Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume V - Issue #51

December 23, 2003

TOP OF THE NEWS

Appeals Court Says RIAA Subpoenas are Not Authorized
Stolen Bank Laptop Contains Customer Data
Homeland Security Presidential Directive-7
Bush Signs CAN-SPAM Act
Federal CIOs Developing System Configuration Benchmarks
Maine PUC Denies Verizon Maine's Request for "Slammer Worm" Waiver

THE REST OF THE WEEK'S NEWS

Cyber Thief Pleads Guilty to Stealing Data
London Teen Could Pay ?21,000 for Cyber Intrusions
NY Attorney General and Microsoft File Suits Against Spammers
NASA Web Sites Defaced
OMB to Update Circular A-130
Senate Bill Would Require Agency Security Policies for Peer-to-Peer Risks
Bangkok Court Approves Extradition of Alleged Cyber Criminal to US
Federal Judge Denies Injunction Against Pop-Up Spam Company
OMB Provides e-Authentication Risk Assessment Guidance
Board Says NIST Computer Security Division Needs More Funding
Australia's Spam Act
Former Programmer Gets Prison Sentence for Deleting Critical Applications

VULNERABILITY UPDATES AND EFFECTS

Open Source Group Releases IE Patch
Cisco: Vulnerabilities in PIX Firewall and Firewall Services Module (FWSM)


******** Sponsored by SANS2004, The First Security Mega Conference ******

Announcing: SANS2004, The First Security Mega Conference April 1 - 9, at the Dolphin at Disneyworld in Orlando, Florida

In the most substantial advance in security training in the past six years, SANS has expanded its security education programs to more than 600 hours of unique training and education programs for: - --Security Technologists (five new programs) - --Auditors (four extraordinary tracks) - --Security Managers and Security Officers (three great tracks) Plus new programs on the legal aspects of security, on ISO 17799, on, E-Warfare and many more. Even the world's only training program on the newest developments in hacker exploits. Plus evening sessions and a great vendor exposition. A complete list of the training programs is at the end of this issue. Get the full program and register before your favorite courses fill up (SANS annual conference sessions always fill faster than any of our other programs.)
http://www.sans.org/sans2004

*************************************************************************

TOP OF THE NEWS

Appeals Court Says RIAA Subpoenas are Not Authorized (19 December 2003)

A US appeals court said that the Recording Industry Association of America's (RIAA) subpoenas of Verizon and other ISPs for names of customers suspected of illegally downloading music is not authorized under current US copyright law. Copyright holders may only subpoena names from ISPs if they have already filed a formal lawsuit.
-http://www.cnn.com/2003/LAW/12/19/music.download.reut/index.html
[Editor's Note (Schneier): This doesn't, of course, say anything about the validity of the subpoenas the RIAA has been issuing directly to the peer-to-peer music sharers it's identified. I wonder what the result would be if someone had the resources to fight the RIAA instead of caving or settling. ]

Stolen Bank Laptop Contains Customer Data (19 December 2003)

A laptop stolen from Bank Rhode Island's (BankRI) principal data-processing provider contains the names, addresses and social security numbers of about 43,000 customers. BankRI CEO Merrill Sherman said the bank's IT department now plans to install encryption and fraud detection software on its computers.
-http://www.computerworld.com/printthis/2003/0,4814,88443,00.html
[Editor's Note (Ranum): Note that the laptop was stolen from RI's service provider, Fiserv. This illustrates a big issue in information sharing: transitive trust and the question of whether ones' application service providers are handling data safely. In this case, Fiserv did the right thing and told RI. How often do such things happen and nobody is told?
(Northcutt): BankRI seems to be doing all the right things. They have written letters to the folks who may have been affected, and they are working with a credit reporting company. This appears to be a case of "death by application service provider" as you can see from this link:
-http://www.projo.com/business/content/projo_20031219_bankri19.df9b4.html
If your organization is considering using an ASP or other external data processor, you might want to review the steps in the "ASP Challenge":
-http://www.sans.org/score/asp_checklist.php
(Schultz): It's tragic how so many organizations fail to adopt appropriate security measures until after they experience a catastrophic security-related incident. ]

Homeland Security Presidential Directive-7 (17/18 December 2003)

The White House has released Homeland Security Presidential Directive-7 (HSPD-7) which replaces Clinton's 1998 Presidential Decision Directive-63. The document establishes policies for assessing the security of the nation's critical infrastructure, including cyber security; it gives government agencies until July 2004 to create infrastructure plans to be submitted to the Office of Management and Budget (OMB).
-http://www.whitehouse.gov/news/releases/2003/12/20031217-5.html
-http://www.computerworld.com/printthis/2003/0,4814,88389,00.html
-http://www.govexec.com/dailyfed/1203/121703tdpm1.htm
-http://www.fcw.com/fcw/articles/2003/1215/web-directive-12-18-03.asp
-http://www.fcw.com/geb/articles/2003/1215/web-direct-12-18-03.asp

Bush Signs CAN-SPAM Act (16 December 2003)

