
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VI - Issue #35

September 01, 2004

TOP OF THE NEWS

US To Enforce Minimum Security Configuration Benchmarks for Federal and Contractor Systems
Six Charged in Connection with DDoS For Hire Case
Eleven California Counties May Use Electronic Voting Systems

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Operation Web Snare Nets More than 100 Arrests
Former Employee Faces Prison and Fine for Alleged Intrusion
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
DoJ Seizes Property in P2P Network Investigation
International Effort Breaks Worldwide Piracy Ring
MPAA Files Suits Against DVD Chip Manufacturers for Illegal Sales
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
ePassport Testing Exposes Security and Privacy Concerns
Financial Services IT Managers in NY Bolster Continuity and Recovery Plans
SPAM & PHISHING
Man Enjoined from Spamming Verizon Wireless Customers
Australian PM Admits Hiring Son's Company to Send Political Spam to Voters
Phishers Target German Banks' Customers
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Winamp Flaw Allows Spyware Onto Computers
Symantec Flaw Could Allow Denial-of-Service
Microsoft Downplays SP2 Flaw
W64.Shruggle Virus
STANDARDS AND BEST PRACTICES
Clarke's Ten Steps for Improving IT Security
STATISTICS, STUDIES AND SURVEYS
Study Says Insider Attacks Don't Require Great Technical Expertise
MISCELLANEOUS
Stephen Toulouse Q&A
Japanese Banks Using Palm Recognition Biometric Identification
Web Site Will Allow Subscribers to Spoof Caller ID Numbers
Microsoft Offers SP2 Compatibility Guide
French ISP Web Site Suffers Malicious Redirect Attack
California Company Sues Indian Police for Failing to Investigate Intellectual Property Theft
Hash Function Weaknesses No Cause for Alarm, But Having New Function Would be Wise


*************************** Sponsored by NetIQ **************************

Security Awareness and Protection

Does your organization have a strong ongoing security awareness and protection program that is both understood and sustained? Learn how to optimize your security coverage by aligning IT security with business goals. Join Charles Kolodgy, IDC Research Director, and a panel of experts for a webcast on "Achieving Agile Security Management: Best Practices for Security Awareness and Protection".

Register Now.
http://w.on24.com/r.htm?e=7321&s=1&k=17A6C0803534853FA7CB12F33746269A&partnerref=SANS


*************************************************************************
Featured Training Program of the Week

Back to the Future: Find the Future of Information Security in New Orleans November 1 - 4 at SANS CDI South.

That's where SANS will introduce a program of one and two day intensive technology courses on topics ranging from Cutting Edge Hacking Techniques to Ethics, from Business Law and Computer Security to Auditing Wireless Security. If you cannot afford the time for a full week of training, or if you want to focus on two to four different topics, you won't find a better security conference anywhere. In particular, if you were thinking about attending one of the twenty or thirty old security conferences run by other organizations, compare the faculty they offer against SANS teachers, the timeliness and practicality of the information, and the value you will bring back to your employer (not to mention the weather), and we think it will be easy to choose SANS CDI South in New Orleans over any other security conference.

http://www.sans.org/cdisouth04/
*************************************************************************

TOP OF THE NEWS

US To Enforce Minimum Security Configuration Benchmarks for Federal and Contractor Systems

The Director of the US Office of Management and Budget issued instructions for federal agencies that spell out how the Federal Information Security Management Act (FISMA) will be enforced. The instructions require each agency to set minimum security configuration benchmarks for all systems and to ensure they are enforced. OMB also says that FISMA applies to all contractor owned or managed systems if those systems handle federal information. The instructions require each agency to report (by September) whether they have established minimum configuration guidance for each of more than a dozen types of systems ranging from Cisco routers to Windows 2000 to Oracle.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=27089

-http://www.fcw.com/fcw/articles/2004/0823/web-fisma-08-27-04.asp
The instructions and an Excel spreadsheet to be used for reporting to OMB are identified as M-04-25 (August 23, 2004) and may be downloaded from the White House web site at
-http://www.whitehouse.gov/omb/memoranda/index.html.

