SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #28
July 14, 2004
TOP OF THE NEWS
SPAM & PHISHING
Senator Proposes Anti-Phishing Act
Massachusetts Attorney General Files Civil Suit Under CAN-SPAM Act
MISCELLANEOUS
Australian Bank to Offer Customers Tokens as Added Layer of Security
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Former AltaVista Employee Arrested for Allegedly Stealing Source Code
UK Teen Faces Penalties for Bombarding Former Employer with 5 Million eMail Messages
Chinese Citizen Pleads Guilty to Charges of Unauthorized System Access
Cabronator Author Receives 2-Year Sentence
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
Pirated Software Cost US$29 Billion Last Year, Says BSA
Piracy Ring Cracked in Hong Kong
DRM Spending Will Grow Significantly
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
NIST Released Draft Guidelines for FISMA-Required Budget Submissions
More Classified Data Storage Missing from Los Alamos National Lab
DHS Secure Network Links All 50 States to Operations Center
LEGISLATION
Legislators Fail to Limit USA PATRIOT Act's Reach
MALWARE
Site Advertises Malware
Bagle Variants Spread Source Code
Lovgate Variants Spotted
ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Mozilla Vulnerability
Botnets for Rent
IPv6 Vulnerability
Cable Company Insider Allegedly Provided Scammers with Modems
MISCELLANEOUS
Windows XP SP2 to be Available on CD
House Government Reform Subcommittee Hears Testimony on Federal IT R&D
Intel Will Support Microsoft NX Technology
Indian President Wants Military to Use Open Source
Small Storage Devices Pose Security Threat, Says Gartner
TOP OF THE NEWS
SPAM & PHISHING
Senator Proposes Anti-Phishing Act (12 July 2004)
Senator Patrick Leahy (D-Vt.) has introduced legislation that would define phishing as a federal crime and impose a prison sentence of up to five years for those convicted of perpetrating a phishing scam. The Anti-Phishing Act of 2004 outlaws spoofing web sites and does not require that someone actually be defrauded before a phisher is prosecuted. The proposed legislation is careful to define as criminal the spoofing of a web site for the purposes of committing identity theft or other crimes, but allows for parody sites and other such spoofing.
-http://www.computerworld.com/printthis/2004/0,4814,94490,00.html
Massachusetts Attorney General Files Civil Suit Under CAN-SPAM Act (6/2 July 2004)
The Massachusetts Attorney General's office has filed a civil suit against a Florida man under the federal CAN-SPAM Act. The suit is believed to be the first brought by a state under the new law. The complaint alleges that William T. Carson used an invalid business address in his email messages which advertised "pre-approved mortgage rates." According to the complaint, Carson also allegedly did not provide a way to opt out of receiving his messages, did not identify his emails as advertisements and "used a nonfunctioning sender address." At a hearing scheduled for July 21, the Massachusetts AG office "will seek a court order to stop Carson's company from sending more commercial emails."
-http://www.computerworld.com/printthis/2004/0,4814,94318,00.html
-http://zdnet.com.com/2102-1104_2-5255997.html?tag=printthis
[Editor's Note (Schultz): It will be interesting to see how the case turns out. Whatever ruling or verdict results will set an important precedent in dealing with those who violate the CAN-SPAM Act. ]
MISCELLANEOUS
Australian Bank to Offer Customers Tokens as Added Layer of Security (6 July 2004)
Australia's Bendigo Bank plans to offer its customers security tokens to help guard against cyber fraud, particularly phishing scams that attempt to steal banking passwords. The tokens will generate new ID numbers for each customer log in, so phishers will not have all the details they need to access others' accounts.
-http://australianit.news.com.au/common/print/0,7208,10051563%5E15331%5E%5Enbv%5E15306%2D15318,00.html
[Editor's Note (Pescatore): Stronger user authentication really helps against password sniffer malware that leads to identity theft, not phishing attacks. Our consumer surveys showed that consumers are ambivalent about going through the complexity of using strong authentication, but if online banking and online commerce make it easy to use and don't try to pass the cost onto the consumer, they are willing to try. Given the rapid rise of spyware delivering malware to consumer PCs, moving away from reusable passwords is important for stemming consumer erosion in confidence in online services.
