SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume V - Issue #9

March 05, 2003

One of SANS' most important gifts to the community is the joint
project with the Center for Internet Security (CIS) that creates
consensus best practice security guides and audit checklists. We call
the project SCORE. More than a dozen audit guides have been developed
jointly and then grown and perfected by CIS who also add automated
testing tools. Plans for the following topics are being formalized:
ISO 17799, Mac OS X, Linksys broadband routers, Microsoft Xbox
systems, and Responsible Dial-In Computing. Four existing checklists
(generic UNIX, handhelds, generic firewalls and web applications)
are also planned for update, with new topics to be added based on
recommendations from the security community.


If you have substantial expertise in implementing and/or securing
these products and want to help develop the checklists, contact Algis
Kibirkstis at score@sans.org.

---

TOP OF THE NEWS

Sendmail Vulnerability Demonstrates New DHS Capabilities
China Signs Up for Microsoft's Government Security Program
EU Cybercrime Law Approved
Monster.com Warns Customers About Perils of False Job Postings
NIPC Moves to DHS, Joins Other Security Organizations in Directorate

THE REST OF THE WEEK'S NEWS

Survey Shows IT Salaries Holding Steady
Indiana University School of Medicine Informs Patients of Security Breach
Company Shuts Down After Serious Security Breach
BSA Apologizes to University for Erroneous Accusation
MessageLabs Virus Statistics for February
Jon Johanssen to be Tried Again on Appeal
Lexmark Case a Boost for DMCA
Sixth Grader Who Changed Grade Won't be Expelled, Will Participate in Diversionary Program
Bloomberg Extortionist Found Guilty
Proposed Legislation in UK Addresses Financial System Attacks
Intrusion Prevention Systems
China Has Intelligence Signal Stations in Cuba
Patch Available for Windows ME Vulnerability
Gartner Urges Credit Card Companies to Notify Customers of Security Breaches
e-Commerce Site Flaws
Singapore Raid Nets $1 Million in Pirated Software
UK Businesses Aren't Keeping Up With Virus protection
Defense Department Wireless Policy Due by April
Microsoft Releases Security Operations Guide for Windows 2000 Server
Hacker Convicted, Ordered to Pay Reparation and Perform Community Service
Manufacturers Place Security at Top of List
Canadian Firm Informed Customers of Security Breach
Company Recovers Server Data
Microsoft Developing Windows Rights Management Services
TK Worm Still Spreading

---

**************** This Issue Sponsored by Tripwire, Inc ****************
TRIPWIRE PRESENTS: THE ART OF HACKING AND THE ART OF DEFENSE ONLINE
SEMINARS
Tripwire's FREE online seminar series is proud to present The Art
of Hacking and The Art of Defense. One will show you common hacking
techniques and the other will demonstrate how to protect your systems
against attacks.
Register for these seminars today!
http://www.tripwire.com/events/online_seminars/index.cfm?djinn=964
***********************************************************************

---

TOP OF THE NEWS

Sendmail Vulnerability Demonstrates New DHS Capabilities (3 March 2003)

A vulnerability was reported in Sendmail that allows root access simply by sending a specially crafted email. Action by the Department of Homeland Security and affected vendors led to a coordinated program for patch development, early warning for critical infrastructure industries and government agencies, and broad information dissemination, while maintaining secrecy until the
-http://www.washingtonpost.com/wp-dyn/articles/A41859-2003Mar4.html
-http://www.cert.org/advisories/CA-2003-07.html
-http://www.msnbc.com/news/880094.asp?0cv=CB10
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78991,0
0.html
-http://news.com.com/2100-1009-990802.html
SANS web broadcast features people from sendmail.com, ISS, SourceFire, and the SANS faculty experts answering questions about the vulnerability, what systems are vulnerable, and what can be done to protect Sendmail beyond patching. Also includes a brief discussion of the new Snort vulnerability.
-http://www.sans.org/webcasts/030303.php
Free, requires registration

