Newsletters: NewsBites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IV - Issue #29

July 17, 2002


The competition between SANS GIAC and CISSP security certifications
appears to have ended. Starting with the October Network Security 2002
conference, SANS Security Essentials (SANS' most popular training
program) will cover the CISSP Common Body of Knowledge as well
as the essential security skills needed for GSEC certification.
That means eligible students can complete the single course and
then go for CISSP or GSEC certification or both. In about 14 days,
the first of 520,000 brochures for Network Security 2002 will begin
arriving in mailboxes, so if you would like one of the limited seats,
register in the next few weeks. (http://www.sans.org/NS2002)


Alan

TOP OF THE NEWS

16 July 2002 Government and Industry Agree On Minimum Security Configuration Benchmarks
15 July 2002 OMB Establishes Security Measurements for Agencies
12 July 2002 Will Home Appliances Be the Next Target For Viruses?
10 July 2002 British ISPs Have Two Weeks to Set Up Tracking Systems
11 July 2002 Congressional Committee Adds Cybersecurity Program to Homeland Security Bill

THE REST OF THE WEEK'S NEWS

15 July 2002 Elcomsoft Posts More Adobe Vulnerabilities
15 July 2002 Frethem Variant Making the Rounds
15 July 2002 House Overwhelmingly Approves CSEA
15 July 2002 Operation Dark Screen To Test US Response To Cyber Attack
10 & 15 July 2002 Consulting Firms Lobby For Federal Insurance Against Liability
15 July 2002 IT Professionals Enumerate Their Security Gripes
12 July 2002 Chemical Industry is Developing Cyber Security Strategy
12 July 2002 Microsoft SQL Labs is Not Using its Own Security Product
11 July 2002 Telecom Hacker Charged
11 & 15 July 2002 Liberty Alliance Releases Identity Authentication Standard
12 July 2002 Study Finds Attacks On Open Source Increasing; Windows Decreasing
12 July 2002 USA Today Web Site Hacked
11 July 2002 Vulnerabilities in CDE ToolTalk
11 July 2002 Datom.A Windows Virus/Worm Masquerades as Microsoft Update
11 July 2002 PGP Flaw Puts Outlook Users At Risk
11 July 2002 Security Flaw in Outlook Exposed Before Patch Was Available
10 July 2002 Two Men Arrested in Brazil for ATM Hack
10 July 2002 Al Qaeda Uses Internet for Communications
9 July 2002 Phone Service Web Log Exposes Student Data
9 July 2002 W32.Liac.A Worm
8 July 2002 Reporter Says Survey Says Users Want Vulnerabilities Disclosed
8 July 2002 Critical Infrastructure Protection Exercise
8 July 2002 Copyright Hack Back Law Not a Good Idea
8 July 2002 Security Researcher Claims Apple Update Vulnerable
8 July 2002 Proposed XML Security Standards
9 July 2002 Philippine Internet Service Group To Fight Back Against Hackers
5 July 2002 Virus Traced to Temp Worker
1 July 2002 Where's The Money in Security


******************** This Issue Sponsored by NetIQ *******************
FREE Computer Crime Forensics Webcast from Microsoft and NetIQ
Learn how to combat hackers during the free 8/20/02 Webcast,
"Computer Crime Forensics," Part II of the "Defending the Enterprise"
series. Security experts from the FBI and Shell will cover how to
safeguard and harden your Windows network.
Register now!
http://webevents.tpcnet.com/netiq/20020820/start/default.asp?origin=sans717
**********************************************************************

TOP OF THE NEWS

16/17 July 2002 Government/Industry Alliance Announces Minimum Security Configuration Benchmarks

In a high-tech, high-powered version of a neighborhood watch, a group of government agencies and industry leaders announce today a common set of standards and software to fight computer hacking. The initial security benchmark applies to Microsoft Windows 2000 Professional. Benchmarks for other operating systems, including Cisco IOS, Solaris, and other Microsoft products are being developed. Government agencies involved include the National Institute of Standards and Technology, the National Security Agency, the General Services Administration and the Defense Information Systems Agency. The Center for Internet Security, which published the benchmark, also released a free tool that tests systems, scores them on compliance with the benchmark, and guides users to the corrections needed to raise the score.
-http://www.foxnews.com/story/0,2933,57870,00.html
-http://www.washingtonpost.com/wp-dyn/articles/A15910-2002Jul16.html

