SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #30
July 28, 2004
TOP OF THE NEWS
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHESMyDoom Variant Slows Major Search Engines
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Work Halted at Los Alamos and Other National Laboratories While Investigation is Underway
DHS Inspector General Report Critical of National Cyber Security Division's Efforts
MISCELLANEOUS
Judge Sanctions Investment Bank for Deleting and Withholding eMail Evidence
ICANN Adds IPv6 Addresses to DNS Root Server
Many Companies Monitor Outgoing eMail
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCESFlorida Man Charged in Acxiom Corp. Data Theft
Three Arrested in Internet Protection Scheme Case
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
NIST Wants Agencies to Replace DES with AES
Treasury Dept. Audit Finds Security Problems at IRS
Outsourcing Poses Security Risks for DOD
SPAM & PHISHING
Phishers Now Using IM
Microsoft To Provide Software, Analyst to Anti-Phishing Group
FTC Will Host eMail Authentication Standard Summit
Richter Settles in Spam Case, Says NY Attorney General
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
McAfee's AVERT Considers a Variety of Factors in Compiling List of Malicious Threats
RADIUS Server Exploit Circumvents 802.11i
SP2 Release Candidate Two Caused Some Headaches
Hackarmy Trojan
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
CD Piracy Market More than US$4.5 Billion
Software Pirate Sentenced to 5 1/2 Years in prison
MISCELLANEOUS
Virginia Cyber-Crime Strike Force Combines Variety of Skills
Hacked Phone System at French Bank May be Linked to Spanish Train Bombings
Eight Arrested for Phreaking in Philippines
********************** Sponsored by NetIQ *******************************
Free Security Event Management Guide
Do you need more efficient, automated log management methods and tools to manage the terabytes of information generated by your Security Event Management systems? Download our free guide, "Log Management: Closing the Loop on Security Event Management," to discover the crucial role that log management plays as part of a complete Security Event Management solution.
http://www.netiq.com/f/form/form.asp?id=2469&origin=NS_Sans_072804
*************************************************************************
Featured Security Training Program: SANS Network Security 2004 Las Vegas, NV September 28 - October 6, 2004
The largest training conference in the world with 16 immersion training tracks and a large security exposition. Great courses for security managers and CISOs, for security experts, for auditors, for forensics scientists, and even for those just starting out. And Las Vegas is a great place to visit in the fall.
Register soon to get a seat at your choice of courses. http://www.sans.org/ns2004
*************************************************************************
TOP OF THE NEWS
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
MyDoom Variant Slows Major Search Engines (27/26 July 2004)
The MyDoom.M worm, also known as MyDoom.O, has been spreading across the globe and slowing down Google, Lycos, Alta Vista and Yahoo because this variant queries these four search engines looking for email messages to spread itself.-http://www.nytimes.com/2004/07/27/technology/27attack.html?pagewanted=print&
position=
-http://www.washingtontimes.com/functions/print.php?StoryID=20040726-100246-6939r
-http://news.com.com/2102-7349_3-5283940.html?tag=st.util.print
[Editor's Note (Pescatore): Interesting how this approach skewed the virus towards business PCs, since the search engines seem to show more business email addresses. This causes the most real economic impact, but gets the least press - viruses that hit consumer (and politician and news media) PCs always get the most press attention.
(Paller) Once again, Internet Storm Center had the first analysis posted of this important virus. If you are not watching ISC, try it at
-http://isc.sans.org.
