SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume V - Issue #31

August 06, 2003

A Heads Up On the "Pragmatic Intrusion Prevention" Workshop
Intrusion prevention is a marketing term, but there are some new
advances and promising practices in the field. Stephen Northcutt has
been doing extensive research into what works and what doesn't and will
present SANS findings at a special workshop in Las Vegas Oct 3, 4, 2003.
If you are trying to decide where intrusion detection and intrusion
prevention fit in your organization's cyber defenses, this is a meeting
you won't want to miss.
http://www.sans.org/preventintrusions/cfp.php

---

TOP OF THE NEWS

Attack Tool Exploits Windows RPC Flaw
DHS Warns Increased Scanning May Precede Large Scale Attack
OIS Releases Disclosure Guidelines
Bill Would Require Permission to Install Spyware

THE REST OF THE WEEK'S NEWS

Potential e-Voting Vulnerabilities Prompt Call for Standards
Improving Confidence in e-Voting
MiMail Worm
Microsoft.com Hit with Denial-of-Service Attack
U of Michigan Student Arrested for Alleged Computer Crimes
Preliminary Version of GEWIS Expected in October
Kentucky Transportation Agency's Computer Compromised by Software Pirates
Microsoft Patch for NT 4.0 Causes RRAS Failure
FTC Warns of Peer-to-Peer Security Risks
Magistrate Orders Return of Computer Seized in OptusNet Break-in
50% of Systems Still Vulnerable 30 Days After Patch Release
International Nature of Cyber Crime Requires Clear Laws and Cooperation
Company Must Bear Lion's Share of Evidence Retrieval Cost
Sydney University Must Surrender Backup Tapes in File-Swapping Data Case

---

*********************** Sponsored by NetIQ ****************************
"Information Security Policies Made Easy" is the most comprehensive
security policy resource guide you can buy, with 1300+ ready-to-use
security policies that can be quickly customized for any company. Build
best practice security policies in half the time and expense. Also
available "Information Security Roles & Responsibilities Made Easy."
Download a free policy now http://www.netiq.com/order/publications.asp
***********************************************************************

---

TOP OF THE NEWS

Attack Tool Exploits Windows RPC Flaw (4 August 2003)

An attack tool, also known as an autorooter, is being used to compromise Windows servers; the tool takes commands through Internet relay chat (IRC) networks and is capable of scanning for and compromising machines vulnerable to the highly publicized recent Windows remote procedure call (RPC) flaw.
-http://zdnet.com.com/2102-1105_2-5059263.html?tag=printthis

DHS Warns Increased Scanning May Precede Large Scale Attack (31 July/1 August 2003)

The Department of Homeland Security's Information Analysis and Infrastructure Protection National Cybersecurity Division has warned that an increase in Internet scanning for a vulnerability in Microsoft Windows Remote Procedure Call (RPC) Interface could be the precursor to a large-scale attack. Microsoft is offering the patch for free on its web site. The Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University has also issued an alert, and recommends applying patches and blocking certain services.
-http://www.msnbc.com/news/946460.asp?0dm=T217T
-http://www.gcn.com/vol1_no1/daily-updates/23025-1.html
-http://www.newsfactor.com/perl/printer/22017/
-http://www.cert.org/advisories/CA-2003-19.html
[Editor's Note (Paller) These strident warnings merely reinforce the fundamental truth taught by this vulnerability and other vulnerabilities that are found on tens of millions of systems. The current patching system is broken. Asking naive users to search out patches and load them on their systems has not worked in the past, did not work in this case, and will not work in the future. Hundreds of thousands-- perhaps as many as a million -- systems have been compromised because of this and similar vulnerabilities. That is enough systems to cause remarkable damage over extended periods of time. Only massive pressure from buyers - -- led by the US government -- can persuade the software and Internet appliance vendors to do the right thing for their customers by taking responsibility for the flaws they are putting in our computers and on our networks. The most important single act the Department of Homeland Security could do if it wants to improve cyber security is to change the way it buys systems so that its con

OIS Releases Disclosure Guidelines (30/31 July 2003)

The Organization for Internet Safety (OIS), a group of eleven security companies and software developers including Microsoft, Oracle, Bindview and Symantec, has released the first version of its Guidelines for Security Vulnerability Reporting and Response. According to the guidelines, vendors would establish a point of contact so researchers know whom to inform about vulnerabilities they discover. Additionally, vendors would acknowledge receiving the vulnerability report within seven days; if they fail to do so, researchers may make public statements about the vulnerabilities. Finally, the guidelines propose a 30-day grace period after a fix has been released before researchers can release "supplementary data" about the vulnerability. Critics of the plan have voiced concern that it benefits those companies who offer paid vulnerability early-warning lists, and that the plan is vendor-centered, offering no incentive for researchers to abide by the guidelines.
-http://news.com.com/2102-1002_3-5057914.html?tag=ni_print
-http://www.computerworld.com/printthis/2003/0,4814,83609,00.html
-http://www.oisafety.org/reference/process.pdf

