SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume V - Issue #17

April 30, 2003

TOP OF THE NEWS

Virginia's Anti-Spam Law Toughest In Nation
Judge Rules Peer-to-Peer Software Companies Not Liable for Copyright Infringement
Microsoft Warns of Vulnerabilities in Internet Explorer and Outlook Express
Penn. State Students Lose Internet Access for Filesharing

THE REST OF THE WEEK'S NEWS

"Fluffi Bunni" Hacker Arrested in London
Columbia University Finds Home Page Hacker
Privacy and Security Regulations Open Companies Up to Potential Litigation
Spammers Using Trojan Horse Programs
Addressing Insider Security Threats
Microsoft Windows Server 2003 Security Guide
Cisco ACS Vulnerability
Vulnerability in Cisco Switches
Web Authentication Security
Web Hosting Company Hacked
W32/Coronex-A "SARS" Worm Not Spreading
Patch for Windows XP Slows Some Computers; Microsoft Developing New Version
LaBrea Creator Pulls Application from Website
Proposed Law Allows CD and DVD Copying
Opinion: Good Worms Could Patch Internet
AT&T Voice Mail Security Measures
Former Employee Pleads Guilty to Breaking Into Company Computers

---

************ Sponsored by Information Security Magazine ***************
With costly and destructive breaches and security incidents being
reported in increasing numbers, now more than ever it's critical to
stay informed and up-to-date.
INFORMATION SECURITY is the magazine that no security conscious IT
professional can risk being without. Today - for a limited time only
you can be part of the growing community of information security
professionals with this FREE subscription opportunity. INFORMATION
SECURITY is your most reliable source in staying one step ahead of
issues and concerns critical to the security of your organization's
information.
To subscribe, simply point your browser to:
http://www.submag.com/sub/IS?PK=0304SN
***********************************************************************

---

TOP OF THE NEWS

Virginia's Anti-Spam Law Toughest In Nation (29 April 2003)

Under a new law that goes into effect on July 1, anyone who uses forged addresses for high volume spam and others who send pornographic spam to computers in Virginia are subject to penalties of up to five years in jail and forfeiture of assets. The spammers do not need to be in Virginia to be subject to the law.
-http://seattlepi.nwsource.com/business/aptech_story.asp?category=1700&slug=F
ighting%20Spam

Judge Rules Peer-to-Peer Software Companies Not Liable for Copyright Infringement (25 April 2003)

Federal court judge Stephen Wilson ruled that StreamCast and Grokster are not liable for copyright infringements that occur when customers use their software. Judge Wilson compared the companies to those that sell video recorders and copy machines, which can be used to violate copyrights. Unlike Napster, the two companies have no control over what users do with their software.
-http://news.com.com/2100-1027-998363.html

Microsoft Warns of Vulnerabilities in Internet Explorer and Outlook Express (23 April 2003)

Microsoft has issued security updates warning of vulnerabilities in Internet Explorer (IE) and Outlook Express. Four flaws in IE 5.01, 5.5 and 6.0 include a buffer overflow vulnerability and a problem with how IE handles third-party files. The flaw in Outlook Express could allow attackers to run programs on victims' computers due to the way in which OE handles HTML encapsulation in e-mail. Patches are available.
-http://news.com.com/2100-1002-998101.html
-http://www.eweek.com/article2/0,3959,1040373,00.asp
-http://www.microsoft.com/technet/security/bulletin/ms03-014.asp
-http://www.microsoft.com/technet/security/bulletin/ms03-015.asp

Penn. State Students Lose Internet Access for Filesharing (21 April 2003)

More than 200 Pennsylvania State University students found their high-speed dormitory Internet connections cut off after the university administration became aware they were sharing copyrighted material. The connections will be re-established once the offending material is removed form their computers.
-http://www.washingtonpost.com/wp-dyn/articles/A4823-2003Apr21.html

---

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
1) BE OFFENSIVE. Don't react to network intrusions. Actively prevent
them. FREE White Paper.
http://www.sans.org/cgi-bin/sanspromo/NB163
(2) ALERT! "Outsmart Web Application Hackers" - FREE Product Trial
http://www.sans.org/cgi-bin/sanspromo/NB164
***********************************************************************

---

THE REST OF THE WEEK'S NEWS

"Fluffi Bunni" Hacker Arrested in London (29 April 2003)

Lynn Htun, the 24 year old hacker who allegedly led the Fluffi Bunni hacker ring, was arrested in London today. Fluffi Bunni is credited with attacking many high profile sites such as McDonalds, Exodus, and SANS. He is wanted in the United States for hacking and was arrested while attending a computer security conference.
-http://seattlepi.nwsource.com/business/aptech_story.asp?category=1700&slug=F
luffi%20Bunni

