTe: state-of-the-art proactive vulnerability assessment solutions that will help you manage your risks instead of taking them! Find out more!
http://www.vigilante.com/info/SANS
***********************************************************************

TOP OF THE NEWS

--20-24 December 2001
Windows UPnP Vulnerabilities Prompt Advice from NIPC
The FBI's National Infrastructure Protection Center (NIPC) is recommending that, in addition to installing a Microsoft patch, Windows XP users disable the Universal Plug-and-Play (UPnP) service to protect themselves from crackers.
Vulnerabilities in the operating system's UPnP service could allow attackers to take control of computers remotely or use the machines to launch a denial-of-service attack. Windows 98 and ME users are affected only if UPnP has been installed; the service is on by default in Windows XP. Gartner predicts that hackers will incorporate the UPnP vulnerabilities into their attack tools within the next three months.
http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm
http://www.computerworld.com/storyba/0,4125,NAV47_STO66939,00.html
http://www.cnn.com/2001/TECH/internet/12/23/microsoft.hackers.ap/index.html
http://www.washingtonpost.com/wp-dyn/articles/A10033-2001Dec20.html
http://www.wired.com/news/business/0,1367,49301,00.html
http://www.msnbc.com/news/675850.asp?0dm=B13QT
http://www.cert.org/advisories/CA-2001-37.html
Gartner Commentary:
http://news.cnet.com/news/0-1003-201-8254545-0.html?tag=prntfr
Steve Gibson has just released a simple tool that allows anyone -- no matter how junior and inexperienced -- to quickly disable or enable the Universal Plug & Play Internet server that runs by default -- even after applying Microsoft's patch -- in every copy of Windows XP.
Software: http://grc.com/files/UnPnp.exe
Companion web page: http://grc.com/UnPnP/UnPnP.htm

--20 December 2001
Oracle's 9i Application Server Has Buffer Overflow Vulnerability
Despite Oracle's claims of superior security -- or perhaps because of those claims -- British security researcher David Litchfield found and published a buffer overflow vulnerability that allows attackers to execute remote commands.
http://www.siliconvalley.com/docs/news/svfront/secur122101.htm

--21 December 2001
CCBill Ecommerce Customers Infected
On-line billing processor CCBill, which hosts ecommerce applications for other companies, acknowledged that its customers' web servers suffered a security breach and could be infected with a bot called "eggdrop" that awaits directions from an IRC channel to take part in a distributed denial-of-service attack. CCBill customers' administrative user names and passwords, and the user names and passwords of their customers, may have been exposed.
http://www.zdnet.com/zdnn/stories/news/0,4586,5100990,00.html?chkpt=zdnn_mh_mac
http://www.computerworld.com/storyba/0,4125,NAV47_STO66920,00.html

--20 December 2001
Man to be Tried for Installing Distributed Computing Clients
David McOwen, a former DeKalb Technical Institute computer technician, is facing felony computer theft and trespassing charges for installing distributed computing clients for a non-profit project on the school's computers. Under Georgia's stringent computer crime law, McOwen could draw a prison sentence of up to 120 years and a fine of $400,000 in addition to restitution payments.
http://www.securityfocus.com/news/300

--19 & 20 December 2001
Universities in NY, Netherlands Targeted in Warez Raids
The US Justice Department and international law enforcement agencies last week seized over 130 computers belonging to suspected software pirates around the world. Many of the people targeted in the raids have been providing law enforcement officials with information that has resulted in additional search warrants. The Rochester Institute of Technology and the University of Twente in Hilversum, the Netherlands, were both targets in the raids.
http://news.cnet.com/news/0-1005-200-8233279.html?tag=prntfr
http://news.cnet.com/news/0-1005-200-8244958.html?tag=prntfr