Storm Center processes more than one billion events a month, and has handlers on duty at all times to react to large scale attacks found by the security community. Since it is funded entirely by SANS (no federal or vendor money), it doesn't have to worry about who it may displease, it can and does publish information quickly. ]
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Work Halted at Los Alamos and Other National Laboratories While Investigation is Underway (22/20 July 2004)
Days after Los Alamos National Laboratory Director Pete Nanos halted almost all work at the facility, 19 people have been placed on leave, 15 of them in connection with an investigation that was spurred by the disappearance of two removable storage devices containing classified information. In addition, lab spokesman Kevin Roark confirmed a report that a number of email messages containing classified information were sent over a non-classified email system.-http://www.msnbc.msn.com/id/5490093/
-http://www.computerworld.com/printthis/2004/0,4814,94638,00.html
[Editor's Note: According to reliable sources, work has stopped at Sandia and Lawrence Livermore, as well. ]
DHS Inspector General Report Critical of National Cyber Security Division's Efforts (23 July 2004)
A report from the Department of Homeland Security's inspector general speaks critically of the National Cyber Security Division's efforts to fight computer network and Internet attacks. The report says that NCSD "suffers from lack of coordination, poor communication and a failure to set priorities." The DHS is apparently not leading by example: it has failed to adopt certain strategies it recommends government agencies employ to protect their own cyber assets. The report urges NCSD to address the problems it has found to protect the nation's critical infrastructure from cyber attacks. The report did offer praise for some DHS efforts, including the creation of the US-CERT to coordinate cyber security information.-http://www.washingtonpost.com/ac2/wp-dyn/A7192-2004Jul22?language=printer
-http://www.securitypipeline.com/news/showArticle.jhtml;jsessionid=YGLSSHKRG2REUQ
SNDBCCKHY?articleId=25600186&printableArticle=true
MISCELLANEOUS
Judge Sanctions Investment Bank for Deleting and Withholding eMail Evidence (22 July 2004)
Investment bank USB AG has been sanctioned by a federal judge for failing to preserve and produce in a timely manner email needed as evidence in a lawsuit against the company. Some of the emails had been deleted and were recovered from backup tapes; others were lost altogether. The case underscores the importance of having clear, up-to-date policies regarding back-up tapes, particularly if the tapes contain information that may be necessary in legal cases.-http://www.messagingpipeline.com/showArticle.jhtml?articleID=23904995
ICANN Adds IPv6 Addresses to DNS Root Servers (21 July 2004)
The Internet Corporation for Assigned Names and Numbers (ICANN) has begun adding IPv6 addresses to the DNS root server system. IPv6 supports a 128-bit address space, offering a vastly larger number of addresses than the currently used IPv4, which supports a 32-bit address space. IPv6 also offers improved security. Support will be initially limited to Japan (.jp) and Korea (.kr); France (.fr) is expected to be added soon.-http://www.eweek.com/print_article/0,1761,a=131985,00.asp
-http://www.internetnews.com/infra/print.php/3384791
Many Companies Monitor Outgoing eMail (19 July 2004)
According to research from Forrester Consulting, 44% of large companies in the US employ someone to monitor outgoing electronic communication, and nearly half conduct regular audits of company email. The impetus for the monitoring stems from fears that employees are leaking trade secrets or intellectual property. Smaller companies were more likely to be concerned about attachments and whether or not their company's communications were in compliance with Sarbanes-Oxley and other such legislation.-http://management.silicon.com/government/print.htm?TYPE=story&AT=39122384-39
024673t-40000033c
************************** SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) ALERT: How Hackers Use LDAP Injection to Steal Your Data and
Bypass Authentication
http://www.sans.org/info.php?id=539
(2) Download a free eBook on Active Directory Security from
ScriptLogic today.
http://www.sans.org/info.php?id=540
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Florida Man Charged in Acxiom Corp. Data Theft (23/22/21 July 2004)
Scott Levine of Boca Raton, Florida has been indicted on charges of breaking into Acxiom Corp.'s computer system, stealing personal, financial and company data, and hiding evidence. Levine allegedly stole more than 8 gigabytes of data and caused US$7 million in damages. The information was apparently placed on Levine's company's system and sold to customers; Levine runs Snipermail.com, a bulk mailing concern. Six Snipermail.com employees who were not named in the indictment have reached agreements with prosecutors, some of which will result in guilty pleas. In a separate case last year, Daniel Baas of Ohio pleaded guilty to breaking into Acxiom's computer system.-http://www.internetweek.com/shared/printableArticle.jhtml?articleID=23905033
-http://www.computerworld.com/printthis/2004/0,4814,94673,00.html
-http://news.com.com/2102-7348_3-5278839.html?tag=st.util.print
-http://www.msnbc.msn.com/id/5481403/
-http://www.usatoday.com/tech/news/computersecurity/2004-07-23-six-for-axciom_x.h
tm
Three Arrested in Internet Protection Scheme Case (22/21 July 2004)
The UK's National Hi-Tech Crime Unit (NHTCU) worked with Russian police to track down three men suspected of masterminding an Internet protection scheme. They allegedly threatened web sites with DDoS attacks during peak hours unless they were paid off. The men have been arrested.-http://news.com.com/2102-7348_3-5278046.html?tag=st.util.print
-http://www.theregister.co.uk/2004/07/21/cyber_shakedown_taken_down/print.html
-http://networks.silicon.com/lans/print.htm?TYPE=story&AT=39122524-39024663t-
40000017c
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
NIST Wants Agencies to Replace DES with AES (26 July 2004)
