Newsletters: NewsBites



SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VI - Issue #3

January 21, 2004

TOP OF THE NEWS

Bagle Worm
Malware Responsible for $55 Billion in Losses Worldwide
Microsoft Patch Pack Doesn't Fix IE Flaw Used by Phishers
NIST Releases Computer Security Incident Handling Guide

THE REST OF THE WEEK'S NEWS

Congressman Putnam Plans 22 Hearings for This Session
Northwest Airlines Admits it Gave Passenger Information to Government
Trial of Alleged Blaster-F Author Set to Commence
UK Teen to be Sentenced for Fermi Lab Computer Break-Ins
Using Managed Security Service Providers
Securing Networks from Remote User Threats
The Weakest Link
Australian Man to be Tried for Accessing and Modifying Girlfriend's e-Mail Account
14 Arrested in Spanish Software Piracy Raid
Sentencing Commission Wants Input on Spammer Sentencing Guidelines
House Democrats Critical of DHS Cybersecurity Efforts
New AMD Chips Help Prevent Malicious Code Execution
Public Safety Wireless Network Now Part of Project SafeCom
Commerce Requests Comments on Switching to IPv6
Users Say Trustworthy Computing Initiative Favors New Products
Budget and Interoperability Problems Contribute to Stagnating PKI Implementation at Government Agencies
Stolen Computer Contains Airline Ticketing Data
Word Document Divulges Origins of Danish PM's Speech; Office Switches to PDF
Gone Phishing

VULNERABILITY UPDATES AND EFFECTS

HP Patches Tru64 Unix Vulnerabilities
Red Hat Issues Alerts and Fixes for Vulnerabilities in Apache, elm, cvs, and KDE
Critical Flaws in H.323 Protocol-based VoIP
Symantec Fixes LiveUpdate Flaw
New Sun Service Pack Fixes Buffer Overflow Flaw in Sun ONE/iPlanet Web Server



TOP OF THE NEWS

Bagle Worm (19/20 January 2004)

The Bagle worm arrives as an attachment, and uses its own SMTP engine to send itself to addresses it finds on the hard drive. Machines become infected after users open and run the attachment; it also installs a back door on infected machines. It is designed to stop spreading on January 28, 2004.
-http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/1/hi/technology/3410209.stm
-http://www.smh.com.au/articles/2004/01/20/1074360733517.html
-http://www.washingtonpost.com/ac2/wp-dyn/A29926-2004Jan19?language=printer
-http://www.theregister.co.uk/content/56/34958.html
-http://www.sarc.com/avcenter/venc/data/w32.beagle.a@mm.html
-http://www.f-secure.com/v-descs/bagle.shtml

Malware Responsible for $55 Billion in Losses Worldwide (16 January 2004)

Businesses worldwide lost an estimated $55 billion due to computer worms in 2003, according to Trend Micro. Losses in 2002 were between $20 and $30 billion, up from $13 billion in 2001. Trend Micro predicts that figure will increase again in 2004; the company also believes that blended threats will continue to be the attack of choice.
-http://news.com.com/2102-7349_3-5142144.html?tag=st_util_print

Microsoft Patch Pack Doesn't Fix IE Flaw Used by Phishers (13 January 2004)

Microsoft's patch release for January fails to address an Internet Explorer (IE) flaw that has been exploited by phishers to fool people into believing they are visiting legitimate web sites and to dupe them into revealing their credit card numbers and other sensitive data.
-http://www.washingtonpost.com/ac2/wp-dyn/A13587-2004Jan13?language=printer

NIST Releases Computer Security Incident Handling Guide (16 January 2004)

The National Institute of Standards and Technology (NIST) has released Special Publication 800-61, Computer Security Incident Handling Guide. NIST was directed to publish the guide by the Federal Information Security Management Act (FISMA) of 2002.
-http://www.csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf



THE REST OF THE WEEK'S NEWS

Congressman Putnam Plans 22 Hearings for This Session (19 January 2004)

Representative Adam Putnam (R-Fla.), chairman of the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, has scheduled 22 hearings to be held during the next 4-week session. The committee plans to address systems security and FISMA compliance, SCADA security in the nation's critical infrastructure, information security and information sharing analysis centers (ISAC) and patch management.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=24657

Northwest Airlines Admits it Gave Passenger Information to Government (19 January 2004)

Following JetBlue Airways' admission that it gave passenger records to a defense contractor, Northwest Airlines said it gave passenger information to the US government, as part of a security project, in the months following the September 11 attacks. Northwest also said that company spokesman Kurt Ebenhoch and chief executive Richard Anderson were unaware of the company's participation in the secret government project when they denied the company had provided passenger information to the government.
-http://www.eweek.com/print_article/0,3048,a=116813,00.asp
-http://www.eweek.com/print_article/0,3048,a=116814,00.asp

Trial of Alleged Blaster-F Author Set to Commence (19 January 2004)