Six Charged in Connection with DDoS-For-Hire Case (27/26 August 2004)

Six men have been indicted on charges stemming from an alleged distributed-denial-of-service (DDoS) attack-for-hire scheme. Jay Echouafni, CEO of satellite television company Orbit Communication, and a business partner allegedly hired four people to launch DDoS attacks against competitors' web sites. The attacks, which began in October 2003, caused $2 million USD in lost revenue and direct costs to three Orbit competitors and an ISP. Echouafni posted $750,000 USD bail this spring and is believed to have fled to his native Morocco. The charges in this case were brought as the result of the US Justice Department's Operation Web Snare (see below).
-http://www.techweb.com/wire/story/TWB20040827S0003
-http://www.securityfocus.com/printable/news/9411

Eleven California Counties May Use Electronic Voting Systems (24 August 2004)

California Secretary of State Kevin Shelley says that eleven counties will be allowed to use touch screen voting machines in the upcoming elections after the counties took steps to mitigate security concerns presented by the systems. The eleven counties in question upgraded their voting systems to meet certification requirements. The four California counties that have Diebold electronic voting systems will not be permitted to use them in the election because the machines have been decertified as a result of problems in the March election.
-http://www.reuters.com/newsArticle.jhtml?storyID=6060229


************************** SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.

(1) Dorian Software Provides Serious Event Log Management. Without the Bull. http://www.sans.org/info.php?id=567

(2) SANS/SPI Dynamics Webcast: Hacking Web Applications - Real Examples of the Top Web App Hacking Methods http://www.sans.org/info.php?id=568

(3) Earn a Norwich University Master's Degree in Information Security in 24 months. http://www.sans.org/info.php?id=569

*************************************************************************

*********RESOURCES AND OPPORTUNITIES DIRECTLY FROM SANS***************

(1) SANS is pleased to announce we have just released version 2.0 of the malware FAQ edited by Jason Lam, available at: http://www.sans.org/resources/malwarefaq/

(2) In support of the various initiatives for Security Awareness, including Awareness Day September 10, we offer Security Awareness Train The Trainer, a one day, NIST SP 800-50 compliant course taught by Dr. Eric Cole:
http://www.sans.org/nova_cissp04/description.php?tid=98

(3) We are in the research phase for version 2.0 of Awareness Train The Trainer, if you have any suggestions for something you feel should be included in a turn-key, how-to-implement-or-improve a security awareness program at your organization, please let us know. Also, we continue to receive a large number of requests for a "how to write security policy" course and are building the outline for that, if you have any suggestions for either research project, please write npierce@sans.org

***********************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Operation Web Snare Nets More than 100 Arrests (27/26 August 2004)

The US Department of Justice has reported the arrest of more than 100 people as a result of Operation Web Snare, a three-month crackdown on intellectual property theft and other cyber crimes including identity theft, software piracy and computer intrusions. The crackdown involved law enforcement agents at the federal, state and local levels. Operation Web Snare resulted in 160 investigations.
-http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=6082393
-http://www.theregister.co.uk/2004/08/27/operation_web_snare/
-http://www.computerworld.com/printthis/2004/0,4814,95526,00.html
-http://www.nytimes.com/2004/08/27/technology/27spam.html?pagewanted=print&position=

(note: this site requires free registration)

Former Employee Faces Prison and Fine for Alleged Intrusion (24 August 2004)

Patrick Angle of Columbus, Indiana has been charged with breaking into the computer system of his former employer, Varian Semiconductor Equipment Associates Inc. Angle allegedly broke into the system when he discovered his contract was going to be terminated, then allegedly deleted source code for software he had been developing. He also allegedly altered log information. Varian was able to recover the lost data from backup systems at a cost of USD 26,455. If he is convicted of the charges against him, Angle could face a ten-year prison sentence as well as a fine of up to USD 250,000 plus restitution.
-http://www.computerworld.com/printthis/2004/0,4814,95450,00.html

COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT

DoJ Seizes Property in P2P Network Investigation (26 August 2004)

The Justice Department executed search warrants in three states and seized computers and other equipment as part of an investigation into a peer-to-peer network that was sharing copyrighted movies, music and games. The Underground Network, which is the focus of this investigation, is managed by hub computers that restricted who could participate.
-http://www.eweek.com/print_article/0,1761,a=134097,00.asp
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=27066

International Effort Breaks Worldwide Piracy Ring (24 August 2004)

More than 100 people have been arrested worldwide in connection with an on-line piracy ring. The arrests were the result of a cooperative effort between the UK, the US, Australia, Poland and Slovakia. Ring members apparently broke into computers at academic institutions and used their disk space to serve the pirated content.
-http://www.theregister.co.uk/2004/08/24/anti-piracy_swoop/
-http://www.reuters.com/newsArticle.jhtml?storyID=6056939

MPAA Files Suits Against DVD Chip Manufacturers for Illegal Sales (23 August 2004)

The Motion Picture Association of America (MPAA) has filed lawsuits against two DVD-chip manufacturers, Sigma Designs and MediaTek, for allegedly selling chips to companies that are breaking copy protection rules. The products in question include features that are not allowed under the general DVD technology license. Furthermore, selling the chips to those companies violates the terms of the license Sigma and MediaTek had to sign in order to manufacture the chips in the first place.
-http://news.com.com/2102-1025_3-5321084.html?tag=st.util.print