--17 December 2001
Fast Packet Keying Addresses 802.11 Vulnerability
RSA and Hifn have developed a technology called Fast Packet Keying which addresses a security vulnerability in the 802.11 wireless standard. The encryption algorithm created closely related keys for successive data packets, which enabled hackers to crack the code and access network traffic. The fix, which is available as a software or a firmware patch, generates keys which are less similar.
http://www.cnn.com/2001/TECH/internet/12/17/rsa.security.reut/index.html
http://www.computerworld.com/storyba/0,4125,NAV47_STO66707,00.html
[Editor's (Murray) Note: While this fix is helpful, it does not address the two big 802.11 vulnerabilities, i.e., encryption not turned on and rogue access points. It does not help much to strengthen a mechanism that no one turns on or that is easily bypassed.
(Northcutt) Wireless Access Points are being deployed rapidly, so this is a significant issue. It seems likely the Trojans of the future will include technology to turn infected wireless-equipped systems into sniffers. Fast Keying may prove to be mostly a band-aid type solution, but it could buy the community some needed time.]

THE REST OF THE WEEK'S NEWS

--24 December 2001
Microsoft SQL Server Holes
Microsoft has revealed two flaws in SQL Server 2000 and 7.0. The first is a buffer overflow vulnerability that could allow an attacker to gain control of the server and reconfigure the operating system or reformat the hard drive. The second is a format string vulnerability that could be exploited for a denial of service.
http://www.computerworld.com/storyba/0,4125,NAV47_STO66936,00.html
http://www.microsoft.com/technet/security/bulletin/MS01-060.asp

--24 December 2001
Top Ten Cyber Hoaxes
A list of the top ten Internet hoaxes includes links to debunking and urban myth sites like Vmyths.com, HoaxBusters, and Urban Legends Reference.
http://www.cnn.com/2001/TECH/internet/12/24/internet.hoaxes.idg/index.html

--21 December 2001
Labor Department Addresses Cyber Security
In an effort to protect its employees, the Labor Department is looking into ways to prevent unauthorized people from accessing sensitive information on its computer systems.
http://www.fcw.com/fcw/articles/2001/1217/web-labor-12-21-01.asp

--21 December 2001
UCITA Changes Still Don't Satisfy Critics
The panel drafting the Uniform Computer Information Transactions Act (UCITA) software licensing law has backed away from several controversial provisions, including remote software disabling and a prohibition on reverse engineering. UCITA critics say the law is still problematic.
http://www.computerworld.com/storyba/0,4125,NAV47_STO66888,00.html

--21 December 2001
Russian Hacker Cuts Deal for Freedom
Dmitri Sklyarov, arrested in the United States under a controversial digital copyright law, soon will be free to return home to Moscow under a deal reached with prosecutors last week.
http://chicagotribune.com/technology/chi-0112210063dec21.story?coll=chi%2Dtechnology%2Dhed

--20 December 2001
PayPal Spam Scam Doesn't Pay Off
Not many people appear to have been fooled by a phony PayPal e-mail asking customers to update their information - including credit card details - at a phony web site in return for a $5 account credit.
http://www.theregister.co.uk/content/6/23479.html

--20 December 2001
Shoho Worm
The Shoho worm exploits the Internet Explorer vulnerability that automatically executes embedded MIME types. The attached file appears to be a .txt file but is really an .exe file; it deletes Windows files and self-propagates via e-mail.
Patches are available for the security hole.
http://www.zdnet.com/zdnn/stories/news/0,4586,2834295,00.html?chkpt=zdnnp1tp02
for IE 5.01: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
for Outlook 98: http://hotfiles.zdnet.com/cgi-bin/texis/swlib/hotfiles_zdnet/info.html?fcode=0018YB&b=help
for Outlook 2000: http://hotfiles.zdnet.com/cgi-bin/texis/swlib/hotfiles_zdnet/info.html?fcode=0018YA&b=help

--20 December 2001
Microsoft Gold Security Program Offers Perks in Return for Delayed Public Disclosure
Participants in Microsoft's Gold Certified Partner Program for Security Solutions will receive a plethora of security references and links, technical training, and software licenses in return for a $1,450 annual fee and adherence to the company's security vulnerability disclosure code.
http://www.computerworld.com/storyba/0,4125,NAV47_STO66799,00.html