(Schneier): This is a good idea, as long as the implementation is simple enough that it doesn't stop customers from using the technology entirely. ]
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Former AltaVista Employee Arrested for Allegedly Stealing Source Code (12/9 July 2004)
Laurent Chavet, a former AltaVista employee who is currently employed at Microsoft, has been arrested on charges that he stole source code from his former employer after he stopped working there. According to an anonymous source, Chavet had been working on Microsoft's MSN search.
-http://www.computerworld.com/printthis/2004/0,4814,94486,00.html
-http://www.eweek.com/article2/0%2C1759%2C1622194%2C00.asp
-http://www.msnbc.msn.com/id/5403025/
UK Teen Faces Penalties for Bombarding Former Employer with 5 Million eMail Messages (12 July 2004)
A teenager who was fired from a UK insurance company faces a six-month jail sentence or a fine of as much as 5,000 GBP under the Computer Misuse Act for sending his former employer 5 million email messages. The company was forced to shut down its web site while it attended to the deluge, and reportedly lost 18,000 GBP as a result.
-http://www.theregister.co.uk/2004/07/12/clerk_bombards_bosses/print.html
Chinese Citizen Pleads Guilty to Charges of Unauthorized System Access (8 July 2004)
Yan Ming Shan, a Chinese citizen, has pleaded guilty in San Jose Federal Court to charges that he accessed 3DGeo development Inc.'s computer system without authorization in order to obtain proprietary software and source code. If convicted, he could face 5 years in prison and a $250,000 fine.
-http://sanfrancisco.bizjournals.com/sanfrancisco/stories/2004/07/05/daily31.html?t=printable
Cabronator Author Receives 2-Year Sentence (5 July 2004)
Oscar Lopez Hinarejos received a two year jail sentence for creating the Cabronator Trojan, which allowed attackers to take control of infected machines, harvesting personal data and using the machines as zombies to launch denial-of-service attacks. Lopez Hinarejos is the first person in Spain to be jailed for writing malware.
-http://www.theregister.co.uk/2004/07/05/spanish_vxer_jailed/print.html
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
Pirated Software Cost US$29 Billion Last Year, Says BSA (7 July 2004)
A Business Software Alliance (BSA) survey says that global trade in pirated software was nearly US$29 billion in 2003, about 60% of the US$51 billion in legitimate desktop software sales worldwide.
-http://www.cnn.com/2004/TECH/biztech/07/07/software.piracy.reut/
[Editor's Note (Grefer): While trade in pirated software totaled the equivalent of $29 billion in regular sales, it is questionable if all "purchasers" would have procured such software at regular prices. ]
Piracy Ring Cracked in Hong Kong (7 July 2004)
Hong Kong's Customs and Excise Department says it has broken a large software piracy ring and is trying to freeze the group's assets which are valued at 20 million Hong Kong dollars, or US$2.6 million. Eight people have been arrested but not yet charged.
-http://www.eweek.com/print_article/0,1761,a=130942,00.asp
DRM Spending Will Grow Significantly (1 July 2004)
Market research firm JupiterResearch says that corporate spending on digital rights management products is set to grow nearly eight-fold in five years, from $36 million last year to $287 million in 2008.
