SECURITY WIRE DIGEST, VOL. 2, NO. 50, November 9, 2000

Date Wed, 08 Nov 2000 21:01:51 +0400

[: hacktivism :]


*Middle East Cyberterrorism Spreads to U.S.
*IIS Patch Released, Could Have Prevented Breaches
*Political Party Web Sites Hacked on Election Day
*Mafiaboy: Guilty as Charged
*Do You Know Where Your Outsourcer Is?



Lucent Technologies confirmed Tuesday its systems were attacked
by a pro-Palestinian cracker group earlier this month. The FBI
says this could be the first in a series of cyberattacks against
U.S. government and business Web sites stemming from the
continuing Israeli-Palestinian conflict.

Despite some computer experts' denial that this is a "clear and
present danger," the Emergency Response & Research Institute
(ERRI) fears that Middle East unrest may become a larger issue
than was previously anticipated. "We would urge greater caution
and protective measures on the part of U.S. government,
corporations and particularly organizations identified with
Israeli or Palestinian causes," says Clark Staten, executive
director of the ERRI. "Our present assessment would suggest
continued escalation of cyberattacks as tensions in the Middle
East remain."

Tactics used by the attackers have included e-mail spamming, Web
page defacements, "disinformation," and the use of a FloodNet-type
tool. Current actions have been labeled "e-Jihad" and
"cyberjihad," according to sources.

So far, pro-Palestinian crackers have hit at least 30 sites, and
another 15 sites have been attacked by pro-Israeli crackers,
according to computer security and cyberintelligence firm

ERRI analysts have said that cyberwarfare tactics being exhibited
in the Palestinian/Israeli conflict could escalate as tensions in
the region continue. One analyst said that there's also a
possibility that similar attacks could be directed at the U.S.,
U.K. or other allied nations.

The Nov. 2 attack on Lucent Technologies may have been the work
of pro-Palestinians protesting the company's extensive high-tech
dealings with Israel.

"There could be other organizations hit here in the U.S., but
this is the first U.S. corporation named directly on target lists
being circulated by pro-Palestinian hacker groups I've seen so
far," said Ben Venzke, director of intelligence production at

"We believe we are seeing the beginnings of what a real cyberwar
might look like....Although the tactics being used so far are not
particularly cutting edge, they do give us an inkling of what
might be expected if and when the United States were to be
involved in some future conflict," said Staten. "There are many
lessons to be learned by studying the tactics and techniques of
the adversaries in these Mid-East incidents....More importantly,
they bring up both ethical and strategic questions about the use
of both offensive and defensive cyberwar."

According to cyber-security experts, a number of Israeli
e-commerce and other sites have already been moved to network
servers in the United States, increasing the likelihood of attacks
on servers in the U.S.

"This type of activity, at this level, has really entered us into
a new chapter in terms of the threat environment in cyberspace,"
said Venzke. "I really think that from this day forward, any
company, organization or government around the world that finds
itself embroiled in tensions or conflicts on the ground like what
we are seeing in the Middle East, that they now need to understand
the very real possibility that they may also face a rather strong
and dedicated effort running in parallel in cyberspace."

On Monday, Microsoft released a patch that addresses a serious
"Web Server File Request Parsing" flaw in Microsoft IIS 5.0 and
also fixes the "Web Server Folder Traversal Vulnerability," which
was exploited twice in recent weeks against Microsoft's own systems.

When IIS receives a valid request for an executable file, it
passes the name of the requested file to the underlying NT
operating system for processing. However, due to an implementation
flaw in Web server file request parsing, it's possible to create a
specially malformed file request that contains both a file name
and one or more OS commands. Upon receiving such a request, IIS
would pass the entire string to the OS, which would process the
file and execute the commands. In order to successfully exploit
the flaw, the file requested must be an existing file residing in
a folder in which the user possesses executable permissions.

The ability to execute OS-level commands on the Web server could
lead to privilege escalation, deletion, addition and modification
of files. This would not give the malicious user administrative
control over the server; however, it would enable a cracker to
cause widespread damage.
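The practical lesson for anyone reviewing Web server logs is that a
"specially malformed file request" only looks malformed after the
request path has been normalized the same way the server does it.
The following Python script is an added example written for this
digest, not code from Microsoft or from the original article: it
decodes nested percent-encoding, decodes UTF-8 leniently so that
non-shortest-form byte sequences collapse to the separator they
stand for (an assumption about how such requests evade a naive
check, not a detail the article states), unifies backslashes and
slashes, resolves ".." segments, and then flags any request that
climbs above the Web root or asks for an executable outside the
directories meant to hold them. The log lines, directory names and
file names are constructed for the example.

```python
"""Flag folder-traversal requests in Web server access logs.

Added example, not code from the newsletter or from Microsoft.
Normalization order: repeated percent-decoding, lenient UTF-8
decoding that also accepts overlong sequences (assumption, see
lead-in), backslash/slash unification, dot-segment resolution.
"""
import re
from urllib.parse import unquote_to_bytes

# Hypothetical virtual directories allowed to hold executables.
EXEC_DIRS = ("/scripts", "/cgi-bin")
EXEC_EXTENSIONS = (".exe", ".bat", ".cmd", ".com")

# Matches the request portion of a Common Log Format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 but accept overlong (non-shortest-form) sequences,
    so a 2-byte encoding of '/' still normalizes to '/'. Invalid bytes
    become U+FFFD instead of raising."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        if 0xC0 <= b < 0xE0: need, cp = 1, b & 0x1F
        elif 0xE0 <= b < 0xF0: need, cp = 2, b & 0x0F
        elif 0xF0 <= b < 0xF8: need, cp = 3, b & 0x07
        else:
            out.append("\ufffd"); i += 1; continue
        tail = data[i + 1:i + 1 + need]
        if len(tail) != need or any(t & 0xC0 != 0x80 for t in tail):
            out.append("\ufffd"); i += 1; continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + need
    return "".join(out)


def normalize_path(target: str):
    """Return (resolved_path, escaped_root) for a raw request target."""
    path = target.split("?", 1)[0]           # drop the query string
    data = path.encode("ascii", "replace")
    for _ in range(3):                        # undo nested %-encoding
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    text = lenient_utf8(data).replace("\\", "/")
    segments, escaped = [], False
    for seg in text.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escaped = True                # climbed above the Web root
        else:
            segments.append(seg)
    return "/" + "/".join(segments), escaped


def classify_target(target: str):
    """Return a finding name, or None when the request looks benign."""
    resolved, escaped = normalize_path(target)
    lower = resolved.lower()
    if escaped:
        return "traversal-above-web-root"
    allowed = tuple(d + "/" for d in EXEC_DIRS)
    if lower.endswith(EXEC_EXTENSIONS) and not lower.startswith(allowed):
        return "executable-outside-exec-dirs"
    return None


def scan_log(text: str):
    """Return [(line_number, target, finding)] for suspicious lines."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = classify_target(m.group("target"))
        if finding:
            findings.append((no, m.group("target"), finding))
    return findings


# Constructed sample log; hosts, paths and timestamps are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Nov/2000:21:01:51 +0400] "GET /index.htm HTTP/1.0" 200 1043
10.0.0.6 - - [08/Nov/2000:21:02:13 +0400] "GET /scripts/..%c0%af../private/report.txt HTTP/1.0" 200 312
10.0.0.7 - - [08/Nov/2000:21:02:40 +0400] "GET /scripts/..%255c..%255cbin/tool.exe?arg HTTP/1.0" 404 0
10.0.0.8 - - [08/Nov/2000:21:03:02 +0400] "GET /scripts/a/../query.exe?x=1 HTTP/1.0" 200 55
10.0.0.9 - - [08/Nov/2000:21:03:30 +0400] "GET /images/setup.exe HTTP/1.0" 200 9000
"""

if __name__ == "__main__":
    for no, target, finding in scan_log(SAMPLE_LOG):
        print(f"line {no}: {finding}: {target}")
```

Note that the fourth sample line resolves to an executable inside an
allowed directory and is not reported, while the fifth is reported
only because of the site policy encoded in EXEC_DIRS; that second
finding is a policy check, not evidence of the parsing flaw itself.
A 404 on a traversal request (third line) is still worth an alert,
since it shows someone probing for the flaw even if the target file
did not exist.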

Vulnerable versions are IIS 5.0 and 4.0 with service packs 4 and
earlier. Users of IIS 4.0 who have not yet done so are urged to
upgrade to the latest service pack. A Microsoft bulletin
recommends that all customers running IIS 5.0 immediately apply
the patch for this vulnerability. Exploit code has not yet been

"It's somewhat unbelievable that Microsoft is still unable to
come up with all of the possible combinations of input that could
invoke a DOS prompt remotely on a Web server," said Russ Cooper,
editor of NT Bugtraq and surgeon general of TruSecure Corp. "This
must get solved once and for all...somehow."

The IIS Web Server Folder Traversal Vulnerability reportedly
allowed a Dutch hacker, who goes by the alias Dimitri, to
penetrate a Microsoft server that hosts events and redirects
information for the Redmond, Wash. company's Web site. While
Dimitri broke into a semi-retired server, it provided him a
potential platform for distributing malware, including
reversed-engineered backdoors and Trojan horses, and access to
encrypted files containing administrator user names and

Microsoft confirmed Dimitri hacked into their server, but
considers it a minor intrusion because of the server's low value.
The company says the intrusion was a result of not applying the
IIS patch across its entire network, which left a server slated to
be taken out of service vulnerable to attack. Technicians are in
the process of correcting the vulnerability and ensuring other
servers have received the patch.

This is the second network intrusion in two weeks suffered by the
software giant. Microsoft reported Oct. 26 that a hacker broke
into its system and accessed the source code of a product under
development. The FBI is investigating the incident.
Microsoft IIS 4.0:
Microsoft IIS 5.0:


Political protests and subversion have come a long way since the
civil rights marches on Washington, D.C., in the 1960s and Nixon's
team of "Plumbers" broke into the Watergate office building in the
1970s. Both the Democratic and Republican national committees' Web
sites were attacked this week as the presidential campaign wound
down. In the predawn hours of Election Day Tuesday, hackers
replaced the Republican National Committee's Web site with a
lengthy diatribe against presidential candidate George W. Bush and
placed a link to Vice President Al Gore's Web site. A Republican
spokesperson blamed the incident on last-minute dirty tricks by
the Democrats, but a DNC spokesperson said the charges are
unfounded. While not suffering a defacement, the DNC Web site was
repeatedly attacked Monday and was eventually forced to shut down.
The Democrats' Web site was back in operation on Tuesday, but the
Republicans were still working on their site Wednesday.

Canadian cracker "Mafiaboy" has said he will plead guilty to
attacks on several prominent Web sites when he appears in juvenile
court Dec. 8. He is accused of launching distributed
denial-of-service (DDoS) attacks that disabled CNN, Yahoo!, eBay
and, among others, back in February. In addition to the
attacks, he is also accused of breaking into numerous university
computers, which he used as launch points for the DDoS attacks. If
convicted, Mafiaboy could be sentenced to a two-year term in a
juvenile detention center.


by Peter Browne
As a large, diverse financial institution, First Union has its
share of legacy environments and a culture that "trusts
everybody." When I joined the company almost five years ago, it
was dipping its toe into the cold waters of the Internet and just
beginning to understand the role of security in this new

Over the last five years, the information security organization
at First Union has grown from eight people to nearly 120, with
more joining us each month. The key to success in this fast-growth
environment was finding the very best people, no matter their
background, and teaching them the principles and paradigms of
information security. While this strategy has worked well, the
demand for all IT and security professionals continues to exceed
the supply, and so we're never in a position to rest on our

The challenge is to be proactive in fulfilling our security
mission, despite being perpetually understaffed. Though in-house
staff understands various security components, First Union is
simply too large and too distributed to assign in-house staff to
everything related to security. And so, like most large
organizations today, we are increasingly outsourcing components of
our core technology.

Right now, we're talking with a variety of ISPs, ASPs,
Web-hosting services, network outsourcers, Internet infrastructure
outsourcers, data center outsourcers and even to security system
providers (SSPs). In this new world of co-optation, we're learning
how to exert control over organizations and people who don't
report to our CEO. We have to make sure our security standards are
maintained, especially if they're more rigorous than those
followed by the service provider. Working with outsourcers boils
down to due diligence, which involves examining operations and
verifying material facts beyond casual inquiry.

Reasonable validation would include: a review of outsourcer
documentation, organizational materials, process documentation,
audit reports and any third-party assessments of operations;
on-site assessment of operational functions and management;
evaluation of security controls in place; actual testing of
controls through penetration or validation exercises; and a review
of SLAs and other agreements related to security management,
monitoring, incident response and documentation.

The last and most critical step in this process is to ensure that
the requirements for protection are written into the contract and
enforced throughout the term of the agreement. We've learned that
if you don't build security into the contract management process,
you lose any leverage you might have had.

PETER BROWNE is senior vice president of information security for
First Union Corp.

(Excerpted from a longer article appearing in the forthcoming
November 2000 issue of Information Security magazine. Browne's
article is one of 30 written by information security professionals
appearing in the November "Agenda 2001" special issue.)



27th Annual Computer Security Conference & Exhibition
M-W, Nov. 13-15, Chicago, Ill.

Ensuring Successful Wireless E-Commerce with End-to-End Security
T & W, Nov. 14-15, Alexandria, Va.

Managing Computer Security Incident Response Teams (CSIRTS)
T-Th, Nov. 14-16, Arlington, Va.

E-Commerce & Internet Risk Management, Contingency Planning &
Business Continuity
W & Th, Nov. 15-16, San Francisco, Calif.

The Wireless Internet Explosion
W & Th, Nov. 15-16, Santa Clara, Calif.

Enterprise Portal Strategies
Th, Nov. 16, Boston, Mass.

Securing E-Business Relationships
Th, Nov. 16, Toronto, Canada

3rd Annual World IT Congress
F-Su, Nov. 17-19, Miami, Fla.

Introduction to Network Security
M-W, Nov. 20-22, London, England

Ultimate Incident Response: Hands On
M-Th, Nov. 27-30, Boston, Mass.

Network Security & Firewall Administration
T-Th, Nov. 28-30, Philadelphia, Pa.

DITSCAP Common Criteria Implementation Symposium (DCCIS)
W-F, Nov. 29-Dec. 1, Charleston, S.C.

E-Security Conference & Expo
Th & F, Nov. 30-Dec. 1, Arlington, Va.

The Conference on PKI Interoperability
T & W, Dec. 5-6, Atlanta, Ga.

Secure Web Symposium
T-Th, Dec. 5-7, Monterey, Calif.

Biometrics in Business--The European Biometrics Summit
W-F, Dec. 6-8, Flanders Language Valley, Belgium

Secure Communications & Virtual Private Networks
W-F, Dec. 6-8, Raleigh, N.C.

FORTUNE Summit on E-Security
Th & F, Dec. 7-8, New York, N.Y.

Capitol SANS
Su-F, Dec. 10-15, Washington, D.C.

Building a Global Enterprise Security Infrastructure
M & T, Dec. 11-12, Los Angeles, Calif.


Security Issues in Central, Policy-based Security
W, Nov. 22, 8 a.m. PDT


Security Wire Digest and Information Security magazine are
published by, the world's leader in Internet security

Copyright (c) 2000. All rights reserved. Redistribution of this
newsletter is permitted provided all content is reproduced
verbatim with proper attribution to Security Wire Digest and
Information Security magazine.

