SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume V - Issue #21

May 28, 2003

In the past three weeks, people from four large organizations have
contacted us with almost identical requests. In each case, they have
asked for help in getting all of their system administrators GIAC
certified in security - in part by scheduling in-house classes. When
we asked what triggered the request each told us that their CIO had
decided that every person who has privileged access (root or
administrator logins) to computers must also have at least the technical
security skills required by GIAC's Security Essentials, Windows or UNIX
security certifications.


It is very hard for CIOs to feel confident in assuring their bosses that
they have "sufficient security." It appears they are beginning to view
sysadmin security training and GIAC certification as a necessary step
in meeting minimum standards of due care.


Alan

---

TOP OF THE NEWS

California Senate Approves Harsher Anti-Spam Bill
Proposed Anti-Spam Bill is in Congress
Cyber Terror Drill Demonstrates Cooperation is Essential
Air Force Service Evaluates Patches

THE REST OF THE WEEK'S NEWS

University of Calgary to Offer Malware Writing Course
Cybersecurity Chief Position and Cyber Security Ops Center to be Part of DHS
StartPage Trojan
Study: Federal IT Spending Will Rise
Data Thieves Target PayPal Users
Data Thieves Target Citibank c2it Customers
Teen Repeats Internet Scam After First Arrest
McQueary Questioned About Private Sector Critical Cyber
Infrastructure Subsidies
Disgruntled Former Employee Hacking Cases on the Rise
Spammers Could Exploit Sobig-B (Formerly Palyh) Worm
Seized PDAs Encrypted with PGP
Fear of Poor Security Keeps People from Internet Banking
Man Ordered to Pay More than $500,000 in Internet Stock Manipulation Case
Alleged Cyber Criminal Arrested in Thailand
Wormhole Attacks on Wireless Networks Could be Mitigated with Help of GPS
Get Legal Advice Before Reverse Engineering Malware
Demand for Workers with Security Clearances Outstrips Supply

---

*************** Sponsored by Internet Security Systems ****************
Discover how state-of-the-art correlation techniques will allow you to
substantially improve enterprise security and dramatically lower overall
costs. Learn more about the latest threat prioritization systems and
how to automatically match threats to known vulnerabilities in this ISS
whitepaper.
Visit: http://www.iss.net/ad/dtp_sansdtpwp052803/
***********************************************************************

---

TOP OF THE NEWS

California Senate Approves Harsher Anti-Spam Bill (23/26 May 2003)

A bill recently passed by the California State Senate would make sending unsolicited commercial e-mail a felony and would allow people to sue spammers $500 for each message sent. Current California law is based on an "opt-out" model, which can in fact backfire because responding to a message alerts spammers to live e-mail addresses. The new bill presents an "opt-in" model, and is based on a federal law against unsolicited and junk faxes due to the cost incurred by the recipient. The bill next goes to a vote in the California Assembly, and if approved there, makes its way to Governor Gray Davis.
-http://zdnet.com.com/2100-1105_2-1009411.html
-http://www.computerworld.com/printthis/2003/0,4814,81542,00.html

Proposed Anti-Spam Bill is in Congress (24 May 2003)

The Reduction in Distribution of Spam Act is likely to pass through Congress quickly. The Bill imposes stiff penalties for people who use false identities to send unsolicited commercial e-mail or fail to honor people's requests to be removed from their mailing lists. Critics of the proposed legislation say it does not go far enough; marketers could still send out unlimited numbers of messages.
-http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=2811844

Cyber Terror Drill Demonstrates Cooperation is Essential (19 May 2003)

Preceding last week's Topoff2 exercise, officials in Seattle (WA) participated in a mock cyber attack. The drill included a variety of attack types, including viruses and distributed denial-of-service (DDoS) attacks. They found they were best able to mitigate the effects of the attack when they cooperated across federal, state and local levels.
-http://www.gcn.com/22_11/homeland-security/22099-1.html
[Editor's Note (Schultz): But genuine cooperation between different entities becomes considerably more difficult in situations other than mock scenarios. Cooperation in incident response efforts is one of the most difficult challenges in the information security arena. ]

Air Force Service Evaluates Patches (19 May 2003)

The Air Force has established the Enterprise Network Operations Support Cell (ENOSC), a software patch service. Patches are tested by the Air Force Computer Emergency Response Team which assesses its effectiveness and assigns it a number indicating its likelihood of interfering with other software. The patch along with that information is placed on the site and administrators can decide if it's an appropriate patch for their systems. ENOSC supports Windows 9x, NT 4.0, 2000 and XP, as well as Exchange Server and Internet Explorer. It also supports Sun Solaris and plans to add Linux and HP-UX.
-http://www.gcn.com/22_11/security/22059-1.html