15 July 2002 OMB Establishes Security Measurements for Agencies

The Office of Management and Budget released new regulations providing specific measures to evaluate performance of federal security managers and CIOs.
-http://www.fcw.com/fcw/articles/2002/0715/news-gisra-07-15-02.asp
The regulations:
-http://www.whitehouse.gov/omb/memoranda/m02-09.pdf
[Editor's Note (Paller): An important element is missing from the regulation, but could be easily added. NASA and other organizations have provided proof that safe configuration of systems can be measured and does reduce attacks. And the benchmarks announced today provide additional measurement tools. OMB could ask agencies to measure the safety of their systems' configuration as an essential part of their security report card. ]

12 July 2002 Will Home Appliances Be the Next Target For Viruses?

Virus expert Eugene Kaspersky warns that embedded computers in home appliances provide an appealing target for virus writers because they will have a common operating system and millions of potential victims.
-http://zdnet.com.com/2100-1103-943408.html
[Editor's Note (Schultz): Kaspersky might well be correct. The monoculture that Microsoft has created has already proverbially bitten us several times, and Murphy's Law says that matters will only get worse. (Grefer): Kaspersky's warning should serve as a reminder to include defense mechanisms in the appliances' operating system(s), and preferably design it with security in mind, rather than trying to apply security as an afterthought. ]

10 July 2002 British ISPs Have Two Weeks to Set Up Tracking Systems

The British Home Office is requiring that Internet Service Providers (ISPs) in the United Kingdom intercept and store electronic communications such as faxes, e-mails, and Web surfing information in an effort to curb organized crime and terrorism. The new Regulation of Investigatory Powers Act (RIPA), which goes into effect on August 1, exempts ISPs with fewer than 10,000 customers.
-http://news.zdnet.co.uk/story/0,,t269-s2118894,00.html

11 July 2002 Congressional Committee Adds Cybersecurity Program to Homeland Security Bill

House Energy and Commerce Committee passed a version of HR 5005, the Homeland Security Bill, after adding a specific cybersecurity component. The new program will be a resource to other federal agencies to help identify and correct weaknesses in federal computer systems.
-http://www.govexec.com/dailyfed/0702/071102td1.htm


THE REST OF THE WEEK'S NEWS

15 July 2002 Elcomsoft Posts More Adobe Vulnerabilities

Elcomsoft has posted details of security vulnerabilities in Adobe's eBook software on the BugTraq and Vuln-dev mailing lists; the company did not inform Adobe of the problems before the postings. Elcomsoft is the Russian company at the center of a case brought under the Digital Millennium Copyright Act (DMCA).
-http://www.vnunet.com/News/1133551

15 July 2002 Frethem Variant Making the Rounds

The Frethem worm exploits a Microsoft Outlook vulnerability that executes attachments when e-mail is previewed. Users who have installed the patch to fix the flaw can still become infected if they click on the .exe attachment that accompanies the worm. Apart from bogging down corporate e-mail systems, Frethem does not appear to carry a malicious payload. The worm is a variant of one released several weeks ago. Frethem was reported to have already hit twenty-five organizations, including the National Institute of Standards and Technology (NIST).
-http://www.msnbc.com/news/780651.asp?0dm=C21BT

15 July 2002 House Overwhelmingly Approves CSEA

By a vote of 385-3, the House of Representatives approved the Cyber Security Enhancement Act (CSEA), which provides for life sentences for people convicted of malicious cyber crimes. The bill now heads to the Senate.
-http://news.com.com/2100-1040-944023.html

