SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume V - Issue #25

June 25, 2003

TOP OF THE NEWS

Guess Settles FTC Charges, Agrees to Invest In Improved Security
Hatch is in Favor of Destroying Copyright Violators' Computers, if Necessary
McCain Promises Hearings on DMCA Subpoena Provision

THE REST OF THE WEEK'S NEWS

Vulnerability Management
Student Breached University Computer System and Disrupted Election
Fortnight Worm Exploits Old Vulnerability
Stumbler Trojan
Senate Bill Would Have FBI Address P2P Piracy
Cash Machines Exploited in 9/11 Aftermath
RIAA Warns Individual File Traders
Brokerages Must Retain IM Logs
Companies Need to Establish E-Mail Retention Policies
Japanese Police Systems Sustained More than 160,000 Attacks
VPNs Offer Advantages Over Frame-Relay Networks
DHS To Build Secure Network
EU Security Agency to Begin Work in January
Interview With GAO Infosec Director Robert Dacey

---

*************** Sponsored by Internet Security Systems ****************
New whitepaper from Internet Security Systems!
ISS' new, easily deployed appliances dynamically protect
regardless of network speed or threat type, without requiring
separate firewalls, antivirus and intrusion detection. Find out how:
http://www.iss.net/ad/appliance_sansappliancewp062503
***********************************************************************

---

TOP OF THE NEWS

Guess Settles FTC Charges, Agrees to Invest In Improved Security (18/19 June 2003)

Guess, Inc. has settled charges brought by the Federal Trade Commission (FTC) regarding security on its Guess.com web site. The FTC said that Guess had promised its customers that their personal information, including credit card numbers, would be protected, but the site was vulnerable to known exploits, including the SQL injection attack. Guess has agreed to create a security program, which must be certified annually. The company must also refrain from making false claims about the security of customer information. The FTC has also released a fact sheet for guidance called "Security Check: Reducing Risks to Your Computer System."
-http://www.washingtonpost.com/ac2/wp-dyn/A12397-2003Jun19?language=printer
-http://www.computerworld.com/printthis/2003/0,4814,82309,00.html
-http://www.securityfocus.com/news/5968
FTC Settlement Announcement:
-http://www.ftc.gov/opa/2003/06/guess.htm
Security Check Fact Sheet:
-http://www.ftc.gov/bcp/conline/pubs/buspubs/security.htm
[Editor's Note (Paller): The Federal Trade Commission demonstrated that there are legal consequences for organizations that have weak security. Tens of thousands of organizations doing business on the Internet are in the same (weak) position that Guess was in. Expect a surge of security audits, demand for better training for system administrators and application developers, and a quest for "minimum standards of due care" in security. ]

Hatch is in Favor of Destroying Copyright Violators' Computers, if Necessary (19 June 2003)

At a hearing on the dangers of peer-to-peer filesharing services, Senate Judiciary Committee chairman Orrin Hatch (R-Utah) suggested that the computers of people who download material in violation of US copyright laws should be destroyed. Senator Patrick Leahy (D-Vermont) called the proposal "Draconian," and Hatch took a few steps back from his stance, saying that something has to be done to stop Internet piracy and that "extreme measures" should be taken only if other measures do not work. Such action would violate current federal law. Ironically, Senator Hatch has been found to be using unlicensed software on his web site.
-http://news.com.com/2102-1028_3-1018845.html?tag=ni_print
-http://www.computerworld.com/printthis/2003/0,4814,82317,00.html
-http://www.wired.com/news/print/0,1294,59298,00.html
-http://www.wired.com/news/print/0,1294,59305,00.html
[Editor's Note (Schultz): It's downright hilarious that Sen. Hatch not only apparently has unlicensed software on his Web site, but also that at least until late last week his site definitely had a link to pornographic pages (
-http://www.senate.gov/~hatch/index.cfm?Fuseaction=Students.Utah).
Perhaps Sen. Hatch should do some local housecleaning before going on his witch hunts. ]

McCain Promises Hearings on DMCA Subpoena Provision (19 June 2003)

Senator John McCain (R-Ariz.), chairman of the US Senate Commerce, Science and Transportation committee, has promised to hold hearings on the section of the Digital Millennium Copyright Act (DMCA) that allows copyright holders to subpoena the identities of those they suspect of violating their copyrights. There is some concern that people pretending to be copyright holders could take advantage of the process and violate individuals' privacy.
-http://www.idg.net/ic_1322296_9719_1-5448.html

