SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #4
January 28, 2004
TOP OF THE NEWS
Treasury Inspector General Report Slams IRS SecurityPhisher Sentenced to Nearly Four Years in Prison
Judge Rules KaZaA Owner May Sue Music and Movie Companies
DVD Copy Control Association Drops DeCSS Case
MyDoom Virus Spreading Rapidly - Targets SCO
THE REST OF THE WEEK'S NEWS
Banking Group Issues Outsourcing GuidelinesFilters Force Spammers to Use Gibberish
FDIC Warns of Phishers Preying on Terrorism Fears
Alleged Movie Pirate Arrested
NIST Releases Two Draft Documents for Comment
Panel Critical of Pentagon's Internet Voting System
eBay Suspends Sellers for Altering Feedback
Senate Judiciary Committee Server "Glitch" Allowed Unauthorized Document Access
SUSE Linux Gets CAPP/EAL3+ Certification
EPIC Files Complaint Against Northwest Airlines
Software Could Predict What Future Attacks Will Look Like
VULNERABILITY UPDATES AND EFFECTS
W32/Mydoom WormDumaru Worm
Cisco Issues Advisory on Voice Product Vulnerabilities on IBM Servers
Microsoft Releases MBSA 1.2
********************* Sponsored by Check Point ************************
Check Point Software presents InterSpect, the first and only complete Internal Security Gateway that blocks the spread of worms and attacks inside the network.
Built specifically to protect internal networks, Check Point InterSpect provides intelligent worm defense, network zone segmentation, quarantine capabilities, and LAN protocol protection all in one easy to deploy appliance that protects your network from threats within.
Download your FREE whitepaper on Internal Network Security
CLICK HERE NOW
http://www.sans.org/cgi-bin/sanspromo/NB285
**********************************************************************
This Week's Featured Security Training Program:
Security managers and analysts, system and network administrators, auditors and forensic analysts will each find immersion training focused on their special needs, and all taught by the highest-rated instructors in the US. And it is all in Orlando Florida, in early April.
http://www.sans.org/sans2004
*************************************************************************
TOP OF THE NEWS
Treasury Inspector General Report Slams IRS Security (20 January 2004)
A report from the Treasury Department's Inspector General (IG) found computer security measures at the Internal Revenue Service (IRS) in need of improvement. Among the problems: - Many employees have not received sufficient training, - Vendor patches have not been applied to systems, leaving them open to known vulnerabilities, and - Baseline configurations were not maintained so there is no way to tell if something has been altered without authorization.-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id
=24661
Phisher Sentenced to Nearly Four Years in Prison (21 January 2004)
The Ohio woman who pleaded guilty to conspiracy in a phishing scheme has been sentenced to 46 months in prison. Helen Carr tried to trick AOL members into divulging their credit card numbers. George Patterson of Pennsylvania, who also played a part in the scheme, received a 37-month sentence last summer. Their undoing was largely due to the fact that one of their targets was an off-duty FBI agent who specializes in cyber crime.-http://www.securityfocus.com/news/7871
-http://home.hamptonroads.com/stories/print.cfm?story=64935&ran=83091
Judge Rules KaZaA Owner May Sue Music and Movie Companies (24/25 January 2004)
Sharman Networks, which owns the KaZaA peer-to-peer file sharing software, may pursue copyright infringement claims against music and movie companies. A federal judge has ruled that Sharman may proceed with the suit that alleges the companies used versions of KaZaA to find out who was downloading music from others and put corrupted files on the network. Sharman also alleges that the companies violated the software's licensing agreement by sending warnings to people on the network.-http://www.mercurynews.com/mld/mercurynews/news/local/7784479.htm?template=conte
ntModules/printstory.jsp
-http://zdnet.com.com/2102-1105_2-5147037.html?tag=printthis
DVD Copy Control Association Drops DeCSS Case (23 January 2004)
