SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VI - Issue #44

November 11, 2004

The first story in this issue tells about a fascinating legal case.

If you have responsibility for security awareness, definitely sign up for Ouch! -- the monthly end-user letter about what criminals are doing and what to watch out for. You can sign up at the SANS portal (portal.sans.org), and it is free. If you want to help with our new Security Awareness Tool of the Month project that finds useful awareness tools and makes them available to everyone, email info@sans.org with subject Awareness Tools, and put your name, email, job title and organization in the body.

---

TOP OF THE NEWS

Company Tries to Gain Competitive Edge Through Intrusion
DHS Security Audit Finds Problems
Microsoft Revises Sender ID
Secret Service Undercover Investigation Nets 28 Alleged Identity Thieves

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Two Oxford Students Suspended for Computer Network Intrusion
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Draft Cyber Security Requirements for Industrial Control Systems
SPAM & PHISHING
Three Alleged AOL Spammers on Trial in Virginia
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
Windows Genuine Advantage Program Participation Exceeds Microsoft's Hopes
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Google Repairs Gmail Vulnerability
Bagle Variant Spreading Quickly
Zafi.C Worm
QuickTime and RealPlayer Vulnerabilities
W32/Myfip Virus
Phony Red Hat Security Alert Trojan Source Code and Analysis
MISCELLANEOUS
Opinion: Increasing Vendor Liability Would Improve Software Security
New Caller ID Spoofing Site
Voting Machine Companies to Submit Code to National Software Reference Library
Database Management Company Addresses Security After Two Cyber Break-Ins

---

********** Sponsored by LURHQ Managed Security Services *****************

LURHQ's Managed Security Services provide true protection by integrating scanning, intelligence, management and monitoring processes resulting in each process being more effective and efficient. LURHQ's OPEN Service Delivery keeps you in control and results in a partnership for Threat Management. Download "11 Elements of a Successful MSS Partnership" to see how we empower security professionals.

http://www.lurhq.com/MSS-Partnership.html

************************************************************************
Highlighted Cybersecurity Training: Washington, DC, Dec. 7-13, 2004

SANS best instructors will be in DC teaching great courses for
**Auditors who want the technical skills so critical to successful audits.
**Security Managers interested in best practices and SANS exclusive "security make-over"
**Security professionals seeking CISSP (a trademark of (ISC)2) certification who want a more effective course.
**Technical security professionals with hands-on responsibility:
Hacker Exploits; Intrusion Detection In-Depth; Introduction to Information Security; SANS Security Essentials; Firewalls, VPNs, and Perimeter Protection; Securing Windows; Securing Linux/Linux; System Forensics, Investigation & Response; .Net Security.
Early registration deadline is this Friday:
Details: http://www.sans.org/cdieast04

*************************************************************************

---

TOP OF THE NEWS

Company Tries to Gain Competitive Edge Through Intrusion (25 October 2004)

In an example of what attorney Mark Rasch says is a growing trend of cyber intrusion for profit, Getloaded.com accessed information on Truckstop.com's web site, without authorization. Truckstop.com had established a solid business of finding loads for long haul truck drivers so they don't have to make return trips with empty vehicles. Getloaded.com wanted a piece of the action. Judge Andrew J. Kleinfeld issued an opinion for the United States Court of Appeals for the Ninth Circuit.
-http://www.securityfocus.com/printable/columnists/273
-http://caselaw.lp.findlaw.com/data2/circs/9th/0235856p.pdf

DHS Security Audit Finds Problems (28 October 2004)

The Homeland Security Department's inspector general has released a report detailing the results of a security audit conducted in accordance with the Federal Information Security Management Act. The report says that while DHS has made some improvements, "
[we recommend that DHS continue to consider its information systems security program a significant deficiency." Of significant concern is the CIO's lack of authority to manage department-wide information technology programs and spending.
-http://www.fcw.com/fcw/articles/2004/1025/web-dhsig-10-28-04.asp

Microsoft Revises Sender ID (25 October 2004)

Microsoft has revised its sender ID anti-spam technology to work better with Sender Policy Framework technology. Microsoft has also narrowed the focus of their patent application for the technology, which had been a sore point with others involved in developing an anti-spam standard. Microsoft said it wouldn't charge for the use of the technology, but other entities were uncomfortable with the idea of Microsoft holding patents on the technology. Microsoft has resubmitted Sender ID to the Internet Engineering Task Force for approval.
-http://www.computerworld.com/printthis/2004/0,4814,96923,00.html

Secret Service Undercover Investigation Nets 28 Alleged Identity Thieves (28 October 2004)

A US Secret Service undercover investigation code-named Operation Firewall led to the arrest of 28 people in seven countries on charges of identity theft, computer fraud, credit card fraud and conspiracy. The group allegedly stole 1.7 million credit card numbers and forged numerous identity-related documents, such as licenses, birth certificates and passports.
-http://www.theregister.co.uk/2004/10/29/operation_firewall/print.html
-http://www.computerworld.com/printthis/2004/0,4814,97017,00.html
-http://news.com.com/2102-7348_3-5431419.html?tag=st.util.print

