SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume V - Issue #48

December 03, 2003

Two new SANS research projects in which your assistance could help the whole community:
(1) Top Ten Cisco Security Vulnerabilities - a project to identify the weaknesses that allow systems and networks to be exploited through Cisco network devices and software. If you have knowledge in this area and are willing to share, please send your suggestion to info@sans.org with subject "Cisco Top Ten". We have an initial list that we will share with everyone who provides a solid suggestion.
(2) Security Products That Actually Work - a project to gather case studies of how commercial tools actually improve security and post them on the web and print and mail them to 300,000 people. If you have used a commercial tool and the tool has actually made a difference in improving security, we would love to include your story. We can even keep your company's name confidential. Categories for which we will publish What Works books include: intrusion prevention, intrusion detection, vulnerability management, VPNs, identity and access management, policy management and compliance, discovery, spam or email filtering, firewalls, intrusion detection, security awareness, and we will be adding several other categories. Please send a one or two sentence summary to info@sans.org with subject "what works."

Alan

---

TOP OF THE NEWS

New Cyber Security Czar Interviewed
Hatch Staffer on Administrative Leave After Computer Document Theft Allegations Surface
Tech Industry Executives Try To Slow Federal Computer Security Rules
Vendor Lobby Pushes For Policy Placing Cyber Security Burden on Users

ARRESTS AND SENTENCES

Minnesota Law Enforcement Database Cracker Testifies Before State Legislature
Wells Fargo Customer Data Thief Arrested
American Eagle Outfitters Hacker Sentenced to 18 Months and Fined $64,000
Belgian Hacker Given Suspended Sentence and Fined 50,000 Euros
Wireless Hijacking Arrest Raises Question of Liability

THE REST OF THE WEEK'S NEWS

Debian Attacker Exploited Linux Kernel Vulnerability
Sobig.F Still Spreading
PricewaterhouseCoopers Survey of "Trendsetter" Companies
Microsoft Will Beta Test Security Update CDs
NSF Grants Two Universities $750,000 to Study Computer Monocultures
Sysbug Trojan
Industry Leery of Including Cyber Security Plans in SEC Filings
Healthcare Security Workgroup to Develop HIPAA Compliance Guidelines

VULNERABILITY UPDATES AND EFFECTS

Critical Vulnerability in GnuPG Encryption program
Mac OS X Dynamic Host Configuration Protocol Vulnerability
Microsoft Investigating Report of Active Scripting Flaw in Internet Explorer 6.0

---

*********************** Sponsored by NetIQ ****************************

Policy-Based Vulnerability Management White Paper from NetIQ

Are you relying on ineffective approaches as you battle a constant barrage of worms, viruses and attacks? Why not take a holistic policy-based approach to vulnerability management? Register now for NetIQ's free white paper, "From Project to Process: Policy-Based Vulnerability Management" to get the critical, step-by-step methods you need. You'll discover how to leverage policies and standards for vulnerability management and institute them as a routine business process instead of periodic projects.

http://www.netiq.com/f/form/form.asp?id=2421&;origin=NS_Sans_120303

*************************************************************************
Highlighted Immersion Training Conference of the Week
Assuming you cannot get to Washington for SANS CDI East starting on Monday, you can enjoy exactly the same high quality training program in San Diego at SANS CDI West January 26-31. Both of the Cyber Defense Initiative conferences stand out in the SANS schedule because they have vendor expositions and extensive evening programs, but the class sizes are smaller than the big national conferences. Besides San Diego in the winter is lovely.
Washington: http://www.sans.org/cdieast03/
San Diego: http://www.sans.org/cdiwest04

*********************************************************************

---

TOP OF THE NEWS

New Cyber Security Czar Interviewed (2 December 2003)

Amit Yoran, the new Director of the National Cyber Security Division at the US Department of Homeland Security, was interviewed about his goals for his new job.
-http://zdnet.com.com/2100-1105_2-5112456.html

Hatch Staffer on Administrative Leave After Computer Document Theft Allegations Surface (28 November 2003)

Senate Judiciary Committee Chairman Orrin Hatch (R-Utah) has placed a member of his staff on administrative leave after an investigation indicated that the staff member in question obtained confidential documents from the servers of two Democratic senators. As of November 21, steps had been taken to preserve data related to the alleged breach. In addition, a third-party forensic examination will determine whether or not documents were accessed without authorization.
-http://www.washingtonpost.com/ac2/wp-dyn/A17502-2003Nov27?language=printer
-http://informationweek.securitypipeline.com/news/showArticle.jhtml?articleId=164
01094

Tech Industry Executives Slow Federal Computer Security Rules

Technology executives, represented by the Information Technology Association of America and the Business Software Alliance, are very effective in shaping federal policy, according to James Lewis of the Center of Strategic and International Studies. They argue costly new computer security rules aren't needed, arguing their companies are already taking aggressive steps to defend against hackers
-http://www.foxnews.com/story/0,2933,104635,00.html

Vendor Lobby Pushes For Policy Placing Cyber Security Burden on Users

Vendor lobbying groups, including the Information Technology Association of America, the Business Software Alliance, the TechNet alliance of CEOs and the U.S. Chamber of Commerce are coming under increased scrutiny for pushing an agenda that would place the burden of security on the government and users rather than on the vendors that sell the products. A Computerworld review of the public policy statements of these groups found nothing to indicate that they have ever taken a position that calls on IT vendors to improve the security and quality of their products.
-http://www.computerworld.com/printthis/2003/0,4814,87614,00.html

---

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.