The trial of the Romanian man accused of creating the Blaster-F worm begins on Friday, January 23. Dan Dumitru Ciobanu could face between three and fifteen years in prison under new Romanian cyber crime laws.
-http://www.theregister.co.uk/content/56/34976.html

UK Teen to be Sentenced for Fermi Lab Computer Break-Ins (19 January 2004)

Sentencing for UK teenager Joseph McElroy, who in October pleaded guilty to breaking into 17 computers at the Fermi National Accelerator Laboratory in Illinois, is set for February 2. The US government is seeking $37,000 compensation, for damage and disruption.
-http://www.theregister.co.uk/content/55/34972.html
[Editor's Note (Shpantzer): One of the interesting aspects of this case was how the Fermi lab personnel detected this intruder. The backup administrators noticed that some machines were taking very long to save to tape, and started to wonder what was going on. That's when they discovered the cache of media files planted by an outsider.
-http://www.securityfocus.com/news/6352]

Using Managed Security Service Providers (19 January 2004)

Security professionals weigh in on the benefits of using managed security service providers (MSSPs). Some prefer using a single vendor, while others favor a multi-vendor approach. The article addresses liability issues, and how to hold outsourcing vendors accountable.
-http://www.computerworld.com/printthis/2004/0,4814,89100,00.html
If you are considering outsourcing IT security, here are ten questions to ask your potential MSSPs.
-http://www.computerworld.com/securitytopics/security/story/0,10801,89101,00.html

Securing Networks from Remote User Threats (19 January 2004)

Advice on securing networks from threats posed by remote users. Includes defining who should be able to access what, setting rules to enforce those decisions, and protecting data in transit with VPN encryption.
-http://www.computerworld.com/printthis/2004/0,4814,89121,00.html
Securing Remote Workers: A Quiz
-http://www.computerworld.com/printthis/2004/0,4814,89085,00.html

The Weakest Link (19 January 2004)

A medley of security gaffes demonstrates that people are still the weakest link.
-http://www.computerworld.com/printthis/2004/0,4814,88303,00.html

Australian Man to be Tried for Accessing and Modifying Girlfriend's e-Mail Account (16 January 2004)

A man from Berrimah, Darwin (Australia) has been charged "with unlawfully accessing a computer intending to cause loss and unlawfully causing modification of data." Craig Henry Griffis allegedly accessed his girlfriend's e-mail account, deleted some messages and copied others; he also allegedly changed her password so she could not access her e-mail. It is apparently the first case of its kind in Australia's Northern Territory.
-http://www.themercury.news.com.au/printpage/0,5942,8404915,00.html

14 Arrested in Spanish Software Piracy Raid (16 January 2004)

Police have arrested 14 people in Spain on intellectual piracy charges; police found 3,000 phony copies of Windows XP Professional along with more than 4,000 forged "certificates of authentication".
-http://www.infoworld.com/article/04/01/16/HNspanishmspiracy_1.html

Sentencing Commission Wants Input on Spammer Sentencing Guidelines (16 January 2004)

The United States Sentencing Commission (USSC) has published a request for comments on sentencing guidelines for those convicted under the CAN-SPAM Act. In particular, the commission wants feedback on how the use of deceptive techniques, various methods of address-gathering and the commission of more serious crimes should figure into the sentencing formula.
-http://www.securityfocus.com/news/7846
-http://www.ussc.gov/FEDREG/fedr0104.htm

House Democrats Critical of DHS Cybersecurity Efforts (16 January 2004)

Democrats on the House Homeland Security Select Committee issued a report critical of the current administration's homeland security efforts. Some of the criticism focused on the Homeland Security Department's (DHS) critical infrastructure cyber security efforts; the study points out that because the Critical Infrastructure Protection Board no longer exists, the top cybersecurity position in the government is now buried deep within DHS.
-http://www.gcn.com/vol1_no1/daily-updates/24652-1.html
-http://www.fcw.com/fcw/articles/2004/0112/web-turner-01-16-04.asp
[Editor's Note (Schultz): You don't have to be a Democrat to be critical of the DHS's cyber security efforts (or lack thereof). This department needs at a minimum to drastically elevate the priority of cyber security.
(Schneier): I agree with most of the conclusions presented, even though they're doubtless motivated more by politics than facts. ]

New AMD Chips Help Prevent Malicious Code Execution (15 January 2004)

New technology in Advanced Micro Devices' Opteron and Athlon 64 processors can detect buffer overflows and thwart the possibility of malicious code being executed. Like most other processors, AMD's detect buffer overflows and trigger overflow exceptions. What makes the chips different is that any code that enters the processor after the overflow exception is labeled "nonexecutable."
-http://www.computerworld.com/printthis/2004/0,4814,89091,00.html

Public Safety Wireless Network Now Part of Project SafeCom (15 January 2004)

The Public Safety Wireless network has become part of Project SafeCom, the umbrella program overseeing all the initiatives related to public safety communications and interoperability.
-http://www.fcw.com/fcw/articles/2004/0112/web-safecom-01-15-04.asp

Commerce Requests Comments on Deployment of IPv6 (15 January 2004)