The DVD Copy Control Association (DVD CCA) requested the dismissal of a case it had brought against Andrew Bunner for posting the DeCSS DVD decryption code on the Internet. Association attorney Robert Sugarman said the decision to drop the case marks a shift in their legal strategy. Sugarman claims the DVD CCA's decision was not influenced by the recent acquittal of Norwegian teen Jon Johansen, who originally cracked the DeCSS crypto scheme.-http://www.eweek.com/print_article/0,3048,a=117296,00.asp
-http://news.com.com/2102-1025_3-5145809.html?tag=st_util_print
MyDoom Virus Spreading Rapidly - Targets SCO
The MyDoom virus is spreading rapidly in part because of its effective social engineering. It masquerades as a technical email from someone known to the victim, then spreads rapidly, installs a back door and begins to attack SCO.com.-http://www.washingtonpost.com/ac2/wp-dyn/A54778-2004Jan27?language=printer
-http://www.mercurynews.com/mld/mercurynews/business/7814716.htm
***********************************************************************
FEEDBACK NEEDED ON SITE SECURITY INITIATIVE
SANS would like to invite you to participate in a community based initiative for the definition of site security specification and certification. Based on the results of this feedback, SANS will be releasing a SANS Site Security Specification with a view toward offering a Site Security Certification for organizations wishing to achieve a high degree of information security assurance. To participate please go to:
http://www.sans.org/surveys/sitecert.php
*************************************************************************
THE REST OF THE WEEK'S NEWS
Banking Group Issues Outsourcing Guidelines (26 January 2004)
The Banking Industry Technology Secretariat (BITS) has released guidelines for those in the industry to use when considering the security of outsourcing IT services.-http://www.computerworld.com/printthis/2004/0,4814,89381,00.html
[Editor's Note (Pescatore): To paraphrase Alexander Pope, "Corporations rush in where security folks fear to tread." A lot of outsourcers are selected through detailed RFP evaluation processes - without any security criteria being included. It is common to hear "Corporate decided to outsource function X to vendor Y and told us to make sure they are secure." CSOs and security managers need to sniff out any outsourcing efforts in their early stages and get security to be a heavily weighted evaluation factor. ]
Filters Force Spammers to Use Gibberish (25 January 2004)
Though the incidence of spam may not be decreasing, the coherence of the messages is definitely decreasing. Spammers who wish to evade filters must garble their messages; most people are unlikely to open e-mail with subject lines full of gibberish.-http://news.com.com/2102-1024_3-5147038.html?tag=st_util_print
[Editor's Note: Ranum): My p.r.e.d.i.c.t.i.0.n. is that spa8mmers will have to f1nd 0ther v3nues s00n. E-m8il, as a batch service, is too 3asy to add pr0cessing into its d8ta path. L00k f0r future s.p.a.m.m.er.s. to f0cus on inst8nt messag3ing and p33r to p33r. ]
FDIC Warns of Phishers Preying on Terrorism Fears (23/26 January 2004)
The Federal Deposit Insurance Corporation (FDIC) issued an advisory last week warning that phishers have been sending out e-mails telling people that their FDIC bank account deposit insurance has been suspended as a result of an investigation conducted under the USA-PATRIOT Act. People are told that their accounts will lose FDIC protection unless they provide their account details for verification. The phishers have exploited a known Internet Explorer vulnerability that allows them to spoof web sites; while the link appears to lead to an FDIC site, it actually leads to a server in Pakistan.-http://news.com.com/2102-7349_3-5146716.html?tag=st_util_print
-http://www.computerworld.com/printthis/2004/0,4814,89425,00.html
-http://www.cnn.com/2004/TECH/internet/01/26/email.scam/index.html
Alleged Movie Pirate Arrested (23 January 2004)
FBI agents have arrested Russell Sprague of Illinois for allegedly using the Internet to distribute screener versions of films that were intended for the members of the Academy of Motion Pictures Arts and Sciences (AMPAS). The screener films have been traced back to an AMPAS member who is a friend of the suspect who says he believed Sprague was just someone who enjoyed watching movies.-http://www.washingtonpost.com/ac2/wp-dyn/A40923-2004Jan23?language=printer
