-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SANS Internet Threat Update, Plus Changing Requirements for Security Training
May 28, 2002

This special SANS Update focuses on the latest worm and other new attacks recently discovered by the Internet Storm Center, and looks ahead at new training requirements and opportunities facing security professionals, including the changing face of liability for computer security incidents.

+++ Internet Threat Update +++

The broad-based attacks on Microsoft SQL Server installations by the so-called SQLsnake worm were discovered on May 20th by SANS Internet Storm Center incident handlers Matt Fearnow and Johannes Ullrich. The first sign was a sudden increase, seen by Storm Center sensors around the world, in the number of hosts scanning for TCP port 1433, the default listening port of Microsoft SQL Server. The worm propagates by logging in as the built-in administrator account "sa", which the SQL Server 7 installation program leaves with no password. That much is well known and has been reported in many other advisories. Now let's take a look at the rest of the story.

- - You may be vulnerable and not realize it. Access 2000, Visio Enterprise Network Tools, Microsoft Project Central, Visual Studio 6 (and possibly other development tools) all appear to install an embedded version of SQL Server, with no password set for the "sa" account, as part of a default install. These tools are still being sold today, and we have no reason to believe new buyers are immune. Even worse, other vendors have embedded the run-time version of SQL Server 7 in their products. Dell, for example, ships it inside IT Assistant Version 6.0 and does not install the tools needed to change the password. Compaq Insight Manager Version 7 and IBM Director Version 3.1 both use the run-time version of SQL Server. As far as the worm is concerned these embedded engines are SQL Servers too, so a workstation or management console that nobody thinks of as a database server is still a target. If someone tells you "Microsoft fixed the problem," please point out that, for a large segment of the user community, they have been misinformed.
- - Users of Microsoft SQL Server 7 report that they followed the install wizard and, although they were asked many security questions, a password for the "sa" account was not one of them.

- - The worm sends password files from infected systems to an account [EMAIL PROTECTED] in Singapore, but future versions may send data to different accounts. The stolen password hashes can be cracked offline and then used to attack the compromised systems, and any associated systems where the same account names and passwords were reused. If your system was compromised, change all passwords on it immediately, not just the "sa" password. For further information, please see: http://www.incidents.org/diary/diary.php?id=156

An unproven theory being discussed is that the designer of the worm is German. All things being equal, Germany should be one of the top five countries showing evidence of MSSQL infections, based on its number of connected hosts, yet it is far down the list.

What's next? No one can tell the future, but we can watch for signs of testing. Curiously, Germany comes up again: on the 1st and 7th of May two notable spikes of activity to port 60001 were observed. The European analysis team is on the case. In the meantime, if you capture matching activity, please contact [EMAIL PROTECTED] http://isc.incidents.org/port_details.html?port=60001

+++ Changing Needs For Security Skills +++

SANS is currently running focus group sessions to determine how the technical skills that system, network, and security administrators need will change over the next few years. Patterns are emerging. Two of the new topics will be the subjects of SANS programs later this year: securing Microsoft's .NET, and XML and database skills, especially for intrusion detection and log analysis. A third, writing safe programs, has proven hard to fill: we have tried repeatedly, but programmers were not interested despite the great ratings the courses received.
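As an added illustration of the kind of log analysis behind the Storm Center's discovery of SQLsnake in the Internet Threat Update above (a sudden rise in the number of hosts scanning port 1433) and of the port-60001 watch mentioned there, here is a small Python detector. It is example code written for this update, not Storm Center or DShield code. The sensor line format 'YYYY-MM-DD src_ip dst_port', the thresholds, and the sample records are all assumptions constructed for the example, and it generalizes the two cases on the page to any destination port.

```python
"""Spot a scanning spike the way the Storm Center spotted SQLsnake: count how
many *distinct* source hosts probe a destination port each day and flag days
that jump well above the recent baseline.  Added example, not ISC code."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def parse_log(text):
    """Parse sensor lines of the assumed form 'YYYY-MM-DD src_ip dst_port'.
    Blank and '#' lines are skipped; a malformed line raises instead of being
    dropped silently, so a sensor format change does not hide a spike."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        day, src, port = parts
        records.append((date.fromisoformat(day), src, int(port)))
    return records


def distinct_sources_per_day(records, port):
    """Return {date: number of distinct source hosts that touched `port`} for
    every day in the log's span; a quiet day is 0, not a missing key."""
    by_day = defaultdict(set)
    for day, src, p in records:
        if p == port:
            by_day[day].add(src)
    if not records:
        return {}
    first = min(r[0] for r in records)
    last = max(r[0] for r in records)
    series, day = {}, first
    while day <= last:
        series[day] = len(by_day.get(day, ()))
        day += timedelta(days=1)
    return series


def find_spikes(series, window=7, factor=3.0, min_sources=5):
    """Flag days whose count is >= `factor` times the median of the preceding
    `window` days and >= `min_sources`.  The median baseline is not dragged up
    by an earlier spike; `min_sources` stops a 1-to-3 host wobble on a quiet
    port from paging anyone.  Returns [(date, count, baseline), ...]."""
    days = sorted(series)
    spikes = []
    for i, day in enumerate(days):
        prior = [series[d] for d in days[max(0, i - window):i]]
        if len(prior) < 3:
            continue  # too little history for a baseline
        baseline = median(prior)
        count = series[day]
        if count >= min_sources and count >= factor * max(baseline, 1):
            spikes.append((day, count, baseline))
    return spikes


def constructed_log():
    """Constructed sensor data for 2002-04-24 .. 2002-05-21 (not ISC data): two
    hosts probe 1433 and one probes 60001 every day, plus bursts of new 1433
    scanners on 20/21 May and of 60001 scanners on 1 and 7 May."""
    lines = []
    for n in range(28):
        day = date(2002, 4, 24) + timedelta(days=n)
        lines += [f"{day} 10.0.0.5 1433", f"{day} 10.0.0.9 1433",
                  f"{day} 10.0.0.7 60001"]
    lines += [f"2002-05-20 10.0.2.{i} 1433" for i in range(8)]
    lines += [f"2002-05-21 10.0.3.{i} 1433" for i in range(12)]
    for d in ("2002-05-01", "2002-05-07"):
        lines += [f"{d} 10.0.4.{i} 60001" for i in range(6)]
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_log(constructed_log())
    for port in (1433, 60001):
        for day, count, baseline in find_spikes(distinct_sources_per_day(recs, port)):
            print(f"port {port}: {day} had {count} distinct sources (baseline {baseline})")
```

Counting distinct sources rather than raw hits is what separates a spreading worm from one noisy host that probes all day. The median baseline means the second day of an outbreak still looks like a spike even though the first day has already raised the average, and the min_sources floor keeps a port that normally sees a single probe from alarming on two.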
The fourth hot topic is the legal aspects of system administration and risk avoidance. If you have any interest in this area, especially in liability for unsafe systems, plan to sign up for SANSFIRE, the Forensic, Incident Response and Education conference, June 27 - July 3 in Boston: http://www.sans.org/SANSFIRE02/ Legal issues are covered in depth in the Forensics track, but attendees in all tracks may hear Kimberly Keifer, Co-Chair of the American Bar Association's Information Security Committee, present an up-to-the-minute briefing on how legal precedents appear to be leading inexorably to legal liability for organizations that fail to protect their systems.

+++ Security Training Update +++

SANSFIRE, the Boston conference mentioned above, has seen explosive sign-ups for SANS's newly updated audit track. Who would have guessed audit would be as popular as forensics? We put extra resources where the attendance is, so we are adding evening hands-on audit training sessions for this track at no additional charge to its students. SANSFIRE also offers full week-long training programs covering SANS Security Essentials, Intrusion Detection In-Depth, Firewalls, Hacker Techniques, Securing Windows, Securing UNIX/Linux, and the only immersion training program on Forensics. The program begins June 27. Please note that the discounted rate for rooms at the conference hotel is available only until June 6; if you plan to attend, reserve your room now. http://www.sans.org/SANSFIRE02/

++ Additional Conference Update ++

Last week we added a new track to the Ottawa conference, which begins August 7, 2002. Track 3, Intrusion Detection in Depth, is a hands-on and lecture program that will be taught in Ottawa by Stephen Northcutt and Guy Bruneau. http://www.sans.org/ParliamentHill02/

+++ A final note +++

You can't do information technology work without tools, and many of the tools we all use come from commercial vendors.
We will shortly be sending a note to security tool vendors inviting them to help potential users learn about their tools through webcasts and live conference events. If your company has a popular security tool and you would like to receive this email, drop a note to [EMAIL PROTECTED] and we will add you to the list.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE88seb+LUG5KFpTkYRAgw5AJ9yIOocdf9+6Z7wT33z2WgHahoVlwCfTYLU
JTghSk+Oe2cSFgtoDC4Ws60=
=SI4Z
-----END PGP SIGNATURE-----

--- [This E-mail Scanned For Viruses By Declude Virus Scanner]

---------------------------------------------------------
Archived messages from this list can be found at:
http://www.mail-archive.com/tech-cord@aea5.k12.ia.us/
---------------------------------------------------------