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

ePassport Testing Exposes Security and Privacy Concerns (30 August 2004)

A three-day Homeland Security Department test of e-passport interoperability found a number of problems. Of special concern was the discovery that some readers could gather personal data from a distance of 30 feet. The International Civil Aviation Organization's e-passport specification does not require personal data encryption, but does specify a proximity chip that can be read from only a few inches away.
-http://www.eetimes.com/article/printableArticle.jhtml?articleID=45400010&url_prefix=&sub_taxonomyID=4217

Financial Services IT Managers in NY Bolster Continuity and Recovery Plans (30 August 2004)

Mindful of the possibility of attacks on critical infrastructure while the Republican National Convention is in town, IT managers at New York financial services firms have taken steps to protect important data and provide for continuity of operations.
-http://www.eweek.com/print_article/0,1761,a=134257,00.asps

SPAM & PHISHING

Man Enjoined from Spamming Verizon Wireless Customers (30 August 2004)

Verizon Wireless has won a permanent injunction against a Rhode Island man who allegedly sent a plethora of spam text messages to the company's customers. According to the ruling, Jacob Brown is prohibited from sending any more messages to Verizon Wireless customers.
-http://zdnet.com.com/2102-1105_2-5329820.html?tag=printthis

Australian PM Admits Hiring Son's Company to Send Political Spam to Voters (27 August 2004)

Australian Prime Minister John Howard admitted he hired his son's company to send out political spam to voters. Some are saying that Howard has violated the country's anti-spam laws. While the laws prohibit the sending of unsolicited commercial email, charities and political groups are exempt. However, Howard's use of his son's company, which is commercial, violated "the spirit, if not the letter of the anti-spam laws," according to opposition spokeswoman Kate Lundy.
-http://www.theregister.co.uk/2004/08/27/pm_spam_slam/

Phishers Target German Banks' Customers (26/25/24 August 2004)

Phishers have begun targeting customers of German banks; there have been reports that customers of Postbank and Deutsche Bank have received phony email messages that try to trick them into revealing account and PIN numbers. No bank customers have lost money, though some have come close. Two Postbank customers nearly lost 21,000 Euros between them, but the transactions were caught, one by a customer and the other by the bank.
-http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=6080450
-http://www.computerworld.com/printthis/2004/0,4814,95471,00.html
-http://www.computerweekly.com/articles/article.asp?liArticleID=132861&liArticleTypeID=1&liCategoryID=6&liChannelID=22&liFlavourID=1&sSearch=&nPage=1#

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

Winamp Flaw Allows Spyware Onto Computers (26 August 2004)

Adware makers can exploit a flaw in Winamp to place their stealth programs on people's computers. The problem stems from the fact that Winamp allows skin files to run programs. Winamp is a digital music player made by Nullsoft, an AOL subsidiary. The company is aware of the vulnerability but has not yet come up with a fix.
-http://asia.cnet.com/newstech/security/printfriendly.htm?AT=39191393-39000005c

Symantec Flaw Could Allow Denial-of-Service (25 August 2004)

Symantec has released patches for a vulnerability in several of its products that could be exploited to cause denial-of-service. The vulnerable products are VelociRaptor 1.5, Gateway Security 1.0 and 2.0, and Enterprise Firewall/VPN 7.0 and 7.0.4 for Solaris and Windows NT/2000.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1002514,00.html
-http://www.symantec.com/techsupp/enterprise/products/sym_gateway_security/sym_gw_security_2_5400/files.html

Microsoft Downplays SP2 Flaw (26/25 August 2004)

A vulnerability in the Windows Security Center feature of Microsoft's Windows XP Service Pack 2 (SP2) could allow someone to spoof security status. Microsoft downplayed the significance of the flaw, saying attackers could find better things to do.
-http://www.pcmag.com/print_article/0,1761,a=133959,00.asp
-http://www.internetweek.com/security02/showArticle.jhtml?articleID=38100003

W64.Shruggle Virus (24 August 2004)

W64.Shruggle is a proof-of-concept virus that targets 64-bit Windows files. Shruggle would not spread if it were released on the Internet because the software it is designed to exploit has not yet been released.
-http://asia.cnet.com/newstech/security/printfriendly.htm?AT=39191095-39000005c

STANDARDS AND BEST PRACTICES

Clarke's Ten Steps for Improving IT Security (27 August 2004)

