SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #34
August 27, 2003
Microsoft Patch Hoax Alert and Security Awareness Opportunity.
Stephen Northcutt just forwarded me an email that was sent from a
spoofed Microsoft address (security.microsoft.com, but that may change
as this attack matures) asking the recipient to install a fake patch.
He used the opportunity to educate SANS' less technical staff on
recognizing and avoiding such hoaxes, by sending them the following
note. Please feel free to rewrite it or use the text as you see fit and
share it with your family, neighbors, and non-technical users with whom
you work.
"I received an email message that claims to be from Microsoft that
says to install a patch. I hope you are aware this is a hoax, but
wanted to make sure. The way to get a patch from Microsoft is
through Windows Update."
Alan
TOP OF THE NEWS
FBI On the Trail of Sobig.F
Sobig.F Spreads Aggressively, but Potential Attack is Thwarted
Worm Affects CSX System; Train Signals Affected
Microsoft Mulls Enabling Auto Update in Windows
Slammer Crashed Monitoring System at Ohio Nuclear Plant
Welchia/Nachi Hits Navy/Marine Corps Intranet and State Dept.
Welchia/Nachi Worm Hits Hospital
THE REST OF THE WEEK'S NEWS
Premium Pay for Certifications is Down (But Not for Security)
Used BlackBerry Contained Proprietary Information
CA Supreme Court Reverses Appeal Ruling in DeCSS Case
SCO Website Hit with Denial-of-Service Attack
Los Alamos National Lab Whistleblower Receives Settlement
Flash Memory Devices Pose Security Risk
Microsoft Issues Patches for IE and MDAC Vulnerabilities
Court Orders Back-Door in Java Anonymous Proxy
House Committees Exploring Northeast Blackout and Cyber Vulnerabilities
Web Application Penetration Testing, Part 3
Poll Shows 25% of Small UK Businesses Don't See Need for Security Software
Chinese Ministries Urged to Buy Domestic Software
SANS READING ROOM NEW PAPER OF THE WEEK
Case Study in Implementing Security for HIPAA Privacy Compliance
****** This Issue Sponsored By LURHQ Managed Security Solutions *******
MSBlast demonstrated the importance of narrowing the gap between
vulnerability announcements and remediation. Time is of the essence
when attempting to defend your organization against these new threats.
Read this case study to see how an integrated Threat Management solution
delivers rapid response to emerging threats:
http://www.lurhq.com/blaster.html
***********************************************************************
TOP OF THE NEWS
FBI On the Trail of Sobig.F (25 August 2003)
The Sobig.F worm may have originated on an adult Usenet newsgroup. Phoenix Usenet access provider EasyNews was served with a subpoena from the FBI regarding an account that may have been used to post the worm. That account was established with a stolen credit card number just minutes before the worm was posted.
-http://www.computerworld.com/printthis/2003/0,4814,84326,00.html
-http://zdnet.com.com/2102-1105_2-5067462.html?tag=printthis
Sobig.F Spreads Aggressively, but Potential Attack is Thwarted (20/21/22/23 August 2003)
Security researchers worked with Microsoft and the FBI to stave off what could have been a massive attack launched by computers infected with the Sobig.F worm. Infected machines were supposed to download code at 3:00 PM EDT on Friday (8/22) from one of 20 servers. Varying reports indicated that between 16 and all 20 of those servers were taken off line, blocked or secured before the scheduled download time. Auto-respond systems, which send e-mail back to a sender when they detect infected messages, have contributed to the significant increase in e-mail volume.
-http://www.wired.com/news/print/0,1294,60150,00.html
-http://news.com.com/2102-1009_3-5067311.html?tag=ni_print
-http://www.cnn.com/2003/TECH/internet/08/22/sobig.virus/index.html
-http://www.computerworld.com/printthis/2003/0,4814,84293,00.html
-http://www.theregister.co.uk/content/56/32434.html
-http://www.washingtonpost.com/wp-dyn/articles/A34422-2003Aug22.html
-http://www.cnn.com/2003/TECH/internet/08/25/virus.slows.reut/index.html
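Two points in this issue translate directly into mail-gateway rules: the spoofed "Microsoft patch" message described at the top of the newsletter (a vendor-looking sender plus an executable attachment; real patches come through Windows Update), and the auto-responders that added to Sobig.F's mail volume by replying to forged senders. The following script is an added example written for this editorial pass, not code from SANS or from any of the articles cited. The vendor domain list, the attachment extensions, the patch wording and both sample messages are constructed assumptions.

```python
"""Mail-gateway triage for "install this patch" messages.

Rule 1: a message whose From: claims a vendor domain and which carries an
executable attachment is quarantined.
Rule 2: a quarantined message never triggers an auto-reply, because worm
traffic forges From: and a bounce only goes to an innocent third party.
All sample messages below are constructed, not captured mail."""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Assumptions for this example: vendor domains a sender may claim, attachment
# types a vendor never distributes by e-mail, and patch wording to look for.
VENDOR_DOMAINS = {"microsoft.com"}
EXECUTABLE_EXTENSIONS = (".exe", ".pif", ".scr", ".com", ".bat", ".vbs")
PATCH_WORDS = ("patch", "update", "hotfix")


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if absent)."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def claims_vendor(domain):
    """True for the vendor domain itself or any subdomain of it, such as the
    security.microsoft.com address used by the hoax above."""
    return any(domain == v or domain.endswith("." + v) for v in VENDOR_DOMAINS)


def executable_attachments(msg):
    """File names of attachments whose extension is in EXECUTABLE_EXTENSIONS."""
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTENSIONS):
            names.append(name)
    return names


def triage(raw):
    """Return a verdict dict for one raw RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body is not None else ""
    text = (msg.get("Subject", "") + " " + body_text).lower()
    exes = executable_attachments(msg)
    reasons = []
    if exes and claims_vendor(domain):
        reasons.append("sender claims %s but ships executable %s" % (domain, exes))
    if exes and any(w in text for w in PATCH_WORDS):
        reasons.append("asks the recipient to install an attached 'patch'; "
                       "vendor patches come through Windows Update, not e-mail")
    return {"verdict": "quarantine" if reasons else "deliver",
            "reasons": reasons, "sender_domain": domain}


def should_autoreply(result):
    """Only delivered mail may trigger a 'virus found' or out-of-office reply."""
    return result["verdict"] == "deliver"


def build_sample(hoax):
    """Constructed sample: a hoax patch mail with a .exe, or a plain notice."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Security <security@security.microsoft.com>"
    msg["To"] = "user@example.org"
    if hoax:
        msg["Subject"] = "Latest Security Patch"
        msg.set_content("Please install the attached patch to protect your computer.")
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename="patch.exe")
    else:
        msg["Subject"] = "Monthly newsletter"
        msg.set_content("This month's product news.")
    return msg.as_string()


HOAX_MAIL = build_sample(True)
PLAIN_MAIL = build_sample(False)

if __name__ == "__main__":
    for raw in (HOAX_MAIL, PLAIN_MAIL):
        r = triage(raw)
        print(r["verdict"], "auto-reply allowed:", should_autoreply(r), r["reasons"])
```

The rules key on the combination (vendor-looking sender plus executable attachment, or patch wording plus executable attachment) rather than on the sender alone, so ordinary vendor mail without an attachment is still delivered.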
Worm Affects CSX System; Train Signals Affected (21 August 2003)
A worm penetrated CSX Corp.'s computer system, shutting down train signaling and dispatching systems in the eastern US, according to a CSX spokesman. It is unclear which worm caused the problems.
-http://www.washingtonpost.com/wp-dyn/articles/A23020-2003Aug20.html
[Editor's Note (Ranum): Repeat after me: Mission critical systems should be on isolated networks that are not connected to the Internet. There is no amount of web surfing fun that justifies the cost and labor downside of an incident such as the one above. (Paller) I don't believe people set up network connections primarily to allow operators to do web surfing or email. Rather, mission critical systems are connected to the Internet almost entirely for monitoring and remote management. Marcus is right about the danger. Either the systems must be isolated on a subnet with a closed firewall that allows a port to be opened and a few packets to go out, or they need to be completely disconnected from the general network and allow management data to be sent entirely through out of band communication (dedicated link or telephone - but no auto answer modems). ]
Microsoft Mulls Enabling Auto Update in Windows (19/21/22 August 2003)
Microsoft is considering enabling its Auto Update feature in new versions of Windows. The feature is presently an option that users choose to enable; users were unhappy with the idea of Microsoft having seemingly unfettered access to their computers. However, in light of the recent spate of prolific worms, an automatic update system might be the best form of protection against something like this happening again, according to some experts. Concerns about an automated update system include the possibility of its being compromised and the fact that some people want to test patches before applying them to their systems.
-http://www.securityfocus.com/news/6761
-http://news.com.com/2102-1009_3-5066612.html?tag=ni_print
[Editor's Note (Ranum): Apparently, SOMEONE is going to have unfettered access to users' computers: either hackers or Microsoft. What scares me is that we'll end up with the worst of both worlds: both the hackers AND Microsoft will have unfettered access to our computers. ]
Slammer Crashed Monitoring System at Ohio Nuclear Plant (19 August 2003)
In January, the Slammer worm apparently made its way into the computer network at Ohio's Davis-Besse nuclear power plant, crashing an important monitoring system. The plant had been off-line for nearly a year, and the monitoring system's redundant analog backup was not infected. Slammer first infected a Davis-Besse contractor's network, then gained a foothold in the plant's network through a T1 line, bypassing a firewall that blocked the port exploited by Slammer. This and other similar incidents underscore the computer security issues facing the energy industry.
-http://www.securityfocus.com/news/6767
[Editor's Note (Ranum): Repeat after me: Mission critical systems should be on isolated networks that are not connected to the Internet. ]
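The Davis-Besse story has a detection lesson as well as an isolation lesson: the perimeter firewall blocked the worm's port, but a contractor's T1 link came in behind it, so the only place the sweep was visible was on the internal segment. The script below is an added example for this editorial pass, not code from the article or from SANS. It flags Slammer-style fan-out from per-flow records by counting, per source host, the distinct destinations contacted on the worm's port inside a sliding time window. The article does not name the port; udp/1434 (the SQL Server Resolution Service) is supplied from the editor's own knowledge, and the threshold, window and flow records are constructed assumptions.

```python
"""Flag Slammer-style fan-out on the port the worm used.

Counts, per source host, distinct destinations contacted on udp/1434 inside a
sliding time window. Port 1434 is from outside the NewsBites item (SQL Server
Resolution Service). Flow records are constructed, one per line, in the form
    time,proto,src,dst,dport
and should come from the internal segments, not only the Internet edge."""
from collections import defaultdict

SLAMMER_PORT = 1434          # not named in the article; editor's knowledge
FANOUT_THRESHOLD = 20        # distinct destinations per window (assumption)
WINDOW_SECONDS = 10.0        # sliding window length (assumption)


def parse_flow(line):
    """Parse one 'time,proto,src,dst,dport' record."""
    t, proto, src, dst, dport = line.strip().split(",")
    return float(t), proto.lower(), src, dst, int(dport)


def find_scanners(lines, port=SLAMMER_PORT, threshold=FANOUT_THRESHOLD,
                  window=WINDOW_SECONDS):
    """Map each source that reaches at least `threshold` distinct destinations
    on udp/<port> within `window` seconds to its peak fan-out."""
    events = defaultdict(list)                 # src -> [(time, dst), ...]
    for line in lines:
        if not line.strip():
            continue
        t, proto, src, dst, dport = parse_flow(line)
        if proto == "udp" and dport == port:
            events[src].append((t, dst))
    alerts = {}
    for src, ev in events.items():
        ev.sort()                              # time order for the window scan
        for i, (t0, _) in enumerate(ev):
            dsts = {d for t, d in ev[i:] if t - t0 <= window}
            if len(dsts) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(dsts))
    return alerts


def constructed_flows():
    """Constructed sample traffic for an internal segment (no real capture)."""
    lines = []
    for i in range(5):                         # ordinary DNS from a workstation
        lines.append(f"{100 + i},udp,10.20.0.11,10.20.0.1,53")
    for i in range(3):                         # one client, one SQL server: benign
        lines.append(f"{120 + 2 * i},udp,10.20.0.12,10.20.0.5,1434")
    for i in range(40):                        # infected host sweeps 40 addresses in 2 s
        lines.append(f"{130 + 0.05 * i:.2f},udp,10.20.0.7,192.0.2.{i + 1},1434")
    return lines


SAMPLE_FLOWS = constructed_flows()

if __name__ == "__main__":
    for src, fanout in find_scanners(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {fanout} distinct hosts on udp/{SLAMMER_PORT}")
```

The single client talking repeatedly to one SQL server stays below the threshold because the rule counts distinct destinations, not packets; a worm that sweeps addresses is what trips it.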
Welchia/Nachi Hits Navy/Marine Corps Intranet and State Dept. (19/22 August 2003)
The Navy says it has contained the Welchia/Nachi worm, which hit an unclassified section of the Navy/Marine Corps Intranet (N/MCI); infected systems are being scrubbed. The N/MCI was never completely down, and users were still able to access desktop applications. Sobig.F also tried to infiltrate the system, but the N/MCI anti-virus software removed the attachments, rendering it harmless. Welchia also hit the State Department's computer systems, affecting some embassies and passport offices, as well as a headquarters building. Some of the systems were taken off-line until the infection was cleaned up.
-http://www.gcn.com/vol1_no1/daily-updates/23195-1.html
-http://www.fcw.com/fcw/articles/2003/0818/web-nmci-08-19-03.asp
-http://www.computerworld.com/securitytopics/security/story/0,10801,84158,00.html
-http://federaltimes.com/index.php?S=2153745
Welchia/Nachi Worm Hits Hospital (22 August 2003)
The Welchia/Nachi worm hit Yorkhill Hospital in Glasgow, Scotland last week. Hospital staff were unable to access medical records and resorted to using paper files. A hospital spokesman said patients were never at risk due to the worm, and that essential systems were restored within 16 hours after the worm was detected.
-http://news.bbc.co.uk/2/hi/uk_news/scotland/3174173.stm
[Editor's Note (Ranum): Repeat after me: Mission critical systems should be on isolated networks that are not connected to the Internet. ]
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) ALERT: Hackers New Trick- LDAP Injections- FREE White Paper
http://www.sans.org/cgi-bin/sanspromo/NB216
(2) EVERY NETWORK ATTACK BEGINS WITH AN ATTACKER. Neutralize the
source. FREE WP.
http://www.sans.org/cgi-bin/sanspromo/NB217
(3) WHITE PAPER - 10 leading enterprise techniques to control spam
***request paper
http://www.sans.org/cgi-bin/sanspromo/NB218
***********************************************************************
THE REST OF THE WEEK'S NEWS
Premium Pay for Certifications is Down (But Not for Security) (19 August 2003)
Research from Foote Partners LLC shows that premium pay for IT certifications has fallen nearly 6% over the past year. However, people who keep their certifications current are more likely to receive pay raises than are those who allow their certifications to lapse. Managers also note that they are more likely to receive money for training if the outcome will be certification.
-http://www.computerworld.com/printthis/2003/0,4814,84147,00.html
[Editor's Note (Paller): David Foote (the study's author) told us in a separate communication that security certifications are an exception to the trend. He's also offered NewsBites readers a free copy of some of the charts showing the patterns and trends. If you would like a copy, email him at dfoote@footepartners.com. (Northcutt): We have been in a very slow economy that appears to be heating up. As companies seek to grow their workforce, a respected certification, a line in the sand that proves the employee meets a minimum standard, will rapidly grow in importance. ]
Used BlackBerry Contained Proprietary Information (25 August 2003)
A man who bought a BlackBerry on eBay for $15.50 found that the wireless device contained a database of over 1,000 names, e-mail addresses and phone numbers of Morgan Stanley executives, as well as more than 200 internal Morgan Stanley e-mails. The seller is a former VP of mergers and acquisitions who had left the company. He said he had removed the battery months before selling the BlackBerry and assumed the data had been erased. Departing employees normally hand over their BlackBerries to be erased before they leave the company as a part of a company policy, even though the employees, not the company, own the devices.
-http://www.wired.com/news/print/0,1294,60052,00.html
CA Supreme Court Reverses Appeal Ruling in DeCSS Case (25 August 2003)
The California Supreme Court reversed a court of appeal ruling that allowed Andrew Bunner, a programmer, to post on the Internet code that can be used to crack the encryption on DVD movies. Bunner was initially sued under California's Uniform Trade Secrets Act, and a judge ordered him to remove the code from the Internet. However, the court of appeal ruled that the First Amendment right to freedom of speech was more important than the protection of trade secrets. The Supreme Court ruling on August 25 said that an order to remove the code in question was not a violation of the "free speech clauses of the United States and California constitutions."
-http://www.washingtonpost.com/ac2/wp-dyn/A42668-2003Aug25?language=printer
-http://zdnet.com.com/2102-1105_2-5067665.html?tag=printthis
[Editor's Note (Schneier): Bad sign, but not altogether surprising, since every other ruling in the DeCSS-related cases has gone in favor of limiting speech. ]
SCO Website Hit with Denial-of-Service Attack (25 August 2003)
The SCO Group's website was the target of a denial-of-service (DoS) attack over the weekend. The attack was the handiwork of someone angry about SCO's claims of copyright violation by those in the open source community. Open Source Initiative President Eric S. Raymond confirmed the suggestion, saying the person he believes is behind it, a member of the open source community, had agreed to stop the attack. Mr. Raymond says he is "ashamed for all of us [in the open source community]", and exhorts people never to stoop to this level again.
-http://news.com.com/2102-1002_3-5067743.html?tag=ni_print
-http://linuxtoday.com/news_story.php3?ltsn=2003-08-25-010-26-NW-CY-LL
Los Alamos National Lab Whistleblower Receives Settlement (22 August 2003)
Glenn Walp, who was fired from his job as Head of Los Alamos' Security Inquiries after investigating missing computers and other infractions, has received a $930,000 settlement from the University of California, which manages the laboratory for the Energy Department. The university reached a settlement with another whistleblower in March.
-http://gcn.com/vol1_no1/security/23282-1.html
Flash Memory Devices Pose Security Risk (22 August 2003)
Portable flash memory storage devices could pose security threats to organizations because administrators cannot control data transfer between networks and the devices. The devices could be used to steal corporate data or release malware into a company network inside the firewall. One way to address the problem would be to restrict users' file access.
-http://news.com.com/2102-1009_3-5067246.html?tag=ni_print
[Editor's Note (Grefer): Many of the claimed vulnerabilities are present in almost all portable storage devices or media. The claim of a lack of control, however, is not valid. It is possible to disable auto-mounting features, prevent auto-installation of necessary drivers, and restrict user access to existing devices. It boils down to making a decision balancing security and usability. ]
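Two of the three controls in the editor's note above (disabling auto-mounting of removable media and preventing automatic installation of the storage driver) are single registry values on Windows, which makes them easy to audit across a fleet from exported registry text. The script below is an added example for this editorial pass, not code from the article or from SANS. It parses the text that `reg export` writes and checks that the USB mass-storage driver is disabled (USBSTOR `Start` = 4) and that AutoRun is off for every drive type (`NoDriveTypeAutoRun` = 0xFF). Those two value names and settings are standard Windows configuration known to the editor, not taken from the page; the "weak" and "hardened" exports are constructed. The third control, restricting user access to devices that are already present, is an ACL question and is not covered here.

```python
"""Audit a Windows registry export for two removable-media controls.

Parses the text format that `reg export` writes and checks:
  (1) USB mass-storage driver disabled:    USBSTOR  Start = 4
  (2) AutoRun off for all drive types:     Explorer NoDriveTypeAutoRun = 0xFF
The value names are standard Windows settings (editor's knowledge, not from
the NewsBites item); both exports below are constructed samples."""

CHECKS = {
    # registry key path (lower-cased) -> (value name, required DWORD)
    r"hkey_local_machine\system\currentcontrolset\services\usbstor":
        ("Start", 4),
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer":
        ("NoDriveTypeAutoRun", 0xFF),
}


def parse_reg_export(text):
    """Return {key_path_lowercase: {value_name: value}} for a .reg export.
    DWORD values become ints; other values are kept as the raw string."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            else:
                keys[current][name] = raw.strip('"')
    return keys


def audit(text):
    """Map each checked value name to (compliant, observed_value).
    A missing key or value is reported as non-compliant with value None."""
    keys = parse_reg_export(text)
    findings = {}
    for path, (name, want) in CHECKS.items():
        have = keys.get(path, {}).get(name)
        findings[name] = (have == want, have)
    return findings


# Constructed export showing the usual defaults: the driver loads on demand (3)
# and AutoRun is disabled for only some drive types (0x95).
WEAK_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
'''

# Constructed export of the same keys after hardening.
HARDENED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
'''

if __name__ == "__main__":
    for label, text in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        for name, (ok, have) in audit(text).items():
            print(f"{label:9} {name:20} {'OK ' if ok else 'FAIL'} observed={have}")
```

Because the check runs on exported text, the same script can be pointed at exports collected from many machines without running anything on them, which is the trade-off the note describes: the control exists, the cost is deciding to apply it.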
Microsoft Issues Patches for IE and MDAC Vulnerabilities (21 August 2003)
Microsoft recently released two security bulletins; both exhort users to apply patches. The first is a cumulative patch for Internet Explorer (IE) and addresses two critical flaws in IE versions 5.01, 5.5, 6.0 and 6.0 with Service Pack 1; the flaws could allow attackers to execute code on vulnerable machines. The vulnerability also exists for IE 6.0 on Windows Server 2003, but is rated moderate because that version of IE is delivered in a default configuration "which prevents exploitation of those flaws." The second Microsoft advisory addresses an "important" vulnerability in Microsoft Data Access Components (MDAC) that could allow an attacker to run arbitrary code after setting up a phony SQL server on the same subnet as the vulnerable system. That flaw affects MDAC versions 2.5 - 2.7, which are included with Windows XP, 2000 and Me.
-http://www.computerworld.com/printthis/2003/0,4814,84211,00.html
-http://www.newsfactor.com/perl/story/22135.html
-http://www.microsoft.com/technet/security/bulletin/MS03-032.asp
-http://www.microsoft.com/technet/security/bulletin/MS03-033.asp
Court Orders Back-Door in Java Anonymous Proxy (21 August 2003)
As the result of a court order, the Java Anonymous Proxy (JAP) has had a back door installed in order to provide German police with the IP addresses of those who attempt to access a certain, unnamed website. JAP's operators initially said they had taken the service down "for a few days" "due to a hardware failure" and required users to install an upgraded version. Only after someone examined the upgrade, discovered the backdoor and posted information on the Internet did JAP acknowledge that their product contained a court-mandated "crime-detection function."
-http://www.theregister.co.uk/content/55/32450.html
House Committees Exploring Northeast Blackout and Cyber Vulnerabilities (20 August 2003)
The House Committee on Energy and Commerce is planning to hold hearings early next month to examine the massive blackout that hit the northeast and mid-west along with parts of Canada. Committee chairman Billy Tauzin (R-La.) has asked utility companies and industry councils to supply any pertinent information. The House Committee on Government Reform also wants to examine the power grid's Supervisory Control and Data Acquisition (SCADA) systems. Though SCADA systems used to be proprietary, they are becoming increasingly dependent on "off-the-shelf" technology.
-http://www.computerworld.com/printthis/2003/0,4814,84203,00.html
Web Application Penetration Testing, Part 3 (20 August 2003)
This last article in a series of three on web application penetration testing examines cookies, session security and session IDs, logic flaws and binary attacks.
-http://www.securityfocus.com/infocus/1722
Poll Shows 25% of Small UK Businesses Don't See Need for Security Software (20 August 2003)
A poll of 300 small to medium-sized UK businesses found that 28% of the businesses felt security software "was of no practical use." This point of view was especially prevalent among companies with five or fewer employees. The poll was conducted on behalf of BT Openworld.
-http://www.vnunet.com/News/1143125
Chinese Ministries Urged to Buy Domestic Software (18 August 2003)
China's State Council has crafted a policy directing all government ministries to purchase domestically produced software at their next upgrade. The policy was created to reduce Chinese dependence on Microsoft products and for security considerations. The new policy is designed to remain in effect until 2010. China is a member of the World Trade Organization (WTO), and it has not yet been determined whether the policy violates that group's charter.
-http://news.com.com/2102-1012_3-5064978.html?tag=ni_print
SANS READING ROOM NEW PAPER OF THE WEEK
Case Study in Implementing Security for HIPAA Privacy Compliance
A useful model for anyone trying to comply with the privacy requirements in HIPAA. It is the third paper at
-http://www.sans.org/rr/last.php
PS. The newly updated SANS Reading Room has more than 1,100 original and in-depth research papers in more than 60 categories of security, plus two new features: "Most Popular 25 Papers" and "Newest 25 Papers". If you haven't visited lately, check it out:
-http://www.sans.org/rr/
==end==
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, Marcus
Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/