The Commerce Department has issued a request for public comments regarding moving from IP Version 4 to IP Version 6 (IPv6).
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=24641
-http://www.ntia.doc.gov/ntiahome/frnotices/2004/IPv6RFCFinal.htm

Users Say Trustworthy Computing Initiative Favors New Products (15 January 2004)

In the six months following the release of Windows 2000, Microsoft had issued 32 security advisories that included a total of 21 critical vulnerabilities. Six months after the release of Windows Server 2003, Microsoft had warned of 14 flaws, only 6 of which were deemed critical, a change that can be attributed in large part to the company's Trustworthy Computing Initiative. Some customers, however, have expressed concern that while the company may be making strides in releasing new software with fewer flaws, they aren't doing a very good job of securing widely used products that predate the Trustworthy Computing Initiative.
-http://news.com.com/2102-7355_3-5141765.html?tag=st_util_print
[Editor's Note (Schultz): Critics questioned whether Microsoft's Trusted Computing Initiative was anything more than a publicity ploy. The statistics in this news item show that Microsoft was indeed on track in making the bold decision to integrate sound software engineering practices in the code development process and to hold developers responsible for the security of the code they produce. Hopefully, the results Microsoft seems to have obtained will serve as an impetus for other software vendors to improve their software engineering practices, too. ]

Budget and Interoperability Problems Contribute to Stagnating PKI Implementation at Government Agencies (15 January 2004)

A General Accounting Office (GAO) study of government agency Public Key Infrastructure (PKI) implementation found that the level of participation in the Federal Bridge Certification Authority is the same as in 2001. Of 89 PKI projects undertaken, just 35 are operational; 6 were terminated due largely to funding problems. Other problems that dog PKI implementation include a lack of government-wide policy and guidance, interoperability issues and training and administration problems.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=24644
-http://www.govexec.com/dailyfed/0104/011504tdpm1.htm
-http://www.informationweek.com/story/showArticle.jhtml?articleID=17301563
GAO Report:
-http://www.gao.gov/new.items/d04157.pdf
[Editor's Note (Schneier): The only surprise is that it's taken so long for the problems to surface, or at least become public. Even under the best of circumstances, there's no real way to have working PKI in bits and pieces. ]

Stolen Computer Contains Airline Ticketing Data (14 January 2004)

Two computers were stolen from airline-owned financial transaction processing company Airlines Reporting Corp. (ARC). Though one of the computers was used to store airline ticketing information, a company statement says it believes the crime was one of property theft, not data theft. There is no indication the information has been abused.
-http://www.computerworld.com/printthis/2004/0,4814,89062,00.html

Word Document Divulges Origins of Danish PM's Speech; Office Switches to PDF (13 January 2004)

The Danish Prime Minister's office will no longer distribute his speeches as Word documents; instead, the text of Anders Fogh Rasmussen's speeches will be made available as .pdf documents. The switch was made after a recently published speech was found to have been authored by a political ultra-liberalist; Rasmussen has been trying to distance himself from extremist politics.
-http://www.smh.com.au/articles/2004/01/13/1073877800625.html

Gone Phishing (13/14/15 January 2004)

Customers of banks and other businesses continue to be targeted by phishing scams.
Westpac Bank (New Zealand/Australia):
-http://www.smh.com.au/cgi-bin/common/popupPrintArticle.pl?path=/articles/2004/01/15/1073877955031.html
Barclays:
-http://www.vnunet.com/News/1152038
AT&T Worldnet:
-http://computerworld.com/printthis/2004/0,4814,89029,00.html

VULNERABILITY UPDATES AND EFFECTS

HP Patches Tru64 Unix Vulnerabilities (16 January 2004)


-http://www.zdnet.co.uk/print/?TYPE=story&AT=39119149-39020330t-10000004c

Red Hat Issues Alerts and Fixes for Vulnerabilities in Apache, elm, cvs, and KDE (15 January 2004)


-http://searchenterpriselinux.techtarget.com/originalContent/0,289142,sid39_gci944702,00.html

Critical Flaws in H.323 Protocol-based VoIP (13/16 January 2004)

Microsoft has issued a related security bulletin.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=24631
-http://www.computerworld.com/printthis/2004/0,4814,89041,00.html
-http://zdnet.com.com/2102-1105_2-5142132.html?tag=printthis
-http://www.microsoft.com/technet/security/bulletin/ms04-001.asp
-http://www.cert.org/advisories/CA-2004-01.html

Symantec Fixes LiveUpdate Flaw (13 January 2004)


-http://zdnet.com.com/2102-1105_2-5140165.html?tag=printthis

New Sun Service Pack Fixes Buffer Overflow Flaw in Sun ONE/iPlanet Web Server (12 January 2004)


-http://www.esecurityplanet.com/prodser/print.php/3298031
Alert:
-http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57464
Service Pack:
-http://wwws.sun.com/software/download/products/3f186391.html


===end===

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Bruce Schneier, Eugene Schultz, Gal Shpantzer

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit
http://portal.sans.org/