China Signs Up for Microsoft's Government Security Program (28 February 2003)

The Chinese government has joined those of Russia and the UK, as well as NATO in signing up for Microsoft's Government Security Program (GSP). The agreement allows participating governments to view Windows source code. It is hoped that the governments will evaluate Windows' security and be able to create secure applications to run on the operating system. Thirty other governments are working with Microsoft to sign on to the agreement.
-http://news.com.com/2100-1007-990526.html
-http://www.cnn.com/2003/TECH/02/28/china.microsoft.ap/index.html
-http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=2305396

EU Cybercrime Law Approved (28 February 2003)

European Union justice ministers have approved a new cybercrime law. People found guilty of accessing computer networks or servers illegally face sentences of between two and five years, as would those who are found guilty of spreading worms and viruses.
-http://news.com.com/2100-1002-990669.html

Monster.com Warns Customers About Perils of False Job Postings (28 February 2003)

Monster.com has sent an e-mail to its active customers warning them of false job postings that are being used to gather personal information that could be used to steal identities. Information being sought may include credit card data and social security numbers. This problem faces all job sites, though only Monster.com announced the hazard.
-http://www.cnn.com/2003/TECH/internet/02/28/monster.theft.ap/index.html

NIPC Moves to DHS, Joins Other Security Organizations in Directorate (27 February 2003)

As of March 1, the National Infrastructure Protection Center (NIPC) moved from the FBI to the newly formed Department of Homeland Security (DHS). NIPC is now part of the Directorate for Information Analysis and Infrastructure Protection (IAIP), along with the Critical Infrastructure Assurance Office and the Federal Computer Incident Response Center (FedCIRC). IAIP still needs to fill many senior positions. Many of the agents who were to be transferred from the FBI to DHS have chosen to take other assignments within the FBI.
-http://www.idg.net/go.cgi?id=788764

---

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) STOP INTRUSIONS with preventive countermeasures. Automatically
block intruders. FREE DEMO shows how.
http://www.sans.org/cgi-bin/sanspromo/NB140
(2) 30% of the Global 100 use Permeo to secure their applications.
Do you?
http://www.sans.org/cgi-bin/sanspromo/NB141
(3) STOP SPAM and unwanted email. Take control. FREE WHITE PAPER!!!
http://www.sans.org/cgi-bin/sanspromo/NB142
***********************************************************************

---

THE REST OF THE WEEK'S NEWS

Survey Shows IT Salaries Holding Steady (3 March 2003)

Statistics from the Dice 2002 Annual Salary Survey show that last year, US salaries for IT remained relatively stable; workers in government and defense saw an average salary increase of 7%. The study also cites cities with the greatest salary growth and geographic areas with the highest average salary.
-http://www.computerworld.com/careertopics/careers/labor/story/0,10801,78978,00.h
tml

Indiana University School of Medicine Informs Patients of Security Breach (28 February/3 March 2003)

Indiana University (IU) has send letters of apology to about 7,000 patients of their Center for Sleep Disorders after it became apparent that a hacker had gained access to the system. While medical records weren't exposed, patients' names, social security numbers and dates of birth might have been viewed. An IU School of Medicine spokesman said that the hacker planted a program in the computer that attempted to break into other University computers.
-http://www.indystar.com/print/articles/3/025875-2223-093.html
-http://www.sagamore.iupui.edu/32/32-24/24hacker.html
[Editor's Note (Schultz): The many compromises of personal data in the U.S. over the past few years show that it is time for the government to intervene. The U.S. desperately needs privacy protection legislation similar to Germany's Datenschutz law. ]

Company Shuts Down After Serious Security Breach (28 February 2003)

Janteknology, a company that distributes software to customers in New Zealand and Australia electronically, has shuttered operations due to an employee entering their computer system and stealing and corrupting data files, according to one source. The company was already facing tough market conditions, and the attack proved to be "devastating."
-http://www.zdnet.com.au/newstech/security/story/0,2000024985,20272494,00.htm
[Editor's Note (Grefer): It appears to me that this incident was a welcome excuse to shut down the company. This incident may still serve as a reminder to have and apply a minimal privilege policy, and to consider background checks - especially of staff performing business critical function and/or equipped with increased privileges. ]

