SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #2
January 14, 2004
Top Ten Cisco Security Vulnerabilities Project Update. The project team has identified seventeen vulnerabilities that appear to be critical. You can help with the next step of prioritizing the 17 to help the team select the Top 10. Then the team will develop a guide organizations can use to protect themselves against exploits of the Top Ten. If you are willing to help by rating the 17 candidates, send email to info@sans.org with the subject Cisco Top 10.
Alan
TOP OF THE NEWS
Banks Warn Customers About Phishing ScamsAlmost Half of KaZaA Files Contain Malware
Microsoft Announces January Vulnerabilities: One In ISA Is Critical
THE REST OF THE WEEK'S NEWS
Microsoft Extends Support for Older Versions of WindowsNSA Funds Insider Threat Project
ICANN Recommends Redundant Servers be Separated
Adobe Adds Anti-Counterfeiting Technology
Expired VeriSign Certificates Cause Minor Problems
Australian Police Investigating Internet Banking Thefts
Lamo Pleads Guilty to Computer Damage
Japanese Government Investigating Alleged Cyber Intruder
Mississippi Man Pleads Not Guilty to Cyber Extortion
Microsoft Says Word's Password Protection is Not a Security Feature
DARPA to Sponsor Ad-Hoc Mobile Network Workshop
Middle School Student Suspended for Using DOS Messaging System
Fax Spammer Fined $5.4 Million
VULNERABILITY UPDATES AND EFFECTS
Dloader-L or Xombe Trojan Pretends to be XP UpdateRed Hat Ethereal Update Fixes Buffer Overflow Vulnerabilities
MiMail Variants Phish for PayPal Information
Bugbros-A Worm Masquerades as Fix from Microsoft Support
Microsoft Releases MSBlast Remover Tool
************* Sponsored by LURHQ Managed Security Services *************
LURHQ empowers security professionals. Download our "SOC War Stories" to see how our Managed Security Services deliver the effective Threat Management you need to protect, detect and respond against cyber attacks.
Visit: http://www.lurhq.com/sans-ih.html
************************************************************************
TOP OF THE NEWS
Banks Warn Customers About Phishing Scams (12/13 January 2004)
With phishing scams on the rise, banks are warning their customers to be wary of suspicious e-mail, especially if it guides them to a site that asks for personal details that could be used by identity thieves.-http://www.theage.com.au/articles/2004/01/13/1073877805257.html
-http://www.forbes.com/business/newswire/2004/01/12/rtr1207254.html
-http://news.zdnet.co.uk/0,39020330,39119033,00.htm
[Editor's Note (Pescatore): Warning users is mostly just a way to avoid liability. We really need to see the basic Internet infrastructure support a "Caller ID" function to give consumers at least the equivalent defense of what they have on telephone solicitations. This would need innovation at the browser end, which has been sorely lacking for the past several years.
(Grefer): Banks could take a step toward eliminating this problem by cryptographically signing all communicating with their customers. ]
Almost Half of KaZaA Files Contain Malware (6/9 January 2004)
Research from TruSecure, a company specializing in risk management, found that 45% of files downloaded from KaZaA contained malware. TruSecure senior analyst Bruce Hughes encourages companies to educate their employees about the security risks involved in peer-to-peer file sharing.-http://www.zdnet.co.uk/print/?TYPE=story&AT=39118915-39020330t-10000025c
-http://www.wired.com/news/print/0,1294,61852,00.html
[Editor's Note (Pescatore): I'd rather see companies first block programs like KaZaA, and then educate their employees why they shouldn't be trying to download potentially stolen intellectual property. If more universities implement things like the University of Florida's ICARUS software, maybe the next generation of college hires will not take stolen music for granted. ]
Microsoft Announces January Vulnerabilities:
One In ISA Is Critical Microsoft released three vulnerability versions. The one involving Internet Security and Acceleration (ISA) Server (ISA) is a buffer overflow that could allow malicious code to be run by a remote attacker. The problem is widespread because Small Business Server 2000 and Small Business Server 2003 are both vulnerable.-http://www.techweb.com/wire/story/TWB20040113S0015
************************ SPONSORED LINKS ******************************
Privacy notice: Most of these links redirect to non-SANS web pages.