The National Institute of Standards and Technology (NIST) is proposing that agencies phase out the use of the 56-bit Data Encryption Standard (DES), also known as Federal Information Processing Standard (FIPS) 46-3, because technological advances have rendered it insufficient "to adequately protect federal government information." NIST would like to encourage agencies to adopt the Advanced Encryption Standard (AES), also known as FIPS 197, which is a stronger algorithm. NIST is accepting comments on withdrawing FIPS 46-3 through September 9.-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=26721
[Editor's Note (Schultz): NIST's proposal here seems long overdue. Given the relative ease with which it can be cracked, DES (but not 3DES) has long outlived its usefulness. ]
Treasury Dept. Audit Finds Security Problems at IRS (23/21/19 July 2004)
A report from Treasury Department auditors found that "lax security policies" regarding contractors at the Internal Revenue Service (IRS) placed taxpayer data at risk. Contractors were often provided with outdated systems which were insecure; in some instances, contractor employees were granted root access privileges. The report recommends giving contractors updated workstations and allowing them access with only the minimum required access privileges. The report also noted the lack of documentation that all contractor employees had undergone the necessary background checks. Another report from auditors took the IRS to task over the unauthorized use of PDAs at the agency.-http://www.fcw.com/fcw/articles/2004/0719/web-irs-07-21-04.asp
-http://www.computerworld.com/printthis/2004/0,4814,94741,00.html
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=23902174
Outsourcing Poses Security Risks for DOD (19 July 2004)
In recent years, the US Department of Defense has been purchasing commercial, off-the-shelf (COTS) software rather than developing custom systems in house. While the approach saves money, it presents problems because software coding is increasingly being outsourced to other nations and there are no safeguards in place to ensure its security.-http://www.fcw.com/fcw/articles/2004/0719/pol-outsource-07-19-04.asp
[Editor's Note (Grefer): Where does the presumption come from that locally developed software is any more secure than that developed abroad?
(Pescatore): There were no safeguards in place to ensure security of the software DoD was paying defense contractors to build, either, and there is certainly no evidence that those legacy systems had fewer defects per line of code. In fact, since most such code was developed assuming security through obscurity would protect it, when exposed to the Internet those custom systems tend to make commercial code look bulletproof. ]
SPAM & PHISHING
Phishers Now Using IM (22 July 2004)
Some people running phishing scams are now using instant messaging to lure people to their phony sites. Many instant messaging systems use weak authentication schemes.-http://www.crn.com/showArticle.jhtml;jsessionid=V2MQOQ5MGG4VWQSNDBGCKHY?articleI
d=23904957&printableArticle=true
Microsoft To Provide Software, Analyst to Anti-Phishing Group (22 July 2004)
Microsoft has announced that it will provide an anti-phishing organization with a full-time analyst and US$46,000 worth of software. The National Cyber-Forensics and Training Alliance, a joint effort of the FBI, the National White Collar Crime Center, Carnegie Mellon University and West Virginia University, was established to share information about consumer fraud and phishing.-http://asia.cnet.com/newstech/applications/printfriendly.htm?AT=39187640-3900109
4t-39000001c
FTC Will Host eMail Authentication Standard Summit (21 July 2004)
The Federal Trade Commission plans to host a summit this fall at which experts will share ideas about creating requirements for an email authentication standard to fight phishing.-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=26674
[Editor's Note (Pescatore): A converged standard is a very good thing but hard to figure why the FTC would be the lead government agency here.
(Paller): The FTC has been one of the two federal agencies that have done the most to improve security. The FTC has the best processes and people in government to develop information that leads to standards. ]
Richter Settles in Spam Case, Says NY Attorney General (19 July 2004)
New York State Attorney General Eliot Spitzer announced that a suit his office brought against Scott Richter for sending unsolicited email messages has been settled. Richter and his company, OptInRealBig.com, paid US$40,000 in penalties and US$10,000 for investigative costs. As part of the agreement, the company will also give Spitzer's office a list of all its customers and advertisements it sends. If Richter's company fails to live up to the agreement, he and his company will face stiff penalties.-http://www.usatoday.com/tech/news/2004-07-19-anti-spam-win_x.htm
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
McAfee's AVERT Considers a Variety of Factors in Compiling List of Malicious Threats (26 July 2004)
The Download.Ject or Scob Trojan topped McAfee's Anti-virus and Vulnerability Emergency Response Team (AVERT) list of the most malicious threats in the first half of 2004. In compiling the list, AVERT looked not only at how frequently each threat was reported, but also at whether or not it hit corporations, whether or not it represented a new approach in malware and whether or not a patch was available that could protect systems from the threat.-http://www.infoworld.com/article/04/07/26/HNattack_1.html
RADIUS Server Exploit Circumvents 802.11i (26 July 2004)
Aruba Wireless Networks Inc. plans to present details of a RADIUS server security exploit at the Internet Engineering Task Force meeting in San Diego. The exploit "thwarts" the recently ratified 802.11i protocol and WLANs that keep encryption keys in access points instead of a central switch.-http://www.eweek.com/article2/0%2C1759%2C1627206%2C00.asp
[Guest Editor Tutorial (Josh Wright, SANS): While dictionary attacks against RADIUS have been well-known and documented for some time, few vendors have fully conformed with the RFC's that were designed specifically to protect organizations from attack.