BSA Apologizes to University for Erroneous Accusation (28 February 2003)

The Business Software Alliance (BSA) apologized to the University of Muenster after erroneously accusing the University of distributing unlicensed copies of Microsoft Office. In fact, the BSA had detected OpenOffice files and mistaken them for Microsoft Office files.
-http://www.theinquirer.net/?article=8054

MessageLabs Virus Statistics for February (28 February 2003)

Monthly statistics from MessageLabs indicate that Klez-H was the most prevalent in February, followed by two Yaha variants, Sobig-A, BugBear-A and SirCam-A.
-http://www.theregister.co.uk/content/56/29523.html

Jon Johanssen to be Tried Again on Appeal (28 February/3 March 2003)

Jon Johanssen, the Norwegian teenager who was recently acquitted of theft charges regarding his creation of the DeCSS, will be tried again on appeal in Oslo. The DeCSS utility can be used to pass the copy protection on DVDs.
-http://www.msnbc.com/news/878950.asp
-http://www.theregister.co.uk/content/6/29543.html

Lexmark Case a Boost for DMCA (28 February 2003)

In a lawsuit filed by printer maker Lexmark International Inc., a federal judge has issued an injunction against Static Control Components Inc. of North Carolina, prohibiting it from manufacturing and selling computer chips that can be used in refilled printer cartridges. Lexmark's suit maintained that the company's actions violated the Digital Millennium Copyright Act (DMCA).
-http://www.informationweek.com/story/IWK20030228S0041

Sixth Grader Who Changed Grade Won't be Expelled, Will Participate in Diversionary Program (28 February 2003)

The Florida sixth grader who changed his grade in his teacher's open computer grade book will participate in a diversionary program for first-time, non-violent offenders. He was suspended for 10 days, but will not be expelled. He may also be ordered to perform community service or write an apology.
-http://www.gopbi.com/partners/pbpost/epaper/editions/friday/news_e3e53f3fe551216
310b0.html

Bloomberg Extortionist Found Guilty (27 February 2003)

Oleg Zezov of Kazakhstan has been found guilty of trying to extort $200,000 from Michael Bloomberg's financial company. Zezov and an accomplice tried to get Bloomberg to pay them the money so they wouldn't go public with the computer system's flaws. Zezov's attorney maintains his client was asking for payment for finding a vulnerability in the system; he faces up to 20 years in prison when he is sentenced on May 23.
-http://www.theregister.co.uk/content/55/29501.html
-http://www.cnn.com/2003/TECH/internet/02/27/internet.extortion.ap/index.html

Proposed Legislation in UK Addresses Financial System Attacks (27 February 2003)

The UK government is considering legislation that addresses the operation of the country's financial system in the event of a physical or computer attack.The Treasury has published a "green paper" addressing the reliance of the financial sector on IT systems. In the event of a physical attack, proposed legislation would allow the banks to channel their efforts to rebuilding or securing the necessary infrastructure so that they may resume conducting business.
-http://www.vnunet.com/News/1139090

Intrusion Prevention Systems (27 February 2003)

This article describes five types of intrusion prevention systems (IPS): Network Intrusion Detection Systems (NIDS), Seven Layer Switches, Application Firewalls/IDS, Hybrid Switches and Deceptive Applications. Businesses and other entities should examine their needs and choose the best fit from the available technology.
-http://www.securityfocus.com/infocus/1670

China Has Intelligence Signal Stations in Cuba (27 February 2003)

Since 1999, the Chinese military has been operating two intelligence signal stations in Cuba. The stations' are largely dedicated to intercepting US telephone and satellite-based military communications. A cyber warfare unit also monitors data traffic.
-http://www.theage.com.au/articles/2003/02/26/1046064102910.html

