SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume V - Issue #19

May 14, 2003

TOP OF THE NEWS

AusCERT to Provide Free Alert Service
South African Man Tried for Allegedly Introducing Virus into Company's System
Passport Flaw
Earthlink Wins Damages in Buffalo Spammer Case

THE REST OF THE WEEK'S NEWS

NASCAR Hacker Sentenced To Six Months Community Confinement
Academics Propose Innovative Defenses For Denial Of Service Attacks
Fizzer Worm
High Schooler Expelled on Grounds of Unauthorized Access
Wireless Access Points Pose Security Problems
Peido-B Virus
Phony e-Mails to Bank Customers Try to Steal Passwords, Download Trojan
German Student Arrested on Suspicion of Running MP3 File Sharing Service
Web Hosting Companies Hacked
Cisco Warns of VPN Flaws
Media Player Skins Vulnerability
Fluffi Bunni Hacker Worked for Siemens
OSU Police Seize Computers That May Have Been Used for Illegal File Sharing
Virginia Credit Union Blocks Use of Compromised Visa Cards
UK's CSIA to Create "Assured Products" List

TUTORIAL

Reinstalling After a Security Breach

---

************ Sponsored by Internet Security Systems *******************
New appliance whitepaper from Internet Security Systems!
ISS' new, easily deployed appliances dynamically protect regardless of
network speed or threat type, without requiring separate firewalls,
antivirus and intrusion detection.
Click here to download whitepaper:
http://www.iss.net/ad/appliance_sansappliance051403
***********************************************************************

---

TOP OF THE NEWS

AusCERT to Provide Free Alert Service (12 May 2003)

The Australian Computer Emergency Response Team (AusCERT) has launched a free security threat alert service. A corresponding incident reporting system is due to be operational within three months. Because worms and viruses often start spreading at the beginning of the workday, Australia can be especially vulnerable; the country is 10 hours ahead of Europe, and as much as 15 hours ahead of the United States, so they are often among the first to see malicious activity.
-http://australianit.news.com.au/articles/0,7204,6422070^15306^^nbv^,00.html

South African Man Tried for Allegedly Introducing Virus into Company's System (9 May 2003)

The case of a former employee of a South African retail company who allegedly intentionally infected the company's computer system with a virus was heard in Johannesburg Commercial Crimes Court last month. Losses to the company were estimated at 5 million Rand (about US$690,000). This is the first case of its kind in South Africa.
-http://www.itweb.co.za/sections/techforum/2003/0305090720.asp?A=VIR&S=Virus%
20Watch&T=Section&O=FPSH

Passport Flaw (8/9 May 2003)

A security flaw in Microsoft's Passport service password recovery system could have allowed attackers to change the passwords of accounts for which they knew only the user name. Passport product manager Adam Sohn said the company had locked out any accounts it suspected had been fraudulently altered; the flaw was fixed by Thursday morning. Microsoft's admission of the vulnerability, which affected as many as 200 million customer accounts, could land the company substantial Federal Trade Commission (FTC) fines as well as sanctions.
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,81030,0
0.html
-http://www.theregister.co.uk/content/55/30620.html
-http://news.com.com/2100-1002_3-1000429.html
-http://news.com.com/2100-1002_3-1000575.html
-http://news.bbc.co.uk/1/hi/technology/3013665.stm
-http://www.washingtonpost.com/wp-dyn/articles/A30330-2003May8.html
-http://www.cnn.com/2003/TECH/biztech/05/09/microsoft.flaw.ap/index.html

Earthlink Wins Damages in Buffalo Spammer Case (7 May 2003)

Earthlink has been awarded 416 million in damages against Howard Carmack, a New York state man who allegedly used stolen credit cards and identities to establish Internet accounts, then used those accounts to send out more than 825 unsolicited e-mails, also known as SPAM. The district court in Atlanta also banned Mr. Carmack, known as the Buffalo Spammer, from sending out more SPAM. Earthlink has also begun testing SpamBlocker, a permission-based blocking technology.
-http://www.infoworld.com/article/03/05/07/HNspamcase_1.html
-http://news.com.com/2100-1032-1000272.html
-http://www.washingtonpost.com/wp-dyn/articles/A22390-2003May6.html
[Editor's Note (Schultz): Hopefully this ruling will set a strong legal precedent in dealing with flagrant sources of SPAM. ]

