
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume V - Issue #18

May 07, 2003


Useful New Free Security Data and a Call For Papers
What's the Best Firewall? How Does a Reverse Proxy Work?
For answers to these and other popular questions, go to the new:
Internet Guide To Popular Resources On Information Security
http://www.sans.org/resources/popular.php


Help us get real-world security solutions and knowledge into the
hands of front line practitioners and their managers. This is your
invitation to participate in a world-wide web broadcast on July 9th,
2003. The goal is to allow members of the security community to share
their unique security research and operational implementations with
peers all over the world. The focus of this technical symposium will be
Enterprise Infrastructure Protection: Securing Your Corporate Homeland.
Visit http://www.sans.org/esymposium2003/ for more information.

TOP OF THE NEWS

Lawsuit Against Microsoft and ISPs Filed Over Slammer Damage
Four Students Reach Settlement Agreements with RIAA
Microsoft Considering External Patch Testing
Majority of Cyber Crime Losses are Due to Data Theft

THE REST OF THE WEEK'S NEWS

Oracle Database Server Buffer Overflow Vulnerability
ISS Confirms Web Hack; Claims It Was A Honeypot
Apple Fixes On-Line Store Vulnerability
Couple Arrested for Allegedly Stealing Credit Reports, Using Info to Make Purchases
RIAA Sends Peer-to-Peer Users Warnings by Instant Messaging
New Jersey Institute of Technology Disables Use of Peer-to-Peer Sites
Peer-to-Peer Users Block Instant Message Warnings
Internet Radio Network Hacked
Klez Still Most Widely Reported Worm; Infection Rates are Down
Remote Users' Anti-Virus Software Not Updated Frequently Enough
Wisconsin High School Students Investigated for Altering Grades
Pending New Hampshire Legislation Could Make it Harder to Prosecute War Drivers
ITAA Survey Says IT Hiring is Likely to Decrease
Study Predicts Significant Growth in Information Security Services Market
Overseas Software Development is Cause for Concern

TUTORIAL

Web Site Authentication Auditing: Part II


********************** Sponsored by GuardedNet ************************
Event Correlation - Security's Holy Grail?
GuardedNet's neuSECURE is a central monitoring system for log
aggregation and correlation of events from firewalls, IDS', native
systems and routers.
neuSECURE enables security teams to detect attacks in real-time,
pulling the proverbial needle out of the haystack.
Sign up to receive a free white paper on event correlation at
http://www.guarded.net/secondary/sans_correlation.html
***********************************************************************

TOP OF THE NEWS

Lawsuit Against Microsoft and ISPs Filed Over Slammer Damage (30 April 2003)

A Korean civic group has filed a damage suit against Internet service providers (ISPs), the Information Ministry, and Microsoft for damages caused by the outbreak of the Slammer worm in January. The suit, which was filed on behalf of Internet users, Internet salon owners and an Internet shopping mall, alleges Microsoft servers came with security flaws and the company did not inform them of the risks.
-http://english.chosun.com/w21data/html/news/200304/200304300025.html

Four Students Reach Settlement Agreements with RIAA (1/2 May 2003)

The Recording Industry Association of America (RIAA) has reached settlements with four college students it says were running illegal music file sharing services. The students will each pay the RIAA between $12,000 and $17,500. Attorneys for a Princeton University student involved in the case said their client had reached a settlement with the RIAA but had not admitted guilt.
-http://www.washingtonpost.com/wp-dyn/articles/A2755-2003May1.html
-http://www.wired.com/news/digiwood/0,1412,58707,00.html
[Editor's Note (Schneier): The money is trivial (though not to the students involved, most likely), but the precedent is interesting. Looks like the RIAA pushed and they blinked. ]

Microsoft Considering External Patch Testing (30 April 2003)

Microsoft is considering testing patches externally before releasing them to the general public. Because patches are often created very quickly, there is not adequate time to test them for efficacy and to ensure that they do not cause other problems.
-http://www.theregister.co.uk/content/55/30464.html

Majority of Cyber Crime Losses are Due to Data Theft (30 April 2003)

