SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #37
September 15, 2004
SANS does not Telemarket
We have been receiving reports that people are being called by people claiming to offer SANS training. Today we heard a report that an organization received a phone call from a person claiming to be an analyst for the SANS Institute, asking about their DMZ architecture. SANS does not employ telemarketers or tele-analysts. If you get such a call, please write down as much information as possible about the caller and what they said and contact Stephen@sans.org.
Also, since September is Awareness and Preparedness month, this might be a good time to send out an awarenessgram to all of your employees reminding them that there are exactly two types of information in your organization: information specifically approved for release to the public, and everything else.
Stephen Northcutt
TOP OF THE NEWS
Technology Vendors Prove Incapable Of Acting To Protect Their Users
OMB Directs Agencies to Implement P2P Policies
Microsoft Doubles the Length of Time Update Users Can Block SP2
Nevada is the First State to Use Touchscreen Voting Machines with Paper Audit Trails
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Sasser Author Arrested
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Navy CIO Lauds NMCI's Performance
HSARPA Seeks Critical Infrastructure Security R & D
Financial Trading Systems Security
Nasdaq Sponsored Disaster Recovery Tests for Customers
LEGISLATION
House Committee Approves Anti-Piracy and -Spyware Measures
SPAM & PHISHING
Spammers Using eMail Authentication
Savvis Shuts Down Spammers' Service
Singapore Bank is Latest Phishing Mark
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
MIME Vulnerabilities
New MyDoom Variants Suggest a Larger Attack is in the Works
Amus Worm
McAfee Says it Will Release Updated Signatures to Remedy ISPWizard Misidentification
Mac OS X Update Fixes Kerberos Vulnerability
STATISTICS, STUDIES AND SURVEYS
PWC/CIO Magazine 2004 State of Information Security Study
Survey: ISP Customers Want More Security Features
MISCELLANEOUS
Longhorn Will Allow Companies to Control Portable Storage Device Connections to Machines
Neglecting Security will Significantly Increase Downtime, says Gartner
Q & A with Bruce Schneier
Botnet Shut Down
Case Study: PA Medical Center's Electronic Medical Records System
Debian Rejects SenderID Because of Microsoft's Licensing Requirements
The HTTP Elephant on the Table: One Week with an Open Proxy Server
************************ Sponsored by Symantec **************************
Managed Security Services by Symantec. Our global intelligence network spans 40 countries and monitors threats 24 hours a day, providing your enterprise with the benefits of a world-class security infrastructure while sparing you the complications of building your own.
Click here to download our free white paper and take a virtual tour.
http://www.sans.org/info.php?id=531
*************************************************************************
Featured Training Program of the Week
Back to the Future: Find the Future of Information Security in New Orleans November 1 - 4 at SANS CDI South. That's where SANS will introduce a program of one and two day intensive technology courses on topics ranging from Cutting Edge Hacking Techniques to Ethics, from Business Law and Computer Security to Auditing Wireless Security. If you cannot afford the time for a full week of training, or if you want to focus on two to four different topics, you won't find a better security conference anywhere. In particular, if you were thinking about attending one of the twenty or thirty old security conferences run by other organizations, compare the faculty they offer against SANS teachers, the timeliness and practicality of the information, and the value you will bring back to your employer (not to mention the weather) and we think it will be easy to choose SANS CDI South in New Orleans over any other security conference.
http://www.sans.org/cdisouth04/
*************************************************************************
TOP OF THE NEWS
Technology Vendors Prove Incapable Of Acting To Protect Their Users (9 September 2004)
In the second part of USA Today's investigative report on who is responsible for the wave of security problems, the answer becomes clear.
-http://www.usatoday.com/tech/news/computersecurity/2004-09-09-zombie-response_x.htm
OMB Directs Agencies to Implement P2P Policies (10 September 2004)
Office of Management and Budget CIO Karen Evans has sent a memo to agency CIOs, directing them to establish a P2P use policy for their employees. Personnel should be trained in appropriate use of file sharing systems, and should be aware of what constitutes inappropriate use. Agency CIOs will also be required to use National Institute of Standards and Technology cyber security standards to "detect and prevent improper file sharing systems." The agencies have until December 1, 2004 to implement the new policies.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=27232
-http://www.fcw.com/fcw/articles/2004/0906/web-p2p-09-10-04.asp
Microsoft Doubles the Length of Time Update Users Can Block SP2 (8 September 2004)
Microsoft has extended the period of time it will allow Windows Update and Automatic Update users to prevent SP2 from being automatically downloaded onto their computers. Initially, the company wanted to limit that time frame to 120 days, but on September 7th it doubled the amount of time people will be able to block the upgrade's download to 240 days, or April 12, 2005. People were complaining that they lacked adequate time to test SP2 to ensure it would be compatible with applications already on their systems.
-http://www.microsoft-watch.com/article2/0,1995,1643908,00.asp
-http://software.silicon.com/security/print.htm?TYPE=story&AT=39123819-39024655t-40000024c
-http://www.computerworld.com/printthis/2004/0,4814,95748,00.html
Nevada is the First State to Use Touchscreen Voting Machines with Paper Audit Trails (7 September 2004)
On September 7, Nevada became the first US state to use touchscreen voting machines that provide a paper audit trail in a statewide election. The state's voting system cost USD$9.3 million and includes 2600 computers and printers deployed statewide. County election offices will keep the printouts for 22 months and they will be used in the event of a recount.
-http://www.securityfocus.com/printable/news/9461
[Editor's Note (Schultz): This is truly a landmark event, setting an example for every state as well as other countries in the world.
(Shpantzer): If a hacker really gets control of the voting machine, then he can have the software spit out a paper receipt for the vote for one candidate, despite actually counting the vote for another. Providing the paper receipt may give the voters a sense of confidence that their vote was correctly counted, but is it a false sense of confidence? ]
************************** SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) What SPF Really Means to E-Mail Security - View Statistics & FREE Whitepaper
http://www.sans.org/info.php?id=585
(2) Pen Tester Tools: SPI ToolKit includes; SQL Injector, Cookie Cruncher,& SPI Fuzzer
http://www.sans.org/info.php?id=586
(3) ALERT: Learn about the latest spam tools and techniques in **FREE white paper**
http://www.sans.org/info.php?id=587
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Sasser Author Arrested (9/8 September 2004)
Sven Jaschan, the German teenager who says he wrote the Sasser worm, has been arrested. He has also admitted to writing the original NetSky worm. Sasser allegedly caused an estimated $157,000 in damages. Whether Jaschan will be tried in a juvenile court or a regular court remains undecided. He could face a maximum prison sentence of five years.
-http://www.computerworld.com/printthis/2004/0,4814,95787,00.html
-http://www.theregister.co.uk/2004/09/08/sasser_charges/print.html
[Editor's Note (Schultz): The damage estimate here seems extremely low, but I suspect that law enforcement came up with a figure that would stand in a court of law rather than a global estimate. ]
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Navy CIO Lauds NMCI's Performance (10 September 2004)
Navy CIO Dave Wennergren said the Navy Marine Corps Intranet (NMCI) has proven to be quite durable. Wennergren cited the NMCI's round-the-clock performance during the San Diego area wildfires in 2003 and the fact that during January's MyDoom outbreak, only 20 of 120,000 workstations were affected.
-http://www.fcw.com/fcw/articles/2004/0906/web-nmci-09-10-04.asp
HSARPA Seeks Critical Infrastructure Security R & D (10 September 2004)
Homeland Security Advanced Research Projects Agency (HSARPA) officials have released an announcement seeking research and development in a variety of areas to improve the security of U.S. critical infrastructure. The areas of interest listed include improved vulnerability protection in existing and emerging systems and networks, tools and methods to identify latent vulnerabilities, and cyber security assessments of information systems. HSARPA officials expect to have USD$4.5 million to award; bidders will need to submit a white paper by October 6 and a complete proposal by December 1. Awards will be announced January 18, 2005.
-http://www.fcw.com/fcw/articles/2004/0906/web-hsarpa-09-10-04.asp
[Editor's Note (Pescatore): Being against more security research is sort of like being against rescuing abandoned puppies, but having multiple agencies spend small amounts of R&D funding (most of which gets dissipated in overhead) on problems where the private sector is selling hundreds of millions of product already is not a very effective use of homeland security funding. ]
Financial Trading Systems Security (8 September 2004)
Government officials and lower Manhattan financial company executives spoke before the House Financial Services Committee, detailing their efforts to safeguard financial trading systems against physical and cyber attacks. The New York Stock Exchange has spent USD$100 million to bolster its security; improvements include a remote network operations center and development of the Secure Financial Transaction Infrastructure (SFTI), a "geographically dispersed fiber-optic routing backbone" that will allow brokers to connect to trading markets in the event of an attack like September 11, 2001.
-http://www.computerworld.com/printthis/2004/0,4814,95765,00.html
NASDAQ Sponsored Disaster Recovery Tests for Customers (7 September 2004)
Earlier this year, NASDAQ sponsored two disaster recovery tests for brokers and service providers. In the first test, customers tested their connectivity from their backup sites to NASDAQ's primary site. The second test allowed customers to test their primary or backup trading systems' connectivity to NASDAQ's backup site.
-http://www.computerworld.com/printthis/2004/0,4814,95734,00.html
LEGISLATION
House Committee Approves Anti-Piracy and -Spyware Measures (8 September 2004)
The House Judiciary Committee has approved the Piracy Deterrence and Education Act of 2004 which, if enacted, would impose a sentence of up to five years for people convicted of illegally sharing copyrighted music and movies over the Internet. The bill will next head to the House for debate. The committee also approved the Internet Spyware Prevention Act of 2004, a measure which criminalizes the act of placing spyware on people's computers without their express permission.
-http://www.washingtonpost.com/ac2/wp-dyn/A6091-2004Sep8?language=printer
-http://www.techweb.com/article/printableArticle.jhtml;jsessionid=ISWG5BINJOAZUQSNDBGCKHY?articleID=47101903
SPAM & PHISHING
Spammers Using eMail Authentication (8 September 2004)
According to email services provider MX Logic, spammers are increasingly turning to Sender Policy Framework to make their emails seem more legitimate. SPF works well to prevent domain spoofing, and thus thwart phishers' efforts, but does little to stop other spam that doesn't try to disguise its origins.
-http://news.com.com/2102-1029_3-5357269.html?tag=st.util.print
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=47102042
[Editor's Note (Pescatore): They are missing the point. Strong mail domain authentication isn't intended to stop spam; it is intended to allow enterprises and consumers to be sure that the mail they want to read doesn't get blocked by spam filters. Strong sender domain authentication allows white lists to work and have lighter spam filtering (fewer false blocks) while email from untrusted domains goes through full filtering. Without this, today much email from online merchants ends up blocked by spam filters, meaning spam filtering can't be cranked up as high as is needed.]
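The following is an added illustration (not part of the NewsBites item or MX Logic's report) of why SPF stops domain spoofing but not spam from a sender's own domain: a minimal v=spf1 evaluator over constructed DNS records for hypothetical domains (bank.example, spammer.example, nospf.example), plus the lighter-versus-full filtering decision Pescatore describes.

```python
# Minimal SPF (v=spf1) evaluator; handles ip4 mechanisms and the "all" default.
# Added example with constructed records: no real DNS lookups are performed.
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domains).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",      # strict policy
    "spammer.example": "v=spf1 ip4:198.51.100.7 -all",  # spammer publishes SPF too
    "nospf.example": None,                              # no record published
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into ([(qualifier, network), ...], default_result)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, default = [], "neutral"
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            default = QUALIFIER_RESULT[qualifier]
        elif term.lower().startswith("ip4:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            mechanisms.append((qualifier, net))
        # a, mx, include, etc. are out of scope for this illustration
    return mechanisms, default


def check_spf(sender_ip, mail_from_domain, records=SPF_RECORDS):
    """SPF result for a connecting IP that claims mail_from_domain in MAIL FROM."""
    record = records.get(mail_from_domain)
    if record is None:
        return "none"                        # domain publishes no policy
    mechanisms, default = parse_spf(record)
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, net in mechanisms:
        if ip in net:
            return QUALIFIER_RESULT[qualifier]
    return default


def filtering_level(spf_result):
    """Map an SPF result to the filtering an SPF-aware gateway could apply."""
    if spf_result == "pass":
        return "light"      # origin verified: eligible for domain white lists
    if spf_result == "fail":
        return "reject"     # forged origin: the phishing case SPF was built for
    return "full"           # softfail/neutral/none: no trust gained, filter fully


if __name__ == "__main__":
    for ip, domain in [("203.0.113.9", "bank.example"),     # phisher spoofing the bank
                       ("192.0.2.10", "bank.example"),      # the bank's real server
                       ("198.51.100.7", "spammer.example"), # spammer's own domain
                       ("203.0.113.9", "nospf.example")]:
        r = check_spf(ip, domain)
        print(f"{ip:>14} as {domain:<16} -> {r:<8} filtering={filtering_level(r)}")
```

The spammer.example case passes SPF because the record truthfully describes the spammer's own server: SPF vouches for origin, not content, which is the article's point.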
Savvis Shuts Down Spammers' Service (8 September 2004)
St. Louis, MO-based Savvis Communications, an international Internet service provider, says it will cancel service for about 40 customers who are known to be using the network to send spam. Savvis made the decision only after pressure from anti-spam organizations. The company had, according to leaked internal memos, known about the problem for several months but had dragged its feet about doing something to remedy the situation because it would feel a financial pinch.
-http://www.computerworld.com/printthis/2004/0,4814,95769,00.html
-http://www.infoworld.com/article/04/09/08/HNleakedmemos_1.html
-http://news.com.com/2102-1030_3-5357445.html?tag=st.util.print
[Editor's Note (Schultz): If all or most ISPs would act in the way Savvis Communications has, the spam problem would be a fraction of what it is now. ]
Singapore Bank is Latest Phishing Mark (8 September 2004)
Phishers have targeted customers of Singapore's OCBC Bank Internet banking service. OCBC said that the phony site which was being used to try to steal customers' account information has been shut down. OCBC has notified the police and the Monetary Authority of Singapore.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39192847-39037064t-39000005c
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
MIME Vulnerabilities (13 September 2004)
The UK's National Infrastructure Security Co-ordination Centre (NISCC) has released a series of advisories describing vulnerabilities in the MIME Internet email protocol extension that affect a variety of email clients, web browsers, antivirus products and mail- and web-content checkers. The flaws could let attackers evade content filters and antivirus tools.
-http://www.theregister.co.uk/2004/09/13/mime_vuln/print.html
-http://software.silicon.com/malware/print.htm?TYPE=story&AT=39123925-3800003100t-40000041c
-http://www.uniras.gov.uk/l1/l2/l3/alerts2004/alert-3304.txt
New MyDoom Variants Suggest a Larger Attack is in the Works (13/10 September 2004)
Four new MyDoom variants appeared on the Internet in rapid succession late last week, leading some researchers to speculate that a more virulent variant is being developed. They are speaking from recent experience: in July, four Bagle variants were released and were followed by a particularly malicious version. Another reason for increased vigilance is the anniversary of 9/11 and the fact that MyDoom variant names are approaching the end of the alphabet.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39193426-39037064t-39000005c
-http://www.techweb.com/article/printableArticle.jhtml?articleID=47204123
-http://www.eweek.com/print_article/0,1761,a=135009,00.asp
Amus Worm (13 September 2004)
The Amus worm uses the Windows Speech Engine to deliver an audio message to users of infected computers. The worm changes IE settings and has received a low risk rating.
-http://www.theregister.co.uk/2004/09/13/amus_worm/print.html
McAfee Says it Will Release Updated Signatures to Remedy ISPWizard Misidentification (9 September 2004)
On Wednesday, September 8, McAfee said it planned to release updated antivirus signatures which will correct a problem in the September 1 release that mistakenly identified ISPWizard as a Trojan horse program. The problem prevented some people from connecting to their ISPs. In fact, the update was available earlier than the 8th to customers who update signatures daily. In addition, customers can contact McAfee's support/AVERT for an immediate fix. Mark Griffiths, the man who developed ISPWizard, says he has not ruled out the possibility of filing a lawsuit against McAfee.
-http://www.theregister.co.uk/2004/09/08/mcafee_ispwizard_snafu/print.html
-http://news.com.com/2102-7350_3-5361660.html?tag=st.util.print
Mac OS X Update Fixes Kerberos Vulnerability (7 September 2004)
Apple has released an update for Mac OS X that fixes 15 security vulnerabilities, including a flaw in the Kerberos authentication system which has received a highly critical rating.
-http://news.com.com/2102-1002_3-5350010.html?tag=st.util.print
STATISTICS, STUDIES AND SURVEYS
PWC/CIO Magazine 2004 State of Information Security Study (11 September 2004)
The 2004 State of Information Security study from PricewaterhouseCoopers and CIO Magazine found that North America and Europe led South America and Asia in security and best practice implementation. 64% of the companies surveyed said they expected security spending to increase this year. The study was conducted online in late March and April 2004; more than 8,000 CIOs, CFOs, CEOs, VPs and directors of IT and security from 62 countries responded to the survey.
-http://www.itsecurity.com/tecsnews/sep2004/sep143.htm
Survey: ISP Customers Want More Security Features (8 September 2004)
According to a survey from J.D. Power and Associates, Internet users are by and large pleased with the way their ISPs handle spam, but are dissatisfied with the way they handle viruses and cyber attackers. J.D. Power analyst Steve Kirkeby says Internet users want their ISPs to provide "one-stop shopping" for security protections.
-http://www.securitypipeline.com/showArticle.jhtml;jsessionid=N4UAABXAVBPXEQSNDBCSKHY?articleId=46802767&printableArticle=true
[Editor's Note (Shpantzer): Automobile safety went through the cycle of violent resistance, forced acceptance, then all the way to becoming a strong selling point for the manufacturers, who now tout their NHTSA crash ratings in their advertising. So goes with information security. If consumers are asking for security, maybe the ISPs will take their money and give them what they want. ]
MISCELLANEOUS
Longhorn Will Allow Companies to Control Portable Storage Device Connections to Machines (13 September 2004)
In a nod to concerns that portable storage devices have become capable of holding greater and greater amounts of data, Microsoft has announced that Longhorn, its new operating system, due to be released in 2006, will include technology to allow companies control over the extent to which cell phones, PDAs and other portable storage devices may connect to PCs. The technology exists to an extent in SP2, but will be "more refined" in Longhorn.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=47204404
-http://news.com.com/2102-1016_3-5356485.html?tag=st.util.print
[Editor's Note (Pescatore): Much better to see actual operating system functions get improved in new operating systems, rather than seeing more applications (browsers, servers, media players) jammed under the covers. Secure paths to peripherals are an important part of a trustable computing environment; key to success is the ability of enterprises to manage policy that gets pushed out to PCs.
(Shpantzer): This is an interesting security issue. I've heard of some organizations literally taking soldering irons to the USB ports to guarantee that they are not used for offloading information to portable storage devices. ]
Neglecting Security will Significantly Increase Downtime, says Gartner (13 September 2004)
According to a Gartner report, companies that do not attend to the security of their IT systems face an increase in downtime due to vulnerabilities. The present rate is 5%, but that figure will grow to 15% in 2008 for companies that have not taken security into consideration. Gartner recommends companies focus on security in their own development and demand secure commercial software from vendors.
-http://www.techweb.com/article/printableArticle.jhtml;jsessionid=CQDFRV3WOI4CKQSNDBCSKHY?articleID=47204480
Q & A with Bruce Schneier (10 September 2004)
In a question and answer format with CIO Update, Bruce Schneier offers security advice for CIOs. Schneier touches on such issues as estimating the cost of a potential attack and the importance of impressing on vendors the need for secure products. In conclusion, Schneier offers the reminder that "security is a process, not a product."
-http://www.cioupdate.com/trends/article.php/3406571
Botnet Shut Down (10/9 September 2004)
Authorities in Singapore shut down a server that controlled a network of more than 10,000 zombie PCs after Norwegian telecommunications company Telenor traced IRC communications from compromised machines. The network, sometimes called a botnet, could be used to send spam or launch distributed denial of service attacks. While the controlling server is no longer functional, infected machines remain zombies; the Internet Storm Center recommends that users with network traffic logs check for connections to the server, which was listening on IP 203.81.40.172 tcp port 10009.
-http://www.theregister.co.uk/2004/09/09/telenor_botnet_dismantled/print.html
-http://www.computerworld.com/printthis/2004/0,4814,95847,00.html
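An added example (not from the article or the Internet Storm Center) of the log check recommended above: it scans firewall log lines for outbound TCP connections to 203.81.40.172 port 10009 and tallies the internal hosts involved. The log lines are constructed in an iptables-style format with hypothetical 10.x addresses; matching both address and port avoids flagging unrelated traffic to the same host or to port 10009 elsewhere.

```python
# Find internal hosts that contacted the dismantled controller named in the article.
# Added example; SAMPLE_LOG is constructed and the internal hosts are hypothetical.
import re
from collections import Counter

CNC_IP = "203.81.40.172"   # controller address from the article
CNC_PORT = 10009           # controller TCP port from the article

# Constructed iptables-style log lines (LOG target output).
SAMPLE_LOG = """\
Sep  9 10:00:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.81.40.172 PROTO=TCP SPT=3345 DPT=10009
Sep  9 10:00:04 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.81.40.172 PROTO=TCP SPT=3346 DPT=10009
Sep  9 10:01:10 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.7 DST=203.81.40.172 PROTO=TCP SPT=1029 DPT=80
Sep  9 10:02:33 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.9 DST=198.51.100.4 PROTO=TCP SPT=4011 DPT=10009
Sep  9 10:03:48 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.44 DST=203.81.40.172 PROTO=TCP SPT=2212 DPT=10009
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def find_cnc_connections(log_text, cnc_ip=CNC_IP, cnc_port=CNC_PORT):
    """Return (src_host, line) pairs for TCP connections to cnc_ip:cnc_port."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than miscount
        if (m["dst"] == cnc_ip and m["proto"].upper() == "TCP"
                and int(m["dpt"]) == cnc_port):
            hits.append((m["src"], line))
    return hits


def suspected_zombies(log_text):
    """Count matching connections per internal host; each host needs cleanup."""
    return Counter(src for src, _ in find_cnc_connections(log_text))


if __name__ == "__main__":
    for host, n in suspected_zombies(SAMPLE_LOG).most_common():
        print(f"{host}: {n} connection(s) to {CNC_IP}:{CNC_PORT}")
```

Only 10.1.2.3 and 10.1.2.44 are reported; 10.1.2.7 (same address, port 80) and 10.1.2.9 (port 10009, different address) are not, since neither matches the full indicator.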
Case Study: PA Medical Center's Electronic Medical Records System (7 September 2004)
Geisinger Medical Center, outside Danville, Pennsylvania, has been developing an electronic medical records system including a number of web-based services for patients and staff. The article describes the medical center's efforts to balance security and privacy concerns with the development of their system.
-http://www.infoworld.com/article/04/09/07/HNmedicalrecord_1.html
Debian Rejects SenderID Because of Microsoft's Licensing Requirements (7 September 2004)
The Debian Linux Group says it will not use the SenderID anti-spam standard because Microsoft's licensing requirements do not fit with Debian's open source, free software guidelines.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39192641-39037064t-39000005c
The HTTP Elephant on the Table: One Week with an Open Proxy Server
This article is an "extended abstract" for Ryan Barnett's research paper on running an open proxy server honeypot; a link to the full paper is provided in the abstract.
-http://www.sans.org/rr/special/http_elephant.php
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit
http://portal.sans.org/