SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume V - Issue #44

November 05, 2003

TOP OF THE NEWS

Microsoft To Offer Bounty On Hackers
NEC PCs Will Warn Users if IE Settings are Changed
Putnam Puts Bill on Hold After Negative Feedback from Businesses
Trojan Defense Successful Three Times in UK Courts
Three Critical Microsoft Vulnerabilities Patched

THE REST OF THE WEEK'S NEWS

Student Pleads Guilty to Breaking into US National Lab Computer System
Survey Finds European Security More Reactive Than Proactive
Woolsey Says SCADA Security Needs to be Addressed
Phishing Suspect Pleads Guilty
Library of Congress Allows Four DMCA Exemptions
Orbitz Investigating Possible Customer e-Mail Address Theft
Teen Allegedly Breached Security of ISP and University Computer Systems
Iowa State University to Develop Cyber Attack Test Bed
Windows XP Service Pack 2 Will Disable Windows Messenger Service and Activate Internet Connection Firewall
Developing Metrics for Security ROI
E-Mail BackUp Tapes Unintentionally Thrown Out
Temporary Restraining Order Sought Against Diebold
California Puts Diebold Certification on Hold
National Guard Bureau Data Sharing Suffering from Cyber Attacks

NEW SECURITY RESOURCES AND OPPORTUNITIES TO PARTICIPATE

NIST Releases Recommended Security Controls for Federal Information Systems
Consensus Security Vulnerability Alert Bulletin
RSS Feeds for Automated Security News Delivery
NRIC Best Practices List
ACME Paper Defines NetBIOS Port Security
Final Call for Papers SANS 04 - Orlando April 1 - 7, 2004

VULNERABILITY UPDATES AND EFFECTS

Mimail.C Exploits Outlook Vulnerabilities, Uses its Own SMTP Engine to Spread
Mimail.D Launches DDoS Attacks on Anti-Spam Sites
Microsoft Issues Revised Patches
New Version of Mac OS X Fixes Vulnerabilities; Patches Will be Available for Older Versions
New Version of Mac OS X Corrupts External FireWire Hard Disks


*********************** Sponsored by NetIQ ****************************

Need security policies? Don't start from scratch..."Information Security Policies Made Easy" is the best security policy resource guide you can buy with 1300+ ready-to-use security policies that can be quickly customized for any company. Build best practice security policies in half the time and expense.

Download a free policy now! http://www.netiq.com/products/pub/default.asp

***********************************************************************
Highlighted Training Programs of the Week
The best east-coast security conference this year will bring six of SANS top courses to Washington in early December. It also includes a management conference and a free evening program filled with authoritative presentations. The courses are taught by the people who have won the seven-year, global competition to identify the best teachers in each security subject area. SANS instructors bring the information to life - giving you the confidence to put it to work as soon as you get back to the office.
Details: http://www.sans.org/cdieast03/
***********************************************************************

TOP OF THE NEWS

Microsoft To Offer Bounty On Hackers (04 November 2003)

Microsoft will announce today (Wednesday) that it will offer two $250,000 bounties for information that leads to the arrest of the people who released the MSBlast worm and the SoBig virus.
-http://news.com.com/2102-7355_3-5102110.html?tag=st_util_print

NEC PCs Will Warn Users if IE Settings are Changed (31 October 2003)

New PCs from NEC Corp. will have two security enhancing functions enabled. Users will be warned if their Internet Explorer (IE) security settings are changed, and they will be prompted to install patches for their operating systems. NEC computers sold after October 2002 will also have these functions enabled through pre-installed support software that polls a NEC support server.
-http://www.infoworld.com/article/03/10/31/HNnecbattle_1.html
[Editor's Note (Pescatore): This could be a good thing, if the "pre-installed support software" doesn't introduce new vulnerabilities -- which is a pretty big if. Of course, it would be even better if the browser did not allow programmatic changes to user "controlled" settings.
(Schneier): This sounds promising in theory, but I wonder how many viewers will view it as just another dialogue box popping up with useless information. ]

Putnam Puts Bill on Hold After Negative Feedback from Businesses (30 October 2003)

Representative Adam Putnam (R-Fla.) put a cyber security regulation bill on hold after business leaders gave the draft legislation a negative review. The bill called for all publicly traded companies to hire independent security auditors and include the results in their annual reports. Businesses that opposed the bill have said they will work on another plan for cyber security that involves "less government oversight."
-http://www.theledger.com/apps/pbcs.dll/article?AID=/20031030/NEWS/310300507/1039
[Editor's Note (Schultz): I predicted that this would happen. The commercial arena as a whole wants nothing to do with government regulation.
(Pescatore): It took Enron and Worldcom to force Sarbanes Oxley reporting. I guess it will take a similarly damaging cyber-event to force even a high level of cyber-security reporting.
(Grefer): Finding the right balance is a challenge for information security and privacy. Industry self control has so far not lived up to expectations. Consequently, a governing body is required to assist in regulation, implementation and enforcement. ]

Trojan Defense Successful Three Times in UK Courts (28 October 2003)

Three cases in UK courts have set a significant precedent for prosecuting those accused of cyber crimes. In all three cases, defendants' attorneys successfully argued that their clients' computers had been hijacked by Trojan horse programs and therefore the defendants were not responsible for the alleged crimes. While some view the precedent as a safeguard against convicting innocent people, others are concerned that it gives cyber criminals a blanket defense. The Trojan defense has not yet been used in the US court system.
-http://www.computerworld.com/printthis/2003/0,4814,86600,00.html
-http://www.theregister.co.uk/content/55/33636.html
[Editor's Note (Schultz): I fear that this will become the universally-used defense in cybercrime cases. Juries are not likely to know enough to see past this type of alibi. ]

Three Critical Microsoft Vulnerabilities Patched (3 November 2003)

Microsoft Corp. released the second installment of its now monthly security bulletins, patching three software holes in Windows systems that it said were "critical" security risks and a fourth problem with Microsoft Office that the company rated "important."
-http://www.computerworld.com/printthis/2003/0,4814,87058,00.html
[Editor's Note (Paller): As I read today's news stories about Microsoft's new patches, what stood out most was the lack of outrage by the reporters. Microsoft's PR people must be cheering. By moving to monthly release of new patches, they have made bad programming announcements so regular that the press is giving them a free pass. These patches fix one, or many programming errors made by Microsoft's vaunted software development team. The errors are there because that team didn't adequately check its code. Hundreds of thousands or millions of people will not install the patches, because it still takes work and expertise on the part of users. Hackers will write worms that take over those unprotected machines and use them to steal information or attack others. Some of those attacks will be low and slow so you'll never know your systems were compromised or by whom. That's the bottom line on Microsoft's patch announcements. ]


************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.

(1) FREE WHITE PAPER - Spam is no longer simply a nuisance. Act to secure your email systems.
http://www.sans.org/cgi-bin/sanspromo/NB249

(2) Considering vulnerability assessment? Read the latest nCircle white paper about the ten most common pitfalls.
http://www.sans.org/cgi-bin/sanspromo/NB250

(3) Ready for the next NIMDA/CODE RED/BLASTER? Hands-On. Online Demo.
http://www.sans.org/cgi-bin/sanspromo/NB251

***********************************************************************

THE REST OF THE WEEK'S NEWS

Student Pleads Guilty to Breaking into US National Lab Computer System (31 October 2003)

A British university student has pleaded guilty to breaking into a number of computer systems at the Fermi National Accelerator laboratory in Illinois. 18-year-old Joseph James McElroy used the compromised computers to store movie and music files.
-http://www.computerweekly.com/articles/article.asp?liArticleID=126141&liArticleTypeID=1&liCategoryID=2&liChannelID=28&liFlavourID=1&sSearch=&nPage=1

Survey Finds European Security More Reactive Than Proactive (29/30 October 2003)

A McAfee-sponsored survey of European companies found that nearly half of European organizations view security as fixing the vulnerabilities exploited by malware. 84% of respondents, however, said that "security is a critical concern" in their organizations. The percentage of companies that have measures in place to deal with blended threats varies from country to country; this is probably due to language differences and the fact that the majority of worms and viruses are created with English-speaking targets in mind.
-http://news.bbc.co.uk/1/hi/technology/3223887.stm
-http://www.vnunet.com/News/1146438

Woolsey Says SCADA Security Needs to be Addressed (29 October 2003)

Speaking at the Maritime Security Expo in New York, former CIA director James Woolsey said the war on terrorism will probably last for decades and is likely to involve attacks on critical physical and cyber systems. Woolsey says the infrastructure should be built to be resilient in order to prevent cascading failures. Woolsey called attention to the need to improve SCADA (Supervisory Control and Data Acquisition) systems' security.
-http://www.computerworld.com/printthis/2003/0,4814,86638,00.html
[Editor's Note (Pescatore): Most holes in most SCADA systems are not that hard to close. I bet if you took all the fees paid to speakers at security conferences where "protect SCADA" makes headlines, you'd have enough to solve the problem and maybe even trim a few trees away from the power lines. ]

Phishing Suspect Pleads Guilty (29 October 2003)

Helen Carr of Ohio has pleaded guilty to federal conspiracy charges for conducting a phishing operation, a scheme in which bank or ISP customers are spammed with fraudulent e-mail asking for verification of account and other personal information. Ms. Carr was apprehended after an off-duty FBI cyber crime agent received one of her phony e-mails. She could face up to five years in prison.
-http://www.securityfocus.com/news/7329
[Editor's Note (Pescatore): A lot of companies who outsource IT operations are contributing to the brand spoofing/phishing problem. It isn't unusual to get legitimate email from a well known vendor that has an HTML link in the email that appears to be "www.foobarco.com" but when you look at the source you see something like "99.299.99.9:1066" which, after doing a reverse DNS lookup, you find out is really a site at "www.outsourceco.com". While I'd just like to ban HTML email, that'll probably never happen. This practice needs to be one of the top 10 email no-nos. ]
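A defender-side check for the mismatched-link pattern described in the note above, added here as an example; it is not code from SANS or from the newsletter. It parses an HTML e-mail body with Python's standard library and flags every anchor whose visible text names a host that differs from the href's host, or whose href points at a raw IP address. The sample e-mail, the host names in it and the 192.0.2.10 address are all constructed; the two-label "base domain" comparison is a crude stand-in for a public suffix list and will under-flag on multi-label TLDs such as co.uk.

```python
"""Flag HTML e-mail links whose visible text names one host while the href
points somewhere else (or at a bare IP).  Added example, not SANS code.
The e-mail below is constructed for the demonstration."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that "looks like" a URL or host name, e.g. www.foobarco.com/news
HOST_TEXT_RE = re.compile(
    r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:].*)?$", re.I
)

# Constructed sample: one spoofed IP link, one outsourced-host link,
# one legitimate subdomain link, one plain-text link.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please <a href="http://192.0.2.10:1066/verify">www.foobarco.com</a>
to confirm your account.</p>
<p>Our newsletter:
<a href="http://www.outsourceco.com/foobarco/news">www.foobarco.com/news</a></p>
<p>Support: <a href="https://support.foobarco.com/">www.foobarco.com</a></p>
<p>Unsubscribe: <a href="https://www.foobarco.com/unsub">here</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Host named by a URL or bare host name (lowercase), or None."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return parsed.hostname  # urlparse already lowercases it


def base_domain(host):
    """Last two labels of a host: a crude registrable-domain approximation."""
    return ".".join(host.lower().split(".")[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return a list of (href, text, reason) for links worth a second look."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        if not href_host:
            continue  # mailto:, relative or empty hrefs are out of scope here
        if is_ip_literal(href_host):
            findings.append((href, text, "href points to a raw IP address"))
            continue
        match = HOST_TEXT_RE.match(text)
        if not match:
            continue  # visible text is not a host name, nothing to compare
        text_host = match.group(1).lower()
        if base_domain(text_host) != base_domain(href_host):
            findings.append(
                (href, text, f"text names {text_host} but href goes to {href_host}")
            )
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"FLAG: [{text}] -> {href}: {reason}")
```

Run over the constructed sample, the IP-literal link and the www.outsourceco.com link are flagged, the support.foobarco.com link is accepted because it shares the base domain, and the link whose text is just "here" is skipped because there is no host name in the text to compare against.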

Library of Congress Allows Four DMCA Exemptions (28/30 October 2003)

The Library of Congress has specified four exemptions to the Digital Millennium Copyright Act (DMCA). The exemptions cover four classes of work: censorware blacklists, software protected by obsolete dongles, software protected by obsolete media, and e-books that prevent the use of read-aloud or large print options for visually and hearing impaired people. The exemptions will remain in effect through October 27, 2006.
-http://www.theregister.co.uk/content/4/33668.html
-http://www.copyright.gov/1201/
[Editor's Note (Schneier): Not enough, alas. Fair use is being chipped away. ]

Orbitz Investigating Possible Customer e-Mail Address Theft (28/30 October 2003)

On-line travel company Orbitz said that someone had likely breached security at their web site and stolen customers' e-mail addresses. The theft became apparent when customers began complaining that they were receiving spam at e-mail addresses they used to conduct business with Orbitz. There is no evidence that personal account information or credit card numbers were compromised. Orbitz has notified the FBI of the incident and assembled an internal security team to investigate the matter.
-http://news.com.com/2102-1038_3-5098644.html?tag=st_util_print
-http://www.computerworld.com/printthis/2003/0,4814,86665,00.html
-http://www.cnn.com/2003/TECH/internet/10/30/orbitz.security.ap/index.html

Teen Allegedly Breached Security of ISP and University Computer Systems (29/31 October 2003)

A Brisbane, Australia teenager has been arrested for allegedly breaking into the computer systems of an Australian ISP and a UK university. He is the first person to be arrested under Australia's Criminal Code Act 1995. The teen will appear in court later this month. Alastair MacGibbon, director of the Australian High Tech Crime Center (AHTCC), is pleased that the ISP came forward and provided information that led to the arrest of the suspect.
-http://www.theage.com.au/articles/2003/10/29/1067233208022.html
-http://www.zdnet.com.au/printfriendly?AT=2000048600-20280271
-http://zdnet.com.com/2102-1105_2-5100364.html?tag=printthis

Iowa State University to Develop Cyber Attack Test Bed (29 October 2003)

Iowa State University has received a Justice Department grant of approximately $500,000 to build the Internet-Scale Event and Attack Generation Environment (ISEAGE), which will be used as a test bed for defenses against cyber attacks. It will also be used to conduct distributed attacks so their effects on other systems can be examined. ISEAGE will begin operations next year.
-http://www.internetwk.com/shared/printableArticle.jhtml?articleID=15800124

Windows XP Service Pack 2 Will Disable Windows Messenger Service and Activate Internet Connection Firewall (29 October 2003)


-http://www.theregister.co.uk/content/55/33654.html
-http://www.newsfactor.com/perl/printer/22589/
[Editor's Note (Pescatore): While this is pretty much nothing but a good thing for consumer desktops, it raises some problems for enterprise desktops. Many large enterprises already have installed personal firewall software, and may be using Windows Messenger for internal LAN operations. The default setting for those enterprises will need to look quite different than that of consumers and small businesses. ]

Developing Metrics for Security ROI (29 October 2003)

Lew Wagner, CISO of the M.D. Anderson Cancer Center at the University of Texas has developed return on investment (ROI) metrics that he has used successfully to request funding for security measures. The tools that Wagner has deployed generate more metrics for him to use in future business cases.
-http://www.internetweek.com/shared/printableArticle.jhtml?articleID=15600902

E-Mail BackUp Tapes Unintentionally Thrown Out (4 November 2003)

Staff of IT contractor Telstra Enterprise Services apparently dug through trash in order to recover Australian government department and agency e-mail backup tapes that had been inadvertently thrown out. Telstra regulatory and corporate director Bill Scales said that his company told the security agencies about the security problem as soon as they discovered it.
-http://news.com.au/common/story_page/0,4057,7759335^15319,00.html

Temporary Restraining Order Sought Against Diebold (4 November 2003)

The Electronic Frontier Foundation (EFF) and the Stanford Law School's Center for Internet and Society have filed for a temporary restraining order against electronic voting machine maker Diebold, demanding that they stop sending cease and desist letters to people and organizations that have posted internal Diebold documents on their web sites. An EFF attorney says they maintain that hosting the documents constitutes fair use under US copyright laws.
-http://www.usatoday.com/tech/news/techpolicy/2003-11-04-suing-diebold_x.htm
-http://zdnet.com.com/2102-1104_2-5101623.html?tag=printthis

California Puts Diebold Certification on Hold (3 November 2003)

The California Secretary of State's office has put certification of new Diebold electronic voting machines on indefinite hold pending the outcome of an investigation into allegations that the company installed uncertified software on machines used in Alameda county.
-http://www.wired.com/news/politics/0,1283,61068,00.html?tw=wn_tophead_5

National Guard Bureau Data Sharing Suffering from Cyber Attacks (4 November 2003)

National Guard Bureau CIO Maureen Lischke said numerous cyber attacks have made it harder for her organization to share information for disaster planning and first response. Currently, the Guard installs patches manually on every PC.
-http://www.gcn.com/vol1_no1/daily-updates/24059-1.html
[Editor's Note (Ranum): If you read the article, it will make you weep. Is this really the way that government agencies think security should be done for information sharing?]

NEW SECURITY RESOURCES AND OPPORTUNITIES TO PARTICIPATE

NIST Releases Recommended Security Controls for Federal Information Systems (3 November 2003)

The National Institute of Standards and Technology (NIST) has released a draft version of "Special Publication 800-53: Recommended Security Controls for Federal Information Systems." NIST is accepting comments on the draft document until January 31, 2004.
-http://www.fcw.com/fcw/articles/2003/1103/web-nist-11-03-03.asp
-http://csrc.nist.gov/publications/drafts.html
[Editor's Note (Paller): The draft document has an overwhelming catalogue of controls even for the low risk systems. NIST had to put everything in, but that means every agency will be forced to decide which controls to emphasize and which to meet with minimum effort. The security community can help a great deal by providing the critically important prioritization. Without it, hundreds of millions of dollars could be wasted by people who do not have the benefit of operational security experience. We would love to have your help. If you are willing to complete a simple prioritization form, please email info@sans.org with the subject NIST controls prioritization. We will try to have the result reflect input from each government agency and from many large commercial and academic organizations. Please tell us your role and your employer. We'll keep your personal input confidential. ]

Consensus Security Vulnerability Alert Bulletin (4 November 2003)

Open subscription period until November 15. More than 190,000 people have subscribed to the new, free, consensus security vulnerability bulletin: @RISK: The Consensus Security Vulnerability Alert. Delivered every Thursday morning, @RISK first summarizes the three to eight vulnerabilities that matter most, tells what damage they do and how to protect yourself from them, and then adds a unique feature: a summary of the actions 15 giant organizations have taken to protect their users. @RISK adds to the critical vulnerability list a complete catalog of all the new security vulnerabilities discovered during the past week. Thus in one bulletin, you get the critical ones, what others are doing to protect themselves, plus a complete list of the full spectrum of newly discovered vulnerabilities. This is also the subscription list that receives SANS Flash Alerts when they come out two or three times a year. Current facilities allow us to distribute @RISK to up to 250,000 subscribers, so approximately the first 60,000 additional people who sign up will be included on the list. There is no cost. Let the system administrators and security folks in your organization know they can subscribe as long as they do it in the next couple of weeks. Subscribe at
-http://www.sans.org/newsletters/

RSS Feeds for Automated Security News Delivery (4 November 2003)

SANS now offers two RSS news feeds to help you get security information even quicker. The SANS Information Security Reading Room feed will alert you as new papers are added to the Reading Room. The SANS Reading Room features over 1200 original computer security white papers in 70 different security-related categories. By using the RSS feed you will be among the first to read new additions to this important resource. The SANS NewsBites RSS feed will provide direct links to the individual stories in our weekly newsletter. If you don't already have an RSS viewer, go to download.com or versiontracker.com and search for 'RSS' under your operating system.
Then add these links to the RSS viewer:
Reading Room:
-http://www.sans.org/rr/rss/
NewsBites:
-http://www.sans.org/newsletters/newsbites/rss

We'll be adding more RSS services in the near future to bring the latest security news right to your desktop.

NRIC Best Practices List (27 October 2003)

The Network Reliability and Interoperability Council (NRIC) has compiled a list of 300 best practices for network operators, equipment manufacturers and service providers to "boost... security" in the event of a disaster.
-http://www.gcn.com/22_31/tech-report/23927-1.html
All NRIC Best Practices:
-http://www.bell-labs.com/cgi-user/krauscher/bestp.pl?allrecords=allrecords
NRIC Best Practices Selector Tool:
-http://www.bell-labs.com/cgi-user/krauscher/bestp.pl

ACME Paper Defines NetBIOS Port Security (5 November 2003)

Thank you for all the comments on the "ACME" paper about a large enterprise trying to decide if NetBIOS ports should be allowed to pass between segments of the enterprise network. An updated paper based on your response is available at
-http://www.sans.org/rr/special/acme.pdf

Final Call For Papers SANS 04 - Orlando April 1 - 7, 2004 (4 November 2003)

SANS 04 will be the first Information Security mega conference -- the biggest information security event in history, by far, with over 600 hours of advanced technical training. The conference is being held right on the Disney property so bring the family at least for part of the time. In addition to 14 SANS training tracks, we are further enriching the program with a selection of technical short courses, and this note is inviting your participation. Presenting a paper at a prestigious conference is one of the best ways to persuade management to allow you to attend a conference. We have started early so there is plenty of time for authors to develop great talks. Stephen Northcutt, author of seven information security books, is serving as the writing coach. There is still room in the program for a couple more presentations. We are primarily seeking two-hour, 60-slide technical presentations, so please only write if you are serious and willing to work. To submit a proposal contact Stephen@sans.org with subject SANS2004 Paper.

VULNERABILITY UPDATES AND EFFECTS

Mimail.C Exploits Outlook Vulnerabilities, Uses its Own SMTP Engine to Spread (3 November/31 October 2003)

The worm also launches a denial-of-service (DoS) attack against two domain names.
-http://www.pcworld.com/resource/printable/article/0,aid,113228,00.asp
-http://www.eweek.com/print_article/0,3048,a=111135,00.asp
-http://www.newsfactor.com/perl/printer/22612/

Mimail.D Launches DDoS Attacks on Anti-Spam Sites (3 November 2003)


-http://www.theregister.co.uk/content/56/33721.html

Microsoft Issues Revised Patches (30 October 2003)

Microsoft has revised patches for two vulnerabilities: one for a Windows Messenger flaw and the other for a Windows Troubleshooter ActiveX control problem. Some customers were unable to install the original versions of the patches; users who successfully installed the original patches do not need to reinstall new versions.
-http://www.techweb.com/wire/story/TWB20031030S0007
-http://www.microsoft.com/technet/security/bulletin/ms03-043.asp
-http://www.microsoft.com/technet/security/bulletin/ms03-042.asp

New Version of Mac OS X Fixes Vulnerabilities; Patches Will be Available for Older Versions (30/31 October 2003)


-http://www.newsfactor.com/perl/printer/22594/
-http://zdnet.com.com/2102-1104_2-5098688.html?tag=printthis

New Version of Mac OS X Corrupts External FireWire Hard Disks (30/31 October 2003)


-http://www.infoworld.com/article/03/10/31/HNappleresponds_1.html
-http://news.com.com/2102-1045_3-5099878.html?tag=st_util_print


----end----

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/