---

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) ALERT: "How a Hacker Launches a SQL Injection Attack
Step-by-Step"- White Paper
http://www.sans.org/cgi-bin/sanspromo/NB186
(2) Simplify secure file transfer! Download a white paper and free
evaluation software.
http://www.sans.org/cgi-bin/sanspromo/NB187
***********************************************************************

---

THE REST OF THE WEEK'S NEWS

Vulnerability Management

Good vulnerability management is, at the core, effective identification of and response to vulnerabilities. Organizations would be well-advised to employ tiered defenses, to keep current with patches and maintain an effective patch deployment system and to use an automated vulnerability assessment tool. In addition, security should be a factor in purchasing decisions.
-http://img.cmpnet.com/nc/1412/graphics/1412f1_file.pdf
[Editor's Note (Northcutt): It is actually a good article. I suggest readers ignore the initial two screens, which are poorly laid out, and go for the meat. ]

Student Breached University Computer System and Disrupted Election (23 June 2003)

Shawn Nematbakhsh, a computer science major at the University of California at Riverside allegedly broke into a university computer system and cast 800 votes for a fake candidate in a student election. He has been arrested. If convicted of charges, Nematbakhsh could face three years in prison and a $10,000 fine; he claims his actions were intended to prove that the university network was vulnerable.
-http://www.cnn.com/2003/TECH/internet/06/23/us.hacker.ap/index.html

Fortnight Worm Exploits Old Vulnerability (23 June 2003)

The Fortnight JavaScript worm redirects Explorer browsers to a pornographic web site. While the worm's payload is more annoying than malicious, its spread is significant because it exploits an old vulnerability in Microsoft VM Active X; a patch has been available since October 2000.
-http://zdnet.com.com/2102-1105_2-1019929.html?tag=printthis
[Editor's Note (Grefer): If the patch has been available since October 2000, users who regularly visit
-http://windowsupdate.microsoft.com
should already be protected. Also, if automation of regular upgrades to MS Internet Explorer is desired, this can be achieved through accessing the "Internet Options" in the "Tools" menu. On the "Advanced" tab, under the "Browsing" heading, place a check mark in front of "Automatically check for Internet Explorer updates." ]

Stumbler Trojan (20/23 June 2003)

The Stumbler Trojan, also known as Trojan 55808, does not spread itself; it is manually installed on computers running Linux operating systems. The Trojan then acts as a "distributed port scanner." Stumbler is likely responsible for a spike in Internet traffic over the last few weeks. It is possible that the program is a proof-of-concept for a passive scanning technique that could later be used in conjunction with a worm.
-http://www.computerworld.com/printthis/2003/0,4814,82362,00.html
-http://www.internetweek.com/shared/printableArticle.jhtml?articleID=10700746
-http://news.com.com/2102-1002_3-1019759.html?tag=ni_print
-http://www.theregister.co.uk/content/55/31341.html
[Editor's Note (Northcutt): I would advise you not to take what is said in the news about this Trojan too seriously. There appears to be some trickery afoot. Here's a relevant note from Guest Editor and SANS Faculty member, Mike Poor: The most unusual aspect of the "mystery" traffic generated by the 55808 trojan is that we have not seen people reporting that they found traffic leaving their networks. If you have TCPdump, put the filter 'tcp
[14:2 ]
= 55808' on your egress route, and if you see outgoing traffic, please contact us at isc@sans.org. The incoming traffic that we have captured appears to be coming from unallocated address space, from thousands of different spoofed sources. ]

Senate Bill Would Have FBI Address P2P Piracy (20/23 June 2003)

HR-2517, the Piracy Deterrence and Education Act of 2003, was introduced last week in Congress. The bill would have the FBI develop a program to tackle the problem of peer-to-peer sharing of copyrighted material. One of the bill's sponsors is Representative Howard Berman (D-Calif.), who last year introduced a bill that would have allowed copyright holders to break into computers belonging to suspected content pirates.
-http://news.com.com/2102-1028_3-1019811.html?tag=ni_print
-http://www.theregister.com/content/6/31374.html

Cash Machines Exploited in 9/11 Aftermath (19 June 2003)

As many as 118 people allegedly took advantage of bank machines that were not working properly after the September 11, 2001 terrorist attacks; as much as $15 million may have been stolen. Seventy-four individuals have been arrested and 44 others are being sought; nearly 4,200 others are being investigated.
-http://www.nzherald.co.nz/latestnewsstory.cfm?storyID=3508252&thesection=new
s&thesubsection=world

