SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VI - Issue #10

March 10, 2004

TOP OF THE NEWS

Court Upholds Decision Deeming Broad e-Mail Subpoenas As Cyber Intrusions
China Urged to Reconsider Stance on WLAN Security Standard
CPAs Show Leadership in Information Security
SPYBLOCK Act Takes Aim at Spyware

THE REST OF THE WEEK'S NEWS

SCO.com Back On-Line
Inside the Defense Computer Forensics Lab
National Strategy to Secure Cyberspace Has Had Minimal Impact, Say Executives
Companies Require Customers to Waive Right to Sue if Personal Data is Compromised
Security Improvements in Windows XP SP2 Could Break Some Applications
Report on Senate Judiciary Committee Network Security
CEOs: Security's Improved Since September 11
F-Secure Improves Security After Sending Out NetSky
OMB Finds Agencies Lagging in FISMA Compliance
Phishing Scheme Gets More Subtle
OMB: Agencies' Interpretation of Security Incidents Varies
Earthlink Will Test E-Mail Sender Authentication Technology
Worms Consume Broadband Profits
Are Worm Variants Due to a Grudge Match?
Researchers Find Spyware in 5% of PCs Connected to University Network
Survey: Viruses and Attacks Up 25% at UK Companies
GAO Finds Security Problems at USDA
Companies Opt for Off-the-Shelf Compliance Products

VULNERABILITY UPDATES AND EFFECTS

Microsoft Announces MSN Messenger Vulnerability and Two Others
Sober.D Poses as MyDoom Patch
Linux Kernel Vulnerability Allows Privilege Escalation
Flaw in Apple's QuickTime Player Allows Remote Code Execution


************************** Sponsored by NetIQ *************************
Free Security Event Management Guide
Do you need more efficient, automated log management methods and tools to manage the terabytes of information generated by your Security Event Management systems?

Download our free guide, "Log Management: Closing the Loop on Security Event Management," to discover the crucial role that log management plays as part of a complete Security Event Management solution.

http://www.netiq.com/f/form/form.asp?id=2469&origin=NS_SANS_031004

***********************************************************************
This Week's Featured Security Training Program:

Because SANS 2004 is nearly sold out, showing that employers are once again saying yes to requests for effective training, we have added six new conferences between May and July: Colorado Springs, Chicago, Baltimore, Kansas City (Overland Park), Denver and Minneapolis.
Find details at http://www.sans.org

But there's still space in most of the courses at our mega-conference in Orlando April 1-9. Security managers and analysts, system and network administrators, auditors and forensic analysts will each find immersion training focused on their special needs, and all taught by the highest-rated instructors in the US. And it is all in Orlando Florida.

http://www.sans.org/sans2004

*************************************************************************

TOP OF THE NEWS

Court Upholds Decision Deeming Broad e-Mail Subpoenas As Cyber Intrusions (5 March 2004)

A federal appeals court has upheld an August 2003 decision that "overly broad" subpoenas for e-mail "qualify as computer intrusions." The Justice Department has said the ruling has made it more difficult for law enforcement officials to procure private e-mail.
-http://www.securityfocus.com/printable/news/8199

China Urged to Reconsider Stance on WLAN Security Standard (4 March 2004)

Intel Chief Technology Officer (CTO) Pat Gelsinger plans to meet with Chinese government officials to discuss China's WLAN security standard, WLAN Authentication and Privacy Infrastructure (WAPI), which uses a protocol that is incompatible with the Wired Equivalent Privacy (WEP) protocol. There is also concern that foreign companies wishing to participate in the Chinese WLAN market have no choice but to partner with Chinese firms, as they are the only ones who have the details of WAPI technology. In addition, US Secretary of State Colin Powell, US Secretary of Commerce Donald Evans and White House Trade representative Robert Zoellick have written a joint letter to Chinese Deputy Prime Ministers Wu Yi and Zeng Peiyan asking them to reconsider their position on the issue.
-http://www.computerweekly.com/articles/article.asp?liArticleID=128868&liArticleTypeID=1&liCategoryID=2&liChannelID=22&liFlavourID=1&sSearch=&nPage=1

-http://news.com.com/2102-7351_3-5170025.html?tag=st.util.print

CPAs Show Leadership in Information Security

The American Institute of Certified Public Accountants Inc. (AICPA) is integrating the Center for Internet Security technical benchmarks into its Trust Services auditing guidelines. This positions AICPA's audit guidelines as the only ones that enable different auditors to get comparable and consistent results in their security audits.
-http://www.computerworld.com/printthis/2004/0,4814,90866,00.html

SPYBLOCK Act Takes Aim at Spyware (2 March 2004)

Three US Senators have introduced the Software Principles Yielding Better Levels of Consumer Knowledge (SPYBLOCK) Act which would make it illegal to download software onto people's computers from the Internet without their permission, and would require companies that offer software for downloading to disclose what their programs do and what type of information they collect. Advertisements generated by spyware would have to be clearly labeled as such. Furthermore, the proposed legislation would allow states to sue violators in federal court and the FTC to impose fines and civil penalties.
-http://www.washingtonpost.com/ac2/wp-dyn/A23307-2004Mar2?language=printer
[Editor's Note (Ranum): Much spyware already hides "user permission" in a click license of some form. SPYBLOCK is going to be as helpful about spyware as CAN-SPAM has been for spam. Anyone still getting spam now that it's illegal? ;)
(Schultz): This bill appears to be exactly what is needed to stem the proliferation of spyware. ]


************************ SPONSORED LINKS ******************************
Privacy notice: These links may redirect to non-SANS web pages.

(1) WHITE PAPER - Spam threatens network security. Learn how to protect your enterprise.
REQUEST: http://www.sans.org/click.php?id=351

(2) Best Practices for Incident Response - Sign up for the practitioner's guide at
http://www.sans.org/click.php?id=352

***********************************************************************

THE REST OF THE WEEK'S NEWS

SCO.com Back On-Line (8 March 2004)

The SCO.com web site is back on the Internet after a month-long distributed denial-of-service attack launched by computers infected with MyDoom. The attack was supposed to begin on February 1 and end on February 12, but because some computers' clocks were set incorrectly, it lasted several weeks longer.
-http://zdnet.com.com/2102-1105_2-5171499.html?tag=printthis

Inside the Defense Computer Forensics Lab (8 March 2004)

The Defense Computer Forensics Lab (DCFL) accepts, stores and analyzes digital evidence gathered in cases involving the military. This article describes the Lab's process for extracting and analyzing digital evidence, which can include damaged hard drives, tapes and cell phones; it also details the intrusion analysis squad's involvement in the investigation of Defense Department network intrusions. DCFL investigators receive special training to preserve the integrity of the data.
-http://www.nwfusion.com/research/2004/0308dod.html

National Strategy to Secure Cyberspace Has Had Minimal Impact, Say Executives (8 March 2004)

Corporate executives say the National Strategy to Secure Cyberspace (NSSC) has had little or no impact on the way their companies plan for and invest in security. Many companies have implemented security plans for other reasons, including compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act.
-http://www.computerworld.com/printthis/2004/0,4814,90863,00.html

Companies Require Customers to Waive Right to Sue if Personal Data is Compromised (5 March 2004)

Companies are increasingly requiring customers to waive their right to sue if their information is stolen from the company's networks regardless of what security measures the company has in place. The trend is likely motivated by several recent high-profile cases in which the Federal Trade Commission took action against companies that failed to adequately secure customer data despite assurances that the information would be protected.
-http://www.washingtonpost.com/ac2/wp-dyn/A31874-2004Mar4?language=printer

Security Improvements in Windows XP SP2 Could Break Some Applications (4/5 March 2004)

Microsoft wants software developers to test their code against the upcoming Windows XP Service Pack 2 beta; it contains security improvements that could prevent some applications from working correctly. Microsoft is also offering an online training course designed to educate developers about the implications of the changes. The Service Pack will also allow customers to opt in to automatic security updates.
-http://www.computerworld.com/printthis/2004/0,4814,90849,00.html
-http://www.washingtonpost.com/ac2/wp-dyn/A29328-2004Mar4?language=printer
-http://www.internetnews.com/ent-news/print.php/3322381

Report on Senate Judiciary Committee Network Security (5 March 2004)

Investigators say a "significant lack of security" allowed Republican Senate Judiciary Committee staffers to access Democratic documents on the committee's network. Senate Sergeant-at-Arms William H. Pickle hired an outside forensics team to investigate the matter. The security problems were attributed to the administrator's "lack of experience, training and oversight." Since the discovery of the problem, Republican and Democratic committee staffs have been put on their own LANs, each with its own administrator. The report recommended security improvements, including establishing technical skills assessment, certification and education for administrators and requiring that all new employees be given ethics and computer security training.
-http://www.washingtonpost.com/ac2/wp-dyn/A31803-2004Mar4?language=printer
-http://zdnet.com.com/2102-1105_2-5170987.html?tag=printthis
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25196

Report:
-http://judiciary.senate.gov/print_testimony.cfm?id=1085&wit_id=2514
-http://judiciary.senate.gov/print_testimony.cfm?id=1085&wit_id=3088

CEOs: Security's Improved Since September 11 (5 March 2004)

A recently released survey of 100 CEOs from "leading US companies" says that nearly all have improved both physical and cyber security since the September 11 attacks. Cyber security spending has increased 10% and most CEOs expect spending to remain steady or increase slightly in 2004. About 90% of those surveyed said they test their emergency response plans once a year; 40% test at least twice a year.
-http://www.computerworld.com/printthis/2004/0,4814,90852,00.html

F-Secure Improves Security After Sending Out NetSky (4 March 2004)

F-Secure has increased security for its customer mailing lists after inadvertently sending out a version of NetSky in late February. F-Secure director of antivirus research Mikko Hypponen said the company will no longer accept outside e-mail to its list and will block attachments.
-http://news.com.com/2102-7349_3-5170277.html?tag=st.util.print
[Editor's Note (Grefer): Please use this incident as a reminder to check the settings of your mailing lists. If your mailing list is intended for one way communication, i.e. a newsletter or alerts, make sure that you allow content only from a trusted source - typically from a specific account within your company - to be sent out, after it has passed a validation process. If you are operating a discussion list, consider running it as a moderated list, preferably with scanning of attachments. ]
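As an added example (not F-Secure's code and not part of the original NewsBites item), the Python script below applies the two controls described above as a pre-send gate for a one-way list: a submission is forwarded only if every From address is on an approved-sender list and the message carries no attachment. The approved address, the list address and the three sample messages are constructed for illustration. One caveat a practitioner should keep in mind: the From header is trivially forged, so the allow-list alone only stops accidental or unsophisticated posts and should be paired with an authenticated submission path (for example, SMTP AUTH on a dedicated submission host).

```python
"""Pre-send gate for a one-way mailing list (newsletter or alert list).

Added example, not F-Secure's or SANS's own code. Approved sender,
list address and sample messages are constructed for illustration.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Hypothetical allow-list: only the internal alerts account may post.
APPROVED_SENDERS = frozenset({"alerts@example.com"})


def sender_addresses(msg):
    """All addr-specs in the From header (empty list if header missing)."""
    hdr = msg["From"]
    return [a.addr_spec.lower() for a in hdr.addresses] if hdr else []


def attachment_names(msg):
    """Filenames of every attachment part; empty for a plain text message."""
    return [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]


def gate(raw, approved=APPROVED_SENDERS):
    """Return (accept, reasons). Forward to the list only if accept is True.

    Caveat: From is forgeable, so this check must sit behind an
    authenticated submission path; it is a safety net, not authentication.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    senders = sender_addresses(msg)
    if not senders:
        reasons.append("missing From header")
    for sender in senders:
        if sender not in approved:
            reasons.append(f"sender not approved: {sender}")
    for name in attachment_names(msg):
        reasons.append(f"attachment present: {name}")
    return (not reasons, reasons)


def build(sender, body, attachment=None):
    """Constructed sample message (test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "list@example.com"
    m["Subject"] = "Weekly alert"
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()


LEGIT = build("alerts@example.com", "Patch now.")
OUTSIDER = build("Security Team <bounce@example.net>", "See attached.")
WITH_ATTACHMENT = build("alerts@example.com", "Virus sample",
                        ("netsky.scr", b"MZ\x90\x00"))

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("outsider", OUTSIDER),
                       ("attachment", WITH_ATTACHMENT)):
        accept, reasons = gate(raw)
        print(f"{label}: {'ACCEPT' if accept else 'REJECT'} {reasons}")
```

On a real list the gate sits between the submission mailbox and the list expander, and rejected messages should be quarantined for a human to look at rather than silently dropped; the reasons list is what that reviewer sees.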

OMB Finds Agencies Lagging in FISMA Compliance (3/4 March 2004)

An Office of Management and Budget (OMB) review of nearly 8,000 agency computer systems found that just 62% have been certified and accredited by an inspector general or a third-party entity. The OMB had set a goal of having 80% of systems certified by December 2003. Only 78% of systems evaluated had undergone risk assessment and 73% have up-to-date IT security plans. OMB will require agencies to address these problems before they're allowed to spend money on development, enhancement or modernization in fiscal 2004. Despite having missed OMB targets, agencies did improve in each of the seven categories OMB evaluated.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25149

-http://www.fcw.com/fcw/articles/2004/0301/web-fisma-03-03-04.asp
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25156

OMB's Annual Report to Congress (Fiscal 2003):
-http://www.whitehouse.gov/omb/inforeg/fy03_fisma_report.pdf

Phishing Scheme Gets More Subtle (3 March 2004)

An especially artful phishing scheme aimed at Westpac on-line banking customers even goes so far as to include an oft-repeated caveat: the bank will never ask for personal or log-in details in e-mail. The link in the phony e-mail opens a fake Westpac website in front of the real Westpac site. Customers are instructed to log on to the site and "verify their credentials." After the information has been entered, the customer receives a phony error message and is sent to the bank's actual web site.
-http://news.zdnet.co.uk/internet/security/0,39020375,39147979,00.htm

OMB: Agencies' Interpretation of Security Incidents Varies (3 March 2004)

Widely disparate levels of security incident reporting from US government agencies have prompted Office of Management and Budget (OMB) officials to step back and examine how agencies interpret the reporting requirements. Last year, the Department of Health and Human Services reported 348.9 million incidents while the Department of Housing and Urban Development reported just one.
-http://www.fcw.com/fcw/articles/2004/0308/news-crash-03-08-04.asp
[Editor's Note (Shpantzer): It seems like HHS is reporting security events rather than security incidents, whereas HUD is underreporting altogether. ]

Earthlink Will Test E-Mail Sender Authentication Technology (3 March 2004)

Earthlink plans to start testing technology to reduce the amount of spam and malicious e-mail its users receive.
-http://www.computerworld.com/printthis/2004/0,4814,90746,00.html

Worms Consume Broadband Profits (3 March 2004)

According to a study from Internet traffic management firm Sandvine, worms will cost broadband ISPs as much as US$370 million worldwide. At any given moment, between 2% and 12% of all Internet traffic on ISP networks is malicious.
-http://news.com.com/2102-7355_3-5169232.html?tag=st.util.print
-http://www.theregister.co.uk/content/56/35963.html
-http://www.theglobeandmail.com/servlet/story/RTGAM.20040303.gtsandmar2/BNPrint/Technology/

Are Worm Variants Due to a Grudge Match? (2/3 March 2004)

Text embedded in recently released variants of MyDoom, NetSky and Bagle appears to indicate that the rash of malware is the result of a feud between competing virus-writing groups.
-http://www.eweek.com/print_article/0,1761,a=120716,00.asp
-http://zdnet.com.com/2102-1105_2-5168983.html?tag=printthis
-http://www.computerworld.com/printthis/2004/0,4814,90767,00.html
-http://www.eweek.com/print_article/0,1761,a=120741,00.asp
-http://www.newsfactor.com/story.xhtml?story_title=Worm_Writers_Continue_Verbal_Warfare&story_id=23291&category=netsecurity

Researchers Find Spyware in 5% of PCs Connected to University Network (4 March 2004)

A study conducted by computer scientists at the University of Washington in Seattle found that just over 5% of computers connected to the university's network contained one of four specific spyware programs. They estimate that the real world figure may be larger because students are more tech savvy than ordinary home users and because there are more spyware programs than just the four the study searched for. The researchers also discovered that two of the programs could be exploited to run unauthorized code on the computers.
-http://www.newscientist.com/news/print.jsp?id=ns99994745
[Editor's Note (Ranum): This is on the low side, by my experience. Even corporate networks are greatly infested with the stuff. One company I know had a 90% spyware infestation on user desktops. The presence of so much spyware indicates one thing: corporate users don't look at their outgoing firewall logs anywhere NEAR as much as they ought to. ]
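Ranum's note above points to outgoing firewall logs as the place spyware shows itself. As an added example that is not from the newsletter or from the University of Washington study, the Python script below reads simplified, constructed iptables-style LOG lines (hosts, addresses and timestamps are made up and use documentation IP ranges), keeps only outbound records, lists the external destinations each internal host reached, and flags flows that recur at a near-constant interval, which is how a spyware or adware client checking in with its server typically looks. The thresholds (four or more hits, coefficient of variation of the inter-arrival gaps at or below 0.2) are assumptions to tune for your own network.

```python
"""Outbound firewall log triage: destinations per host and regular
"beacon" flows. Added example; log format and data are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Simplified iptables LOG record. Inbound records carry an empty "OUT="
# and therefore do not match, so only outbound traffic is considered.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"IN=\S* OUT=\S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*PROTO=(?P<proto>\S+) "
    r".*DPT=(?P<dpt>\d+)"
)

# Constructed sample (not a real capture). 10.1.2.3 checks in with
# 192.0.2.10 every five minutes; 10.1.2.4 browses at irregular times;
# the last line is inbound and must be ignored.
SAMPLE_LOG = """\
Mar  9 10:00:00 fw kernel: IN= OUT=eth0 SRC=10.1.2.3 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=1043 DPT=80
Mar  9 10:01:13 fw kernel: IN= OUT=eth0 SRC=10.1.2.4 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1100 DPT=80
Mar  9 10:02:40 fw kernel: IN= OUT=eth0 SRC=10.1.2.4 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1101 DPT=80
Mar  9 10:05:00 fw kernel: IN= OUT=eth0 SRC=10.1.2.3 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=1044 DPT=80
Mar  9 10:07:05 fw kernel: IN= OUT=eth0 SRC=10.1.2.4 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1102 DPT=80
Mar  9 10:10:00 fw kernel: IN= OUT=eth0 SRC=10.1.2.3 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=1045 DPT=80
Mar  9 10:12:30 fw kernel: IN= OUT=eth0 SRC=10.1.2.4 DST=203.0.113.7 LEN=48 PROTO=TCP SPT=1103 DPT=443
Mar  9 10:15:00 fw kernel: IN= OUT=eth0 SRC=10.1.2.3 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=1046 DPT=80
Mar  9 10:20:00 fw kernel: IN= OUT=eth0 SRC=10.1.2.3 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=1047 DPT=80
Mar  9 10:30:00 fw kernel: IN= OUT=eth0 SRC=10.1.2.4 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1104 DPT=80
Mar  9 10:31:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.1.2.3 LEN=48 PROTO=TCP SPT=4455 DPT=135
""".splitlines()


def parse(line, year=2004):
    """Return (timestamp, src, dst, dport) for an outbound record, else None.
    Syslog lines carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the day-of-month padding
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])


def destinations_per_host(lines):
    """Map each internal source host to the sorted (dst, dport) pairs it reached."""
    hosts = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec:
            _, src, dst, dpt = rec
            hosts[src].add((dst, dpt))
    return {h: sorted(d) for h, d in hosts.items()}


def beacons(lines, min_hits=4, max_cv=0.2):
    """Flows (src, dst, dport) seen at least min_hits times whose
    inter-arrival gaps are nearly constant (coefficient of variation
    <= max_cv). Returns {flow: hit_count}. Thresholds are assumptions."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, src, dst, dpt = rec
            flows[(src, dst, dpt)].append(ts)
    found = {}
    for flow, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            found[flow] = len(times)
    return found


if __name__ == "__main__":
    for host, dests in sorted(destinations_per_host(SAMPLE_LOG).items()):
        print(host, "->", ", ".join(f"{d}:{p}" for d, p in dests))
    for (src, dst, dpt), hits in beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst}:{dpt} ({hits} hits at a regular interval)")
```

Run against a day of real outbound logs the destination list is what an analyst reviews for unfamiliar hosts, and the beacon list narrows that review to the flows worth pulling a packet capture for; legitimate software updaters and monitoring agents will also show up as beacons, so an allow-list of known-good destinations is the natural next step.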

Survey: Viruses and Attacks Up 25% at UK Companies (2 March 2004)

The UK's Department of Trade and Industry will publish a survey showing that half of UK businesses fell victim to viruses or distributed denial-of-service attacks last year, a 25% increase over the previous year's figures.
-http://news.zdnet.co.uk/0,39020330,39147959,00.htm
-http://www.pcpro.co.uk/front_frameset/front_ad_tr.php

GAO Finds Security Problems at USDA (1/2 March 2004)

A General Accounting Office (GAO) report says that the US Department of Agriculture (USDA) has "critical, pervasive information security control weaknesses" which could leave the agency's proprietary, financial, agricultural and marketing data vulnerable to exposure or modification. The GAO's recommendations include implementing a comprehensive security management program; despite several initiatives USDA has taken to improve its security, the GAO says it is not progressing quickly enough.
-http://www.govexec.com/dailyfed/0304/030104tdpm2.htm
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25107

-http://www.fcw.com/fcw/articles/2004/0301/web-usda-03-01-04.asp
-http://www.computerworld.com/printthis/2004/0,4814,90709,00.html
-http://www.gao.gov/new.items/d04154.pdf

Companies Opt for Off-the-Shelf Compliance Products (1 March 2004)

Large companies seeking to comply with Section 404 requirements of the Sarbanes-Oxley Act are choosing off-the-shelf products in lieu of developing their own, in-house software. The companies say they save time and money by purchasing the software; the vendors will customize and maintain the products. The Securities and Exchange Commission (SEC) has granted a one-year extension on compliance for companies that meet certain criteria.
-http://www.computerworld.com/printthis/2004/0,4814,90595,00.html
-http://www.computerworld.com/printthis/2004/0,4814,90611,00.html

VULNERABILITY UPDATES AND EFFECTS

Microsoft Announces MSN Messenger Vulnerability and Two Others (9 March 2004)

In its monthly vulnerability announcement, Microsoft told users that two security patches should be applied immediately, including one that patches the first vulnerability in MSN Messenger 6.0.
-http://news.com.com/2100-1002-5171898.html

Sober.D Poses as MyDoom Patch (8 March 2004)


-http://zdnet.com.com/2102-1105_2-5171243.html?tag=printthis
-http://www.eweek.com/print_article/0,1761,a=121095,00.asp
-http://www.computerworld.com/printthis/2004/0,4814,90899,00.html

Linux Kernel Vulnerability Allows Privilege Escalation (8 March 2004)


-http://www.theregister.co.uk/content/55/36097.html

Flaw in Apple's QuickTime Player Allows Remote Code Execution (3 March 2004)


-http://www.computerworld.com/printthis/2004/0,4814,90765,00.html


===end===

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/