-http://www.msnbc.msn.com/id/4037016/
[Editor's Note (Shpantzer): This is a case of a successful implementation of 'traitor-tracing' in the digital realm. The individualized coding in the movies given to the AMPAS member traced the violations back to him via Srague's copies of the encoded originals. Min Wu at University of Maryland is a subject matter expert in this field:
-http://www.ece.umd.edu/%7Eminwu/research/ACC_fingerprint.html
As is Amos Fiat. For a very technical 50 minute lecture on these types of protections, see
-http://www.uwtv.org/programs/displayevent.asp?rid=952]
NIST Releases Two Draft Documents for Comment (23 January 2004)
The National Institute of Standards and Technology (NIST) has released two drafts for comment: The Risk Management Guide for Information Technology Systems (Special Publication 800-30 Rev A) and Engineering Principles for Information Technology Security (Special Publication 800-27 Rev A). NIST is accepting comments on the draft documents until March 20, 2004.-http://www.fcw.com/fcw/articles/2004/0119/web-nist-01-23-04.asp
-http://csrc.nist.gov/publications/drafts/SP800-30-RevA-draft.pdf
-http://csrc.nist.gov/publications/drafts/SP800-27-RevA-Draft.pdf
Panel Critical of Pentagon's Internet Voting System (22/26 January 2004)
A panel of security analysts has published a report critical of the Pentagon's Secure Electronic Registration and Voting Experiment (SERVE) system, which was designed to allow members of the Armed Forces and other US citizens living abroad to participate in elections. The panel's report says the pilot Internet voting system is not secure enough to be used in elections and recommends the project be shut down immediately. Nonetheless, the Pentagon is standing by SERVE and seven states plan to use the system for collecting absentee votes in upcoming elections.-http://news.bbc.co.uk/1/hi/technology/3419775.stm
-http://www.computerworld.com/printthis/2004/0,4814,89290,00.html
-http://www.washingtonpost.com/ac2/wp-dyn/A36875-2004Jan21?language=printer
-http://www.fcw.com/fcw/articles/2004/0119/web-evoting-01-22-04.asp
-http://www.govexec.com/news/index.cfm?mode=report2&articleid=27478&printerfriend
lyVers=1&
-http://www.wired.com/news/print/0,1294,62041,00.html
Text of the panel's report:
-http://www.servesecurityreport.org/
[Editor's Note (Schultz): It's disturbing to see so little attention paid to security-related concerns in electronic voting systems. On the other hand, security-related threats are generally deprecated, anyway, so perhaps what is happening with voting systems is really not so surprising.
(Pescatore): The key line in the report is really "There really is no good way to build such a voting system without a radical change in overall architecture of the Internet and the PC, or some unforeseen security breakthrough" - and there lies the rub. The PC architecture needs to migrate to providing a trusted execution environment before something like voting from a home PC is feasible. The Trusted Computing Group (www.trustedcomputinggroup.org), driven by AMD, HP, IBM, Intel, Microsoft and others is moving towards such an architecture for PCs that will be shipping in 2006. However, there needs to be a lot of open review of the TCG architecture and components if market suspicion is to be overcome. ]
eBay Suspends Sellers for Altering Feedback (23 January 2004)
eBay has suspended several sellers for uploading a program that allowed them to remove negative comments from the feedback on their member profile pages.-http://www.washingtonpost.com/ac2/wp-dyn/A42780-2004Jan23?language=printer
Senate Judiciary Committee Server "Glitch" Allowed Unauthorized Document Access (22 January 2004)
The Office of the Senate Sergeant-at-Arms is investigating allegations that Republican US Senate Judiciary Committee staffers have been accessing confidential Democratic documents for more than a year. A technician's error allowed files on the Senate Judiciary Committee's server to be accessed without passwords. The Office of the Senate Sergeant-at-Arms has seized several computers and hard drives.-http://www.eweek.com/print_article/0,3048,a=117189,00.asp