---

************************** SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.

(1) Free Whitepaper - Roadmap to Risk & Responsibilities for Secure Messaging Strategy http://www.sans.org/info.php?id=639

(2) ALERT: Hackers New Trick- LDAP Injection Attacks- FREE White Paper http://www.sans.org/info.php?id=640

(3) Download a free White Paper, by Osterman Research, "The advantages of Using a Managed Service Provider to Protect Your Messaging System." http://www.sans.org/info.php?id=641

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Two Oxford Students Suspended for Computer Network Intrusion (29 October 2004)

Oxford University's Court of Summary Jurisdiction has suspended two students on charges of breaking into the school's computer network. Patrick Foster and Roger Waite wrote of their activities in the Oxford Student newspaper, maintaining they wanted to expose the security weaknesses in the computer system. The two feel the punishment is too harsh and say they will appeal the decision.
-http://news.bbc.co.uk/2/hi/uk_news/education/3966045.stm

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

Draft Cyber Security Requirements for Industrial Control Systems (29 October 2004)

The Process Control Security Requirements Forum has published a draft of cyber security requirements for industrial control systems, which are used in much of the nation's critical infrastructure. Industrial control system vendors worked with the Forum for two years to develop the document, "System Protection Profile for Industrial Control Systems".
-http://www.fcw.com/fcw/articles/2004/1025/web-pcfrs-10-29-04.asp
-http://www.isd.mel.nist.gov/projects/processcontrol/SPP-ICSv1.0.pdf
[Editor's Note (Pescatore): This is written as a Protection Profile towards an EAL-3 Common Criteria evaluation. It has the same blind spot that many PPs have - it focuses on the security mechanisms built into the product, vs. trying to drive the actual security level of the product higher. One of the biggest security issues in these systems is that many of them have moved to Windows which needs to be patched frequently, often monthly. In real use, patch management and intrusion prevention for these devices is much more important to overall security of control systems than mandatory access controls and the like.
(Paller): Once again we have vendors "spinning" the Common Criteria program and government being duped into going along. They are not paying attention to the underlying security configuration problem that far outweighs the criteria chosen for inclusion in the protection profiles. This problem will go away when the buyers of unsafe SCADA systems decide they have had enough and act jointly to ensure the security of the systems on which they rely to run the world's critical infrastructure. Somewhere there must be security people at a utility who have the technical talent to set security configuration standards for their SCADA systems? If you have done the initial work, we'll help you get wider adoption. ]

SPAM & PHISHING

Three Alleged AOL Spammers on Trial in Virginia (26 October 2004)

Three people are on trial in Virginia for allegedly using false identities to send millions of unsolicited commercial emails to AOL customers. Though the defendants are from North Carolina, the trial is in Virginia the physical location of AOL's servers. Virginia has the harshest anti-spam law in the country; if the three are convicted of the charges against them, they could face up to 15 years in prison.
-http://www.securitypipeline.com/showArticle.jhtml;jsessionid=2D1JARLSNIZ5CQSNDBC
CKH0CJUMEKJVN?articleId=51200542&printableArticle=true

COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT

Windows Genuine Advantage Program Participation Exceeds Microsoft's Hopes (28 October 2004)

According to Microsoft officials, more than 800,000 people have agreed to participate in the optional Windows Genuine Advantage program, which checks to see if users are running legitimate versions of Microsoft software on their computers. Microsoft had initially hoped for 20,000 participants. Visitors to Microsoft's Download Site are asked if they wish to participate when they ask to download a "Genuine Microsoft" product from the site. Site visitors who choose not to opt in or who are found to be using counterfeit software are still permitted to download content from the site.
-http://www.microsoft-watch.com/article2/0,1995,1684754,00.asp

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

Google Repairs Gmail Vulnerability (1 November 2004)

Google has fixed a vulnerability in its webmail service, known as Gmail, which could have allowed attackers to access a user's email account with no more information than just the user's name. The flaw was originally disclosed in Nana NetLife magazine.
-http://www.theregister.co.uk/2004/11/01/gmail_bug_fixed/print.html
-http://net.nana.co.il/Article/?ArticleID=155025&sid=10
[Editor's Note (Pescatore): Certainly more vulnerabilities to come in Gmail, as their desktop search product has seen several security flaws, as well. Gmail does claim to completely block all executables - a great thing from a security perspective, unless they don't live up to the claim.]