Patch Available for Windows ME Vulnerability (26/27 February 2003)

A buffer overflow vulnerability in the Windows Millennium Edition (ME) Help and Support Center could be exploited to run code and access and delete files. Microsoft has issued a patch for ME users.
-http://zdnet.com.com/2100-1105-986292.html
-http://www.eweek.com/article2/0,3959,904633,00.asp
-http://www.microsoft.com/technet/security/bulletin/MS03-006.asp
[Editor's Note (Schultz): Microsoft's bulletin (as well as numerous response team bulletins patterned after Microsoft's bulletin) concerning this vulnerability was inaccurate and misleading. It stated that privilege elevation was possible if the vulnerability was exploited, when in fact there are no levels of privilege in Windows Me. The real problem is that a remote attacker could gain the same type of access that a local user could obtain, that is, could see and interact with the system the way someone who is locally logged on can. ]

Gartner Urges Credit Card Companies to Notify Customers of Security Breaches (27 February 2003)

Gartner has published a report critical of credit card companies' efforts to inform customers of security breaches. Customers are often not informed of security breaches; the card companies reason that the consumers are not responsible for fraudulent charges; however, the information could be used to steal identities. The report recommends that credit card companies encrypt the databases containing customer information, and that card issuers notify customers quickly in the event of a security breach.
-http://www.wired.com/news/privacy/0,1848,57823,00.html

e-Commerce Site Flaws (27 February 2003)

A recent study of e-commerce site security published by NTA Monitor says that the sites are not doing enough to protect customers' information. Among the most frequently found problems are flaws that allow root access to the server, logout functions not working properly, and flaws that let sensitive information be transmitted across the Internet in clear text.
-http://www.vnunet.com/News/1139101
-http://www.theregister.co.uk/content/55/29511.html

Signature- and Behavior-Based Detection Systems (26 February 2003)

This article recommends using a combination of signatures and behavioral rules to detect malicious activity on computer networks. Signature based detection systems cannot detect new attacks but don't generate as many false positives as behavior based systems do. The article lists the benefits and drawbacks of each detection method.
-http://www.idg.net/ic_1187705_9677_1-5046.html

Singapore Raid Nets $1 Million in Pirated Software (26 February 2003)

In a 10-hour raid, police in Singapore arrested 17 people and seized an estimated $1 million in pirated software, the largest yield ever in a single raid. If found guilty, the people arrested could face jail terms of up to five years and fines of as much as $58,000.
-http://news.com.com/2100-1046-986078.html

UK Businesses Aren't Keeping Up With Virus protection (26 February 2003)

A Sophos survey of small and medium sized businesses in the UK found that only 46% had virus protection at network gateways, and just 42% updated anti-virus software more than once a week, a practice a Sophos senior technology consultant likened to "brushing your teeth only once a week."
-http://www.vnunet.com/News/1139077

Defense Department Wireless Policy Due by April (25 February 2003)

The wireless device policy for the Defense Department will be released in March or April; a policy released in October 2002 addressed wireless device usage at the Pentagon. That policy requires wireless devices to use authentication and encryption to protect information. The policy is being created by the NSA, DISA and information assurance staff from the Defense Department CIO's staff.
-http://www.fcw.com/fcw/articles/2003/0224/web-wire-02-25-03.asp

Microsoft Releases Security Operations Guide for Windows 2000 Server (25 February 2003)

Microsoft has released the Security Operations Guide for Windows 2000 Server, which addresses patch management, auditing, intrusion detection, and hardening. The guide follows a fictional company through the process, and describes the consequences of each choice that is made. Guides for other operating systems should be out later this year.
-http://www.eweek.com/article2/0,3959,903377,00.asp
-http://www.microsoft.com/technet/security/prodtech/
windows/windows2000/staysecure/Default.asp

Hacker Convicted, Ordered to Pay Reparation and Perform Community Service (25 February 2003)