An IBM research report, Information at Risk, suggests that most monetary losses businesses suffer from cyber crime are due not to virus attacks but to data and intellectual property theft. The report, which used data from the UK's National Hi-Tech Crime Unit (NHTCU) and the US Computer Security Unit, found that UK companies lost 145 million pounds (approximately $233 million) to cyber crime last year.
-http://www.vnunet.com/News/1140571
[Editor's Note (Schneier): I had an article on just this subject back in December <http://www.counterpane.com/crypto-gram-0212.html#7>, not that it should come as news in any case. ]


************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) FREE White Paper: How A Hacker Launches A Web App Attack!
http://www.sans.org/cgi-bin/sanspromo/NB165
(2) ALERT: Top 8 SPAM BLOCKING methods. ***FREE White paper***
http://www.sans.org/cgi-bin/sanspromo/NB166
(3) Instantly stop DDoS attacks and port scans.
Hands-on, online demo
-- launch and mitigate live attacks.
http://www.sans.org/cgi-bin/sanspromo/NB167
***********************************************************************

THE REST OF THE WEEK'S NEWS

Oracle Database Server Buffer Overflow Vulnerability (29 April 2003)

Oracle has released a patch for a buffer overflow vulnerability in all supported versions of Oracle database servers. An attacker could exploit the vulnerability to alter data and to take control of the machine hosting the database server. The vulnerability affects Oracle 7 Release 7.3.x, all releases of Oracle 8 and 8i, and releases 1 and 2 of the Oracle 9i database. Oracle has released patches for two versions of 9i and one version of 8i, as well as a patch for version 8.0.6.3 for customers with extended maintenance support, but does not intend to release patches for earlier versions.
-http://www.infoworld.com/article/03/04/29/HNoraclepatch_1.html
-http://www.eweek.com/article2/0,3959,1047710,00.asp
[Editor's Note (Schneier): So Oracle's "unbreakable" database isn't after all? Imagine our surprise. (Schultz): I presume that Larry Ellison will now retract his statement that this product is hackproof? ]

ISS Confirms Web Hack; Claims It Was A Honeypot (6 May 2003)

A web site offering and delivering free versions of BlackICE to college students was hacked. Shortly thereafter, ISS's Chris Klaus declared that despite its use of a valid ISS domain name and its use for delivering software to students, the system "was not a production system" and was "configured to include numerous vulnerabilities, including several well-known, older vulnerabilities."
-http://www.zdnet.com.au/newstech/security/story/0,2000048600,20274253,00.htm
-http://www.zdnet.com.au/newstech/security/story/0,2000048600,20274289,00.htm

Apple Fixes On-Line Store Vulnerability (5 May 2003)

Apple has fixed a vulnerability in its on-line store that could have allowed an attacker to hijack a customer account without knowing anything more than an e-mail address. The flaw was in the part of the store that helps people who have forgotten their passwords; the person who discovered the flaw found that by cutting and pasting a certain hash into another page, he was able to change his password without having to answer the secret question.
-http://www.wired.com/news/privacy/0,1848,58718,00.html

Couple Arrested for Allegedly Stealing Credit Reports, Using Info to Make Purchases (1 May 2003)

A woman who worked at Weichert Financial Services in New Jersey and a man she lives with have been charged with using fraudulently obtained credit reports to make Internet purchases. Mary Louissaint and Ronald Hyppolyte are being held without bail. More than 3,700 credit reports were allegedly illegally accessed through Weichert Financial's computer system, some of them from a computer at an address where Louissaint and Hyppolyte recently lived.
-http://www.philly.com/mld/philly/news/local/5762824.htm

RIAA Sends Peer-to-Peer Users Warnings by Instant Messaging (29/30 April 2003)

The Recording Industry Association of America (RIAA) has begun sending instant messages to people using Grokster and Kazaa file-sharing services, warning them that they may be violating copyright laws which could result in legal action.
-http://www.washingtonpost.com/wp-dyn/articles/A56869-2003Apr29.html
-http://www.wired.com/news/digiwood/0,1412,58676,00.html
-http://news.com.com/2100-1025-998825.html
[Editor's Note (Grefer): Instant messaging could also be used by the RIAA to quickly identify which of the nodes previously detected by their bots is currently active. ]

New Jersey Institute of Technology Disables Use of Peer-to-Peer Sites (2 May 2003)

In light of the recent actions the Recording Industry Association of America (RIAA) has taken against college students who allegedly ran file swapping sites on school networks, the New Jersey Institute of Technology has disabled the use of peer-to-peer sites on the campus computer network.
-http://www.wired.com/news/digiwood/0,1412,58698,00.html