-http://www.internetweek.com/shared/printableArticle.jhtml?articleID=22103402
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
NIST Released Draft Guidelines for FISMA-Required Budget Submissions (9 July 2004)
The National Institute of Standards and Technology has released Special Publication 800-65: Integrating Security into the Capital Planning and Investment Control Process. The draft guidelines are designed to help agencies comply with Federal Information Security Management Act (FISMA) requirements regarding information technology budget submissions.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=26530
-http://csrc.nist.gov/publications/drafts.html#sp800-65
More Classified Data Storage Missing from Los Alamos National Lab (9 July 2004)
An inventory check at Los Alamos National Laboratory (LANL) last week revealed that two Classified Removable Electronic Media (CREM) items were missing from the facility's Weapons Physics Directorate. The laboratory director plans to launch a full inquiry. Another classified removable electronic media item was reported missing from LANL in May of this year as well, though that item had been scheduled to be destroyed; the information discovered to be missing last week was to be used in forthcoming experiments.
-http://www.abqjournal.com/cgi-bin/print_it.pl?page=/north/aplanl07-09-04.htm
DHS Secure Network Links All 50 States to Operations Center (9/8 July 2004)
The Homeland Security Information Network is operational five months ahead of schedule, according to DHS Secretary Tom Ridge. The network, known as the Joint Regional Information Exchange System (JRIES), is a secure, unclassified network that links first responders, local officials, homeland security advisors and governors in all 50 states to the Homeland Security Operations Center, which provides homeland security monitoring and incident management.
-http://www.computerworld.com/printthis/2004/0,4814,94443,00.html
-http://www.fcw.com/fcw/articles/2004/0705/web-hsin-07-08-04.asp
LEGISLATION
Legislators Fail to Limit USA PATRIOT Act's Reach (9/8 July 2004)
US legislators narrowly defeated an attempt to amend the USA PATRIOT Act to limit the powers of the Justice Department in searching bookstore and library records.
-http://www.washingtonpost.com/ac2/wp-dyn/A37480-2004Jul8?language=printer
-http://www.wired.com/news/print/0,1294,64144,00.html
[Editor's Note (Schultz): Sooner or later provisions of the PATRIOT Act will be replaced by more moderate, less invasive ones--it's just a matter of time.
(Schneier): I'm disappointed but not surprised by the tactics used. ]
MALWARE
Site Advertises Malware (8 July 2004)
Chinese malware writers have established a web site on which people can purchase their wares. The writers are apparently altering existing malware rather than writing something completely new. While selling malware on line is not a new phenomenon, what is surprising is the openness of the advertising. China's Ministry of Public Security is investigating.
-http://www.interfax.com/com?item=Chin&pg=0&id=5738976
Bagle Variants Spread Source Code (7/6 July 2004)
A pair of new Bagle variants have been detected; W32/Bagle-AD and AE place the worm's source code on infected computers, suggesting that the author may be afraid that the authorities are closing in; if the code appears on many machines, it will be harder for law enforcement to prove authorship. In addition, the source code is written in assembly language, suggesting that the author is a serious programmer rather than a script kiddie.
-http://www.computerworld.com/printthis/2004/0,4814,94367,00.html
-http://asia.cnet.com/newstech/security/printfriendly.htm?AT=39185909-39001150t-39000005c
Lovgate Variants Spotted (7 July 2004)
Three new variants of the Lovgate worm have surfaced; they scan infected PCs for executable files and replace them with copies of themselves; the payload could eventually render machines unusable.
-http://zdnet.com.com/2102-1105_2-5260304.html?tag=printthis
ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Mozilla Vulnerability (9/8 July 2004)
A flaw in Mozilla's browser could allow attackers to run programs on Windows XP systems; a patch is available. The affected products are Mozilla Version 1.7.0 and earlier, Firefox 0.9.1 and earlier and Thunderbird 0.7.1 and earlier. Full new versions are available on Mozilla's web site. There is also a flaw in the Opera web browser that could be exploited by phishers.
-http://www.techworld.com/security/news/index.cfm?NewsID=1885&Page=1&pagePos=4
-http://zdnet.com.com/2102-1105_2-5262676.html?tag=printthis
-http://www.eweek.com/print_article/0,1761,a=131090,00.asp
-http://www.mozilla.org/security/shell.html
Botnets for Rent (7 July 2004)
Large networks of zombie computers, also called botnets, are being rented on the Internet to people who want to use them for spamming, phishing and launching distributed denial-of-service attacks.