A hacker in New Zealand has pleaded guilty to a charge of "willful damage" for breaking into a local ISP's network. The man exploited a vulnerability in SSH to gain access to ISP customers' financial information. He has been ordered to perform 100 hours of community service and to pay $3,000 in reparation.
-http://www.nzherald.co.nz/storydisplay.cfm?storyID=3197605&thesection=techno
logy&thesubsection=general
-http://www.nzherald.co.nz/storydisplay.cfm?storyID=3197764&thesection=techno
logy&thesubsection=general

Manufacturers Place Security at Top of List (24 February 2003)

Gartner's Dataquest survey of people who make IT decisions in the manufacturing sector found that they considered security a top priority. Security was followed by enterprise resource planning, web services, data warehousing and IT architecture design.
-http://www.infosecuritymag.com/2003/feb/digest24.shtml#news5

Canadian Firm Informed Customers of Security Breach (24 February 2003)

After a hard drive containing sensitive information about its customers was reported stolen from IBM Canada's Information Systems Management (ISM), the Canadian firm Co-operators Life Insurance Company informed all affected customers that there had been a security breach and that their information may have been accessed. An ISM employee has been arrested and charged in the case, and investigators are hopeful that the data was not used for malicious purposes; the suspect may have wanted the physical hard drive, not the information it contained. Canadian law does not require companies to inform customers in the event of a security breach.
-http://www.computerworld.com/securitytopics/security/story/0,10801,78746,00.html

Company Recovers Server Data (24 February 2003)

Russian hackers took control of five servers belonging to Grafix Softech, F.A., encrypted the data on all of them and demanded a ransom in return for the encryption key. The company allegedly paid the ransom, and used the key on the servers. It worked on the four support servers, but on the fifth, which contained operational data, it appeared to have the effect of having erased all the information on the hard drive. CBL Data Recovery Technologies was called in to help address the situation; they figured out that because SQL servers contain data in 32-kb pages, what they needed to was find all the pages and put them in order.
-http://www.ds-osac.org/view.cfm?KEY=7E4454404050&type=2B170C1E0A3A0F162820

Microsoft Developing Windows Rights Management Services (23 February 2003)

Windows Rights Management Services, a technology under development at Microsoft, is being deigned to help companies control who may see, copy, print and forward internal documents. Critics fear that the technology will allow companies to get away with breaking laws because employees who would be whistleblowers would never see the incriminating documents.
-http://www.wired.com/news/infostructure/0,1377,57780,00.html
[Editor's Note (Shpantzer): In cases where the government is being defrauded, the would-be whistleblower may be sufficiently motivated by the reward money that waits at the end of the "qui tam" litigation process. This, in addition to their good conscience, is often sufficient for whistleblowers to come forward. If so, the 'secret society' argument in the wired article is overridden by the need for organizations to maintain control of their intellectual property. ]

TK Worm Still Spreading (21 February 2003)

This article provides a detailed account of the TK worm's evolution, method of propagation and payload. The worm is still spreading, though its DDoS (distributed denial of service) component is no longer a threat.
-http://www.idefense.com/Intell/CI022103.html

SURVEY ARTICLE

U.S. Information Security Law, Part One: Protecting Private Sector Systems, and Information Security Professionals and Trade Secrets

This is the first article in a four-part series exploring the law of information security in the United States. The series is designed to be a resource for information security professionals in two respects. First, a legal perspective on security is valuable in itself, as an aid to defining the assets and interests to be protected and as the source of the prerequisites for and types of recovery available when breaches of security occur. Second, information about the intersection of law and information security will help information security professionals and their counsel work together more effectively.
-http://www.securityfocus.com/infocus/1669
[Editor's Note (Paller): SANS has a Legal Liability project underway that will lead to a training track. We are looking for attorneys who want to help create a high standard of excellence in the materials. Email legalliability@sans.org if you have the legal credentials and a desire to help create the consensus. ]

---

===end===
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) visit https://portal.sans.org/preferences.php/
To update your address, visit http://www.sans.org/sansurl and enter
your SD number (from the header of this email.) You will receive your
personal URL via email.