-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

**********************************************************************
SANS NEWSBITES
The SANS Weekly Security News Overview
Volume 4, Number 18
May 1, 2002

Editorial Team: Kathy Bradford, Dorothy Denning, Roland Grefer, Bill Murray,
Stephen Northcutt, Alan Paller, Marcus Ranum, Eugene Schultz
**********************************************************************

Last chance this spring for security training in the Washington DC area: next week.
http://www.sans.org/CapitolHill

TOP OF THE NEWS
24-29 April 2002  Klez Continues to Spread
26 April 2002     Hotmail Cookie Vulnerability
23 April 2002     Scam Artists Use Brute Force to Find Valid Credit Cards
22 April 2002     IM Users Tricked Into Downloading DDoS Software

THE REST OF THE WEEK'S NEWS
29 April 2002     XP Automatic Updating Feature Generates Complaints
29 April 2002     Vivendi Plans Hacking Suit Over Questionable Online Voting
29 April 2002     GAO Undercover Agents Gain Access to Federal Buildings
26 April 2002     Outlook E-mail Editing Vulnerability
29 April 2002     Outlook E-Mail Editing Patch May Not Fix the Whole Problem
26 April 2002     Belgian ISP Sends Out Infected CD
26 April 2002     Hybrid Attacks Gaining Popularity
26 April 2002     Military Academy Cyber Defense Exercise
26 April 2002     Chilean Computer Thieves Caused Traffic Chaos
26 April 2002     Chernobyl Probably Won't Cut a Wide Swath This Year
26 April 2002     FBI to Establish Three New Regional Cyber Forensic Labs
25, 26 & 29 April 2002  CIA Report Describes China Cyber Attack Threat
25 April 2002     File-Sharing Companies Taste the Bitter Brew of Irony
24 April 2002     PKI Vendors Agree to Interoperability
24 April 2002     Finjan Points Out MBSA Flaw
24 April 2002     Microsoft Pulls Office Tools Because of Security Flaws
23 & 24 April 2002  IE6 Privacy Features Have Security Holes
23 April 2002     Moscow ATM Crackers Sentenced
23 April 2002     Kagra Virus
22 April 2002     IT Security Resource List
22 April 2002     Industry Group Concerned That NIST Could Mandate Product Features
22 April 2002     Windows Update Not Reliable, Say Consumers
22 April 2002     Taiwan to Hold Cyber Security Drill

IN-DEPTH TECHNICAL SECURITY TRAINING (AND MANAGEMENT COURSES) IN THE NEXT 120 DAYS
Large SANS GIAC Certification and Training programs in Washington, Toronto,
Boston, Denver, New York, and Los Angeles
Smaller programs in Minneapolis, Portland, Colorado Springs, Chicago, Detroit,
Ottawa, and Melbourne
Details and registration information: www.sans.org

********************** Sponsored by Cisco Systems *********************
One Flexible, Modular and Cost-Effective Way to Make your Network SAFE
Today's sophisticated networks need more than just a "Firewall here,
intrusion detection system there" approach. They need an ironclad network
security solution that will protect their network against malicious
activity. That's why Cisco Systems has created the SAFE Blueprint, which
empowers businesses with best practices and robust solutions to effectively
secure their networks. For more information, visit http://www.cisco.com/go/safe
***********************************************************************

TOP OF THE NEWS

--24 - 29 April 2002
Klez Continues to Spread
The latest versions of Klez have infected more than 7% of PCs around the
world, moving past the totals accrued by SirCam and Nimda. Variants of the
Klez virus continue to spread so rapidly that some suspect its spread is
being hastened by "seeding," though there is no evidence to support this.
Klez uses a variety of subject lines and can spoof senders' e-mail
addresses, making it harder for people to look out for the usual signs of
virus-laden e-mail. Klez uses its own SMTP engine to mail itself to
e-mail addresses found on infected computers' hard drives. Corporate users
are less likely to become infected because they are more vigilant than home
users about updating their anti-virus signatures.
Klez severely disrupted Internet service in Zimbabwe, disabling mail servers
and forcing some ISPs to go off-line to clean up the virus residue. More than
75% of the country's businesses and private citizens were cut off from
Internet access. The Czech Republic is reportedly the hardest hit of all
European countries.
http://news.com.com/2100-1001-894706.html
http://news.com.com/2100-1001-891030.html
http://www.computerworld.com/storyba/0,4125,NAV47_STO70574,00.html
http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=7962
http://www.europemedia.net/shownews.asp?ArticleID=10300
[Editor's (Schultz) Note: Klez's success is, lamentably, not only in the
number of computers it has infected. The fact that it spoofs sender
identities has created a massive amount of confusion within the user
community.]

--26 April 2002
Hotmail Cookie Vulnerability
Because cookies are used for Hotmail account authentication, if crackers get
hold of two specific cookies -- which are stored unencrypted in a fixed
location -- they can always access the account, even after a password
change. Hotmail users are advised not to use the "keep me signed in" option.
http://www.wired.com/news/technology/0,1282,52115,00.html
[Editor's (Murray) Note: This is the second time that Hotmail has been shown
to store privileged state in the clear. It now appears that instead of fixing
it the first time, they simply moved it from the URL to the cookie. I always
wondered how they had managed to fix it in only 12 hours; now I know.]

--23 April 2002
Scam Artists Use Brute Force to Find Valid Credit Cards
Several groups of credit card scam artists are using brute force to run
credit card numbers through Authorize.Net, "a payment gateway system" that
requires no password, only a login name. Every transaction is charged a fee,
regardless of the credit card number's validity.
http://www.msnbc.com/news/742677.asp?0dm=C1AMT

--22 April 2002
IM Users Tricked Into Downloading DDoS Software
Many IRC and IM users have been tricked into downloading malicious software
that could then be used to launch a distributed denial of service (DDoS)
attack. Hackers send messages telling victims that their systems are
infected (they are not) and instructing them to go to a certain website and
download the software or risk being banned from the IM system. When the user
executes the downloaded software, the system becomes infected.
http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=7929

************************* Sponsored Links ****************************
(1) Plug that perimeter security gap - FREE full-function PestPatrol
evaluation software
http://www.sans.org/cgi-bin/sanspromo/NB31
(2) ALERT! Hackers gain access to backend data via web applications.
FREE WHITE PAPER: http://www.sans.org/cgi-bin/sanspromo/NB32
**********************************************************************

THE REST OF THE WEEK'S NEWS

--29 April 2002
XP Automatic Updating Feature Generates Complaints
Windows XP users get pop-up screens informing them of new updates available
for their systems. Users have complained that some patches are making their
systems unstable.
http://www.wired.com/news/technology/0,1282,52108,00.html
[Editor's (Murray) Note: One fundamental property of "patch and fix" is that
the solution becomes the problem. That said, AOL manages to update their very
intrusive client without generating complaints.]

--29 April 2002
Vivendi Plans Hacking Suit Over Questionable Online Voting
Vivendi Chief Executive Jean-Marie Messier says hackers sabotaged online
voting during the media company's recent shareholders' meeting; votes cast by
certain shareholders did not correlate with records. Some think the
allegations are dubious. The board plans to call a new shareholders' meeting
for June.
http://story.news.yahoo.com/news?tmpl=story&cid=528&ncid=528&e=1&u=/ap/20020429/ap_on_hi_te/vivendi_voting_2
http://www.wired.com/news/business/0,1367,52162,00.html
http://europe.cnn.com/2002/BUSINESS/04/29/vivendi.hacker/index.html

--29 April 2002
GAO Undercover Agents Gain Access to Federal Buildings
Undercover investigators from the General Accounting Office (GAO) were able
to gain access to, and move freely about, four federal buildings in Atlanta.
They were also able to obtain building passes and after-hours access codes,
and made copies of the credentials on computers.
http://www.msnbc.com/news/745303.asp

--26 April 2002
Outlook E-mail Editing Vulnerability
When Outlook users view their e-mail, scripts usually cannot run because the
Internet Explorer security settings block them. However, if they use MS Word
as their e-mail editor, the documents are opened in unprotected mode,
allowing HTML e-mail messages to execute scripts. Microsoft has released a
patch for the vulnerability.
http://www.computerworld.com/storyba/0,4125,NAV47_STO70570,00.html
http://www.theregister.co.uk/content/55/25033.html
http://www.microsoft.com/technet/security/bulletin/ms02-021.asp

--29 April 2002
Outlook E-Mail Editing Patch May Not Fix the Whole Problem
Microsoft's recently released patch for the Outlook/Word e-mail flaw is only
partially effective, according to Georgi Guninski. The exploit path through
Excel remains vulnerable.
http://www.theregister.co.uk/content/55/25064.html
Guninski's description:
http://www.guninski.com/m$oxp-2.html

--26 April 2002
Belgian ISP Sends Out Infected CD
Belgian ISP Skynet sent some of its customers a CD infected with
W95.Hybris.gen.
http://www.europemedia.net/shownews.asp?ArticleID=10308

--26 April 2002
Hybrid Attacks Gaining Popularity
Hybrid attacks, like Code Red and Nimda, have overtaken denial of service
(DoS) attacks as the most prevalent security threat, according to Internet
Security Systems' X-Force unit's Internet Risk Impact Summary. The group also
expressed concern about the PHP and SNMP vulnerabilities.
http://www.vnunet.com/News/1131294

--26 April 2002
Military Academy Cyber Defense Exercise
Military academy students participated in a cyber defense exercise. Six
groups of students were pitted against professional military teams made up
of National Security Agency (NSA) employees and soldiers from the U.S. Air
Force's 92nd Information Warfare Aggressor Squadron and the Army's Land
Information Warfare Activity. For some students, this competition inspired a
passion for hands-on cyber security.
http://zdnet.com.com/2100-1105-893418.html

--26 April 2002
Chilean Computer Thieves Caused Traffic Chaos
Thieves stole 15 PCs and 2 servers from a roadway traffic control center in
Santiago de Chile, throwing traffic signals out of synchronization and
causing traffic turmoil.
http://www.wired.com/news/business/0,1367,52114,00.html

--26 April 2002
Chernobyl Probably Won't Cut a Wide Swath This Year
The Chernobyl virus, set to launch its payload on April 26, is viewed as a
minor threat because anti-virus signatures would have to be significantly
outdated not to detect it. If launched, the virus can cause a great deal of
damage, overwriting hard drives. Chernobyl affects only Windows 95, 98 and
ME.
http://www.newsbytes.com/news/02/176177.html

--26 April 2002
FBI to Establish Three New Regional Cyber Forensic Labs
The FBI plans to set up three new cyber forensics laboratories in Kansas
City, Chicago and San Francisco; the FBI has already established labs in
Dallas and San Diego. Half of all cases the FBI opens now involve computers.
http://www.siliconvalley.com/mld/siliconvalley/news/editorial/3145543.htm

--25, 26 & 29 April 2002
CIA Report Describes China Cyber Attack Threat
According to a CIA report, the Chinese military wants to sabotage US computer
systems. Though it is believed they do not presently have that capability,
independent hackers, possibly students, may increase cyber harassment through
viruses, defacements and DoS attacks on the anniversary of the collision
between a U.S. spy plane and a Chinese plane.
http://www.msnbc.com/news/743518.asp?0dm=T22AT
http://www.latimes.com/news/nationworld/world/la-042502china.story
http://www.washingtonpost.com/wp-dyn/articles/A50900-2002Apr25.html
http://www.fcw.com/fcw/articles/2002/0429/news-hack-04-29-02.asp
[Editor's (Murray) Note: Most nation states develop both offensive and
defensive capabilities that they hope never to use. They do not require
"sophistication." In any case, whatever US intelligence or reporters may
think, while China may be poor, relative to the West and per capita, they
are not primitives. The Chinese are sophisticated; we disparage or
under-estimate them at our peril.]

--25 April 2002
File-Sharing Companies Taste the Bitter Brew of Irony
A programmer going by the name of Dr. Damn has been releasing file-sharing
software stripped of bundled adware and spyware. The companies that developed
this software have been the target of complaints from the film and recording
industries for contributing to the theft of intellectual property. Now they
are crying foul.
http://news.com.com/2100-1023-891724.html

--24 April 2002
PKI Vendors Agree to Interoperability
The British government has convinced public key infrastructure (PKI) vendors
to make their products interoperable, which will increase the likelihood that
more businesses will adopt the technology.
http://www.silicon.com/public/door?6004REQEVENT=&REQINT1=52901&REQSTR1
[Editor's (Schultz) Note: This development is a huge step forward; lack of
PKI product interoperability is one of the major reasons that PKIs have not
been more widely deployed. But it may be too little, too late for PKI.]

--24 April 2002
Finjan Points Out MBSA Flaw
Finjan has issued an alert describing a security vulnerability in Microsoft
Baseline Security Analyzer. While the tool offers a useful service, it writes
its report in plaintext, which crackers who obtain it could use to target the
vulnerabilities listed.
http://www.finjan.com/mcrc/alert_show.cfm?attack_release_id=71

--24 April 2002
Microsoft Pulls Office Tools Because of Security Flaws
Microsoft has removed the latest version of Office Web Components (OWC) from
its site because a security consultancy has reported that the tools could
allow malicious e-mails or websites to read local files and run scripts even
when scripting has been disabled. Until a patch is available, users can
disable ActiveX or uninstall OWC.
http://www.newsbytes.com/news/02/176138.html

--23 & 24 April 2002
IE6 Privacy Features Have Security Holes
Thor Larholm has enumerated security flaws in IE6 privacy features. Crackers
could exploit the vulnerabilities to launch programs already on a computer's
hard drive, send messages to people on MSN Messenger contact lists and steal
cookies.
http://www.newsbytes.com/news/02/176077.html
http://www.theregister.co.uk/content/55/24997.html

--23 April 2002
Moscow ATM Crackers Sentenced
Two ringleaders of a Moscow hacking group that used ATMs to steal nearly $1
million from bank accounts have been sentenced to five years in prison. A
third man, who cooperated with the authorities during the investigation,
received a 3-year sentence and was then freed under an amnesty law; three
others received three-year suspended sentences.
http://story.news.yahoo.com/news?tmpl=story&cid=562&562&e=14&u=/ap/20020423/ap_on_hi_te/russia_atm_fraud_3
[Editor's (Murray) Note: This demonstrates the risk of dealing with unknown
and unauthenticated clients. It also demonstrates the necessity of slowing
responses to repeated failed queries. At some level the credit card companies
understand these attacks; the SET protocols respond to them. Like most such
exposures, they seem to accept the risk until someone starts to exploit them.
Shame.]

--23 April 2002
Kagra Virus
Kagra, a malicious VBS virus, preys on people's prurient interests,
delivering a nasty payload instead of the promised pictures. The mass-mailer
worm displays a message on May 12 noting that the machine has been hacked and
deletes the Windows or WinNT folder on May 13.
http://www.vnunet.com/News/1131174

--22 April 2002
IT Security Resource List
The Washington Post has compiled a list of IT security resources for those
who want to know more about cyber security.
http://www.washingtonpost.com/wp-dyn/articles/A29557-2002Apr22.html

--22 April 2002
Industry Group Concerned That NIST Could Mandate Product Features
Pending legislation would significantly increase funding for the National
Institute of Standards and Technology's (NIST) Computer Security Division.
Industry trade groups and network security vendors are concerned that NIST
could mandate product standards that would slow production and increase
expense.
http://www.nwfusion.com/news/2002/0422nist.html
[Editor's (Paller) Note: When you see a reference to an "industry trade
group" saying an agency should not mandate standards, you might find it
useful to remember that the auto manufacturers' industry trade group spoke
out against seat belts for decades using many of the same arguments. A better
translation of their comments in this article would have been "our marketing
people think this may cost us money so we'll claim it will hurt consumers to
try to persuade Congress to kill it."]
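Two of the items above, the Hotmail cookie vulnerability (cookies that keep working after a password change) and the brute-force credit card checks against a gateway that accepts any number of attempts under one login name, together with Murray's note on slowing responses to repeated failed queries, come down to how a server keeps its authentication state. The Python below is an added example, not code from Hotmail, Authorize.Net, Microsoft or SANS; the AuthServer class, its method names, the delay constants and the sample accounts are all constructed for illustration. It binds every session cookie to a per-account password generation counter, so a password change invalidates cookies issued before it, and it applies an escalating delay to repeated failures on one login name.

```python
"""Added example: server-side authentication state that (a) invalidates
session cookies on password change and (b) slows repeated failed attempts.
All names, constants and accounts are constructed for illustration."""
import hashlib
import hmac
import secrets


class AuthServer:
    BASE_DELAY = 1.0    # assumed: seconds to wait after the first failure
    MAX_DELAY = 300.0   # assumed: cap on the escalating delay

    def __init__(self, server_key: bytes):
        self._key = server_key   # secret used to MAC cookie contents
        self._accounts = {}      # login -> account record (logins contain no ':')
        self.now = 0.0           # injectable clock so the example is deterministic

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, login: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[login] = {
            "salt": salt,
            "pw_hash": self._hash(password, salt),
            "generation": 0,   # bumped on every password change
            "failures": 0,     # consecutive failed attempts
            "retry_at": 0.0,   # earliest time the next attempt is accepted
        }

    # --- throttling of repeated failed attempts on one login name ---------
    def retry_after(self, login: str) -> float:
        """Seconds the caller must still wait before another attempt."""
        acct = self._accounts.get(login)
        if acct is None:
            return 0.0
        return max(0.0, acct["retry_at"] - self.now)

    def login(self, login: str, password: str):
        """Return a cookie on success, None on failure or while throttled."""
        acct = self._accounts.get(login)
        if acct is None or self.now < acct["retry_at"]:
            return None   # unknown login, or still inside the backoff window
        if not hmac.compare_digest(self._hash(password, acct["salt"]), acct["pw_hash"]):
            acct["failures"] += 1
            delay = min(self.BASE_DELAY * 2 ** (acct["failures"] - 1), self.MAX_DELAY)
            acct["retry_at"] = self.now + delay   # doubles with each failure
            return None
        acct["failures"] = 0
        acct["retry_at"] = 0.0
        return self._issue_cookie(login, acct["generation"])

    # --- cookies bound to the account's password generation ---------------
    def _issue_cookie(self, login: str, generation: int) -> str:
        nonce = secrets.token_hex(8)
        body = f"{login}:{generation}:{nonce}"
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}:{mac}"

    def validate(self, cookie: str):
        """Return the login the cookie authenticates, or None."""
        try:
            login, gen_s, nonce, mac = cookie.split(":")
        except ValueError:
            return None   # malformed cookie
        body = f"{login}:{gen_s}:{nonce}"
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None   # tampered: generation or login was edited
        acct = self._accounts.get(login)
        if acct is None or int(gen_s) != acct["generation"]:
            return None   # stale: issued before the last password change
        return login

    def change_password(self, login: str, old: str, new: str) -> bool:
        acct = self._accounts.get(login)
        if acct is None or not hmac.compare_digest(self._hash(old, acct["salt"]), acct["pw_hash"]):
            return False
        acct["salt"] = secrets.token_bytes(16)
        acct["pw_hash"] = self._hash(new, acct["salt"])
        acct["generation"] += 1   # every previously issued cookie is now rejected
        return True
```

The generation counter is the part Hotmail's design lacked: a stolen cookie stays valid only until the next password change, and the MAC stops a holder from simply editing the generation field. The backoff is kept per login name, which is the only identifier the gateway in the brute-force story asked for; a production system would also throttle per source address and keep this state in shared storage rather than in one process.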
--22 April 2002
Windows Update Not Reliable, Say Consumers
Consumers are complaining that Windows Update is unreliable: it sometimes
says systems are adequately patched when they are not, it doesn't report
failed patch installations, and it doesn't always display the most current
patches.
http://www.computerworld.com/cwi/community/story/0,3201,NAV65-663_STO70382,00.html

--22 April 2002
Taiwan to Hold Cyber Security Drill
Taiwan will hold a drill in June along with its annual air-raid defense
review. The government hopes to better understand the ways hackers could
break into and disrupt computer networks. There is concern that China may
launch a cyber attack against Taiwan as a prelude to an invasion.
http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=7925

==end==

Please feel free to share this with interested parties via email, but no
posting is allowed on web sites. For a free subscription, (and for free
posters) e-mail sans@sans.org with the subject: Subscribe NewsBites

To change your subscription, address, or other information, visit
http://www.sans.org/sansurl and enter your SD number (from the headers.) You
will receive your personal URL via email. You may also email with complete
instructions and your SD number for subscribe, unsubscribe, change address,
add other digests, or any other comments.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE80AFR+LUG5KFpTkYRAhEIAJ9N1+rDTcL4PFgjKSSs/J9ZavuTxwCgje5J
p+6B+YEafvGhRs8ilYDuyqE=
=pGSc
-----END PGP SIGNATURE-----