-http://reuters.com/newsArticle.jhtml?type=internetNews&storyID=5605810&pageNumber=0
[Editor's Note (Schneier): I suppose it was the next obvious step. And it's a marriage made in heaven between these guys and spammers. ]
IPv6 Vulnerability (6 July 2004)
The US Computer Emergency Readiness Team (US CERT) along with Secunia, a security advisory company, have warned of a memory leak vulnerability in IPv6 which could be exploited to cause a denial-of-service attack.
-http://asia.cnet.com/newstech/security/printfriendly.htm?AT=39185910-39001150t-39000005c
Cable Company Insider Allegedly Provided Scammers with Modems (5 July 2004)
An insider at cable company UPC reportedly gave Nigerian 419 scammers cable modems that they used in their schemes.
-http://www.theregister.co.uk/2004/07/05/dutch_419_inside_job/print.html
MISCELLANEOUS
Windows XP SP2 to be Available on CD (9 July 2004)
Microsoft's XP Service Pack 2 could be as large as 120 MB, prompting the company to offer the upgrade on free CDs to help ensure dial-up customers are able to install it efficiently. XP SP2 makes significant improvements in the OS's security and simplifies security setting controls.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39160099-39020375t-10000003c
[Editor's Note (Pescatore): The sheer size of SP2 will slow down the migration cycle, especially in the market segments that need to improve PC security the most: home users and small businesses. Microsoft could really advance the cause of security by having separate patch-only releases of the badly needed IE browser fixes that will be in SP2. ]
House Government Reform Subcommittee Hears Testimony on Federal IT R&D (8 July 2004)
A variety of witnesses testified last week at a House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census hearing on "Defining Federal Information Technology Research and Development: Who? Where? What? Why? and How Much?" Peter Freeman, assistant director of the National Science Foundation's computer and information science and engineering directorate, said his agency is able to fund only 10% of the cyber security proposals it receives. Policy expert Edward Lazowska pointed out that DHS is using only 2% of its budget for cyber security research.
-http://reform.house.gov/TIPRC/Hearings/EventSingle.aspx?EventID=1187
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=26526
-http://www.govexec.com/story_page.cfm?articleid=28939&printerfriendlyVers=1&
Intel Will Support Microsoft NX Technology (8 July 2004)
According to reports, Intel's P4 CPUs will support Microsoft's NX (No Execute) security technology beginning in Q4.
-http://www.theregister.co.uk/2004/07/08/intel_nx_support/print.html
[Editor's Note (Pescatore): In order to take advantage of the NX technology to help block buffer overflow attacks, enterprises have to be on Windows XP SP2 *and* on the new AMD and Intel processors *and* have gotten their applications compatible with the XP update and NX restriction. So, NX isn't likely to be a meaningful factor until the 2006 timeframe but will provide an effective baseline for preventing buffer overflows that show up after that. ]
Indian President Wants Military to Use Open Source (7 July 2004)
Indian President A.P.J. Abdul Kalam has called for his country's military to develop and implement cyber security defenses on open-source platforms. Kalam observed that using open-source software would promote self-reliance rather than dependence upon proprietary products.
-http://news.com.com/2102-7344_3-5259836.html?tag=st.util.print
Small Storage Devices Pose Security Threat, Says Gartner (6 July 2004)
A study from Gartner maintains that iPods and other small, portable storage devices pose a serious security threat to businesses. Not only can they introduce malware into company networks, but they could also be used to steal proprietary information. Gartner advises companies to forbid the use of privately owned storage devices with company machines.
-http://www.computerworld.com/printthis/2004/0,4814,94319,00.html
[Editor's Note (Schneier and Grefer): This is ridiculous. Any computer that has a CD burner is just as vulnerable as it would be with an iPod or USB drive. Either you trust your employees or you don't; it's not the technology that causes the risk. ]
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/