15 July 2002 Operation Dark Screen To Test US Response To Cyber Attack

Federal, state and local officials are partnering with utility companies in a test of the nation's response to cyberattacks. The University of Texas at San Antonio and the Air Force Air Intelligence Agency, Lackland Air Force Base, Texas, are taking the lead in this project sponsored by Texas Congressman Ciro Rodriguez.
-http://www.fcw.com/geb/articles/2002/0715/web-dark-07-15-02.asp

10 & 15 July 2002 Consulting Firms Lobby For Federal Insurance Against Liability

Businesses that plan to manufacture products to be used in homeland defense want indemnity from liability should their products fail on the job. Representative Tom Davis (R-Va.) plans to attach such a provision to the Homeland Security Bill wending its way through the legislature. The amendment would place the onus of liability on the government rather than the companies. Companies may be reluctant to bid on homeland defense contracts if they are required to shoulder the associated burden of product failure liability.
-http://digitalmass.boston.com/news/wire_story.html?uri=/dailynews/191/economy/Technology_industry_pushes_leg:.shtml
-http://www.fcw.com/fcw/articles/2002/0715/news-home-07-15-02.asp
[Editor's Note (Murray): Microsoft, Sun, and IBM enjoy no such protection and do not seem to need it. (Grefer) Without liability, companies could deliver "anything" at any level of quality, without risking any repercussions. (Schultz) It's ironic how consulting firms are so apt to point out the lack of responsibility organizations frequently demonstrate in securing their own systems and networks, but now try to avoid responsibility for what they deliver. ]

15 July 2002 IT Professionals Enumerate Their Security Gripes

A survey of more than 1200 security professionals, including system administrators, consultants and auditors yielded a list of their security frustrations. Topping the list are bosses who won't provide an adequate budget and who undermine initiatives, and who ignore simple precautions by taping passwords to monitors, failing to update anti-virus software and clicking on attachments of unknown origin.
-http://www.uniontrib.com/news/uniontrib/mon/business/news_mz1b15securi.html

12 July 2002 Chemical Industry is Developing Cyber Security Strategy

The US chemical industry is developing a plan to improve cyber security at chemical facilities; the plan will be submitted for inclusion in the White House's National Strategy for Protecting Cyberspace. The plan is flexible enough to allow IT managers at various chemical facilities to select appropriate modules for their individual organizations.
-http://www.computerworld.com/governmenttopics/government/policy/story/0,10801,72672,00.html

12 July 2002 Microsoft SQL Labs is Not Using its Own Security Product

Microsoft's SQL Labs is using a NetScreen security appliance instead of its own Internet Security and Acceleration (ISA) Server to protect its systems against Nimda and other worm threats.
-http://computerworld.com/securitytopics/security/story/0,10801,72686,00.html

11 July 2002 Telecom Hacker Charged

A 22-year-old Sydney man has been charged with "unauthorised modification of data with intent to cause impairment to a computer." The man allegedly accessed the accounts of more than 400,000 Optus dial-up Internet customers; his arrest is the result of a six-month investigation.
-http://www.themercury.news.com.au/common/story_page/0,5936,4683306^421,00.html

11 & 15 July 2002 Liberty Alliance Releases Identity Authentication Standard

The Liberty Alliance, which includes Sun Microsystems, American Express and Sony, among other companies, released a standard for Internet identity authentication. The standard facilitates logging into a variety of systems. The standard also gives rise to concerns about online profiling and data security threats.
-http://www.usatoday.com/life/cyber/2002/07/11/internet-id.htm
-http://www.wired.com/news/business/0,1367,53859,00.html
[Editor's Note (Murray): It seems likely that the identity of users in the WWW will be vouched for by trusted third parties. I think that it is noble of Microsoft to volunteer for this role. However, the role already belongs to the credit card companies. They also vouch for payment. Given a choice between MS and AmEx, I choose AmEx. ]