(1) Stop Network Attacks versus just Detecting. Intrusion Prevention Essentials White Paper
http://www.sans.org/cgi-bin/sanspromo/NB263

(2) FREE WHITE PAPER - Spam is no longer simply a nuisance. Act to secure your email systems.
http://www.sans.org/cgi-bin/sanspromo/NB264

(3) Considering vulnerability assessment? Read the latest nCircle white paper about the ten most common pitfalls.
http://www.sans.org/cgi-bin/sanspromo/NB265

***********************************************************************

---

ARRESTS AND SENTENCES

Minnesota Law Enforcement Database Cracker Testifies Before State Legislature (2 December 2003)

A man used his knowledge of web query syntax to gain unauthorized access to the Multiple Jurisdiction Network Organization law enforcement database owned by the Minnesota Chiefs of Police Association. The database contains 8 million records of detailed information about individuals who have been suspects, witnesses, or victims of crimes, and even included unverified claims of infractions made by angry neighbors. The hacker disclosed what he had learned to a Minnesota State legislator who allowed the hacker to testify anonymously in a legislative hearing. According to the legislator, Mary Liz Holberg, a law enforcement investigation of the breach has been closed.
-http://www.startribune.com/stories/462/4245418.html
[Editor's Note (Paller): Rep. Holberg handled this exactly the wrong way. By allowing the hacker to testify and ensuring he has a "get out of jail free" card, she sent a message to people in Minnesota, at least, that breaking federal law by hacking into computers is OK as long as you give a legislator a chance to embarrass someone and get press coverage for it. She could have accomplished her goal of correcting the problem and getting press by simply demonstrating the vulnerability herself with the permission of the organization that was vulnerable, but without giving the hacker the unnecessary notoriety.
(Special Guest Comment from SANS Windows Security Program Director Jason Fossen): The sketchy description of the hack makes it appear that the website redirected successfully authenticated users to the search page URL without further authentication or stateful tracking of the user. This is a dreadfully obvious design flaw, but a common flaw nonetheless. It is one of the specific flaws we include in our "do not do this" list in SANS IIS security course which also shows students how to avoid the problem. ]

Wells Fargo Customer Data Thief Arrested (27 November 2003)

Police in California have arrested a man who confessed to having stolen computers from a Wells Fargo bank analyst's office. Edward Jonathan Krastov was arrested after he logged onto AOL using a stolen computer and the owner's account. The computers contained customer account and other personal data. Wells Fargo says they found no evidence the stolen information was abused, but plans to monitor affected accounts and has offered to buy affected customers a one-year subscription to a consumer credit watchdog service.
-http://www.cnn.com/2003/TECH/ptech/11/27/wellsfargo.theft.ap/index.html
-http://www.theregister.co.uk/content/55/34234.html
-http://www.bayarea.com/mld/mercurynews/business/7362537.htm?template=contentModu
les/printstory.jsp

American Eagle Outfitters Hacker Sentenced to 18 Months and Fined $64,000 (2 December 2003)

Kenneth Patterson had admitted to posting user names, passwords, and information on how to break into his ex-employer's system, and to conducting a series of denial of service attacks. He was sentenced to 1 and a half years in jail and ordered to pay $64,000 in restitution.
-http://www.zwire.com/site/news.cfm?newsid=10603022&BRD=2212&PAG=461&
dept_id=465812&rfi=6

Belgian Hacker Given Suspended Sentence and Fined 50,000 Euros (2 December 2003)

Frans Davaere pleaded not guilty to hacking into five company websites, but was convicted. He was given a one year suspended sentence, fined 15,000 Euros and required to compensate other parties 35,000 Euros.
-http://www.expatica.com/source/site_article.asp?subchannel_id=48&story_id=27
80

Wireless Hijacking Arrest Raises Question of Liability (28 November 2003)

Toronto police arrested a man who was using his laptop to download illicit web content via a hijacked wireless Internet connection. While the company whose connection he used is not being charged in the case, it is conceivable that individuals and businesses with wireless hubs could be held liable for unauthorized users' activity that takes place on that network if they were negligent in setting up security.
-http://zdnet.com.com/2102-1105_2-5112000.html?tag=printthis

---

THE REST OF THE WEEK'S NEWS

Debian Attacker Exploited Linux Kernel Vulnerability (1 December 2003)