Peer-to-Peer Users Block Instant Message Warnings (30 April 2003)

Peer-to-peer users have begun blocking the ranges of IP addresses used to send the copyright violation warning messages.
-http://www.securityfocus.com/news/4359

Internet Radio Network Hacked (2 May 2003)

Hackers broke into the computer network of Denver-based Internet radio network w3w3 and stole names and e-mail addresses of 1,000 people who had registered for a cybersecurity conference sponsored by w3w3. Damages were estimated to be more than $50,000; the FBI is expected to investigate.
-http://www.rockymountainnews.com/drmn/business/article/0,1299,DRMN_4_1931529,00.html

Klez Still Most Widely Reported Worm; Infection Rates are Down (30 April 2003)

The Klez worm heads the list of Central Command's most reported viruses; however, the overall infection rate has dropped considerably since last April. Klez was followed by Yaha, Sobig and Lovgate. Klez also headed the list from Sophos, followed by Lovgate, Bugbear and Sobig. Sophos has also called attention to the appearance of Datemake, dialer malware that tries to dial up premium phone lines and run up large phone bills.
-http://www.centralcommand.com/30042003.html
-http://news.zdnet.co.uk/story/0,,t269-s2134120,00.html

Remote Users' Anti-Virus Software Not Updated Frequently Enough (29 April 2003)

A Sophos press release expresses concern that businesses are not adequately protecting computers used by remote workers from worms, viruses and other malware. Though 66% of 3,000 businesses polled update their office anti-virus signatures daily, 70% update remote computers' signatures less often than once a week, with 45% updating them once a month. More and more businesses are employing remote workers, which can increase network security risks.
-http://www.sophos.com/pressoffice/pressrel/uk/20030429survey.html

Wisconsin High School Students Investigated for Altering Grades (30 April 2003)

A group of students at Stoughton High School in Stoughton, Wisconsin allegedly bought keystroke logging software for less than $100 on the Internet and used it to break into their school's computer system and alter their grades. Approximately 20 students are being investigated; some have begun suspensions and are awaiting decisions on expulsion.
-http://www.madison.com/captimes/news/stories/47911.php

Pending New Hampshire Legislation Could Make it Harder to Prosecute War Drivers (29 April 2003)

A bill being considered by the New Hampshire state legislature would protect people who access unsecured wireless networks. The legislation would require wireless network operators to secure their networks or lose ground in their ability to prosecute those who access them without permission.
-http://www.wired.com/news/wireless/0,1382,58651,00.html

ITAA Survey Says IT Hiring is Likely to Decrease (5 May 2003)

A recent Information Technology Association of America (ITAA) survey of 400 technology and nontechnology hiring managers indicates that IT hiring is likely to stay the same or decrease over the next year. Companies are also increasingly moving some of their operations overseas to save on labor costs.
-http://news.com.com/2100-1022_3-999782.html

Study Predicts Significant Growth in Information Security Services Market (29 April 2003)

A study from IDC titled "Worldwide and U.S. Information Security Forecast 2003 - 2007" predicts that the market for information security services will grow to more than $23.5 billion over the next four years, which amounts to more than 20% annual growth.
-http://www.computerworld.com/securitytopics/security/story/0,10801,80790,00.html

Overseas Software Development is Cause for Concern (5 May 2003)

Because of the current international security climate, some IT professionals have expressed concern that US companies are outsourcing software development to foreign countries, including India, China and Pakistan, where it is more difficult to assess security risks.
-http://www.computerworld.com/managementtopics/management/outsourcing/story/0,10801,80935,00.html
[Editor's Note (Northcutt): This really isn't news, but it is a reminder for all of us to consider the risks of outsourcing no matter where it is done. Just prior to Y2K, CIA analyst Terrill Maynard released a report saying that these same countries have an information warfare capability and might insert code during outsourced Y2K remediation.
-http://catless.ncl.ac.uk/Risks/20.61.html
-http://www.chaosprotocol.com/reuters_oct1_1999.htm]


TUTORIAL

Web Site Authentication Auditing: Part II (5 May 2003)

The second half of a two-part article on web site authentication auditing provides a list of questions organizations can ask themselves about user privacy, session authentication, user security and cookies.
-http://www.securityfocus.com/infocus/1691


---end---
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) or to update a current subscription, visit
http://portal.sans.org/