(1) ALERT! "Outsmart Web Application Attackers"- FREE 15-day WebInspect Download
http://www.sans.org/cgi-bin/sanspromo/NB279
(2) Ready for the next NIMDA/CODE RED/BLASTER? Hands-On. Online Demo.
http://www.sans.org/cgi-bin/sanspromo/NB280
(3) Invest in the best network protection. Introducing the Microsoft(r) Security Readiness Kit.
http://www.sans.org/cgi-bin/sanspromo/NB281
(4) Check Out SANS New School Store With Current Specials! Just released books on Business Law, Securing Solaris, Computer Security Incident Handling, books by SANS faculty, and Step-By-Step Guides. Current special: Oracle Security, 7 Pack Guides, and T-shirts.
https://store.sans.org
***********************************************************************
THE REST OF THE WEEK'S NEWS
Microsoft Extends Support for Older Versions of Windows (12 January 2004)
In an "effort to respond to customers' needs around the world," Microsoft has announced that it will continue extended support for Windows 98, 98 Second Edition and Me through June 2006. Microsoft had previously announced it would discontinue support for Windows 98 and 98 SE on January 16, 2004; support for Me was scheduled to end on December 16, 2004 Continuing support for these operating systems will also make it reasonably certain that hotfixes that repair security-related vulnerabilities will continue to be created and released.-http://www.eweek.com/print_article/0,3048,a=116205,00.asp
-http://www.computerworld.com/printthis/2004/0,4814,89010,00.html
[Editor's Note (Schultz): This is really not good for security. These operating systems are for the most part devoid of security capabilities. ]
NSA Funds Insider Threat Project (12 January 2004)
The National Security Agency's Advanced Research and Development Activity (ARDA) is funding a project aimed at protecting computer networks from insider threats. The Voltaire system plans to integrate existing technology to detect suspicious activity and enforce access control. Voltaire is being designed for the intelligence community and should be ready for testing this summer.-http://www.gcn.com/vol1_no1/daily-updates/24622-1.html
More information on ARDA:
-http://www.ic-arda.org/
ICANN Recommends Redundant Servers be Separated (12 January 2004)
The Internet Corporation for Assigned Names and Numbers (ICANN) has recommended that top-level domains run two servers to answer queries, and these two servers must be in different physical locations and on different networks.-http://www.gcn.com/vol1_no1/daily-updates/24616-1.html
-http://www.icann.org/committees/security/dns-recommendation-01nov03.htm
Adobe Adds Anti-Counterfeiting Technology (9/10 January 2004)
At the request of government regulators and bankers, Adobe has added anti-counterfeiting technology to its Photoshop graphics software. The code came from the Central Bank Counterfeit Deterrence Group, which represents banks in many Western European countries, Japan, the UK, the US and Canada. Adobe admitted it had added the software only after a customer complained about the program's behavior when he tried to open an image of a $20 bill. People are displeased that a private company is acting as an agent for governmental powers.-http://www.washingtonpost.com/ac2/wp-dyn/A4798-2004Jan9?language=printer
-http://zdnet.com.com/2102-1104_2-5138816.html?tag=printthis
-http://www.miami.com/mld/miamiherald/news/breaking_news/7674024.htm
Expired VeriSign Certificates Cause Minor Problems (9 January 2004)
Certain versions of VeriSign's Intermediate Certificate Authority expired last week, causing glitches for people trying to access some sites. The expired certificates caused error messages, but did not prevent people from viewing the sites.-http://news.com.com/2102-1029_3-5138356.html?tag=st_util_print
Australian Police Investigating Internet Banking Thefts (9 January 2004)
Australian Federal Police are investigating a scheme in which cyber thieves are using Trojan horse programs to steal people's banking details and transfer money out of their accounts. The people who were targeted had used computers with inadequate anti-virus protection.-http://www.theaustralian.news.com.au/printpage/0,5942,8354034,00.html
Lamo Pleads Guilty to Computer Damage (8 January 2004)
Adrian Lamo has pleaded guilty to one count of computer damage resulting in more than $5,000 in losses for breaking into the New York Times' computer network in early 2002. Lamo's plea deal includes an agreement to serve a 6-12 month prison sentence; his sentencing hearing is set for April 8.-http://www.computerworld.com/printthis/2004/0,4814,88904,00.html
