SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #19
May 12, 2004
A lot of Sasser worm news this week, so we broke it out in a separate section. And, if you read this before 2 PM EDT (1800 UTC), please join us for today's Wednesday Internet Threat Update Webcast. It features the directors of SANS Internet Storm Center analyzing the most recent attacks and offers time for Q&A. It is another free service. http://www.sans.org/webcasts/show.php?webcastid=90488
SASSER NEWS
Admitted Sasser Author ArrestedNew Sasser Variant Warns of Flaw, Urges Update
Sasser and NetSky Could Present Dangerous Blended Threat
Sasser Cleanup Tool Available
Sasser Hits American Express, Delta Airlines, Universities
Message in Code Hints NetSky Author Responsible for Sasser
OTHER TOP NEWS STORIES
Election Assistance Commission Hears eVoting Machine TestimonySecurity Incidents Cost Companies Business
THE REST OF THE WEEK'S NEWS
German Police Arrest Phatbot CreatorSecurity Policies Fail Because They Are Ignored
Automated Compliance Tools Ensure Policies Are Enforced New Wi-Fi Standard May Require New Hardware
NIST Releases Draft Guidelines for VoIP Security
British MPs Won't Have Wireless Until Security is Assured
Security Breach at Four UCSD Financial Services Department Computers
Stock-Trading Fraudster Gets Prison Sentence
Federal Geographic Data Committee Creates Data Review Guidelines
Many Companies Don't Maintain Adequate Log Files
Microsoft to Advise German Government on Cyber Security
VULNERABILITY UPDATES AND EFFECTS
Exploits Circulating for Windows Internet Information Server 5.0 VulnerabilityUpgrade for Check Point VPN Software Addresses ISAKMP Vulnerability
Eudora Vulnerability Permits Remote System Access
Apple Releases Fixes for Mac OS X Vulnerabilities
************** Highlighted Training Program Of The Week ***************
SANSFIRE 2004, on the Ocean in Monterey, California, July 5-13, 2004
SANSFIRE offers you 14 immersion training tracks in one of the most beautiful and romantic places in America -- Monterey California - in early July. Phenomenal training for auditors who want to master the challenges of security auditors, for managers who want to build a great security program, for beginners who want to get a fast start, and, of course, the only place to go for technologists who want to master the most current methods for protecting systems and networks. SANSFIRE also offers lots of evening programs and birds-of-a-feather sessions, extra one-day classes ranging from Cybersecurity Business Law to Cyberwarrior training, and vendor exhibits, too.
Register soon to get a seat at your choice of courses. http://www.sans.org/sansfire2004
*************************************************************************
SASSER NEWS
Admitted Sasser Author Arrested (10/8 May 2004)
Police say 18 year-old Sven Jaschan of Rotenburg, Germany, has admitted to creating the Sasser worm. The people who came forward with technical evidence implicating Jaschan will receive a $250,000 reward from Microsoft if he is successfully prosecuted. Jaschan is also allegedly the author of some versions of NetSky.-http://www.washingtonpost.com/wp-dyn/articles/A11160-2004May8.html
-http://news.bbc.co.uk/2/hi/europe/3695857.stm
-http://www.cnn.com/2004/TECH/internet/05/08/sasser.arrest.ap/index.html
-http://www.cnn.com/2004/TECH/internet/05/10/sasser.arrest.reut/index.html
-http://news.com.com/2102-1009_3-5208655.html?tag=st.util.print
-http://www.newscientist.com/news/print.jsp?id=ns99994973
-http://www.theregister.co.uk/2004/05/10/sasser_more_confusion/print.html
[Editor's Note (Pescatore): Most forms of deterrence are better than no deterrence at all, but it is important not to let the focus shift away from the vulnerabilities that enable the worms to damage businesses. As long as software has glaring holes, someone will exploit them, much the way car thieves continue to steal cars where the key is left in the ignition. ]
New Sasser Variant Warns of Flaw, Urges Update (10/9 May 2004)
A new version of the Sasser worm, Sasser.E, has emerged after the arrest of Sven Jaschan. This version warns recipients that their computers are vulnerable to the MS04-011 vulnerability and urges them to update their systems with a patch from Microsoft. Microsoft believes the variant was released four days before Jaschan's arrest.-http://www.infoworld.com/article/04/05/09/HNnewsasser_1.html
-http://news.com.com/2102-7349_3-5209459.html?tag=st.util.print
Sasser and NetSky Could Present Dangerous Blended Threat (6 May 2004)
Some experts are concerned that Sasser and NetSky could be combined to create a more dangerous, blended threat.-http://news.com.com/2102-7349_3-5207634.html?tag=st.outil.print
-http://www.computerworld.com/printthis/2004/0,4814,92936,00.html
Sasser Cleanup Tool Available (5 May 2004)
Nearly 1.5 million people downloaded a Sasser cleanup tool from Microsoft in the two days after the tools release.-http://www.computerworld.com/printthis/2004/0,4814,92912,00.html
Sasser Hits American Express, Delta Airlines, Universities (7/4 May 2004)
-http://www.techweb.com/wire/story/TWB20040507S0008
-http://www.computerworld.com/printthis/2004/0,4814,92892,00.html
Message in Code Hints NetSky Author Responsible for Sasser (4/3 May 2004)
A message hidden in the code of NetSky.AC suggests that the author of that worm is also responsible for Sasser. "The message is attributed to "the SkyNet" a virus-writing group that also claimed responsibility for other NetSky variants." In addition, Netsky and Sasser call the same set of functions in the same order, suggesting the existence of a private code library.-http://www.computerworld.com/printthis/2004/0,4814,92871,00.html
-http://asia.cnet.com/newstech/security/printfriendly.htm?AT=39177957-39001150t-3
9000005c
************************ SPONSORED LINKS ******************************
Privacy notice: These links may redirect to non-SANS web pages.