Bagle Variant Spreading Quickly (1 November/29 October 2004)

A new version of the Bagle worm, known as Bagle.AT, .BB or a variety of other names, is now spreading quickly. It uses email addresses from Microsoft Outlook on infected computers to spread itself. It also attempts to turn off security measures on infected machines. Users must open an attachment to become infected. The virus copies itself to the Windows directory and opens TCP port 81 to allow remote access to infected computers.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39199512-39037064t-39000
005c
-http://news.bbc.co.uk/2/hi/technology/3965721.stm
-http://www.theregister.co.uk/2004/10/29/bagle_zafi_email_worms/print.html

Zafi.C Worm (29 October 2004)

The Zafi.C worm uses its own SMTP engine to send itself to email addresses it finds on infected computers. The worm aims to launch denial of service attacks against Google.com, Microsoft.com and the Hungarian Prime Minister's web site.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39199268-39037064t-39000
005c
[Editor's Note (Imrey): Throttling allowed SMTP connections (perhaps 12/hour) from computers not running email servers would dramatically lower the spread of malicious email with virtually no impact on legitimate email. This could be accomplished at the personal firewall, the gateway, or at the ISP. ]

QuickTime and RealPlayer Vulnerabilities (29/28 October 2004)

Both QuickTime and RealPlayer have security flaws that could allow attackers to take control of vulnerable machines remotely. Apple's has released QuickTime version 6.5.2 to address the vulnerability; updates are also available for RealPlayer 10, 10.5 and RealOne Player.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39199272-39037064t-39000
005c
-http://www.internetnews.com/security/print.php/3428281
-http://security.itworld.com/4345/041028mediabug/pfindex.html

W32/Myfip Virus (25 October 2004)

The W32/Myfip virus arrives as an attachment to an email purporting to come from eBay's webmaster, suggesting the company is conducting market research among its customers and that participants could win prizes. Because it uses an unusual packer, one not seen before in email malware, it could be harder to detect. One security industry executive says antivirus firms are using scare mongering tactics to boost revenues and that there should be simple rules at email gateways to block unexpected code.
-http://www.vnunet.com/news/1158981
-http://www.vnunet.com/news/1159008

Phony Red Hat Security Alert Trojan Source Code and Analysis (25 October 2004)

This page includes the source code and analysis of the Trojan horse program that was circulating under the guise of being a Red Hat security alert last week.
-http://www.k-otik.com/news/FakeRedhatPatchAnalysis.txt

MISCELLANEOUS

Opinion: Increasing Vendor Liability Would Improve Software Security (28 October 2004)

In this opinion piece, Bruce Schneier observes that "Information security is not a technological problem; it's an economics problem." Unsecure software costs us plenty of money, but the problem does not seem to be going away; we pay "to deal with the problem rather than fix it." Software security will not improve, says Schneier, until it is in the vendors' financial best interests to develop more secure products. One way to do this is to make the vendors liable for flaws in their products. The entire cost presently rests with the network owners; the cost should be more equitably distributed.
-http://www.computerworld.com/printthis/2004/0,4814,96948,00.html
[Editor's Note (Schultz): Bruce is correct in saying that vendors' financial interests and flawed software are tied together. What he overlooks, however, is the possibility that the public may at some point in time become fed up with the all the flaws in commercial software to the point that legislators may feel pressure to pass legislation that either holds vendors responsible for the consequences of bug-riddled software or requires minimum software standards. A catastrophic event such as the crash of an airplane due to software bugs could be the impetus for such a change. ]

New Caller ID Spoofing Site (27 October 2004)

A new Caller ID spoofing site called Camophone allows anyone with a PayPal account to use its services; people can make their call appear to be coming from any phone number of their choosing. A similar site, Star38.com, opened earlier this year, but the owner received harassing phone calls and a death threat; Camophone's ownership remains a mystery because its domain name was registered though a proxy service. Star38.com has been relaunched exclusively for law enforcement officials and intelligence agencies.
-http://www.securityfocus.com/printable/news/9822

Voting Machine Companies to Submit Code to National Software Reference Library (27/26 October 2004)

Five voting machine companies have agreed to submit copies of their code to the National Software Reference Library in an attempt to appease those skeptical of electronic voting's inherent security. The companies have stopped short of providing the library with their proprietary source code. The library, which is maintained by the National Institute of Standards and Technology, will create a hash of each code which election supervisors can use to check that software they plan to install on voting machines matches the certified code in the library.
-http://www.eweek.com/print_article/0,1761,a=138154,00.asp
-http://www.wired.com/news/print/0,1294,65490,00.html

Database Management Company Addresses Security After Two Cyber Break-Ins (25 October 2004)

After database management company Acxiom was hit twice by an alleged spammer searching for the company's mailing list, it changed its computer security approach. Acxiom created the position of chief security leader, changed password structures and reduced the amount of time data stays on its FTP servers. In addition, 75% of data transmitted between Acxiom and its clients is now encrypted; the company aims to raise that figure to 100%.
-http://www.informationweek.com/story/showArticle.jhtml?articleID=51000113

---

===end===

NewsBites Editorial Board:
Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/