Columbia University Finds Home Page Hacker (28 April 2003)

A hacker who allegedly defaced Columbia University's home web page and redirected visitors to a lewd site, has been caught, according to the assistant director of Academic Information Systems. He will not say if the perpetrator is a student. The hacker likely obtained access to the server through a privileged account.
-http://www.columbiaspectator.com/vnews/display.v/ART/2003/04/28/3eacc57a1cf94

Privacy and Security Regulations Open Companies Up to Potential Litigation (28 April 2003)

Although regulations like the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act require that companies take steps to protect personal data, there are no standards or guidelines against which the companies can measure compliance. Because the regulations put the companies in the position of being legally liable for the privacy and security of the personal data they hold, companies should put security-audit logging in place. They should also be able to explain who has access to their data, how access is controlled and how infractions are dealt with.
-http://www.computerworld.com/securitytopics/security/story/0,10801,80744,00.html
[Editor's Note (Grefer): Guidelines and guidance regarding HIPAA can be found at the U.S. Department of Health & Human Services' Office for Civil Rights - HIPAA
-http://www.hhs.gov/ocr/hipaa/
-http://www.hhs.gov/ocr/hipaa/
privacy.html
-http://www.hhs.gov/ocr/hipaa/
guidelines/guidanceallsections.pdf ]

Spammers Using Trojan Horse Programs (25/26 April 2003)

As authorities begin cracking down on unsolicited e-mail, spammers are turning to methods used by hackers to launch distributed denial of service attacks. They are using Trojan horses that include their own SMTP engines to route their unsolicited messages through unwitting users' computers.
-http://www.securityfocus.com/news/4217
-http://www.theregister.co.uk/content/6/30412.html
-http://news.findlaw.com/hdocs/docs/mgm/mgmgrokster42503ord.pdf

Addressing Insider Security Threats (25 April 2003)

Two companies share steps they have taken to guard against insider security threats. British Telecom employees have access to company web applications on a need-to-know basis; the company has also deployed intrusion detection systems and firewalls. In addition, software that controls employee access and activity is linked to the human resources department; when employees leave the company, their access is revoked. Palm uses intrusion detection systems and penetration scanner utilities among other security tools. Palm's Director of Global IT Services Matt Archibald recommends conducting unannounced penetration studies and checking for configuration changes.
-http://www.infoworld.com/article/03/04/25/17FEinjob.sb1_1.html?security
[Editor's Note (Shpantzer): IDS, Firewalls and policy enforcement tools are great for access control and detecting breaches. The insider threat, however, can often be mitigated or prevented by other, less technological means. Some insider threats arise, for example, when an insider has financial or substance abuse problems, among others. Awareness of these factors can help a company maintain a productive employee through assistance plans that specialize in helping employees get back on track with their lives. ]
See
-http://www.dss.mil/search-dir/training/csg/security/Eap/Intro.htm

Microsoft Windows Server 2003 Security Guide (25 April 2003)

Microsoft has published a security guide for its newly released Windows Server 2003. The guide includes "guidance, tools and templates" for securing Windows Server 2003 in a variety of environments.
-http://news.com.com/2100-1012-998390.html
-http://microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521
EA6C7B4DB&displaylang=en

Cisco ACS Vulnerability (24/25 April 2003)

A buffer overflow vulnerability in Cisco's Secure Access Control Server (ACS) for Windows could allow an attacker to take control of the service. The vulnerability affects ACS versions 2.6.4, 3.0.3 and 3.1.1. Cisco recommends that users install patches; administrators are encouraged to block TCP port 2002 until patches are applied.
-http://news.com.com/2100-1002-998160.html
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,80702,0
0.html
-http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-acs-win

Vulnerability in Cisco Switches (24/25 April 2003)

A vulnerability in Cisco's Catalyst OS software version 7.5(1) running in Catalyst 4000, 6000 and 6500 series switches could allow attackers to circumvent password authentication and gain control over the vulnerable switch. A new version of Catalyst OS software
[version 7.6(1) ]
that fixes the problem is available.
-http://www.eweek.com/article2/0,3959,1041766,00.asp
-http://www.theregister.co.uk/content/55/30402.html
-http://www.cisco.com/warp/public/707/cisco-sa-20030424-catos.shtml

Web Authentication Security (24 April 2003)

The first half of a two-part article describes an audit procedure for evaluating the security of web authentication procedures, covering questions about usernames and passwords
-http://www.securityfocus.com/infocus/1688
[Editor's Note (Northcutt): Everyone associated with information security needs to stay current with security of web applications. In addition to the article referenced above, the SCORE project has a checklist for auditing the security of web applications. We urge you to review it and welcome your comments.
-http://www.sans.org/score/webappschecklist.php]