In an RSA-sponsored Internet presentation, former presidential cyberspace security advisor Richard Clarke listed ten steps for organizations to take to improve IT security. He also recommended that managers including CEOs, CIOs, CFOs, board directors, internal auditors and HR heads should meet monthly to discuss security. Clarke's ten steps include establishing automatic compliance monitoring, using a patch management system and service, and encrypting data "in sensitive areas."
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=45400035
[Editor's Note (Northcutt): Clarke's number 2 and 3 suggestions are not ground breaking, but they are ground truth: Acquire a patch-management system and service. Noting that 50 or 60 patches are issued each week by software providers, Clarke called patching "the No. 1 headache of CIOs." ]

STATISTICS, STUDIES AND SURVEYS

Study Says Insider Attacks Don't Require Great Technical Expertise (26 August 2004)

A Secret Service and CERT Coordination Center study of insider attacks at financial institutions found that most attacks did not require much "technical sophistication"; in fact, 87% of the attacks were made using "simple, legitimate user commands." In addition, most attacks were driven by a desire for financial gain and were planned; in 85% of the cases, someone else knew about the plan to launch an attack. The study took into account 26 attacks at financial services providers that occurred between 1996 and 2003.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=27074

-http://www.vnunet.com/news/1157662

MISCELLANEOUS

Stephen Toulouse Q&A (September 2004)

Microsoft security program manager Stephen Toulouse talks with Wired magazine about Internet Explorer security.
-http://www.wired.com/wired/archive/12.09/view.html?pg=3

Japanese Banks Using Palm Recognition Biometric Identification (27 August 2004)

Fujitsu has developed biometric technology that identifies users based on the unique patterns of veins in their palms. One Japanese bank is already using the identification system; another plans to deploy it within the next month.
-http://www.theregister.co.uk/2004/08/27/palm_biometrics/
-http://www.computerworld.com/printthis/2004/0,4814,95545,00.html

Web Site Will Allow Subscribers to Spoof Caller ID Numbers (27 August 2004)

Jason Jepson plans to launch a website that will, for a price, allow customers to spoof the telephone number that appears on others' caller ID readouts. He declined to elaborate on the details of his system for fear someone would copy it. Jepson hopes his service will appeal to collection agencies and private detectives, although collection agencies may be barred from using the service under two laws: the Fair Debt Collection Practices Act, which prohibits false or misleading representation, and the FTC Act, which prohibits deceptive trade practices.
-http://www.securityfocus.com/printable/news/9419

Microsoft Offers SP2 Compatibility Guide (26 August 2004)

Microsoft has created a guide that administrators can use to "test and mitigate application compatibility" with Windows XP Service Pack 2. The guide also offers advice on reconfiguring XP to help applications run smoothly, but points out that it is really the applications that should be changed to work with SP2, and that security settings should remain at their highest levels.
-http://asia.cnet.com/newstech/applications/printfriendly.htm?AT=39191397-39000001c
-http://www.microsoft.com/downloads/details.aspx?FamilyId=9300BECF-2DEE-4772-ADD9-AD0EAF89C4A7&displaylang=en

French ISP Web Site Suffers Malicious Redirect Attack (26 August 2004)

Someone broke into and altered a French ISP's web site, www.wanadoo.com, so that visitors would be redirected to another site that would try to install a Trojan horse program on their computers. Wanadoo has identified the network from which the attack came and has issued a complaint to that ISP.
-http://www.computerworld.com/printthis/2004/0,4814,95492,00.html

California Company Sues Indian Police for Failing to Investigate Intellectual Property Theft (26 August 2004)

San Carlos, California-based Jolly Technologies has sued the Mumbai, India police for negligence for refusing to investigate source code theft at the company's Indian subsidiary. An employee at the R&D facility in Mumbai allegedly uploaded company source code and design documents and sent them out through her Yahoo email account.
-http://www.siliconvalley.com/mld/siliconvalley/9500402.htm?template=contentModules/printstory.jsp

[Editor's Note (Schultz): Incidents such as this one might prompt US companies that outsource much of their IT function to re-evaluate the wisdom of doing so. ]

Hash Function Weaknesses No Cause for Alarm, But Having New Function Would be Wise (19 August 2004)

Bruce Schneier discusses the recent announcements of weaknesses found in common hash functions. While there is no cause for alarm, Schneier observes that someday there could be viable attacks based on the weaknesses the researchers described. Schneier would like to see the National Institute of Standards and Technology hold a competition to develop a new hash function so there will be something more secure to use when we need it.
-http://www.computerworld.com/printthis/2004/0,4814,95343,00.html
[Editor's Note (Schultz): The only really troubling finding was the fact that MD5 had collisions. MD5 is widely used both in authentication and in checking the integrity of files and directories. MD5's collisions probably will not have much effect upon authentication, but the opposite is true with integrity checking because MD5 is one of the most frequently used integrity checking algorithms. ]


===end===
NewsBites Editorial Board:

Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/