---

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Deadly Internet Sin #2: Gluttony - Stop multimedia downloads from
devouring IT resources.
http://www.sans.org/cgi-bin/sanspromo/NB168
(2) Instantly stop DDoS attacks. Prevent worm propagation. Hands-on,
online demo
--launch and mitigate live attacks.
http://www.sans.org/cgi-bin/sanspromo/NB169
(3) ALERT! -Cross-Site Scripting Attacks on Web Applications- FREE XSS
White paper!
http://www.sans.org/cgi-bin/sanspromo/NB170
***********************************************************************

---

THE REST OF THE WEEK'S NEWS

NASCAR Hacker Sentenced To Six Months Community Confinement (13 May 2003)

Michael Melo acknowledged he fired off more than a half-million e-mail messages to WFXT-TV 25 in Boston after the Red Sox game was broadcast instead of a NASCAR race in 2001. He was sentenced to six months of community confinement.
-http://www.sportsline.com/autoracing/story/6369117

Academics Propose Innovative Defenses For Denial Of Service Attacks (13 May 2003)

At an IEEE symposium on Security and Privacy, graduate students from Carnegie Mellon University proposed two methods aimed at greatly reducing the effects of Internet denial of service attacks. Steve Bellovin called both proposals credible attempts at solving for network administrators the sticky problems of denial-of-service attacks.
-http://zdnet.com.com/2100-1105_2-1001200.html

Fizzer Worm (12 May 2003)

A mass-mailing worm called Fizzer is spreading around the world. Fizzer spreads through both e-mail and file-sharing programs, and affects computers running Windows operating systems. It disables anti-virus software, steals passwords, and places a backdoor in infected computers.
-http://news.bbc.co.uk/1/hi/technology/3021927.stm
-http://www.computerworld.com/securitytopics/security/virus/story/0,10801,81150,0
0.html
-http://zdnet.com.com/2100-1105_2-1001062.html
[Editor's Note (Shpantzer): Another important reminder of why we should enforce policies against P2P programs at work. We all have those policies in place, right? ]

High Schooler Expelled on Grounds of Unauthorized Access (10 May 2003)

A student at Stoughton (Wisconsin) High School has been suspended following a hearing regarding his involvement in using keystroke-logging software to gain access to the school's computer system and alter student grades. Charges against other students are pending.
-http://www.stoughtonnews.com/news.cfm?num=3471

Wireless Access Points Pose Security Problems (9 May 2003)

At the NetWorld+Interop conference in Las Vegas, wireless LAN security firm AirDefense Inc. set up a sensor on the show floor, and within two hours had detected 230 wireless access points. 92 were not using encryption, 38 were configured with default settings, and 15 were plugged directly into network hubs. AirDefense also detected malicious activity, including denial-of-service attacks.
-http://www.informationweek.com/story/showArticle.jhtml?articleID=9700025
-http://www.eweek.com/article2/0,3959,1072266,00.asp

Peido-B Virus (8/9 May 2003)

The Computer Emergency Response Team Coordination Center (CERT/CC) has issued a warning about the Peido-B virus, also called VBS/Inor.B or Mothers Day Virus. The virus arrives as an .hta attachment which, when executed, installs a Trojan horse program, Troj/DLoader-BO, on the victim's computer. In turn, Troj/Dloader-BO downloads and executes a file from a certain web site.
-http://www.cert.org/current/current_activity.html#peido
-http://www.computerworld.com/securitytopics/security/virus/story/0,10801,81106,0
0.html

Phony e-Mails to Bank Customers Try to Steal Passwords, Download Trojan (8 May 2003)

Customers of First Union Bank have been receiving fraudulent e-mail messages claiming to be from First Union, telling them their user names and passwords have been lost, and directing them to a web site so they can supply the bank with their information. Even if the users do not enter their information, merely visiting the site causes the Backdoor AMQ Trojan horse program to be downloaded to their computers.
-http://www.eweek.com/article2/0,3959,1068224,00.asp