(1) FREE White Paper: "Outsmart the Top 10 Web Application Attacks!"
http://www.sans.org/click.php?id=435
(2) Better perimeter protection with the Symantec Gateway Security 5400
Series.
Click here. http://www.sans.org/click.php?id=436
***********************************************************************
OTHER TOP NEWS STORIES
Election Assistance Commission Hears eVoting Machine Testimony (6/5 May 2004)
The newly formed Election Assistance Commission last week heard testimony regarding the security of electronic voting machines. California Secretary of State Kevin Shelley, who recently decertified all touch-screen voting machines in his state, said such machines are, at present, too unreliable to use in elections. There was also heated debate over the implementation of paper receipts or a paper trail for the machines. Proponents say it offers better security, while opponents/detractors say it adds complexity and cost to the process and adds another thing that could go wrong.-http://www.computerworld.com/printthis/2004/0,4814,92950,00.html
-http://www.fcw.com/fcw/articles/2004/0503/web-evote-05-05-04.asp
-http://www.computerworld.com/printthis/2004/0,4814,92968,00.html
Security Incidents Cost Companies Business (5 May 2004)
According to a study of more than 100 large UK companies and government agencies, those that had experienced a security breach saw a 47% attrition rate in their business-to-business sector. The companies that did not take their business elsewhere spent slightly less with the company than they had been previous to knowledge of the breach.-http://www.zdnet.co.uk/print/?TYPE=story&AT=39153693-39020375t-10000025c
[Editor's Note (Pescatore): This is the holy grail for justifying security, and we are starting to see it come true. Phishing attacks are undermining consumer confidence in online business, causing growth to flatten. Supply chain integration doesn't look so attractive when your supplier passes on MSBlast to all your servers.
(Schneier): It's not clear whether it's the actual breach and attendant problems that cause the customer attrition, or whether it's the customer losing faith in the company merely because of the knowledge of the breach -- which encourages companies to keep breaches secret. ]
THE REST OF THE WEEK'S NEWS
German Police Arrest Phatbot Creator (10/8 May 2004)
German police have arrested a 21-year-old man from Baden-Wuerttemberg who admitted to creating the Agobot or Phatbot worm. Five other possible accomplices are being investigated, according to authorities.-http://www.computerworld.com/printthis/2004/0,4814,93036,00.html
-http://www.securitynewsportal.
com/cgi-bin/cgi-script/csNews/csNews.cgi?database=JanEE%2edb&command=viewone&id=15&op=t
-http://reuters.com/newsArticle.jhtml?type=internetNews&storyID=5080788
Security Policies Fail Because They Are Ignored (10 May 2004)
Security manager reports that security policies are routinely ignored in the real world. Even incident handling policies are ignored, "No one uses these documents. They just sit in a binder on a bookshelf or in a shared disk...." A single page Incident Handling step by step guide reference card he created seems to help.-http://www.computerworld.com/printthis/2004/0,4814,92946,00.html
[Editor's Note (Paller): If you need a single page "emergency step-by-step guide" to incident handling, there's one in "Computer Security Incident Handling: Step-by-Step" available for purchase from the SANS School Store. It is discounted to $22.50 this week.