Bill Would Require Permission to Install Spyware (29 July 2003)

Representative Mary Bono (R-Calif.) has introduced the Safeguard Against Privacy Invasions Act, which would require businesses to obtain explicit permission before installing spyware on people's computers. Spyware monitors people's Internet habits and gathers information on them; often, spyware disclosures are included in software licensing agreements, which many users do not read carefully.
-http://news.com.com/2102-1028_3-5057094.html?tag=ni_print

---

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Best Practices for Incident Response - Sign up for the
practitioner's guide at
http://www.sans.org/cgi-bin/sanspromo/NB206
(2) NEW ALERT: "How a Hacker Launches a LDAP Injection Attack
Step-by-Step"
http://www.sans.org/cgi-bin/sanspromo/NB207
(3) MAKE YOUR FIREWALL DYNAMIC. Accurately block attackers in realtime.
FREE Demo.
http://www.sans.org/cgi-bin/sanspromo/NB208
***********************************************************************

---

THE REST OF THE WEEK'S NEWS

Potential e-Voting Vulnerabilities Prompt Call for Standards (4 August 2003)

The release of a paper from Johns Hopkins University researchers showing that touch-screen voting machines contain security vulnerabilities which could allow election manipulation has prompted the National Association of Secretaries of State to ask the National Institute of Standards and Technology (NIST) to create a white paper addressing security standards for electronic voting machines.
-http://www.wired.com/news/print/0,1294,59874,00.html

Improving Confidence in e-Voting (31 July 2003)

The author of this piece says that confidence in computer voting systems could be strengthened if the code were opened to public scrutiny and if the systems could provide a "voter verifiable audit trail" through the use of printed receipts for voters to check.
-http://slate.msn.com/id/2086455

MiMail Worm (1/3/4 August 2003)

The MiMail mass mailer worm is spreading rapidly, according to a number of sources. It arrives as an e-mail message purporting to be from the local network's system administrator, informing the recipient that his or her e-mail account is due to expire. MiMail exploits a known buffer overflow vulnerability in Internet Explorer to run code on infected machines. MiMail sends itself out to addresses harvested from files on infected computers; its mass mailing capabilities can clog e-mail servers and degrade network performance.
-http://www.msnbc.com/news/947145.asp?0dm=C228T
-http://new.zdnet.co.uk/print/?TYPE=story&AT=39115436-39020645t-10000025c
-http://www.cnn.com/2003/TECH/internet/08/02/worm/index.html
-http://news.bbc.co.uk/1/hi/technology/3122633.stm

Microsoft.com Hit with Denial-of-Service Attack (1 August 2003)

Microsoft.com was hit with a denial-of-service attack for about an hour and a half on Friday afternoon; the attack is under control and the company has contacted authorities.
-http://www.computerworld.com/printthis/2003/0,4814,83677,00.html
-http://www.microsoft-watch.com/article2/0,4248,1209059,00.asp

U of Michigan Student Arrested for Alleged Computer Crimes (1/2/4 August 2003)

Authorities have arrested a University of Michigan graduate student who allegedly broke into university computer systems. Ning Ma, a Chinese citizen with a student visa, allegedly used keystroke loggers to obtain others' usernames and passwords; he also allegedly stole a student's credit card and PIN number, and accessed two professors' network storage areas, where they kept exams and answer sheets. If he is convicted, Ma could face five years in prison.
-http://www.washingtonpost.com/ac2/wp-dyn/A12994-2003Aug1?language=printer
-http://www.cnn.com/2003/TECH/internet/08/02/accused.hacker.ap/index.html
-http://www.michigandaily.com/vnews/display.v/ART/2003/08/04/3f2e12e7790b0

Preliminary Version of GEWIS Expected in October (31 July 2003)

A preliminary version of the Global Early Warning Information System (GEWIS) should be working by October of this year; a final version should be up and running by March 2004. GEWIS is intended to alert the Department of Homeland Security to suspicious network behavior by analyzing the flow of information. It will not look inside packets where private or sensitive information may reside.
-http://zdnet.com.com/2102-1105_2-5058578.html?tag=printthis
[Editor's Note (Northcutt): A much better article about GEWIS was written seven months ago by Brian Krebs of the Washington Post:
-http://www.washingtonpost.com/ac2/wp-dyn?pagename=article&node=&contentI
d=
A3409-2003Jan30 ]