The attacker who breached security of several Debian group servers last month exploited an integer overflow flaw in the brk( ) system call. The vulnerability can allow local users with shell level access to elevate privileges to root; the vulnerability exists in Linux kernel release versions 2.4.0 through 2.5.69; it has been fixed in 2.4.23-pre7 and 2.6.0-test6. An exploit for the vulnerability is apparently circulating among crackers.
-http://www.eweek.com/print_article/0,3048,a=113591,00.asp
-http://www.theage.com.au/articles/2003/12/01/1070127318372.html
-http://www.zdnet.com.au/newstech/security/story/0,2000048600,20281486,00.htm

Sobig.F Still Spreading (1 December 2003)

Despite the fact that it was designed to stop propagating on September 10, the Sobig.F worm was still quite active in November, according to MessageLabs.
-http://www.silicon.com/software/security/0,39024655,39117134,00.htm

PricewaterhouseCoopers Survey of "Trendsetter" Companies (24/28 November 2003)

According to a PricewaterhouseCoopers (PwC) survey of more than 400 "trendsetter" company CEOs, 46% have recently experienced an information security breach. Of those, 83% said they had a monetary loss and 24% experienced network downtime because of the breach. PwC senior manager for security and privacy services Mark Lobel is concerned that these companies are not spending enough on information security; the average security spending increased from 1.8% in 2002 to just 1.9% in 2003.
-http://www.techweb.com/wire/story/TWB20031124S0008
-http://www.theregister.co.uk/content/55/34254.html
[Editor's Note (Ranum): It always sets my Capt Kelly B.S. detector ringing when someone who sells security solutions does a survey that leads them to conclude people should buy more security solutions. ]

Microsoft Will Beta Test Security Update CDs (26 November 2003)

Microsoft will begin beta testing a security update CD for users whose computers run Windows 98, 98 Second Edition and Millennium. The CD is targeted at users who have slow Internet connections and who do not regularly visit the Microsoft web site for security updates.
-http://www.internetweek.com/shared/printableArticle.jhtml?articleID=16400937
[Editor's Note (Grefer): Microsoft tested a similar approach in Japan earlier this year, distributing CDs for free to attendants of a computer trade show. ]

NSF Grants Two Universities $750,000 to Study Computer Monocultures (25 November 2003)

With the help of a $750,000 National Science Foundation grant, Carnegie Mellon University and the University of New Mexico will study computer "monocultures" and the benefits of diverse computing environments. "The researchers intend to create an application that could generate diversity in key aspects of software programs, thus making the same vulnerability less effective as a means of attack against the population as a whole."
-http://news.com.com/2102-7355_3-5111905.html?tag=st_util_print

Sysbug Trojan (25 November 2003)

The Sysbug Trojan horse program arrives in an attachment purporting to be pictures of a woman named Mary. The program affects Windows 2000, 95, 98, Me, NT and XP.
-http://news.com.com/2102-7349_3-5111940.html?tag=st_util_print

Industry Leery of Including Cyber Security Plans in SEC Filings (24 November 2003)

Recent proposed legislation that would have required public companies to include cyber-security plans in their Securities and Exchange Commission (SEC) filings was laid aside in response to industry objections. Companies are skeptical of the proposed requirement because the reporting required eats up budgets and the SEC "lacks cyber-security expertise." The Federal Trade Commission (FTC) might be better suited to the position.
-http://www.eweek.com/print_article/0,3048,a=113076,00.asp

Healthcare Security Workgroup to Develop HIPAA Compliance Guidelines (24 November 2003)

The National Institute of Standards and Technology (NIST), the Workgroup for Electronic Data Interchange and URAC, a healthcare industry accreditation agency have created the Healthcare Security Workgroup, which will develop HIPAA (Health Insurance Portability and Accountability Act) compliance guidelines. Organizations are expected to be in compliance by April 15, 2005.
-http://www.computerworld.com/printthis/2003/0,4814,87492,00.html
[Editor's Note (Schultz): It's amazing to me that HIPAA compliance guidelines have still not been issued, but then again, I suppose late is better than never. ]

---

VULNERABILITY UPDATES AND EFFECTS

Critical Vulnerability in GnuPG Encryption program (28 November 2003)

-http://www.theage.com.au/articles/2003/11/28/1069825963994.html

Mac OS X Dynamic Host Configuration Protocol Vulnerability (27 November 2003)

The man who found the vulnerability published details about it on the Internet because Apple was dragging its feet about "developing a fix."
-http://www.theregister.co.uk/content/55/34240.html
-http://www.zdnet.com.au/printfriendly?AT=2000048600-20281434

Microsoft Investigating Report of Active Scripting Flaw in Internet Explorer 6.0 (25/26 November 2003)

Other versions of IE may also be affected.
-http://www.computerworld.com/printthis/2003/0,4814,87582,00.html
-http://www.newsfactor.com/perl/printer/22765/
-http://www.theregister.co.uk/content/55/34186.html

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/