12 July 2002 Study Finds Attacks On Open Source Increasing; Windows Decreasing

London-based consulting firm mi2g reports 7,630 digital attacks on Linux systems in the first six months of 2002 vs. 5,736 attacks on Linux systems for all of 2001. Conversely, attacks on Microsoft Windows/IIS have fallen by 20 percent in the first six months of 2002 to 9,404 compared to 11,828 in the same period of 2001.
-http://www.content-wire.com/securitychannel/securitychannel.cfm?ccs=121&cs=2045
[Editor's Note (Schultz): The credibility of data such as these is at best questionable. For one thing, can mi2g say unequivocally that they standardized and applied a consistent definition of "attack"? Additionally, attacks in and of themselves are commonplace. What about "successful attacks"? Caveat emptor! ]

12 July 2002 USA Today Web Site Hacked

The "USA Today" Website was defaced with six bogus stories late Thursday July 11, 2002. The site was taken offline for three hours and was restored at 2 am Friday morning.
-http://www.reuters.com/news_article.jhtml?type=internetnews&Storyclass=1195754
-http://www.usatoday.com/news/site-vandalism.htm

11 July 2002 Vulnerabilities in CDE ToolTalk

CERT/CC released a security bulletin warning of flaws in the ToolTalk component of the Common Desktop Environment (CDE). The flaws could be exploited to launch a denial of service attack or to overwrite files.
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,72666,00.html
-http://www.cert.org/advisories/CA-2002-20.html

11 July 2002 Datom.A Windows Virus/Worm Masquerades as Microsoft Update

A worm that purports to be "Copyrighted Microsoft Code" is spreading. It contains three programs, MSVXD.exe, MSVXD16.dll and MSVXD32.dll, which work together to delete personal firewalls and for other mischief. The worm uses innovative tricks to hide itself.
-http://www.vnunet.com/News/1133455

11 July 2002 PGP Flaw Puts Outlook Users At Risk

A buffer overflow flaw in certain versions of the Microsoft Outlook implementation of Pretty Good Privacy (PGP) allows hackers to send a special email to gain control of the target system. Network Associates has posted a patch for the vulnerability.
-http://www.usatoday.com/life/cyber/tech/2002/07/11/pgp-hack.htm
-http://www.theregister.co.uk/content/55/26145.html
-http://www.computing.vnunet.com/News/1133441
The Network Associates patch:
-http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp

11 July 2002 Security Flaw in Outlook Exposed Before Patch Was Available

Security researcher Thor Larholm issued an advisory about a cross-domain scripting flaw in the Web Browser ActiveX Control that can give attackers the ability to read files and execute malicious code. Microsoft claims it is not an important problem and criticized Larholm for releasing the advisory before a fix was available.
-http://news.zdnet.co.uk/story/0,,t269-s2118911,00.html
-http://www.finjan.com/mcrc/alert_show.cfm?attack_release_id=73

10 July 2002 Two Men Arrested in Brazil for ATM Hack

Brazilian police have arrested two men - an electrician and an IT specialist - who allegedly installed a device inside ATMs to gather card numbers and placed digital cameras outside the machines to capture the corresponding PIN numbers.
-http://www.vnunet.com/News/1133401

10 July 2002 Al Qaeda Uses Internet for Communications

Unnamed officials say Al Qaeda is using the Internet to spread propaganda, recruit members and solicit donations to fund their cause. The group also uses web sites to communicate in Arabic, often encrypts its transmissions, and changes web addresses frequently.
-http://www.newsfactor.com/perl/story/18535.html

9 July 2002 Phone Service Web Log Exposes Student Data

The permission level to access web logs at Resicom, a telecommunications company that provides intra-campus phone services to colleges, was set too low, allowing people to search for student names, social security numbers and addresses. The flaw exposed the personal data of about 2,000 students; Resicom says it has fixed the problem.
-http://computerworld.com/securitytopics/security/story/0,10801,72584,00.html
-http://story.news.yahoo.com/news?tmpl=story&ncid=70&e=1&cid=70&u=/cn/20020709/tc_cn/942274

9 July 2002 W32.Liac.A Worm

W32.Liac.A is a worm written in Visual Basic Script (VBS) that arrives with an attachment purporting to be a video clip. The worm mails itself out to everyone in the Outlook address book, modifies the registry and displays this error message: "Error54: Media Player not installed correctly."
-http://www.itweb.co.za/sections/computing/2002/0207091142.asp