-http://www.securityfocus.com/news/7771
Japanese Government Investigating Alleged Cyber Intruder (8 January 2004)
The Japanese government is investigating a "self-appointed IT security researcher" who allegedly used a CGI vulnerability to access a private area of a government web site. The "researcher" allegedly copied information from the site and shared it with others.-http://www.ds-osac.org/view.cfm?KEY=7E455245475C&type=2B170C1E0A3A0F162820
Mississippi Man Pleads Not Guilty to Cyber Extortion (7 January 2004)
Thomas E. Ray III of Jackson, Mississippi pleaded not guilty to federal charges of extortion; Ray allegedly threatened to divulge a computer vulnerability on Best Buy's web site unless the company paid him $2.5 million. Ray also allegedly threatened to post customers' names and credit card numbers on the web site if his demands were not met-http://zdnet.com.com/2102-1105_2-5136932.html?tag=printthis
-http://www.startribune.com/stories/535/4304797.html
Microsoft Says Word's Password Protection is Not a Security Feature (7 January 2004)
Microsoft Word's password protection feature can be circumvented with a hex editor. According to Microsoft UK's product marketing manager, users should employ digital certificates or applications capable of locking down documents if they want to ensure secure document transfers.-http://zdnet.com.com/2102-1104_2-5136646.html?tag=printthis
-http://news.com.com/2102-1029_3-5136913.html?tag=st_util_print
[Editor's Note (Pescatore): Funny, I don't remember hearing the marketing guy say "Word has a new password feature that is totally useless" *before* people bought the product. ]
DARPA to Sponsor Ad-Hoc Mobile Network Workshop (7 January 2004)
The Defense Advanced Research Projects Agency (DARPA) plans to sponsor a workshop on defending mobile ad-hoc networks. DARPA's interest stems from the Defense Department's "emerging network-centric warfare systems" and the likelihood that those networks will experience attacks and software failures. The workshop is scheduled for February 18 in Arlington, VA.-http://www.fcw.com/fcw/articles/2004/0105/web-darpa-01-07-04.asp
Middle School Student Suspended for Using DOS Messaging System (6 January 2004)
A thirteen-year-old Texas middle school student was suspended for three days because he sent a message saying "Hey" to every computer in the school using an old messaging system his father taught him while tutoring him about DOS (the operating system). The columnist feels that the punishment was far too harsh for the student's actions, particularly because his actions were not forbidden by any written school policy.-http://www.dfw.com/mld/dfw/news/columnists/dave_lieber/7643262.htm
Fax Spammer Fined $5.4 Million (6 January 2004)
The Federal Communications Commission (FCC) has fined Fax.com $5.4 million for sending unsolicited marketing faxes on behalf of its clients.-http://www.silicon.com/research/specialreports/thespamreport/print.htm?TYPE=stor
y&AT=39117629-39025001t-40000011c
VULNERABILITY UPDATES AND EFFECTS
Dloader-L or Xombe Trojan Pretends to be XP Update (9/12 January 2004)
-http://www.computerworld.com/printthis/2004/0,4814,88940,00.html
-http://www.eweek.com/print_article/0,3048,a=115948,00.asp
-http://www.theregister.co.uk/content/56/34819.html
Red Hat Ethereal Update Fixes Buffer Overflow Vulnerabilities (8 January 2004)
-http://searchenterpriselinux.techtarget.com/originalContent/0,289142,sid39_gci94
3719,00.html
MiMail Variants Phish for PayPal Information (7/8 January 2004)
-http://www.internetweek.com/shared/printableArticle.jhtml?articleID=17200628
-http://esecurityplanet.com/alerts/article.php/3297071
Bugbros-A Worm Masquerades as Fix from Microsoft Support (7 January 2004)
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci943545,00
.html
Microsoft Releases MSBlast Remover Tool (6/7 January 2004)
Machines will remain vulnerable if the original patch has not been applied.-http://zdnet.com.com/2102-1104_2-5136260.html?tag=printthis
-http://www.theregister.co.uk/content/56/34751.html
-http://www.microsoft.com/downloads/details.aspx?FamilyID=e70a0d8b-fe98-493f-ad76
-bf673a38b4cf&displaylang=en
NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Bruce Schneier, Eugene Schultz, Gal Shpantzer
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/