-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

**********************************************************************
SANS NEWSBITES
The SANS Weekly Security News Overview
Volume 4, Number 17
April 24, 2002
Editorial Team: Kathy Bradford, Dorothy Denning, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Marcus Ranum, Eugene Schultz
*********************************************************************

Positive security news. In a White House Ceremony last Thursday, President
Bush's Homeland Security and Cyber Security Advisors, Tom Ridge and Dick
Clarke, presented plaques and checks to six school children for their winning
entries in the Kids Improving Security poster contest. Kudos to the White
House staff, the National Cyber Security Alliance, the FBI and its InfraGard
program, and the InfraGard members and SANS alumni who helped publicize the
program and judge the regional entries. The children and their parents won
free trips to Washington, and their schools won $1,500 each.
Winning entries will be converted to screen savers by the US Department of
Defense and are posted at http://www.sans.org/KIS/winners.htm
Alan

TOP OF THE NEWS
22 April 2002 Database Files Posted on Defaced SPAWAR Website
19 April 2002 European Commission Drafts Cybercrime Law
18 April 2002 Florida Bank's Security Breached
17 April 2002 Canada's Auditor General Says Government Security is Lacking

THE REST OF THE WEEK'S NEWS
22 April 2002 Army's Proxy Server
22 April 2002 FBI Security Still Lacking
21 April 2002 Oracle9i Database Server Vulnerability
19 & 22 April 2002 Army to Deploy Automated Vulnerability Scanner
17 & 19 April 2002 Fragroute Fools Intrusion Detection Systems
19 April 2002 Senate Passes $3.2 Billion Border Security Bill
19 April 2002 Higher Ed Organizations Get Behind Cyber Security
19 April 2002 Search Engines Remove Links at Request of Deutsche Bahn
18 & 19 April 2002 Klez Variants on the Loose
17 & 19 April 2002 GovNet Input Reviewed
19 April 2002 Suit Alleges Rival Broke and Posted Pay TV Smart Card Codes
18 April 2002 Default Registry Setting for TCP Port 445 Could Allow DoS Attacks
18 April 2002 Malicious Bots Popping Up in Chat Rooms
18 April 2002 Patch Available for SQL Server Buffer Overflow Vulnerability
17 April 2002 IE Flaw Allows Malicious Script to Execute in Local Zone
17 April 2002 Microsoft Patch for Macintosh Vulnerabilities
17 April 2002 Hacker/Author is Now US Government Consultant
17 April 2002 US Secret Service Establishes Eight Electronic Crimes Task Forces
17 April 2002 Unhappy MBSA Users Misinterpret Results, says Microsoft
15 April 2002 Phony Credit Card Data Experiment Successful

IN-DEPTH TECHNICAL SECURITY TRAINING (AND MANAGEMENT COURSES) IN THE NEXT
120 DAYS
Large SANS GIAC Certification and Training programs in Washington, Toronto,
Boston, Denver, New York, and Los Angeles
Smaller programs in Minneapolis, Portland, Colorado Springs, Chicago,
Detroit, Ottawa, and Melbourne
Details and registration information:
www.sans.org

******************* Sponsored by SurfControl, Inc. *******************
ALL Web content your users read, send and receive carries a RISK, whether
it's BROWSING shady neighborhoods, LEAKING confidential data, SENDING
inappropriate jokes, or RECEIVING spam and viruses. Cover yourself and your
company. Download FREE trials of SurfControl Web Filter and Email Filter now:
http://www.surfcontrol.com/go/zsnb0424
**********************************************************************

TOP OF THE NEWS

--22 April 2002 Database Files Posted on Defaced SPAWAR Website
A website at the US Space and Naval Warfare Systems Command was defaced with
screenshots of database files from Midwest Express Airlines and a bank. The
airline data appeared to include customer names and e-mail addresses.
http://www.internetnews.com/dev-news/article/0,,10_1013341,00.html

--19 April 2002 European Commission Drafts Cybercrime Law
The European Commission has adopted a draft cybercrime law aimed at those who
gain unauthorized access to computer systems with malicious intent, as well
as those who spread logic bombs, worms, viruses and Trojan horses. If the 15
European Union member governments back the legislation, cyber criminals could
face prison sentences of between one and four years.
http://www.reuters.com/news_article.jhtml?type=internetnews&StoryID=847344

--18 April 2002 Florida Bank's Security Breached
A cracker breached security at Florida's Republic Bank (RB), stealing a file
that contained the names and addresses of 3,600 online banking customers. RB
said no transactions or account balances were accessed. The perpetrator told
the bank about the intrusion and data theft. The bank did not tell customers
of the events immediately because the FBI asked it not to, though they are
being contacted now.
http://www.newsbytes.com/news/02/175977.html

--17 April 2002 Canada's Auditor General Says Government Security is Lacking
Canada's Auditor General Sheila Fraser said citizens' personal data is at
risk of exposure and tampering because the government has not been vigilant
about electronic security. Of 260 government sites tested, nearly one-third
were found to be vulnerable to hackers. Fraser's recommendations include
training employees in information security, performing risk assessments and
audits, and considering security at the development stage of networks.
http://www.theglobeandmail.com/servlet/ArticleNews/printarticle/gam/20020417/UTECHN
http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=7886
Text of Auditor General's report on Information Technology Security:
http://www.oag-bvg.gc.ca/domino/reports.nsf/html/0203ce.html

************************* Sponsored Links ****************************
(1) ActiveGuardTM - Monitoring! Alerts! Defense! 24 x 7 Intrusion Detection
& Prevention!
http://www.sans.org/cgi-bin/sanspromo/NB28
(2) Plug that perimeter security gap - FREE full-function PestPatrol
evaluation software
http://www.sans.org/cgi-bin/sanspromo/NB29
(3) Dorian Software Creations: Automate Event Log Archiving, Analysis, and
Detection!
http://www.sans.org/cgi-bin/sanspromo/NB30
**********************************************************************

THE REST OF THE WEEK'S NEWS

--22 April 2002 Army's Proxy Server
The Army has set up a proxy server for hosting its public web sites without
creating a back door for hackers. The proxy server is "basically an
application-level firewall" that can reduce the likelihood of
content-altering attacks.
http://www.fcw.com/fcw/articles/2002/0422/news-army-04-22-02.asp

--22 April 2002 FBI Security Still Lacking
Speaking at a Senate Judiciary Committee hearing, FBI Assistant Director for
Security Kenneth Senser said security at the FBI is still inadequate, even
after the steps taken to tighten procedures following the disclosure of the
Hanssen case last year. The testimony follows close on the heels of the
Webster report, which enumerated problems in the FBI's security
infrastructure. A new system designed to enhance case auditing security is
due to be deployed soon.
http://www.computerworld.com/storyba/0,4125,NAV47_STO70310,00.html

--21 April 2002 Oracle9i Database Server Vulnerability
A vulnerability in Oracle9i Database Server, version 9.0.1.x, could grant a
malicious user unauthorized access to data. A fix is available.
http://www.securiteam.com/securitynews/5PP0L0A6UO.html

--19 & 22 April 2002 Army to Deploy Automated Vulnerability Scanner
The US Army plans to deploy a vulnerability assessment tool called Security
Threat Avoidance Technology (STAT) Scanner as part of its efforts to automate
vulnerability detection and patch application. The STAT tool will be employed
with the intent of centralizing Army network monitoring.
http://www.computerworld.com/storyba/0,4125,NAV47_STO70379,00.html
http://www.gcn.com/vol1_no1/daily-updates/18430-1.html
[Editor's (Paller) Note: By focusing only on a limited number of
vulnerabilities, the Army is giving its system administrators a real chance
to succeed. NASA led the way in targeting the most important vulnerabilities
and proved they could radically reduce the number of security incidents. Too
many federal agencies run vulnerability scans that find thousands of
vulnerabilities - most of which are not critical. The really important
remedial work gets lost in the clutter. It would be good for federal security
if Federal Inspectors General recognized the need to focus on critical
vulnerabilities across all systems.]
--17 & 19 April 2002 Fragroute Fools Intrusion Detection Systems
Fragroute, a new tool posted by Arbor Networks' Dug Song, manipulates data
packets (fragmenting, reordering and overlapping them) so that they slip past
firewalls and intrusion detection systems while still reaching the target
host intact.
http://news.com.com/2100-1001-887065.html
http://www.vnunet.com/News/1130999

--19 April 2002 Senate Passes $3.2 Billion Border Security Bill
The Senate passed a $3.2 billion bill that would tighten US border security
through the use of biometrics, track foreign students with visas, create a
database to help immigration officials identify possible terrorists, and
require that travel documents for those entering the country include
fingerprints or retinal scans.
http://www.fcw.com/fcw/articles/2002/0415/web-border-04-19-02.asp

--19 April 2002 Higher Ed Organizations Get Behind Cyber Security
College and university organizations have given their support to a cyber
security framework that cyberspace security advisor Richard Clarke hopes will
be a foundation for individual institutions to develop their own cyber
security strategies.
http://www.fcw.com/fcw/articles/2002/0415/web-cyber-04-19-02.asp

--19 April 2002 Search Engines Remove Links at Request of Deutsche Bahn
AltaVista and Google say they have removed links to railway sabotage
instructions after Deutsche Bahn, Germany's national railway, asked them to.
A Dutch court has ordered an ISP, XS4ALL, to remove the documents as well.
http://news.com.com/2100-1023-885345.html
http://www.newsbytes.com/news/02/176028.html

--18 & 19 April 2002 Klez Variants on the Loose
A new variant of the Klez worm appears to be spreading again. The code has
been altered enough to sneak past anti-virus software. The worm can exploit
an old bug in the automatic handling of MIME attachments, so the recipient
does not even have to open the attachment for it to run. The worm copies
itself to remote disk drives, mails itself out, and tries to disable
antivirus software. Klez.h can attach files from the infected machine to the
e-mails it sends, possibly distributing sensitive information.
Klez can also carry a virus called ElKern, which overwrites executables.
http://news.com.com/2100-1001-887330.html
http://www.searchsecurity.com/originalContent/0,289142,sid14_gci818032,00.html

--17 & 19 April 2002 GovNet Input Reviewed
Richard Clarke says the GSA has finished reviewing input from companies about
how GovNet could work and has concluded that the secure system is feasible.
The next steps are to determine whether or not GovNet would be cost effective
and, if so, how it would be set up.
http://www.govexec.com/dailyfed/0402/041702h1.htm
http://www.newsbytes.com/news/02/176029.html

--19 April 2002 Suit Alleges Rival Broke and Posted Pay TV Smart Card Codes
A lawsuit filed in California claims NDS broke smart card codes belonging to
Canal Plus Technologies and then posted the information on the Internet.
Canal Plus is suing for over $1 billion in lost revenue. Though NDS issued a
statement calling the charges unfounded, an NDS employee allegedly planned to
testify in court that his company was in fact responsible for the release of
the competitor's information, then decided against doing so because he feared
for his life.
http://www.msnbc.com/news/740634.asp?0dm=C11JT

--18 April 2002 Default Registry Setting for TCP Port 445 Could Allow DoS Attacks
Default registry settings on both the desktop and server versions of Windows
2000 could allow denial of service (DoS) attacks via TCP port 445, the port
Windows 2000 uses for SMB directly over TCP. Microsoft has issued a
description of the problem along with suggestions for fixing it.
http://www.vnunet.com/News/1131065
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q320751

--18 April 2002 Malicious Bots Popping Up in Chat Rooms
Bots are small scripts that control how computers respond and act - for
example by automating responses to newcomers in chat rooms.
They can be used for helpful purposes, but hackers have been using them to
disrupt chat rooms: meddling with people's displays, sending phony messages
and even booting people out of the room.
http://news.globetechnology.com/servlet/GAMArticleHTMLTemplate?tf=globetechnology/TGAM/NewsFullStory.html&cf=globetechnology/tech-config-neutral&slug=TWBOTS&date=20020418

--18 April 2002 Patch Available for SQL Server Buffer Overflow Vulnerability
Microsoft released a patch for a buffer overflow vulnerability in its SQL
Server 7.0 and 2000 databases. Crackers could exploit the vulnerability to
crash the server or run code in the security context of the SQL Server
service.
http://www.infoworld.com/articles/hn/xml/02/04/18/020418hnsqlhole.xml
http://www.microsoft.com/technet/security/bulletin/ms02-020.asp

--17 April 2002 IE Flaw Allows Malicious Script to Execute in Local Zone
If users click the back button on Internet Explorer's toolbar, Internet zone
security settings will be superseded by local zone settings, and malicious
code embedded in URLs will be permitted to execute. Suggested workarounds
include disabling active scripting and not using the back button.
http://www.wired.com/news/technology/0,1282,51899,00.html
http://www.theregister.co.uk/content/4/24902.html

--17 April 2002 Microsoft Patch for Macintosh Vulnerabilities
Microsoft has released a cumulative patch that addresses vulnerabilities in
IE 5.1 for Macintosh and Office for Macintosh, including a buffer overflow
vulnerability that could allow an attacker to run arbitrary commands or even
crash the computer.
http://zdnet.com.com/2100-1104-884577.html
http://www.infoworld.com/articles/hn/xml/02/04/17/020417hnmac.xml
http://www.microsoft.com/technet/security/bulletin/MS02-019.asp

--17 April 2002 Hacker/Author is Now US Government Consultant
An Indian teenager who last year wrote a book on ethical hacking is now
himself employed as a consultant by a US government agency.
At fourteen, he once defaced a magazine's website, then wrote to the editor,
offering suggestions for preventing others from doing the same thing.
http://news.bbc.co.uk/hi/english/world/south_asia/newsid_1934000/1934874.stm
[Editor's (Schultz) Note: A person who has engaged in unethical activities
and who then writes a book does not suddenly merit being called an "ethical
hacker." We've seen it before, and we will see it again---despite the
admonitions of information security professionals, organizations hire
hackers, not only sending the wrong message to the hacking underground, but
also often resulting in undesirable outcomes for the organizations
themselves.]

--17 April 2002 US Secret Service Establishes Eight Electronic Crimes Task Forces
The US Secret Service is establishing Electronic Crimes Task Forces in eight
cities across the country. The task forces are composed of federal, state and
local law enforcement officials and experts from private industry and
academia, and will work to help prevent cybercrimes and respond to major
cyber attacks.
http://www.miami.com/mld/miamiherald/2002/04/17/business/3077429.htm
http://www.ectaskforce.org/

--17 April 2002 Unhappy MBSA Users Misinterpret Results, says Microsoft
Microsoft says users who are displeased with the Microsoft Baseline Security
Analyzer's (MBSA) performance may be misinterpreting the tool's results.
http://www.infoworld.com/articles/hn/xml/02/04/17/020417hnmsbsa.xml

--15 April 2002 Phony Credit Card Data Experiment Successful
Dan Clements, a fraud investigator, placed a page of phony credit card data
on the web to see how quickly the information would spread. He placed links
to the page in several chat rooms, and the page had its first visitors within
15 minutes. Over the course of the weekend, 1,600 people looked at the false
data. Clements plans to locate the IP addresses of the visitors and inform
the associated ISPs.
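The experiment in the item above is a honeytoken: bait data whose only
legitimate readers are the people who planted it, so every fetch is a lead.
The script below is an added example, not Clements' own tooling and not from
the news item; it extracts the visitors to a bait page from constructed
Apache-style log lines, groups them by client address for an abuse report,
and measures how long after posting the first visitor arrived. The bait path
(/cards.html), the posting time and the addresses (RFC 5737 documentation
ranges) are all assumptions.

```python
"""Added example: who fetched a honeytoken page, from web server access logs.
Not from the SANS item or Dan Clements; log lines, bait path, posting time
and addresses below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# NCSA "combined" log format: client, identity, user, time, request,
# status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

CANARY_PATH = "/cards.html"          # assumed location of the bait page
POSTED_AT = datetime(2002, 4, 13, 21, 0, 0, tzinfo=timezone(timedelta(hours=-7)))

# Constructed sample log lines; addresses are from the documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Apr/2002:21:14:02 -0700] "GET /cards.html HTTP/1.0" 200 1843 "http://chat.example.net/room/carding" "Mozilla/4.0"',
    '203.0.113.5 - - [13/Apr/2002:21:14:03 -0700] "GET /favicon.ico HTTP/1.0" 404 209 "-" "Mozilla/4.0"',
    '198.51.100.77 - - [13/Apr/2002:21:20:45 -0700] "GET /cards.html HTTP/1.0" 200 1843 "http://chat.example.net/room/carding" "Mozilla/4.0"',
    '203.0.113.5 - - [14/Apr/2002:02:01:10 -0700] "GET /cards.html HTTP/1.0" 200 1843 "-" "curl/7.9"',
    '192.0.2.9 - - [14/Apr/2002:09:30:00 -0700] "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def canary_hits(lines, path=CANARY_PATH):
    """Group successful fetches of the bait page by client IP:
    hit count, earliest fetch, and the referers that led people there."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != path or rec["status"] != 200:
            continue
        entry = hits.setdefault(rec["ip"], {"count": 0, "first_seen": rec["time"], "referers": set()})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], rec["time"])
        if rec["referer"] != "-":
            entry["referers"].add(rec["referer"])
    return hits


def minutes_to_first_hit(hits, posted_at=POSTED_AT):
    """Minutes between posting the bait and the first fetch (None if no hits)."""
    if not hits:
        return None
    first = min(h["first_seen"] for h in hits.values())
    return (first - posted_at).total_seconds() / 60


def abuse_report_lines(hits):
    """One line per client, earliest visitor first, for the ISP abuse contact."""
    ordered = sorted(hits.items(), key=lambda kv: kv[1]["first_seen"])
    return [
        f"{ip}: {h['count']} fetch(es), first seen {h['first_seen'].isoformat()}, "
        f"via {', '.join(sorted(h['referers'])) or 'direct'}"
        for ip, h in ordered
    ]


if __name__ == "__main__":
    found = canary_hits(SAMPLE_LOG)
    print(f"first visitor after {minutes_to_first_hit(found):.1f} minutes")
    for line in abuse_report_lines(found):
        print(line)
```

The 404 for /favicon.ico and the unrelated /index.html fetch are dropped
because only a 200 for the bait path counts; a bait page should never appear
in a site's own navigation, so any referer that does show up tells you which
chat room or forum is redistributing the link.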
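The Fragroute item earlier in this issue says only that the tool "manipulates
data packets" so they slip past an IDS. The example below, added here and
neither fragroute's code nor anything from the news item, shows the two
tricks that matter in a form you can run: splitting a payload into segments
too small to contain a signature (which beats any sensor that matches per
packet), and sending overlapping segments with conflicting data, so that a
sensor and the target host reassemble different streams depending on which
copy their reassembly policy keeps. The HTTP payload, the signature and the
segment sizes are constructed for illustration.

```python
"""Added example: why segmentation and overlap defeat a naive IDS.
Not fragroute's code and not from the SANS item; payload, signature and
segment boundaries are constructed. Models TCP segments as (seq, data) pairs.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # offset of this segment's first byte within the stream
    data: bytes


# A content signature of the kind a 2002-era rule matches against payloads
# (assumed example; any byte string would do).
SIGNATURE = re.compile(rb"/cgi-bin/phf")
PAYLOAD = b"GET /cgi-bin/phf HTTP/1.0\r\n"


def fragment(payload: bytes, size: int) -> list[Segment]:
    """Split a payload into fixed-size segments so no single packet holds the signature."""
    return [Segment(i, payload[i:i + size]) for i in range(0, len(payload), size)]


def overlap_attack(payload: bytes, split: int, chaff: bytes) -> list[Segment]:
    """Send the tail of the payload twice at the same sequence number: a chaff
    copy first, then the real bytes. Which copy a receiver keeps depends on its
    overlap policy, the ambiguity Ptacek and Newsham described and fragroute automates."""
    return [Segment(0, payload[:split]),
            Segment(split, chaff),
            Segment(split, payload[split:])]


def naive_detects(segments) -> bool:
    """Per-packet matching with no stream reassembly."""
    return any(SIGNATURE.search(s.data) for s in segments)


def reassemble(segments, policy: str) -> bytes:
    """Rebuild the byte stream from segments in arrival order.
    policy='first': a byte already received is kept (later overlaps ignored).
    policy='last':  later data overwrites what was received earlier.
    Real stacks differ on this, which is what the attacker exploits."""
    stream: dict[int, int] = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "first" and off in stream:
                continue
            stream[off] = byte
    return bytes(stream[k] for k in sorted(stream))


def stream_detects(segments, policy: str) -> bool:
    """Matching after reassembly under the given overlap policy."""
    return SIGNATURE.search(reassemble(segments, policy)) is not None


if __name__ == "__main__":
    tiny = fragment(PAYLOAD, 4)
    print("4-byte segments, per-packet match:", naive_detects(tiny))
    print("4-byte segments, reassembled:     ", stream_detects(tiny, "first"))
    amb = overlap_attack(PAYLOAD, 13, b"xyz")
    for pol in ("first", "last"):
        print(f"overlap, policy={pol}: {reassemble(amb, pol)!r} -> {stream_detects(amb, pol)}")
```

With 4-byte segments the per-packet matcher never sees the whole signature,
while either reassembling matcher does. With the overlap, a sensor that keeps
the first copy reads "/cgi-bin/xyz" and stays silent while a host that keeps
the last copy receives the real request; swap the policies and the sensor
alerts on traffic the host never acted on. The defence is to reassemble the
way the protected host does (per-target reassembly policies), not to match
on individual packets.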
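The Klez item earlier in this issue notes that the worm gets itself run
through an old bug in automatic MIME attachment handling. The trigger for
that class of bug is a mismatch: the message declares an attachment as a
harmless media type the mail client will open without asking, while the
payload is an executable. The script below is an added example, not from the
news item or from any anti-virus product; it parses a constructed message
with the standard library and flags parts whose declared Content-Type
disagrees with their filename extension or their leading bytes. The list of
auto-opened media types and the executable extensions are assumptions chosen
for the illustration.

```python
"""Added example: flag MIME parts whose declared type does not match the payload.
Not from the SANS item or any product; the sample message is constructed,
and the type/extension lists are assumptions for the illustration.
"""
import base64
from email import message_from_bytes

# Media types an old mail client would open automatically on preview (assumed
# list; the Klez mails used audio types on executable attachments).
AUTO_OPEN_TYPES = {"audio/x-wav", "audio/x-midi", "audio/midi", "video/x-msvideo"}
# Extensions that Windows will execute when the file is "opened".
EXEC_EXTENSIONS = {".exe", ".pif", ".scr", ".bat", ".com"}


def suspicious_parts(raw: bytes) -> list[dict]:
    """Return one finding per non-multipart part that looks like a disguised executable."""
    msg = message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        ext = "." + fname.rsplit(".", 1)[-1] if "." in fname else ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ctype in AUTO_OPEN_TYPES and ext in EXEC_EXTENSIONS:
            reasons.append("auto-open media type with executable filename")
        if payload[:2] == b"MZ" and not ctype.startswith("application/"):
            reasons.append("PE (MZ) header under a non-application content type")
        if reasons:
            findings.append({"filename": fname, "content_type": ctype, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed message: one honest .wav attachment, one executable labelled audio/x-wav."""
    pe_stub = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()
    wav_stub = base64.b64encode(b"RIFF\x24\x00\x00\x00WAVEfmt ").decode()
    lines = [
        "From: someone@example.com",
        "To: victim@example.com",
        "Subject: a funny game",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain",
        "",
        "Enjoy!",
        "--b1",
        'Content-Type: audio/x-wav; name="hello.wav"',
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="hello.wav"',
        "",
        wav_stub,
        "--b1",
        'Content-Type: audio/x-wav; name="setup.exe"',
        "Content-Transfer-Encoding: base64",
        'Content-Disposition: attachment; filename="setup.exe"',
        "",
        pe_stub,
        "--b1--",
    ]
    return "\r\n".join(lines).encode()


SAMPLE_MESSAGE = build_sample()

if __name__ == "__main__":
    for f in suspicious_parts(SAMPLE_MESSAGE):
        print(f"{f['filename']} declared as {f['content_type']}: " + "; ".join(f["reasons"]))
```

Only the disguised part is reported: the genuine .wav has a matching name
and a RIFF header, and an executable declared honestly as application/*
would still be executable but does not exploit the auto-open path this check
targets. Checking the magic bytes as well as the filename matters because a
renamed attachment defeats extension rules while the MZ header survives.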
http://www.msnbc.com/news/739128.asp

==end==

Please feel free to share this with interested parties via email, but no
posting is allowed on web sites.
For a free subscription, (and for free posters) e-mail sans@sans.org with
the subject: Subscribe NewsBites
To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the headers.) You
will receive your personal URL via email. You may also email with complete
instructions and your SD number for subscribe, unsubscribe, change address,
add other digests, or any other comments.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8xtkm+LUG5KFpTkYRAppbAJ9rMG80O8mZ4wl3CxyDpffe0I1WnACgjR+K
Au0157myWyN+GZj3KJK++UI=
=K86u
-----END PGP SIGNATURE-----