-http://gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=247
02
-http://www.boston.com/news/nation/articles/2004/01/22/infiltration_of_files_seen
_as_extensive?mode=PF
[Editor's Note (Ranum): What amazes me is that the staffers who were accessing the files appear to be preparing to defend their actions on the basis that it was OK because the files weren't protected. "It was the system administrator's fault" is not an excuse. ]
SUSE Linux Gets CAPP/EAL3+ Certification (21 January 2004)
SUSE Enterprise Server 8 software with Service Pack 3 on IBM servers is now compliant with Controlled Access Protection Profile under the Common Criteria for Information Security Evaluation, also known as CAPP/EAL3+. The certification could open the door for governments and other entities requiring high levels of information security assurance to use the open source products. SUSE and IBM plan to pursue CAPP/EAL4+ sometime later this year.-http://www.computerworld.com/printthis/2004/0,4814,89250,00.html
-http://www.eweek.com/print_article/0,3048,a=117047,00.asp
-http://news.com.com/2102-7344_3-5144459.html?tag=st_util_print
EPIC Files Complaint Against Northwest Airlines (21 January 2004)
The Electronic Privacy Information Center (EPIC) has filed a complaint with the Department of Transportation against Northwest Airlines after the company admitted that it shared passenger data with NASA researchers. The complaint calls for sanctions against Northwest; EPIC also wants Northwest to inform all customers whose data was shared with NASA.-http://www.wired.com/news/print/0,1294,61985,00.html
-http://tn01.com/usatoday/sbct.cgi?s=906902457&i=929698&m=1&d=5360524
Software Could Predict What Future Attacks Will Look Like (21 January 2004)
A Cambridge engineering company has developed software that can predict attacks by mutating known attack code. The mutations maintain grammatical and syntactic integrity so that the new code is still viable. However, the increased number of signatures this method may generate could slow down intrusion detection systems in signature-based intrusion detection systems.-http://www.newscientist.com/news/news.jsp?id=ns99994588
VULNERABILITY UPDATES AND EFFECTS
W32/Mydoom Worm (26/27 January 2004)
The Mydoom worm, also known as the Novarg worm, is spreading quickly via e-mail and KaZaA. The worm reportedly will launch a distributed denial-of-service (DDoS) attack against SCO.com.-http://www.computerworld.com/printthis/2004/0,4814,89449,00.html
-http://www.eweek.com/print_article/0,3048,a=117441,00.asp
-http://www.theage.com.au/cgi-bin/common/popupPrintArticle.pl?path=/articles/2004
/01/27/1075087993734.html
-http://news.com.com/2102-7349_3-5147605.html?tag=st_util_print
-http://www.msnbc.msn.com/id/4065701/
-http://www.theregister.co.uk/content/56/35127.html
Dumaru Worm (26 January 2004)
This worm arrives in a user's inbox as an email with the subject line of "Important information for you. Read it immediately!" It opens a back door and may be listening for passwords. Security companies are rating it as a high risk worm.-http://www.theregister.co.uk/content/56/35105.html
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39143708-39020330t-10000025c
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci946167,00
.html
Cisco Issues Advisory on Voice Product Vulnerabilities on IBM Servers (21/22 January 2004)
-http://www.internetnews.com/dev-news/print.php/3302271
-http://www.cisco.com/warp/public/707/cisco-sa-20040121-voice.shtml
[Editor's Note (Pescatore): VoIP will be as much a source of vulnerabilities over the next five years as sendmail was in the early nineties and as Microsoft's Internet Information Server was in the early 2000's. ]
Microsoft Releases MBSA 1.2 (21 January 2004)
The newest version of Microsoft Baseline Security Analyzer includes support for some new Microsoft products, including Exchange 2003.-http://www.computerworld.com/printthis/2004/0,4814,89267,00.html
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Bruce Schneier, Eugene Schultz, Gal Shpantzer
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/