--19 & 20 December 2001
Homeland Defense and Crisis Management Conference: Info Sharing
Panelists at the Homeland Defense and Crisis Management conference said local, state and federal law enforcement agencies, intelligence organizations, and government officials at all levels need to share information to forestall future terrorist attacks. Certain obstacles need to be overcome, however; groups use differing methods of communication, radio frequencies and terminology.
http://www.computerworld.com/storyba/0,4125,NAV47_STO66770,00.html
Local police chiefs may apply to the Department of Justice for national security clearance so they can share information during national emergencies.
http://www.gcn.com/vol1_no1/daily-updates/17654-1.html

--19 December 2001
Reeezak Worm
Reeezak is a mass-mailer worm that appears to be a Flash media Christmas card, but carries an additional, malicious payload. Reeezak tries to delete the Windows System directory, disables anti-virus software and redirects Internet Explorer to a web site infested with malicious JavaScript. Security patches are available.
http://www.zdnet.com/zdnn/stories/news/0,4586,2833811,00.html
http://www.msnbc.com/news/675233.asp?0dm=T22AT

--18 December 2001
Social Engineering Tactics
Crackers use a variety of social engineering tactics to obtain access to computer systems. They can exploit the good will of people working the help desk, peer over shoulders to gather PINs and passwords, sift through trash, impersonate network administrators on line, or even pretend to be trusted support personnel to gain physical access to computers. A future installment will address identification and prevention of social engineering attacks.
http://www.securityfocus.com/infocus/1527
[Editor's (Murray) Note: "Social engineering" is a euphemism for fraud and deceit.]

--18 December 2001
Bill Seeks to Examine Possibility of Cyber-Congress
Representative Jim Langevin (D-Rhode Island) has introduced a bill that would require the National Institute of Standards and Technology (NIST) to conduct a study to assess the feasibility and cost of a computer system that would allow Congress to convene remotely.
http://www.fcw.com/fcw/articles/2001/1217/web-econg-12-18-01.asp

--18 December 2001
Gartner Says Apply Patches and Demand Security
Companies should apply patches to servers running AIX or Solaris and PCs running IE 5.5 or 6, according to Gartner, because it is likely a worm like Nimda will surface in the next month or two to take advantage of known and dangerous vulnerabilities. In addition, companies should make security an important criterion in their platform purchasing and software upgrading decisions.
http://news.cnet.com/news/0-1003-201-8209166-0.html?tag=prntfr

--17 & 19 December 2001
Decentralization is a Good Protective Strategy
The September 11 attacks have prompted some companies to decentralize their organizations, placing smaller groups of employees in more locations.
http://www.computerworld.com/storyba/0,4125,NAV47_STO66660,00.html
http://www.computerworld.com/storyba/0,4125,NAV47_STO66774,00.html
[Editor's (Murray) Note: What are really addressed in the article are compartmentalization and diversity more than decentralization.]

--17 December 2001
Seventeen Year Old Becomes Youngest CISSP
A 17-year-old aced the CISSP examination and received his credential after an investigation instigated by his unusually young age. Namit Merchant, who has been working in IT since he was 13 and currently works for a consulting firm while finishing high school, said the test should incorporate "more practical knowledge."
http://www.securityfocus.com/news/301

--17 December 2001
DES to AES Migration Will be Slow
Analysts say the move from the Data Encryption Standard (DES) to the recently adopted Advanced Encryption Standard (AES) is likely to be slow: technology standards bodies need to approve it, products incorporating AES have not yet been developed, and companies will probably wait until low-cost implementations are available.
http://www.computerworld.com/storyba/0,4125,NAV47_STO66662,00.html

==end==

Please feel free to share this with interested parties via email (not on bulletin boards). For a free subscription (and for free posters), e-mail sans@sans.org with the subject: Subscribe NewsBites

To change your subscription, address, or other information, visit http://www.sans.org/sansurl and enter your SD number (from the headers). You will receive your personal URL via email. You may also email with complete instructions and your SD number for subscribe, unsubscribe, change address, add other digests, or any other comments.