President George W. Bush has signed the CAN-SPAM Act. The new law places penalties of up to $250 per e-mail for violations, which include falsifying header information and not providing opt-out instructions. CAN-SPAM critics observe that the law does not affect spammers outside the United States and that it overrides state laws that are, in some cases, more stringent than the new federal law.
-http://www.computerworld.com/printthis/2003/0,4814,88306,00.html
-http://www.washingtonpost.com/ac2/wp-dyn/A4437-2003Dec16?language=printer

Federal CIOs Developing System Configuration Benchmarks (15 December 2003)

Federal CIOs and IT officials are collaborating to develop benchmarks for system configurations that could be used when purchasing hardware and software. The Federal Information Security Management Act (FISMA) requires that agencies develop benchmarks and comply with them, but does not specify what those benchmarks are.
-http://www.eweek.com/print_article/0,3048,a=114599,00.asp
[Editor's Note (Paller): Few events in security will have more far reaching impact than the agreement by federal purchasers of what constitutes safe configuration of popular software products. Their combined buying power ($57 billion) can then be focused on ensuring that vendors deliver safely configured systems, if they want to sell to the government. And when that happens, all but the most inept vendors will move quickly to offer safely configured systems to all their other clients. ]

Maine PUC Denies Verizon Maine's Request for "Slammer Worm" Waiver (30 April 2003)

The Maine Public Utilities Commission (PUC) denied Verizon Maine's request for a waiver of wholesale service performance metric results from January 2003. Verizon Maine requested the waiver because it maintained that the Slammer worm, which caused them to take their OSS interfaces off-line temporarily, was beyond their control. The PUC found that Verizon Maine did not act in a timely and prudent manner to take measures which would have protected its computers from Slammer. Patches for the vulnerability Slammer exploit had been available for at least three months prior to the attack; their accompanying bulletins gave them "critical" ratings. Had Verizon Maine been granted the waiver, rebates it is required to pay to Competitive Local Exchange Carriers (CLECs) would have been reduced from $62,000 to $18,000.
-http://www.state.ma.us/dpu/telecom/03-38/56attcomne.pdf
[Editor's Note (Schultz): This news item provides an almost too perfect example of the need for due care in the practice of infosec. ]


************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.

(1) Enhanced Security Posture. Improved Efficiency. Download LURHQ's whitepaper "Reducing Risk with Effective Threat Management."
http://www.sans.org/cgi-bin/sanspromo/NB272

(2) Invest in the best network protection. Introducing the Microsoft(r) Security Readiness Kit.
http://www.sans.org/cgi-bin/sanspromo/NB273

***********************************************************************

THE REST OF THE WEEK'S NEWS

Cyber Thief Pleads Guilty to Stealing Data (19 December 2003)

Daniel J Baas, of Milford Ohio pleaded guilty in federal district court to breaking into Arkansas-based Acxiom Corp.'s computers and stealing customer data. He is being held without bond until his sentencing, when he could face a prison term as well as court-ordered restitution.
-http://www.boston.com/business/technology/articles/2003/12/19/ohio_hacker_pleads
_guilty_to_data_theft

London Teen Could Pay ?21,000 for Cyber Intrusions (18 December 2003)

London teenager Joseph McElroy could face paying restitution of x9c21,000 (approximately US$37,000) for allegedly breaking into 17 computers at the Fermi National Accelerator Laboratory. McElroy was granted bail and will be sentenced in 2004.
-http://news.bbc.co.uk/2/hi/uk_news/england/london/3331723.stm

NY Attorney General and Microsoft File Suits Against Spammers (18 December 2003)

New York Attorney General Eliot Spitzer, along with Microsoft, has filed lawsuits against a group of spammers. 8,000 messages (caught) by Microsoft "spam traps" contained a total of 40,000 fraudulent messages; the lawsuits seek $5000 for each phony statement for a total of $20 million. (Please note: this site requires free registration)
-http://www.nytimes.com/2003/12/18/technology/18spam.html?th
-http://www.washingtonpost.com/ac2/wp-dyn/A12895-2003Dec18?language=printer
-http://msnbc.msn.com/id/3747034
[Editor's Note (Schultz): I predict that the outcome of this court case will be a precedent setter with respect to spam control. ]

NASA Web Sites Defaced (17/18 December 2003)

Internet vandals defaced 13 NASA web sites, each a subdomain of NASA.gov, last week. The sites were taken off line pending identification and repair of the vulnerabilities that were exploited.
-http://www.gcn.com/vol1_no1/daily-updates/24475-1.html
-http://www.computerworld.com/printthis/2003/0,4814,88348,00.html

OMB to Update Circular A-130 (17 December 2003)

The Office of Management and Budget (OMB) will rewrite Circular A-130 to include new guidance on security, privacy and other areas.
-http://www.fcw.com/fcw/articles/2003/1215/web-omb-12-17-03.asp

Senate Bill Would Require Agency Security Policies for Peer-to-Peer Risks (17 December 2003)

Next year the senate will consider the Government Network Security Act of 2003 (HR 3159), which would require government agencies to establish security policies to protect their computer systems from the security risks posed by peer-to-peer file sharing. The House passed an identical version of the bill in early October.
-http://www.gcn.com/vol1_no1/daily-updates/24468-1.html