---

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Instantly stop DDoS attacks. Prevent worm propagation. Hands-on,
online demo
--launch and mitigate live attacks.
http://www.sans.org/cgi-bin/sanspromo/NB174
(2) FREE White Paper: "Outsmart the Top 10 Web Application Hacks"
http://www.sans.org/cgi-bin/sanspromo/NB175
(3) Earn a Norwich University Master's Degree in Information Security
in 24 months.
http://www.sans.org/cgi-bin/sanspromo/NB176
***********************************************************************

---

THE REST OF THE WEEK'S NEWS

University of Calgary to Offer Malware Writing Course (23/26 May 2003)

This autumn the University of Calgary plans to offer a course called "Computer Viruses and Malware," in which students will learn to create viruses, worms and Trojan horse programs. The professor offering the course says understanding how malware is written will help develop more effective methods of stopping it. Members of the anti-virus community disagree with the approach; Sophos' Graham Cluley wonders if the university will be held liable if malware developed in the course is used in an actual cyber attack.
-http://www.eweek.com/article2/0,3959,1104161,00.asp
-http://www.sophos.com/virusinfo/articles/calgary.html
-http://www.globetechnology.com/servlet/story/
RTGAM.20030526.gtmalwaremay26/BNStory/Technology/

Cybersecurity Chief Position and Cyber Security Ops Center to be Part of DHS (23/26 May 2003)

The Bush administration will announce the creation of a cybersecurity chief position within the Department of Homeland Security. The cyberchief's responsibilities will include carrying out recommendations made in the National Strategy to Secure Cyberspace. The cyberchief will be three levels below DHS Secretary Tom Ridge; former presidential cybersecurity advisor Richard Clarke says the position is "not ... senior enough." Candidates for the position are still being sought. The DHS also plan to announce the establishment of a national cyber-security center, which brings all the department's information security assets under one umbrella.
-http://www.washingtonpost.com/ac2/wp-dyn/A32736-2003May23?language=printer
-http://www.eweek.com/article2/0,3959,1109041,00.asp

StartPage Trojan (22/23 May 2003)

The StartPage Trojan exploits a vulnerability in Exploit.SelfExecHTML in Internet Explorer's (IE) security system. StartPage arrives as a Zip-archive containing an HTML file and an EXE file; infection occurs when the HTML file is opened. The vulnerability affects IE 5.0 for Windows 2000, 95, 98 and NT 4.0. There is not presently a patch for the vulnerability.
-http://196.37.50.65/sections/internet/2003/0305221102.asp
-http://www.theage.com.au/articles/2003/05/23/1053585679689.html

Study: Federal IT Spending Will Rise (22 May 2003)

The findings of a recent market research study indicate that federal agency spending on information technology security will increase steadily over the next five years, reaching $6 billion by 2008. The security sector showed a marked increase after the terrorist attacks in 2001.
-http://news.com.com/2102-1009_3-1009139.html?tag=ni_print

Data Thieves Target PayPal Users (22 May 2003)

PayPal customers are being targeted by data thieves intent on obtaining personal information that can be used to steal identities. Some PayPal users have received e-mail messages with "PayPal Verification" in the subject line; the message offers a link to a site that appears to be official but is not. It asks for users' names, credit card numbers, mothers' maiden names, bank account numbers and other sensitive information. The site was registered in the name of someone whose identity had been stolen.
-http://www.securityfocus.com/news/5039

Data Thieves Target Citibank c2it Customers (22 May 2003)

Personal data thieves are also targeting some Citibank customers. Customers who use the c2it money transfer service have been receiving e-mails that are HTML messages that contain forms that ask for such personal data as social security numbers, dates of birth and mothers' maiden names. The message is well-crafted; only the return address in the message header gives pause, as it is a Hotmail account rather than a Citibank address.
-http://www.eweek.com/article2/0,3959,1102980,00.asp

Teen Repeats Internet Scam After First Arrest (22 May 2003)

19-year-old Shiva Sharma of Queens (NY) allegedly tricked AOL users into divulging personal and financial information that he used to purchase and sell $30,000 worth of electronic equipment on the Internet. Sharma was arrested on similar charges four months ago; he could face up to seven years in prison.
-http://www.nydailynews.com/front/story/85857p-78336c.html
-http://www.nypost.com/news/regionalnews/76372.htm