8 July 2002 Reporter Says Survey Says Users Want Vulnerabilities Disclosed

A reporter at the Register concludes that a survey conducted by the Hurwitz group found that end-users are overwhelmingly in favor of full disclosure for computer vulnerabilities. Thirty-nine percent of the more than 300 survey participants wanted the vulnerabilities disclosed immediately upon discovery, while another twenty-eight percent wanted them disclosed within a week.
-http://www.theregister.co.uk/content/55/26090.html
[Editor's Note (Denning): The reporter's conclusion is not accurate if you define "full disclosure" to include publication of exploit code (which I do). The survey found that only 13% favored posting "proof of concept" exploit software. ]

8 July 2002 Critical Infrastructure Protection Exercise

The Blue Cascades regional critical infrastructure protection exercise was held in Portland, Oregon in mid June. The exercise focused on power outages coupled with natural gas infrastructure and telecommunications failures, and highlighted the problems that attend interdependent systems. An action plan based on the results of the exercise will be released soon.
-http://computerworld.com/securitytopics/security/story/0,10801,72532,00.html

8 July 2002 Copyright Hack Back Law Not a Good Idea

Computerworld senior columnist Frank Hayes finds the legislation proposed by Representative Howard Berman (D-Calif.), which would allow copyright holders to launch cyber attacks against peer-to-peer networks and others suspected of digital content piracy, reprehensible. Hayes observes that the law could be interpreted to justify hacking back at companies suspected of proprietary information theft and could be used by crackers who say that if the studios can do it, so can we.
-http://www.computerworld.com/securitytopics/security/story/0,10801,72519,00.html
[Editor's Note (Schultz): Hayes has spoken well--Berman, the apparent new champion of cybervigilantism, is way out of line. ]

8 July 2002 Security Researcher Claims Apple Update Vulnerable

Russell Harding of the University of Colorado claims a vulnerability in Mac OS 10.1.X and possibly 10.0.X allows hackers to hijack automatic software updating and install malicious programs on any Mac.
-http://www.vnunet.com/News/1133364
-http://news.com.com/2100-1001-942265.html

8 July 2002 Proposed XML Security Standards

This article describes five proposed security-related XML standards: XML Encryption (Xenc), XML signatures (XML-SIG), XML key management specification (XKMS), extensible access control markup language (XACML) and Security assertion markup language (SAML).
-http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2873295,00.html

9 July 2002 Philippine Internet Service Group To Fight Back Against Hackers

Members of the Philippine Internet Service Organization (PISO) will work together to share information on spammers and hackers. Each participating ISP will promise to cut off access for any uncooperative user who is a danger to the Internet community. Spammers who do not cooperate will not only have their service terminated, but their phone numbers will also be posted on an information exchange provided by PISO.
-http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8485
[Editor's Note (Murray): We must hold ISPs responsible for some of the behavior of the users that they connect to the Internet. AOL sets the example for how it should be done. AOL enforces its acceptable use policies for the benefit of its users and the rest of us. PISO is recognizing what other ISPs will have to recognize. ]

5 July 2002 Virus Traced to Temp Worker

A temporary agency worker at the Aberdeen (Scotland) city council was fired for allegedly allowing the Metrion-B virus to infect the computer system. The virus infects executables and overwrites batch and HTML files. An estimated 200 PCs were infected, and the Council shut down its entire computer system to avoid any further infection. Police are exploring the possibility that the virus, which does not spread through e-mail, was deliberately introduced.
-http://www.theregister.co.uk/content/56/26067.html

1 July 2002 Where's The Money in Security

Most managed security firms, security consulting firms and security product firms have seen their hopes of a post-9/11 surge in business dashed by the economic recession. But a few organizations, the federal contractors that already had security practices, are doing very well.
-http://www.fcw.com/fcw/articles/2002/0701/cov-home-07-01-02.asp


Editorial Team:
Kathy Bradford, Dorothy Denning, Roland Grefer,
Bill Murray, Stephen Northcutt, Alan Paller,
Marcus Ranum, Eugene Schultz