Bangkok Court Approves Extradition of Alleged Cyber Criminal to US (17 December 2003)

A Bangkok criminal court has approved the extradition of Ukrainian Maskym Kovalchuk to the United States for alleged cyber crimes. A criminal complaint filed in California in 2000 includes charges of trafficking in counterfeit goods and possession of unauthorized credit card information.
-http://star-techcentral.com/tech/story.asp?file=/2003/12/17/technology/6939785&a
mp;sec=technology

Federal Judge Denies Injunction Against Pop-Up Spam Company (16 December 2003)

D Squared Solutions, a company that has been accused of sending pop-up spam that advertises pop-up blocking software, may continue to send its unsolicited advertisements until the case goes to trial in early March of 2004. A federal judge denied the Federal Trade Commission's (FTC) request for an injunction against the California-based company because he said there was insufficient evidence that customers had been injured by D Squared's actions.
-http://www.internetnews.com/xSP/print.php/3289801

OMB Provides e-Authentication Risk Assessment Guidance (16 December 2003)

The Office of Management and Budget (OMB) has given government agencies guidance on assessing the authentication risks of on-line transactions, determining the appropriate assurance levels for each transaction and selecting the suitable technology. Assessments of major systems should be completed by December 15, 2004.
-http://www.fcw.com/fcw/articles/2003/1215/web-omb-12-16-03.asp

Board Says NIST Computer Security Division Needs More Funding (16 December 2003)

The Information Security and Privacy Advisory Board says the National Institute of Standards and Technology's (NIST) Computer Security Division is underfunded in the fiscal 2004 budget. The division received nearly $15 million in fiscal 2003; it is slated to receive about $10 million in fiscal 2004.
-http://www.fcw.com/fcw/articles/2003/1215/web-nist-12-16-03.asp

Australia's Spam Act (19 December 2003)

Australia's Spam Act, which goes into effect April 11, 2004, carries penalties of up to AUS$1.1 million (approximately $800,000) a day for offenders.
-http://news.zdnet.co.uk/business/legal/0,39020651,39118686,00.htm
[Editor's Note (Northcutt): The gist of this law is that it is an offense if the unsolicited commercial email contains a .au link. As nations enact these foundational laws, they are preparing for the invitation-only OECD meeting next February. That is where the rubber is going to meet the road. ]

Former Programmer Gets Prison Sentence for Deleting Critical Applications (15 December 2003)

Jesus C. Diaz, who once worked as an AS/400 programmer for Hellmann Worldwide Logistics, has been convicted of accessing the company's computer system remotely and deleting critical OS/400 applications. A Hellmann IT staff member who had recently attended SANS security conference followed the protocol he learned there and was able to preserve evidence. Diaz received a one-year sentence, half of which he may serve at home, and was ordered to pay more than $80,000 restitution.
-http://www.midrangeserver.com/tfh/tfh121503-story03.html

VULNERABILITY UPDATES AND EFFECTS

Open Source Group Releases IE Patch (19 December 2003)

Openwares.org, an open source development group, has posted on it is web site a patch for an IE vulnerability. Analysts advise waiting until Microsoft releases a patch for the vulnerability.
-http://www.computerworld.com/printthis/2003/0,4814,88445,00.html
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39118696-39020375t-10000025c
The patch apparently includes a buffer overflow vulnerability and other security problems.
-http://www.theregister.co.uk/content/55/34618.html

Cisco: Vulnerabilities in PIX Firewall and Firewall Services Module (FWSM) (16 December 2003)


-http://www.computerworld.com/printthis/2003/0,4814,88309,00.html
-http://www.cisco.com/warp/public/707/cisco-sa-20031215-pix.shtml
-http://www.cisco.com/warp/public/707/cisco-sa-20031215-fwsm.shtml


===end===

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Bruce Schneier, Eugene Schultz, Gal Shpantzer

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/


SANS 2004 Course List

Announcing: SANS2004, The First Security Mega Conference April 1-9, at the Dolphin at Disneyworld in Orlando, Florida

In the most substantial advance in security training in the past six years, SANS has expanded its security education programs to more than 600 hours of unique training and education programs for:

- --Security Technologists
SANS Security Essentials and CISSP 10 Domains
Firewalls, Perimeter Protection and VPNs
Intrusion Detection In-Depth
Incident Handling and Hacker Exploits
Securing Windows
Securing Linux and UNIX
System Forensics, Investigation an Response
Reverse Engineering Malware
Securing Apache
Securing Solaris Using the Center for Internet Security Benchmarks
Securing Windows Using the Gold Standard
(Just Announced) Hacker Techniques Update

- --Auditors
IT SecuritY Audit Essentials
Auditing Networks, Perimeters and Systems
SANS ISO 17799 Security and Audit Framework

- --Security Managers, Security Officers, and Consultants
Introduction to Information Security
SANS Security Leadership for Managers
SANS CISSP 10 Domains + Special Security Extras
(Just Announced) Security Consultant

Plus new programs
Business Law and Computer Security
Legal Issues in Information Technology: InfoSec
E-Warfare

Get complete details at http://www.sans.org/sans2004

==end==