-https://store.sans.org/store_category.php?category=stepxstep]
Automated Compliance Tools Ensure Policies Are Enforced (10 May 2004)
New compliance enforcement tools from multiple vendors enable enterprises to ensure computers are safely configured before allowing them to be connected to enterprise networks. That's an increasingly popular and effective method of keeping infected systems off your network.-http://www.computerworld.com/printthis/2004/0,4814,92943,00.html
New Wi-Fi Standard May Require New Hardware (7/6/5 May 2004)
802.11i and 802.11e wireless standards should be out by the end of the year. 802.11e will make wireless voice over IP more realistic and 802.11i is expected to radically improve security of wireless communications. However the latter may require hardware upgrades, especially for systems purchased more than three months ago.-http://www.pcworld.com/news/article/0,aid,115999,00.asp
">
-http://www.pcworld.com/news/article/0,aid,115999,00.asp
-http://www.infoworld.com/article/04/05/07/HNwifi_1.html
-http://www.computerworld.com.au/index.php/id;237300318;fp;16;fpid;0
-http://www.pcworld.com/news/article/0,aid,115999,00.asp
">
-http://www.pcworld.com/news/article/0,aid,115999,00.asp
NIST Releases Draft Guidelines for VoIP Security (6 May 2004)
The National Institute of Standards and Technology (NIST) has released draft guidelines for securing Voice Over IP technology. The suggestions include putting voice and data traffic on logically different networks and denying access to the voice gateway from the data network. NIST is accepting comments on the draft through June 18.-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=25844
-http://csrc.nist.gov/publications/drafts/NIST_SP800-58-040502.pdf
British MPs Won't Have Wireless Until Security is Assured (6 May 2004)
British Members of Parliament (MP) will not have wireless capabilities at Westminster until their security can be assured. Parliamentary authorities made the decision shortly after the release of a report from the Times about Bluesnarfing vulnerabilities in mobile phones. The House of Commons advised MPs to turn off Bluetooth functionality on their phones.-http://www.vnunet.com/News/1154965
Security Breach at Four UCSD Financial Services Department Computers (6 May 2004)
The University of California San Diego is informing approximately 380,000 students, alumni, applicants, faculty and staff that their personal details may have been compromised. Four computers at the school's Business and Financial Services Department experienced security breaches. The case is being investigated by campus police and other law enforcement agencies.-http://www.thesandiegochannel.com/technology/3276449/detail.html
Stock-Trading Fraudster Gets Prison Sentence (6 May 2004)
Van T. Dinh has been sentenced to 13 months in prison for computer intrusion and identity theft. Dinh tricked someone with an on-line brokerage account into downloading a Trojan horse program, which allowed Dinh to log the man's keystrokes and steal his account information. Dinh then logged into that account and purchased options that he had placed to sell at an inflated price, hoping to offset a potential loss of nearly $90,000. After he was caught, Dinh pleaded guilty to unauthorized access to a protected computer and securities fraud; he has also repaid his victim.-http://www.securityfocus.com/printable/news/8564
Federal Geographic Data Committee Creates Data Review Guidelines (5 May 2004)
The Federal Geographic Data Committee has developed a set of non-binding guidelines for reviewing geospatial data. The guidelines are designed to help agencies decide whether or not to make their geospatial data public. Agencies are asked to consider if the information would provide terrorists with information needed to plot an attack, whether the information is available elsewhere and whether or not the benefits of making it public outweigh the risks. FGDC is accepting comments on the guidelines through June 2.-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=25834
Many Companies Don't Maintain Adequate Log Files (4 May 2004)
Research from NTA Monitor, a European security testing company, shows that companies often do not adequately maintain log files that could be used as evidence in the event of an intrusion or other security breach. Some errors companies make include not turning on logging for various reasons, keeping logs for just a short period of time, storing log data in public folders and neglecting time synchronization.-http://www.vnunet.com/News/1154909
[Editor's Note (Tan): When responding to incidents, some don't even know where the log files are stored. In many cases, log files are alien to them.
(Paller) Log monitoring is a defense that very few people are trained to do, so most people do it very badly. If you don't have an expert on staff, one of the few ways to know whether your machines have been compromised is to use an outsourced service. NewsBites editorial board member Bruce Schneier notes that his company, Counterpane Internet Security (
-http://www.counterpane.com)
provides an outsourced log monitoring services. (Yes, that was a plug; it is also solid advice.) ]
Microsoft to Advise German Government on Cyber Security (3 May 2004)
Microsoft has signed an agreement with Germany's federal government to provide cyber security advice. As part of the agreement, Microsoft will support a German secure legal transaction standard and Germany will license Office 2003 XML dialects.-http://zdnet.com.com/2102-1105_2-5204643.html?tag=printthis
-http://washingtontimes.com/upi-breaking/20040503-010736-5696r.htm
[Editor's Note (Grefer): This is in stark contrast to the attitude towards Microsoft displayed years ago by the German government. After the infamous "NSAKEY" allegations had surfaced, Germany's government had deemed Microsoft's closed source operating systems and applications too much of a risk and evaluated a lot of alternative solutions.
(Paller): Actually the German program is part of a global Microsoft initiative to weave and enhance complex support relationships with the security elements of national governments. If the German and other government agencies are as disciplined, firm, and technically savvy as the US and UK have been, the entire community of users will be greatly benefited. The US and UK partnerships with Microsoft have already led to many of the most important security improvements you will see in Microsoft's next operating system, Longhorn. ]
VULNERABILITY UPDATES AND EFFECTS
Exploits Circulating for Windows Internet Information Server 5.0 Vulnerability (10 May 2004)
-http://news.bbc.co.uk/2/hi/technology/3699965.stm
Upgrade for Check Point VPN Software Addresses ISAKMP Vulnerability (7 May 2004)
-http://security.itworld.com/4343/040507checkpointhole/pfindex.html
Eudora Vulnerability Permits Remote System Access (7 May 2004)
-http://www.techworld.com/security/news/index.cfm?newsid=1516
Apple Releases Fixes for Mac OS X Vulnerabilities (4 May 2004)
The company has been criticized for downplaying the flaws seriousness.-http://news.com.com/2102-7355_3-5205912.html?tag=st.util.print
-http://docs.info.apple.com/article.html?artnum=61798
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