Web Hosting Company Hacked (24 April 2003)

A hacker broke into a server belonging to Bargainhost, a web hosting company, stole passwords and defaced websites. Customers are being advised to change their passwords, though at least one customer has already reported losing valuable data. Website backups have also been corrupted.
-http://news.bbc.co.uk/2/hi/technology/2967749.stm

W32/Coronex-A "SARS" Worm Not Spreading (23/24 April 2003)

The W32/Coronex-A worm purports to offer information about the SARS (Severe Acute Respiratory Syndrome) virus, but instead uses its own SMTP engine to mass mail itself to everyone in the infected machine's address book. Computer users are apparently becoming more savvy about attachments as the worm has failed to spread in any significant way.
-http://news.zdnet.co.uk/story/0,,t269-s2133789,00.html
-http://www.zdnet.com.au/newstech/security/story/0,2000048600,20273926,00.htm
-http://www.infoworld.com/article/03/04/23/HNsarsworm_1.html

Patch for Windows XP Slows Some Computers; Microsoft Developing New Version (23/24 April 2003)

A recently released patch for a vulnerability in the Windows kernel causes some computers running Windows XP to slow down, taking up to ten seconds before launching applications. Removing the patch reverses the problem. Microsoft is investigating. The patch was released with Microsoft Security Bulletin MS03-013 on April 16.
-http://www.computerworld.com/securitytopics/security/story/0,10801,80605,00.html
Microsoft is developing a revised version of the patch, but recommends that XP users still install the first version until the new one is ready.
-http://www.nwfusion.com/news/2003/0424micropulls.html
[Editor's Note (Schultz): There is another side to this story. Critics have been quick to point out that Microsoft did not adequate test this patch, something they say is "business as usual" with this vendor. Microsoft says it wants to expand testing to include testing by customers. ]

LaBrea Creator Pulls Application from Website (23 April 2003)

Tom Liston has pulled his LaBrea "digital tar pit" from his website for fear that he could be prosecuted under a four-month-old "super-DMCA" law in Illinois.
-http://www.informationweek.com/story/showArticle.jhtml?articleID=8800603
[Editor's Note (Grefer): This is neither the first, nor will it be the last of such cases of self-imposed censoring in reaction to the "Super-DMCA" legislation passed in various U.S. states. For further reading on this subject, go to
-http://www.freedom-to-tinker.com/superdmca.html
-http://www.freedom-to-tinker.com/archives/cat_superdmca.html
See a description of one of the irritating side-effects of such legislation under the heading, "Use a Firewall, Go To Jail" at
-http://www.freedom-to-tinker.com/archives/000336.html]

Proposed Law Allows CD and DVD Copying

Representative Dick Boucher (D-Virginia) has authored the Digital Media Consumer Rights Act (HR 107) which would allow people to make archival copies of the CDs and DVDs they purchase.
-http://www.wired.com/wired/archive/11.05/view.html?pg=3

Opinion: Good Worms Could Patch Internet (21 April 2003)

The author of this article opines that a trusted security entity, like CERT or SANS, should create good worms to address unpatched vulnerabilities in computers connected to the Internet. He reasons that though such worms would be intruding on people's systems, they have "abdicated responsibility" for the systems' security by virtue of neglecting to apply available fixes.
-http://www.eweek.com/article2/0,3959,1037127,00.asp
[Editor's Note (Schultz): There is nothing new here. The issue of "good worms" has been debated for years. It's difficult to claim that code that runs without authorization is "good." ]

AT&T Voice Mail Security Measures (21 April 2003)

AT&T has implemented security measures to protect customers from phone phreaking; recently, hackers have been manipulating people's voice mail systems to accept unauthorized long-distance calls. AT&T customers will be required to use random codes rather than saying "yes" to accept collect calls. Customers are also encouraged to use complex voice-mail passwords, to change them frequently and to check their announcements to see if they have been changed.
-http://www.computerworld.com/securitytopics/security/story/0,10801,80554,00.html

Former Employee Pleads Guilty to Breaking Into Company Computers (17 April 2003)

Alan Giang Tran, a former Airline Coach Service and Sky Limousine Company employee, has pleaded guilty to breaking into the company's computers, deleting critical data and changing passwords, locking employees out of their accounts. Tran could face up to ten years in federal prison; sentencing is scheduled for July 28.
-http://www.fbi.gov/fieldnews/april/la041703.htm

---

---end---
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) or to update a current subscription, visit
http://portal.sans.org/