SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #32
August 13, 2003
TOP OF THE NEWS
Windows Worm Spreading
Stanford and Berkeley Computers Attacked Via Windows Vulnerability
Maryland Governor Calls for Electronic Voting Machine Risk Assessment
Linux Receives Common Criteria Certification
THE REST OF THE WEEK'S NEWS
Purchasing Plan Study Places IDS High on Lists
Scenario Depicts Cyber Attack in Critical Infrastructure
Man Pleads Guilty in ATM Skimming Case
Research Predicts Increased Security Spending
NSA Wants Congress to Fund National Software Assurance Center
Acxiom Acknowledges Database Security Breach
OMB Advises Agencies on FISMA Compliance
Many IT Execs Don't Know What's Running on Their Systems
Computer Fraud and Abuse Act Conviction Is Appealed
BSA Report Says Tide of US Software Piracy is Ebbing
Without Clear Security Policies, Cyber Crime Cases Could be Dropped
File Signature Database Would Help Establish Software Integrity
Former Employee Pleads Guilty to Computer Intrusion
Triple DES Implementation Will be Costly
****************** Sponsored by Internet Security Systems *************
Latest Gigabit and 100Mbps IDS Test Results Available
The NSS Group, one of the world's foremost independent security testing
facilities, has released its study of Gigabit and 100Mbps IDS solutions.
Read how ISS' RealSecure(r) and Proventia(tm) solutions came out.
http://www.iss.net/mktg/NSSGroupResults/
***********************************************************************
TOP OF THE NEWS
Windows Worm Spreading (11 August 2003)
A worm that exploits the widespread Windows RPC DCOM vulnerability is spreading quickly, according to the Internet Storm Center. Alternately called "Blaster" and "LovSan," the worm infects Windows 2000 and Windows XP systems and often causes them to repeatedly crash. SANS Internet Storm Center issued one of the earliest advisories about the worm. As many as 1.4 million systems have been infected as of 4 PM EDT, Tuesday. That is at least four times the number infected by Code Red.
-http://www.washingtonpost.com/wp-dyn/articles/A46233-2003Aug11.html
Useful "How-To" for cleaning it off your system:
-http://www.washingtonpost.com/wp-dyn/articles/A49251-2003Aug12.html
Technical description at SANS Internet Storm Center:
-http://isc.sans.org/diary.html?date=2003-08-11
-http://news.com.com/2102-1002_3-5062364.html?tag=ni_print
-http://www.cert.org/advisories/CA-2003-20.html
Stanford and Berkeley Computers Attacked Via Windows Vulnerability (5/7 August 2003)
About 2,000 of Stanford University's 20,000 desktop computers have been attacked via a recently discovered Windows vulnerability. Each of the machines was infected with a piece of code that could be activated at a later date. Stanford technicians have disconnected the affected computers and are working to remove the code from each of them. In a separate story, the University of California, Berkeley planned to shut down outside access to part of its network after as many as 100 computers were attacked via a Windows vulnerability. The Campus Information Systems Security Officer noted that the university was getting about 1,000 external scans daily looking for vulnerable Windows machines.
-http://www.bayarea.com/mld/mercurynews/news/local/6479603.htm?template=contentModules/printstory.jsp
-http://www.trivalleyherald.com/cda/article/print/0,1674,86%257E10669%257E1552750,00.html
Maryland Governor Calls for Electronic Voting Machine Risk Assessment (7 August 2003)
Maryland Governor Robert L. Ehrlich, Jr. (R) has asked Science Applications International Corp. (SAIC) to prepare a risk assessment after the company examined the hardware and software of Diebold's touchscreen voting machines. Maryland has agreed to pay $55 million to Diebold to provide the electronic voting machines for every precinct in the state in time for the 2004 election. The governor's request follows close on the heels of the release of a study from Johns Hopkins researchers that asserts Diebold's system could allow election sabotage. SAIC will also examine state and local voting procedures. Compounding Diebold's problems is evidence presented to Wired News from someone who says he broke into Diebold's computer systems and stole internal discussion-list archives, a software bug database and more company software.
-http://www.washingtonpost.com/ac2/wp-dyn/A25673-2003Aug6?language=printer
-http://www.wired.com/news/privacy/0,1848,59925,00.html
******** Announcing An Australian Executive Security Conference********
Preliminary Announcement - SANS Australian Information Assurance
Leadership at the National Conference Centre Canberra 6 - 7 November
2003.
http://www.sans.org/aial03
***********************************************************************
THE REST OF THE WEEK'S NEWS
Purchasing Plan Study Places IDS High on Lists (8 August 2003)
Meta Group conducted a study of companies' purchasing plans and found that there is strong interest in network and host intrusion detection systems (IDS). Meta Group vice president Tom Scholtz said companies that purchase the products without first having a security policy in place may justifiably feel they have not received their money's worth: "Causing a false sense of security can actually harm the security effort."
-http://www.vnunet.com/News/1142888
[Editor's Note (Schultz): It's good to see that Meta (unlike Gartner) is not proverbially throwing the baby out with the bath water when it comes to intrusion detection technology. Granted, intrusion detection technology has not delivered as much ROI as it should, but this technology is constantly improving and many organizations are learning to deploy it more cost effectively. Furthermore, given that there is currently more hype than reality to "intrusion prevention" (even though this area is very, very promising!), count on intrusion detection technology being with us for a long, long time. (Northcutt) All the research I have been doing for the intrusion detection/prevention workshop in October in Las Vegas
-http://www.sans.org/preventintrusions/cfp.php
seems to indicate Meta is correct and the Gartner "IDS is Dead" report was off the beam. One indicator that IDS is still hot is that the new Snort 2.0 book is flying off the shelves. The Amazon sales rank was 1,821, which is pretty good for a security book.
-http://www.amazon.com/exec/obidos/tg/detail/-/1931836744/ref=pd_sim_books_3/104-2257878-2059938?v=glance&s=books#product-details ]
Scenario Depicts Cyber Attack in Critical Infrastructure (11 August 2003)
In a paper, Roelof Temmingh, technical director of a South African computer security company, described a scenario in which a worm attack could be designed to target a country's critical infrastructure. The attack would involve getting people at certain companies or government agencies to click on a link embedded in an e-mail message; the link would take them to a site that would contain malicious code. The key to launching such an attack is finding actual e-mail addresses at those institutions; Temmingh demonstrated scripts he has developed that scour the Internet for the domains of targeted institutions.
-http://www.zdnet.com/anchordesk/stories/story/0,10738,2914453,00.html
-http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-sensepost/bh-us-03-sensepost-paper.pdf
[Editor's Note (Schultz): I question how responsible publicly disseminating ideas like these is. Just as in the case of the paper that so boldly predicted the emergence of an "uberworm," these "how to write a devastating worm" papers provide would-be attackers with ideas that they themselves are incapable of coming up with, and also increase the motivation within the black hat community and others for perpetrating attacks of this nature. ]
Man Pleads Guilty in ATM Skimming Case (11 August 2003)
Kok Meng Ng has pleaded guilty in NSW (New South Wales, Australia) district court to four charges of violating the Commonwealth Financial Transactions Act and computer offenses. Ng was involved with an operation that "skimmed" information from ATM users; a device installed in the ATMs obtained the cards' magnetic strip contents, while a camera positioned above the machine recorded customers' PINs. Ng's accomplices have apparently fled the country. There is a fascinating disparity in the amount of money allegedly stolen. The first link was 643k; then 500k:
-http://www.smh.com.au/articles/2002/11/17/1037490056082.html
And there are several news stories with 200k:
-http://www.themercury.news.com.au/common/story_page/0,5936,5519299%255E421,00.html
-http://heraldsun.news.com.au/common/story_page/0,5478,5519299%255E421,00.html
Linux Receives Common Criteria Certification (5/6 August 2003)
SuSE Linux Enterprise Server 8 running on certain IBM servers has been granted Common Criteria Evaluation Assurance Level 2 (EAL2), meaning that it can now be used on military and government systems. IBM expects that SuSE Linux will receive EAL3 by the end of the year, and EAL4 in about 18 months.
-http://news.com.com/2102-7252_3-5059846.html?tag=ni_print
-http://www.computerworld.com/printthis/2003/0,4814,83731,00.html
-http://www.fcw.com/fcw/articles/2003/0804/web-linx-08-06-03.asp
-http://www.eweek.com/print_article/0,3668,a=45888,00.asp
[Editor's Note (Paller): Sadly, this recognition for Linux doesn't tell buyers anything about the safety of the system, just as Common Criteria evaluation told us nothing about how many vulnerabilities would be found in Microsoft's Common Criteria evaluated operating system and Oracle's Common Criteria evaluated database. Unless secure configuration standards are integrated into Common Criteria measurement, the program's funding should be dropped in favor of using the money to help secure the systems government has already purchased. ]
Research Predicts Increased Security Spending (8/11 August 2003)
Research from Datamonitor indicates that worldwide spending on enterprise security products will grow to $13.5 billion in 2006; spending on security products in 2002 was $7.1 billion. Companies spend the most on intrusion protection, vulnerability assessment and security management tools. The predicted increase in spending is attributable to companies moving toward layered security, meaning they use a variety of products.
-http://zdnet.com.com/2102-1105_2-5062169.html?tag=printthis
-http://www.vnunet.com/News/1142897
[Editor's Note (Grefer): This approach has been around for quite a while, with widespread use in Germany and other parts of Europe over the last decade. One common variation includes a transparent "protective cover" placed over the ATM's keypad, allowing capture of the actual keystrokes, in combination with an ultra-thin card reader attached right in front of the ATM's reader, capturing card information while the card is passed through. ]
NSA Wants Congress to Fund National Software Assurance Center (8 August 2003)
The National Security Agency (NSA) is asking Congress to fund a National Software Assurance Center, which would develop methods for detecting backdoors and logic bombs in large software applications. The Center would include representatives from academia, industry, government, national laboratories and the security community.
-http://www.securityfocus.com/printable/news/6671
Acxiom Acknowledges Database Security Breach (7/8 August 2003)
Data integration software provider Acxiom Corp. has acknowledged that sensitive data belonging to some of its clients' customers was accessed during a breach that involved an FTP server outside the company's firewall. A former employee of one of Acxiom's clients has been arrested in connection with the breach; the person allegedly cracked server passwords and had legitimate access to the server at the time of the data theft. Acxiom has changed those passwords and is informing affected customers of the breach.
-http://www.computerworld.com/printthis/2003/0,4814,83854,00.html
-http://www.washingtonpost.com/ac2/wp-dyn/A31921-2003Aug7?language=printer
OMB Advises Agencies on FISMA Compliance (7 August 2003)
Office of Management and Budget (OMB) director Joshua Bolten has sent a letter to agency executives describing how they should implement the Federal Information Security Management Act (FISMA). The letter also lists the criteria necessary for agencies to receive a score of green on the stoplight scoring system used to measure compliance with the President's Management Agenda.
-http://www.gcn.com/vol1_no1/daily-updates/23078-1.html
[Editor's Note (Paller): In the letter, Director Bolten reminded agencies that FISMA "requires that each agency develop specific system configuration requirements
[... ]
and ensure compliance with them." The letter goes on to say that this requirement includes specific system security settings and must be accompanied by "adequate ongoing monitoring and maintenance." It suggests agencies would be well served if they use the consensus security configuration benchmarks developed by the National Security Agency, NIST, and other groups (the Center for Internet Security). If the government follows through on this initiative, it will be showing remarkable leadership in improving security. If it also helps to create consensus security configuration benchmarks for all popular operating systems and applications, and test beds for ensuring applications work effectively on safely configured and patched systems, government will go a long way toward helping protect the rest of the critical infrastructure. ]
Many IT Execs Don't Know What's Running on Their Systems (7 August 2003)
According to a survey of 190 network IT executives conducted by network software company Packeteer, only 25% said they know exactly which applications are running on their systems and how much bandwidth each consumes. 59% said they would increase bandwidth to address network traffic congestion and degraded application performance, which Packeteer says is expensive and can be ineffective; the company recommends the use of network monitoring tools.
-http://www.theregister.co.uk/content/5/32218.html
-http://www.packeteer.com/news/pr.cfm?pr_ID=216
[Editor's Note (Ranum): They asked the wrong people. Ask network administrators and you'll get the truth: fewer than 1% of the organizations in the world probably have even a cursory idea what's going on in their networks. ]
Computer Fraud and Abuse Act Conviction Is Appealed (7 August 2003)
Jennifer Granick has filed an appeal on behalf of Bret McDanel, who served 16 months in prison for violating the Computer Fraud and Abuse Act. In early September, 2000, McDanel sent 5,600 e-mail messages to customers of Tornado Development, Inc., his former employer. The messages warned customers of a vulnerability in the messaging business' e-mail system that exposed network identifiers (NIDs). The prosecutors alleged that McDanel intended to overwhelm Tornado's e-mail server, and compounded the problem by creating a public relations headache. The appeal brief states that McDanel did not cause denial-of-service and that the systems were in fact taken down to address the vulnerability. In addition, Granick's brief maintains that the law was misinterpreted in McDanel's prosecution; the government's assertion that McDanel transmitted damaging data when he sent the e-mails "is not supported by case law."
-http://www.securityfocus.com/printable/news/6643
BSA Report Says Tide of US Software Piracy is Ebbing (5 August 2003)
Statistics in a report recently released by the Business Software Alliance (BSA) indicate that the rate of software piracy in the US is declining. Though the incidence of software piracy dropped two percentage points between 2001 and 2002, the estimated costs associated with software piracy increased from $1.8 billion to $1.9 billion.
-http://news.com.com/2102-1012_3-5060288.html?tag=ni_print
Without Clear Security Policies, Cyber Crime Cases Could be Dropped (5 August 2003)
According to Steve Santorelli, detective sergeant at Scotland Yard's Computer Crime Unit, many cases involving cyber crime at UK businesses have to be abandoned because the companies have not implemented clear security policies. If employees are not well informed about what constitutes improper behavior regarding computers, prosecution can become difficult. Companies should design their own policies, tailored to fit their own needs, and should ensure certain employees are aware of the policies.
-http://www.computerweekly.com/articles/article.asp?liArticleID=123928
File Signature Database Would Help Establish Software Integrity (5 August 2003)
Tripwire, Inc., together with IBM, Hewlett-Packard, RSA Security and other vendors, has announced the intention to create a file signature database (FSDB). The database would include such information as "born-on" date, file name and hash value so that customers can "verify the identity and integrity of the software on their systems."
-http://www.computerworld.com/printthis/2003/0,4814,83742,00.html
-http://www.nwfusion.com/news/2003/0805tripwire.html
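To illustrate how a file signature database of the kind described above would be used on the consumer side, here is an added example (not code from Tripwire or the FSDB consortium): each record carries the file name, a "born-on" date and a SHA-256 hash of the known-good content, and a directory scan classifies every file as verified, modified (known name, unexpected hash) or unknown. The record layout, the sample files and the use of SHA-256 are assumptions for the illustration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class FileSignature:
    """One hypothetical FSDB record: name, vendor 'born-on' date and content hash."""
    name: str
    born_on: str    # ISO date the vendor published this build (assumed field)
    sha256: str     # hex digest of the known-good file content


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_fsdb(records):
    """Index records by (name, hash): identity and integrity are checked together."""
    return {(r.name, r.sha256): r for r in records}


def verify_directory(directory: str, fsdb: dict) -> dict:
    """Return {file name: 'verified' | 'modified' | 'unknown'} for every file in the directory."""
    known_names = {name for name, _ in fsdb}
    results = {}
    for name in sorted(os.listdir(directory)):
        digest = sha256_of(os.path.join(directory, name))
        if (name, digest) in fsdb:
            results[name] = "verified"      # name and hash both match a vendor record
        elif name in known_names:
            results[name] = "modified"      # vendor ships this name, but content differs
        else:
            results[name] = "unknown"       # nothing in the database vouches for it
    return results


def demo() -> dict:
    """Constructed sample: one intact vendor file, one altered on disk, one foreign file."""
    good_tool = b"#!/bin/sh\necho vendor tool v1\n"
    altered_tool = good_tool + b"echo extra line added after install\n"
    lib_bytes = b"constructed library contents"
    fsdb = build_fsdb([
        FileSignature("tool.sh", "2003-08-01", hashlib.sha256(good_tool).hexdigest()),
        FileSignature("lib.so", "2003-08-01", hashlib.sha256(lib_bytes).hexdigest()),
    ])
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("tool.sh", altered_tool), ("lib.so", lib_bytes), ("extra.bin", b"not in db")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return verify_directory(d, fsdb)


if __name__ == "__main__":
    print(demo())
```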
Former Employee Pleads Guilty to Computer Intrusion (4 August 2003)
A former Telecast Fiber Systems, Inc. employee has pleaded guilty to breaking into the company's computer system and deleting files. John Corrado will pay the Worcester, MA company $10,360, the estimated amount of their losses. Corrado apparently remotely accessed the computer system about a month after he left the company; he will be sentenced in early October and faces up to a year in prison and a fine of $100,000.
-http://boston.bizjournals.com/boston/stories/2003/08/04/daily11.html?t=printable
Triple DES Implementation Will be Costly (4 August 2003)
Starting in 2004, the banking and retail industries will be required to convert electronic fund networks to the Triple Data Encryption Standard (DES). As computing power has increased over recent years, the current DES standard has become increasingly vulnerable. The upgrades will require many hours of labor and large amounts of money. For example, Chicago's Bank One Corp. plans to replace its 4,000 ATMs with Triple DES-compliant machines over the next three years, at a cost of at least $150 million.
-http://computerworld.com/printthis/2003/0,4814,83685,00.html
[Editor's Note (Grefer): TripleDES is simply a piece of code that could be included as part of a software (or worst case: firmware) upgrade. The estimate reported in this article appears rather to be a roll-out of new equipment using the excuse of fixing a security issue. (Northcutt) I would have expected they would be thinking about AES. I found a banking newsletter with additional information on this subject:
-http://www.icbnd.com/data/newsletter/community%20banker%20feb%2003%20.pdf ]
==end==
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/