SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #29
July 21, 2004
TOP OF THE NEWS
--- HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Putnam: Clinger-Cohen Amendment is Essential
Energy Officials to Oversee Security Probe at Los Alamos
--- LEGISLATION
Identity Theft Penalty Enhancement Act Becomes Law
--- WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Microsoft's July Security Release Includes Patches for Two Critical Vulnerabilities
THE REST OF THE WEEK'S NEWS
--- ARRESTS, CONVICTIONS AND SENTENCES
Second Half of Deceptive Duo Indicted
Charges Against 419 Scammers Dismissed
Lamo Sentenced for NYT Intrusion
Oxford University Students Could Face Suspension and Fines for Computer Intrusion
Man Allegedly Broke Into Verizon Computers, Posted Passwords on Internet
--- HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Missing Sandia Disk Found
Final e-Authentication Architecture Released
--- SPAM & PHISHING
Microsoft Wins Nearly US$4 Million in Spam and Trademark Suit
--- WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Fixes Available for Debian GNU/Linux Vulnerabilities
Proof-of-Concept Duts Worm Infects Windows CE
Fix Available for PHP Holes
New Bagle Variant Detected
Windows Update Service Release Pushed back to 2005
Atak Worm Shuts Down to Hide from Anti-Virus Tools
Backdoor-CGT Trojan
--- MISCELLANEOUS
South Korea Asks for China's Help in Tracking Down Cyber Attackers
Imminent SP2 Release Elicits Strong Responses
California Department of Insurance Suffers Cyber Intrusion
South Korea Will Work with AusCERT, Other Asian Countries to Monitor Cyber Attacks
PC Stolen from Intuit Office Contained Customer Data
Group Offers Companies' Source Code for Sale
Zero-Day Vulnerabilities Bring About Patch Management Changes
Futures Broker Plans to Offer Cyber Attacks Wagering Opportunities
******************** Sponsored by Symantec ******************************
Managed Security Services by Symantec. Our global intelligence network spans 40 countries and monitors threats 24 hours a day, providing your enterprise with the benefits of a world-class security infrastructure while sparing you the complications of building your own.
Click here to download our free white paper and take a virtual tour.
http://www.sans.org/info.php?id=531
******************Highlighted Training of the Week**********************
SANS now offers the highest rated courses to prepare for the CISSP examination. Extraordinary success rates of the students in passing the test, plus the nation's highest rated teachers, plus a practical dimension that makes the course more valuable, all add up to the gold standard of education for people preparing for CISSP certification.
The next two classes are in Washington, DC starting next week
http://www.sans.org/washingtondc04/description.php?tid=13
And in Las Vegas September 29 - October 4
http://www.sans.org/ns2004/description.php?tid=61
*************************************************************************
TOP OF THE NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Putnam: Clinger-Cohen Amendment is Essential (19 July 2004)
Representative Adam Putnam (R-Fla.), chairman of the Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee, explains the importance of H.R. 4570; Putnam's bill would amend the Clinger-Cohen Act to require that government agencies explicitly include cyber security in the capital planning and investment decision making process of IT system development.
-http://www.fcw.com/fcw/articles/2004/0719/oped-putnam-07-19-04.asp
[Editor's Note (Tan): Too often security is viewed as an obstacle in IT project development. This legislation will be a good means to convey the importance of security in the IT system development process. Security is not just having security products. Proper processes and procedures with management endorsement are also essential to avoid a false sense of security.
(Ranum): For as long as I can remember, security practitioners have believed that legislation would help improve security. Well, now we get to find out. ]
Energy Officials to Oversee Security Probe at Los Alamos (19/18/17/16 July 2004)
In the wake of the disappearance of two removable data storage devices, Los Alamos National Laboratory has halted all classified research in order to conduct an inventory of sensitive data. National Nuclear Security Administration Director Linton Brooks and Deputy Energy Secretary Kyle McSlarrow have arrived at Los Alamos to oversee a probe into security lapses at the facility.
-http://www.nytimes.com/2004/07/16/national/16lab.html?pagewanted=print&position=
(registration required)
-http://www.thenewmexicochannel.com/news/3544240/detail.html
-http://www.cnn.com/2004/US/Southwest/07/19/losalamos.lab.security/
LEGISLATION
Identity Theft Penalty Enhancement Act Becomes Law (16 July 2004)
President Bush has signed the Identity Theft Penalty Enhancement Act, which increases the federal penalty for identity theft from three to five years; it also adds five years to prison sentences for those convicted of using another person's identity to commit terrorism. In addition, the act makes aggravated identity theft a crime; people convicted of using others' identity in the commission of a felony will have an additional two years tacked on to their sentences.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=23901861
[Editor's Note (Schultz): This legislation was late in coming, but better late than never. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Microsoft's July Security Release Includes Patches for Two Critical Vulnerabilities (13 July 2004)
Microsoft's monthly security release includes seven patches for both known and unknown vulnerabilities; two of the patches are for vulnerabilities with "critical" ratings. MS04-022 fixes a buffer overflow flaw in Windows Task Scheduler that could allow attackers to place and execute code on unprotected machines. MS04-023 addresses two holes in the Windows HTML help feature which could allow attackers to execute malicious code on vulnerable machines.
-http://www.computerworld.com/printthis/2004/0,4814,94516,00.html
-http://www.washingtonpost.com/ac2/wp-dyn/A47383-2004Jul13?language=printer
-http://www.microsoft.com/security/bulletins/200407_windows.mspx
************************** SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) CIPHERTRUST WHITE PAPER DOWNLOAD: E-mail security - stop spam, enforce corporate policies.
http://www.sans.org/info.php?id=524
(2) ALERT: Learn about the software tools spammers use. You'll be amazed. **FREE White Paper **
http://www.sans.org/info.php?id=525
(3) ALERT: How Hackers Use LDAP Injection to Steal Your Data and Bypass Authentication
http://www.sans.org/info.php?id=529
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Second Half of Deceptive Duo Indicted (19/16 July 2004)
Rob Lyttle has been indicted on charges of breaking into government computers and defacing web sites. If convicted of the charges against him, Lyttle could face up to 10 years in prison and a fine of as much as US$250,000. Benjamin Stark, Lyttle's partner and the other half of the Deceptive Duo, was charged in May and pleaded guilty to 11 offenses.
-http://www.theregister.co.uk/2004/07/19/feds_charge_hacker/print.html
-http://reuters.com/newsArticle.jhtml?type=internetNews&storyID=5695999
Charges Against 419 Scammers Dismissed (16 July 2004)
A Dutch court has ruled that there is insufficient evidence against 52 accused Nigerian email scammers, so charges against them have been dismissed. An insider at UPC (United Pan-Europe Communications) allegedly provided cable modems used in the scams.
-http://www.theregister.co.uk/2004/07/16/amsterdam_419_charges/print.html
Lamo Sentenced for NYT Intrusion (16/15 July 2004)
A federal judge has sentenced Adrian Lamo to two years of probation, six months of which will be served in home detention, for breaking into the New York Times' computer system. Lamo will also have to pay a fine of $65,000.
-http://www.computerworld.com/printthis/2004/0,4814,94600,00.html
-http://www.informationweek.com/story/showArticle.jhtml?articleID=23901163&_loopback=1
Oxford University Students Could Face Suspension and Fines for Computer Intrusion (16/15 July 2004)
Two first-year Oxford University students could be fined GBP 500 or suspended from their school for breaking into the university's computer and writing a story about it for a student newspaper. The two say they used a program they obtained on Google to break into university IT systems, view live CCTV and access systems that contained sensitive data.
-http://www.theregister.co.uk/2004/07/16/oxford_uni_hackers/print.html
-http://news.bbc.co.uk/2/hi/uk_news/education/3897755.stm
Man Allegedly Broke Into Verizon Computers, Posted Passwords on Internet (13 July 2004)
William Quinn of Eastchester, NY, has been indicted on charges he broke into Verizon Communications computers for the company's Direct Access Testing Units (DATU); Quinn also allegedly posted the passwords to the system he had obtained on the Internet along with instructions for using them. Verizon spent US$120,000 to address the problems Quinn allegedly created. If he is convicted on all charges against him, Quinn could face five years in prison and a fine of as much as US$250,000.
-http://www.nytimes.com/2004/07/13/nyregion/13hacker.html
(registration required)
-http://www.computerworld.com/printthis/2004/0,4814,94512,00.html
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Missing Sandia Disk Found (17 July 2004)
A computer disk reported missing at Sandia National Laboratory at the end of June has been found, but officials are not releasing any further details.
-http://www.cbsnews.com/stories/2004/07/19/tech/printable630585.shtml
Final e-Authentication Architecture Released (13 July 2004)
The General Services Administration (GSA) has released the final architecture for a federated e-authentication portal, which will use Security Assertion Markup Language (SAML) to authenticate remote users.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=26561
SPAM & PHISHING
Microsoft Wins Nearly US$4 Million in Spam and Trademark Suit (16/15 July 2004)
The US District Court for the Central District of California has ordered Daniel Khoshnood to pay Microsoft US$3.95 million for trademark infringement, false advertising and cybersquatting. Khoshnood sent out spam messages that claimed an affiliation with Microsoft, but had none.
-http://www.pcworld.com/resource/printable/article/0,aid,116920,00.asp
-http://zdnet.com.com/2102-1104_2-5272776.html?tag=printthis
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Fixes Available for Debian GNU/Linux Vulnerabilities (19 July 2004)
Debian has released fixes for a format string vulnerability, a buffer overflow vulnerability and a handful of denial-of-service vulnerabilities.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci993845,00.html
-http://www.debian.org/security/2004/dsa-529
-http://www.debian.org/security/2004/dsa-530
-http://www.debian.org/security/2004/dsa-528
Proof-of-Concept Duts Worm Infects Windows CE (19/17 July 2004)
A Romanian company says it has detected a proof-of-concept worm called Duts, Dust or Dtus, that targets the Windows CE operating system for handheld computers. The worm asks permission to spread.
-http://asia.cnet.com/newstech/security/printfriendly.htm?AT=39187213-39001150t-39000005c
-http://news.bbc.co.uk/2/hi/technology/3906823.stm
-http://www.theregister.co.uk/2004/07/19/pocketpc_virus/
Fix Available for PHP Holes (16/15 July 2004)
The PHP group has released a fix for vulnerabilities that could allow the execution of arbitrary code on remote PHP servers. The affected versions are PHP 4.3.7 and earlier and 5.0.0RC3 and earlier. The problems are addressed in PHP 4.3.8.
-http://www.internetnews.com/security/print.php/3382181
-http://security.itworld.com/4348/040715phpholes/pfindex.html
-http://www.php.net/release_4_3_8.php
New Bagle Variant Detected (16 July 2004)
The new version of Bagle, alternately called Bagle.AF or Beagle.AB, arrives as a password-protected .zip file with the password included. This variant was apparently created using source code distributed with another version of Bagle that spread earlier in July.
-http://zdnet.com.com/2102-1105_2-5271930.html?tag=printthis
-http://www.theregister.co.uk/2004/07/16/copycat_bagle_worm/print.html
-http://www.computerworld.com/printthis/2004/0,4814,94583,00.html
Bagle.AG was also launched, using various subjects including "Re:".
-http://www.infoworld.com/article/04/07/19/HNbagleag_1.html
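The Bagle.AF delivery trick described above, an encrypted .zip attachment with its password printed in the message body, is something a mail gateway can flag without opening the archive. What follows is an added example written for this issue, not code from NewsBites or any vendor: it checks the encryption bit in the ZIP local file header and looks for a password hint in the body. The message and the archive header are constructed samples, and the "password" keyword check is an assumed heuristic.

```python
import email
import struct
from email import policy
from email.message import EmailMessage

ZIP_LOCAL_HEADER_SIG = b"PK\x03\x04"
ENCRYPTED_FLAG = 0x0001  # bit 0 of the general purpose bit flag (PKWARE APPNOTE)


def zip_is_encrypted(data: bytes) -> bool:
    """True if the first local file header in a ZIP marks its entry as encrypted."""
    if len(data) < 30 or not data.startswith(ZIP_LOCAL_HEADER_SIG):
        return False
    # Local file header layout: signature(4) version(2) flags(2) method(2) ...
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & ENCRYPTED_FLAG)


def body_has_password_hint(text: str) -> bool:
    """Assumed heuristic: the lure tells the reader the archive password."""
    lowered = text.lower()
    return "password" in lowered or "pass:" in lowered


def classify_message(raw: bytes) -> list[str]:
    """Return gateway findings for one RFC 822 message (empty list = nothing odd)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".zip") and zip_is_encrypted(payload):
            findings.append(f"encrypted zip attachment: {name}")
            if body_has_password_hint(body):
                findings.append("archive password supplied in message body")
    return findings


def build_fake_encrypted_zip() -> bytes:
    """Constructed sample: one local file header with the encryption bit set.
    It is not a valid archive, just enough to exercise the header check."""
    name = b"photo.exe"
    header = ZIP_LOCAL_HEADER_SIG + struct.pack(
        "<HHHHHIIIHH", 20, ENCRYPTED_FLAG, 0, 0, 0, 0, 12, 12, len(name), 0)
    return header + name + b"\x00" * 12


def build_sample_message(attachment: bytes) -> bytes:
    """Constructed sample message in the style the item describes (subject 'Re:')."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re:"
    msg.set_content("See attached. Archive password: 12345")
    msg.add_attachment(attachment, maintype="application", subtype="zip",
                       filename="photos.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify_message(build_sample_message(build_fake_encrypted_zip())))
```

The same header check works on real archives because Python's zipfile module cannot write encrypted entries, which is why the test fixture is hand-built.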
Windows Update Service Release Pushed back to 2005 (15/14 July 2004)
Microsoft has announced that its Windows Update Service patch management tool will be released in the first half of 2005, several months later than the anticipated autumn 2004 release.
-http://asia.cnet.com/newstech/applications/printfriendly.htm?AT=39186700-39001094t-39000001c
-http://www.computerworld.com/printthis/2004/0,4814,94532,00.html
-http://www.networkitweek.co.uk/News/1156661
Atak Worm Shuts Down to Hide from Anti-Virus Tools (16/13 July 2004)
The Atak worm detects when anti-virus tools are scanning and goes to sleep to avoid being detected. Atak may possibly try to destroy other worms like MyDoom and Bagle. A variant of Atak, Atak.B, has also been detected.
-http://news.com.com/2102-7349_3-5267258.html?tag=st.util.print
-http://zdnet.com.com/2102-1105_2-5272328.html?tag=printthis
Backdoor-CGT Trojan (13 July 2004)
The Backdoor-CGT Trojan spreads through spam; machines become infected when users click on a web link embedded in the email message. The click takes them to a series of web sites, each of which has its own part to play in downloading the malware onto the users' computers. Backdoor-CGT exploits the Outlook IFRAME vulnerability. Machines with current versions of Outlook and up to date virus signatures are protected.
-http://www.computerworld.com/printthis/2004/0,4814,94515,00.html
MISCELLANEOUS
South Korea Asks for China's Help in Tracking Down Cyber Attackers (16/15/14/13 July 2004)
South Korea's National Intelligence Agency says that attacks on government computers came via China; the computers were infected with the Peep Trojan and Backdoor Revacc, which can steal data. South Korea has asked the Chinese government for help tracking down those responsible. In all, 211 government computers were attacked; 67 computers at private businesses, universities and media companies were also attacked.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39160420-39020375t-10000025c
-http://news.ninemsn.com.au/article.aspx?id=12626
-http://joongangdaily.joins.com/200407/15/200407152222548709900090409041.html
-http://australianit.news.com.au/common/print/0,7208,10142701%5E15322%5E%5Enbv%5E15306,00.html
-http://times.hankooki.com/lpage/200407/kt2004071316410952820.htm
-http://english.chosun.com/w21data/html/news/200407/200407130036.html
Imminent SP2 Release Elicits Strong Responses (19 July 2004)
The upcoming release of Microsoft's SP2 has elicited a range of reactions. Companies whose applications may be broken by the update are expressing concern and frustration; security experts are saying that anything that is broken by SP2 wasn't doing security right in the first place.
-http://www.informationweek.com/story/showArticle.jhtml?articleID=23902063
[Editor's Note (Schultz): I can sympathize with those who are concerned. At the same time, however, I am fascinated by Microsoft's sudden shift from the "open by default" to the "closed by default" security stance. It will be interesting to learn what happens when users install SP2 for WXP; I, for one, don't intend to install it until many "lessons learned" are available. ]
California Department of Insurance Suffers Cyber Intrusion (15 July 2004)
The California Department of Insurance has begun informing nearly 600 people that their personal information was contained on a server that was accessed without authorization. Those affected were in the process of applying for insurance provider licenses. The data on the server was encrypted.
-http://www.insurancenewsnet.com/article.asp?a=top_news&id=22774
South Korea Will Work with AusCERT, Other Asian Countries to Monitor Cyber Attacks (15 July 2004)
South Korea's Ministry of Information and Communication has announced that it plans to work with other Northeast Asian countries, Australia's Computer Emergency Response Team and more than 200 private cyber security companies within South Korea to establish a cyber event monitoring system.
-http://times.hankooki.com/lpage/200407/kt2004071516314510440.htm
PC Stolen from Intuit Office Contained Customer Data (14 July 2004)
Intuit has informed 47,000 customers that a computer stolen from a company office in Omaha, Nebraska, contained password-protected customer data such as names and credit card information. A company spokesperson says there has been no evidence that any of the information has been used to steal identities; the thieves were more likely after the hardware than the PC's data. The company is offering those affected three months of free personal information and credit monitoring.
-http://news.com.com/2102-1029_3-5269821.html?tag=st.util.print
Group Offers Companies' Source Code for Sale (14/15 July 2004)
A group that calls itself the Source Code Club had a web site on which it offered for sale what it claimed were files containing the source code for Enterasys Networks' Dragon intrusion detection system. The group claims to have source code for other products as well. Late last week, the group's web site displayed a message saying it had temporarily stopped business due to customer concerns, but promising that it would reemerge after it "redesigned" its business model. The group has apparently reopened for business over the Usenet network.
-http://www.eweek.com/print_article/0,1761,a=131371,00.asp
-http://www.techworld.com/security/news/index.cfm?NewsID=1914
-http://www.computerworld.com/printthis/2004/0,4814,94552,00.html
-http://www.informationweek.com/story/showArticle.jhtml?articleID=23900981
-http://www.infoworld.com/article/04/07/19/HNstolencodeshopback_1.html
Zero-Day Vulnerabilities Bring About Patch Management Changes (13 July 2004)
The advent of the zero-day vulnerability has brought the issue of patch management into the forefront; patching must be completed more quickly than in the past. Where it was once the domain of small security organizations, patch management is increasingly becoming the responsibility of those charged with network infrastructure management.
-http://www.securityfocus.com/printable/news/9100
Futures Broker Plans to Offer Cyber Attacks Wagering Opportunities (12 July 2004)
Online futures market broker Tradesports.com, known for allowing people to wager on events such as bin Laden's capture, plans to add cyber attacks to its roster of things people can bet on. People will be able to wager on the timing of DDoS attacks and virus infections.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39160188-39020369t-10000025c
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/