German Student Arrested on Suspicion of Running MP3 File Sharing Service (8 May 2003)

German police have arrested a 25-year-old computer-programming student for allegedly conducting an MP3 file sharing service. The investigation into the man's activities was initiated by the International Federation of the Phonographic Industry (IFPI).
-http://news.zdnet.co.uk/story/0,,t269-s2134454,00.html

Web Hosting Companies Hacked (8 May 2003)

Hackers broke into the servers of three Dutch web hosting companies, stealing data and ruining essential software. Web host customers were not fully apprised of the breach. Though one of the affected companies claims to back up its data every 24 hours, its last back up was actually created in January.
-http://www.europemedia.net/shownews.asp?ArticleID=16233

Cisco Warns of VPN Flaws (8 May 2003)

Cisco has warned of three vulnerabilities in its VPN 3000 series concentrators and VPN 3002 hardware client, which could allow attackers to view data, cause a denial-of-service (DoS) attack, and degrade concentrator performance or cause the device to restart. Workarounds are available and customers are encourages to upgrade to the latest versions of code for the devices.
-http://www.infoworld.com/article/03/05/08/HNciscovpn_1.html
-http://www.cisco.com/warp/public/707/cisco-sa-20030507-vpn3k.shtml
[Editor's Note (Paller): Even without the extra vulnerabilities caused by Cisco's programming problems, security professionals should be aware that VPNs are pipes into important systems. An attacker who has gained control of a VPN-attached workstation can use that control to pipe attacks directly to the valuable resources at the other end of the VPN. More than 50,000 workstations are taken over every month. It makes sense to have a strategy for testing your VPN users' workstations. ]

Media Player Skins Vulnerability (7 May 2003)

A vulnerability in the way Windows Media Player handles the download of "skins" could allow an attacker to execute code on unprotected PCs. The flaw affected Windows Media Player version 7.1 and Windows Media Player for XP (version 8.0); version 9.0 is not affected.
-http://news.com.com/2100-1002_3-1000355.html
-http://www.microsoft.com/technet/security/bulletin/MS03-017.asp

Fluffi Bunni Hacker Worked for Siemens (7 May 2003)

Lynn Htun, the man recently arrested for his alleged involvement with the Fluffi Bunni hacker group, had apparently worked for Siemens Communications, an IT security supplier, for more than a year. Siemens, which has close ties to MI5 and runs some government IT projects, is working with police on the situation.
-http://www.computerweekly.com/articles/article.asp?liArticleID=121522

OSU Police Seize Computers That May Have Been Used for Illegal File Sharing (7 May 2003)

Ohio State University police have seized five computers that were allegedly being used to distribute illegally downloaded music and movies to students. No students have been charged in the case; that could change if copyrighted material is discovered. The investigation began three months ago when file-sharing was consuming 10% of the bandwidth of the university's computer system.
-http://www.usatoday.com/tech/news/2003-05-07-osu-seizures_x.htm
[Editor's Note (Schultz): The day of unlimited free music is (rightfully) over. I'm curious, however, why a 10% bandwidth consumption for peer-to-peer sharing made people at OSU investigate. Ten percent doesn't seem like much --I've heard about amounts up to 60% at other places. ]

Virginia Credit Union Blocks Use of Compromised Visa Cards (7 May 2003)

After a security breach of an unknown merchant's data system, compromising the security of credit and debit cards, Virginia Credit Union blocked the use of 800 affected cards; customers should receive new cards in the mail soon. No resulting misuse of accounts has been reported yet.
-http://www.timesdispatch.com/business/MGB6S1MMEFD.html

UK's CSIA to Create "Assured Products" List (6 May 2003)

In an effort to improve the nation's information technology security, the UK government's Central Sponsor for Information Assurance (CSIA) plans to create a list of "assured products" for the public and private sectors to use when making purchases; present accreditation processes are expensive and time-consuming.
-http://www.vnunet.com/News/1140642
TUTORIAL

Reinstalling After a Security Breach (7 May 2003)

This article describes the process for reinstalling a system after a security breach, including steps to take to reduce the likelihood of a repeat of the breach.
-http://www.securityfocus.com/infocus/1692

---

---end---
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/