RIAA Warns Individual File Traders (19 June 2003)

The Recording Industry Association of America (RIAA) has sent cease-and-desist letters to five people it suspects of offering vast quantities of copyrighted music through peer-to-peer filesharing networks. The RIAA obtained the names of the four Verizon subscribers and one EarthLink subscriber after an appeals court panel ordered Verizon to provide the RIAA with the subscribers' identities. The RIAA has not said whether it will pursue further legal action.
-http://news.com.com/2100-1027_3-1019184.html

Brokerages Must Retain IM Logs (19 June 2003)

US securities regulators are now requiring brokerages to retain instant messaging (IM) records for at least three years, putting the use of the communication tool in line with e-mail requirements. The companies were also advised to monitor employee use of IM.
-http://www.infoworld.com/article/03/06/19/HNfinancialim_1.html

Companies Need to Establish E-Mail Retention Policies (17 June 2003)

The 2003 E-Mail Rules, Policies, and Practices Survey from the American Management Association, the ePolicy Institute, and Clearswift found that while more companies are being asked for e-mail records to be used in lawsuits, only 34% of the 1,100 responding companies have written e-mail retention and deletion policies. In December, a number of Wall Street firms were fined $8.3 million for not retaining their e-mail records.
-http://www.informationweek.com/story/showArticle.jhtml?articleID=10700336
[Editor's Note (Northcutt): They tell us a problem, but don't give a solution. So I took a crack at defining a first draft of a policy. It is posted at
-http://www.sans.org/resources/policies/#email.
If you will take a look and send feedback (to info@sans.org with subject Email Policy Comments), I will incorporate your consensus into an updated sample policy for the community. (Shpantzer): A recent federal court ruling may help set the standard for email records discovery. It might be prudent to go over this with your corporate counsel and work out an email policy that works for your organization. Article about the ruling:
-http://www.abanet.org/journal/ereport/j6discovr.html
The decision:
-http://www.nysd.uscourts.gov/rulings/02cv1243_051803.pdf]

Japanese Police Systems Sustained More than 160,000 Attacks (19 June 2003)

A report from Japan's National Police Agency (NPA) indicates that police computer systems were the targets of more than 160,000 attacks between July 2002 and March 2003. Approximately 39% were "ping" attacks, while about 34% were port scans. According to the report, more than 25% of the attacks originated in the US.
-http://www.ds-osac.org/view.cfm?KEY=7E44534B4253&type=2B170C1E0A3A0F162820
[Editor's Note (Shpantzer): Sure the Japanese Police have some sophisticated enemies that actually target them for 'attack' but these figures are a little weak when examined closely: "In March, the virus (SQL worm) accounted for 65 percent of all the attacks." Using this metric, my home network is attacked hundreds of times a day. ]

VPNs Offer Advantages Over Frame-Relay Networks (19 June 2003)

This article describes the advantages of a virtual private network (VPN) over a frame-relay network. Traffic on frame-relay networks is not encrypted, all offices must use the same service provider, and the networks are limited by geography. A VPN can offer twice the capacity of a frame-relay network for the same amount of money. Some VPNs offer encryption and do not require offices to use the same service provider. The author concludes that VPNs offer more flexibility and cost less than frame-relay networks while providing comparable performance and reliability.
-http://idg.net/ic_1322305_9677_1-5044.html

DHS To Build Secure Network (19 June 2003)

Computer experts will be developing a secure network for all 190,000 workers in the Department of Homeland Security. The new network will take years to develop; among the challenges it presents is the task of keeping existing networks operational and secure. The networks are tested regularly to ensure they are safe from attackers.
-http://www.informationweek.com/story/showArticle.jhtml?articleID=10700486

EU Security Agency to Begin Work in January (16 June 2003)

The European Union's (EU) forthcoming Network and Information Security Agency (NISA) will have 6 representatives from the European Council and 6 from the Commission on its board; however, plans call for only one industry member. NISA plans to start in January, and will focus on analyzing IT threats, fostering cooperation between security agencies and promoting risk assessment within businesses.
-http://www.vnunet.com/News/1141650

Interview With GAO Infosec Director Robert Dacey (16 June 2003)

In an interview with Government Computer News, General Accounting Office (GAO) director of information security Robert F. Dacey discusses the GAO's role in assuring information security at government agencies, the biggest challenges those agencies face in addressing cybersecurity and elements of good security program management.
-http://www.gcn.com/22_15/security/22435-1.html

---

==end==
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/