McQueary Questioned About Private Sector Critical Cyber-Infrastructure Subsidies (22 May 2003)

Members of the cyber-security subcommittee of the House Select Committee on Homeland Security asked Charles McQueary, DHS undersecretary of the Science and Technology Directorate, if the government should subsidize privately owned critical cyber-infrastructure security. In his testimony, McQueary explained that cyber-security is one of seven priorities for his directorate.
-http://www.eweek.com/article2/0,3959,1101707,00.asp
[Editor's Note (Grefer): When too many things become "priorities," none of them is a priority anymore. ]

Disgruntled Former Employee Computer Intrusion Cases on the Rise (22 May 2003)

Approximately 75% of federal computer intrusion cases in Massachusetts involve former employees, according to Assistant US Attorney Allison D. Burroughs. The US attorney's office in Boston is presently working on eleven such cases. They include the case of a fired travel agency employee who later broke into the company's computers and canceled customers' airline reservations.
-http://www.boston.com/dailyglobe2/142/metro/
Workers_vengeance_makes_its_way_on_Web+.shtml

Spammers Could Exploit Sobig-B (Formerly Palyh) Worm (21 May 2003)

The Palyh worm, which has been identified as a variant of the Sobig worm and hence renamed Sobig-B, could be used by spammers to install proxy servers on infected machines and use them to send out large quantities of unsolicited e-mail.
-http://www.theregister.co.uk/content/56/30808.html

Seized PDAs Encrypted with PGP (21 May 2003)

Italian police have been unable to access information on 2 PDAs seized from members of Italy's Red Brigades; the devices are protected by PGP encryption. Phil Zimmerman, who developed PGP, said investigators would not be able to break the encryption using traditional techniques. The situation once again raises the question of encryption and privacy vs. security.
-http://www.infoworld.com/article/03/05/21/HNpdapgp_1.html

Fear of Poor Security Keeps People from Internet Banking (21 May 2003)

An RSA Security-commissioned study found that UK citizens are reluctant to utilize Internet banking because they do not trust that the on-line banks employ adequate security. 38% of those who do not use Internet banking said they might be encouraged to switch if security measures were improved.
-http://www.vnunet.com/News/1141079

Man Ordered to Pay More than $500,000 in Internet Stock Manipulation Case (21 May 2003)

Refal Shaoulian has been ordered to pay the US government more than $500,000 for allegedly posting false stock information on the Internet, to manipulate the stock's price, while he was a student at the University of California at Los Angeles (UCLA). Shaoulian allegedly made profits of more than $400,000.
-http://www.nandotimes.com/technology/story/894152p-6229326c.html

Alleged Cyber Criminal Arrested in Thailand (21 May 2003)

A Ukrainian man wanted in the US for alleged software piracy and Web-spoofing has been arrested in Thailand. Maksym Kovalchuk, also known as Maksym Vysochanskyy, has denied charges against him. The US is expected to file an extradition request.
-http://www.hindustantimes.com/news/181_258316,00030010.htm

Wormhole Attacks on Wireless Networks Could be Mitigated with Help of GPS (20 May 2003)

Researchers from Carnegie Mellon University and Rice University presented a paper at the Twelfth World Wide Web Conference in Romania that described how a wormhole attack could adversely affect wireless networks; the paper also describes a method for remediating the vulnerability. A wormhole attack would involve intercepting wireless data packets traveling on one part of a network and inserting them at a different point. The suggested solution is to tag packets with global positioning system (GPS) information or timestamps.
-http://www.newscientist.com/news/news.jsp?id=ns99993747

Get Legal Advice Before Reverse Engineering Malware (20 May 2003)

In an interview with ZDNet Australia, the Computer Emergency Response Team's (CERT) Jeff Carpenter said Australian researchers should obtain legal advice before reverse engineering malware so they can make sure they are not running afoul of copyright laws like the US's Digital Millennium Copyright Act (DMCA).
-http://www.zdnet.com.au/printfriendly?AT=2000048600-20274678

Demand for Workers with Security Clearances Outstrips Supply (19 May 2003)

The number of people with federal security clearances is lagging far behind the demand. Background checks can take as long as a year, and there are 237,816 clearance applications pending at the Defense Security Service.
-http://www.washingtonpost.com/ac2/wp-dyn/A4598-2003May17?language=printer

---

==end==
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/