Kentucky Transportation Agency's Computer Compromised by Software Pirates (30 July 2003)

A routine audit of Kentucky's Transportation Cabinet's computer system showed that people have been using it to store pirated content, including movies, songs and video games. The state auditor has provided the agency with practical advice to prevent this from recurring. Responsibility for Transportation cabinet routers has been transferred to the Governor's Office for Technology.
-http://www.gcn.com/vol1_no1/daily-updates/22965-1.html
-http://www.kentucky.com/mld/kentucky/news/local/6415369.htm

Microsoft Patch for NT 4.0 Causes RRAS Failure (30 July 2003)

Microsoft has acknowledged that a recently released patch (see Microsoft Security Bulletin MS03-029) for a denial-of-service vulnerability in Windows NT 4.0 is flawed; users have reported a number of problems after installing the patch, including failure of the Routing and Remote Access Service (RRAS). The Microsoft bulletin has been amended to acknowledge the problem. Microsoft plans to release a fix soon; meanwhile, a "loosely tested" hot fix is available.
-http://www.computerworld.com/printthis/2003/0,4814,83584,00.html
-http://www.microsoft.com/technet/security/bulletin/MS03-029.asp
[Editor's Note (Northcutt): I went to the Microsoft web site Friday to validate the URL for the patch and got the "service unavailable" response. I realized then that this is a potentially interesting information warfare scenario. Since most people wait to install the patch until a worm starts running, the attacker could use some of the compromised systems from the worm to execute a DDOS to keep people from getting to the patch. ]

FTC Warns of Peer-to-Peer Security Risks (30 July 2003)

The Federal Trade Commission (FTC) has issued a consumer privacy alert describing the risks that accompany the use of peer-to-peer file sharing software. The risks include accidentally downloading viruses or pornography and sharing copyrighted files, which could lead to prosecution.
-http://news.com.com/2102-1029_3-5057814.html?tag=ni_print

Magistrate Orders Return of Computer Seized in OptusNet Break-in (30 July 2003)

A local court magistrate has ordered that a computer seized during the investigation of Stephen Craig Dendtler be returned to his mother. Dendtler was given a two-year good behavior bond and a AUS$4,000 fine for breaking into the OptusNet and accessing account details of more than 400,000 of the Internet network's customers. Dendtler's attorney said that the computer in question belonged to Dendtler's mother; the magistrate said there was no evidence that the computer was used in the commission of the crime.
-http://www.news.com.au/common/printpage/0,6093,6834229,00.html

50% of Systems Still Vulnerable 30 Days After Patch Release (30 July 2003)

Data from a study conducted by Qualys, a vulnerability assessment company, shows that patching has a 30-day half-life. After thirty days, 50% of systems remain unpatched; that number decreases by 50% every 30 days after that. The study also found that the more serious vulnerabilities are fixed more quickly. In addition, 80% of vulnerability exploits are released within the first sixty days after the flaw is announced.
-http://news.com.com/2102-1009_3-5058058.html?tag=ni_print
-http://www.securityfocus.com/news/6568

International Nature of Cyber Crime Requires Clear Laws and Cooperation (29 July 2003)

Delegates at a conference sponsored by the Asia-Pacific Economic Corporation (APEC) e-Security task group agreed that in order to combat cybercrime, countries must enact laws that criminalize cyber crime and also must be willing to cooperate with other countries.
-http://www.infoworld.com/article/03/07/29/HNcombatcrime_1.html

Company Must Bear Lion's Share of Evidence Retrieval Cost (29 July 2003)

A decision from a federal judge requires financial firm UBS to bear 75% of the cost involved in retrieving electronic evidence in a gender discrimination case brought by a former employee. UBS must also pay the entire cost of "producing" the documents. The plaintiff is required to pay the remaining 25% of the retrieval cost.
-http://zdnet.com.com/2102-1105_2-5056365.html?tag=printthis

Sydney University Must Surrender Backup Tapes in File-Swapping Data Case (30 July 2003)

An Australian federal judge has ruled that Sydney University must turn over back-up tapes to record companies, which allege that file-swapping data were on the University's computer system. The school must also bear the cost of recovering the data, which it says has been overwritten.
-http://news.com.com/2102-1029_3-5057849.html?tag=ni_print

---

==end==
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, Marcus
Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/