With the recent ratification of the IEEE 802.11i specification, wireless networks can benefit from strong encryption mechanisms designed to protect the wireless network. Unfortunately, one of the remaining weak links in wireless networks are RADIUS clients (AP's) that are susceptible to attacks that reveal the RADIUS shared secret. Once attackers compromises the RADIUS shared secret, they can decrypt all wireless traffic, regardless of your EAP type or encryption mechanism.
While waiting for a better solution, organizations are encouraged to make use of very complex RADIUS secrets, 16 characters or longer, with a different RADIUS secret for each AP or other RADIUS client device. Organizations should also audit their wireless networks for the presence of rogue and misconfigured access points, while devoting dedicated VLAN's for the management interfaces of AP's that do not include client systems. ]
SP2 Release Candidate Two Caused Some Headaches (23 July 2004)
The CRN Test Center found that when SP2 release candidate two was installed on five system, three of them blue-screened and gave a message stating that "winserv" was missing. Uninstalling SP2 brought its own complications, including uninstalling all devices installed on the PC and completely removing SP1.-http://www.crn.com/sections/breakingnews/breakingnews.jhtml;jsessionid=QELCBYYZH
SUB0QSNDBGCKHY?articleId=23905071&printableArticle=true
Hackarmy Trojan (23 July 2004)
The Hackarmy Trojan horse program spreads by feeds on people's morbid curiosity; it purports to be pictures or information relating to the alleged death of Osama bin Laden or, in some cases, Arnold Schwarzenegger. The email messages direct users to a web site that supposedly has information on it, but actually downloads the program which gives attackers control over their computers.-http://www.theregister.co.uk/2004/07/23/hackarmy_trojan/
-http://www.theregister.co.uk/2004/07/26/arnie_trojan
-http://www.vnunet.com/news/1156861
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
CD Piracy Market More than US$4.5 Billion (22 July 2004)
A study from the International Federation for the Phonographic Industry (IFPI) indicates that CD piracy was a US$4.5 billion market last year, approximately 15% of the global recorded music market.-http://www.computerworld.com/printthis/2004/0,4814,94688,00.html
Software Pirate Sentenced to 5 1/2 Years in prison (22 July 2004)
A German judge has sentenced Ralph Blasek to 5 1/2 years in prison for running Europe's largest pirated software ring. Blasek's actions cost Microsoft US$4.5 million, according to a court spokesman. Blasek's sentence does not include the possibility of parole.-http://www.infoworld.com/article/04/07/22/HNswpirate_1.html
[Editor's Note (Grefer): A minor correction to the article: the Bundeskriminalamt is the German equivalent of the Federal Bureau of Investigations (investigating crimes on a national and interstate level), rather than an equivalent of the CIA. ]
MISCELLANEOUS
Virginia Cyber-Crime Strike Force Combines Variety of Skills (23 July 2004)
The newly formed Virginia Cyber-Crime Strike Force will combine the expertise of FBI agents, investigators and attorneys from the Attorney General's office, a Virginia State Police investigator and an assistant US attorney with experience in cyber crime investigation. The group will investigate and prosecute child pornography, fraud and other computer and Internet crimes.-http://www.crime-research.org/news/23.07.2004/514
[Editor's Note (Shpantzer): This is good news. The bad news is that experience in cyberspace crime investigation is a rare and valuable commodity in law enforcement and that makes this item newsworthy. Perhaps one reason why so few resources are given to train and equip cyber-detectives is that police executives are often unaware of the positive impact that digital forensics can have on traditional 'meatspace' crimes, from murder to racketeering to arson and many others.]
Hacked Phone System at French Bank May be Linked to Spanish Train Bombings (23 July 2004)
French authorities are looking into the possibility that those responsible for the March 11 train bombings in Madrid made phone calls through a French bank's telephone exchange. French police have established that the phone calls were made by phreaking.-http://www.alertnet.org/thenews/newsdesk/L23274421.htm
Eight Arrested for Phreaking in Philippines (20 July 2004)
Authorities in the Philippines have arrested eight people suspected of breaking into the country's main phone company and stealing access which they then sold to others. The company became aware of the problem only after customers began complaining about being billed for long distance calls they didn't make.-http://www.theregister.co.uk/2004/07/20/filipino_phone_phreakers/print.html
-http://www.reuters.com/newsArticle.jhtml?storyID=5712619
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/