SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VI - Issue #49

December 08, 2004

TOP OF THE NEWS

Court Rules Interior May Remain Connected to Internet
California Bill Would Restrict Researchers' Access to State Agency Data
Lycos Anti-Spam Screensaver Taken Off Line
Universities Warn of Spyware-Like Application; Some Block Network Connections to its Servers

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Australia Plans Critical Infrastructure Security Assessment Panel
SPAM & PHISHING
Ohio Legislature Passes Bill That Would Establish Penalties for Spammers
Microsoft Files Lawsuits Against Alleged Spammers
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Microsoft Fixes IFrame Flaw with Out-of-Cycle Patch
Apple Security Update Released
Netscape PNG Vulnerability
Skulls.B Trojan Contains Cabir.B Worm
STATISTICS, STUDIES AND SURVEYS
Unprotected Computers Compromised Within Minutes
MISCELLANEOUS
Business Continuity/Disaster Recovery Benchmark Developed
Microsoft Files Lawsuits Against Alleged Certificate of Authenticity Dealers
Google Desktop Search Reveals Vulnerabilities

---

*********************** Sponsored by Check Point ************************

Learn how Check Point Connectra delivers secure SSL VPN access, protecting your network from worms, Trojan horses, and other malware threats. Download this free, fact-filled Web Security Informational Kit.

Includes informative new white papers from Stratecast Partners and Ziff-Davis, plus Connectra product details.

Get a wealth of information-free! Download now. http://www.sans.org/info.php?id=677 *************************************************************************
Highlighted Cybersecurity Training of the Week

Highlighted SANS Cybersecurity Training: December 6, 7 and 9 FREE Programs to Help You Find WhatWorks Among Security Tools
WhatWorks in Intrusion Prevention and
WhatWorks in Stopping Spam and Email Viruses
Sign up for these user case studies at http://www.sans.org/webcasts
Immersion Training Courses
**Washington DC, December 7 - 14 [14 Hands-On Immersion tracks] http://www.sans.org/cdieast04
**Orlando FL, February 3 - 9 [15 Hands-On Immersion Tracks] http://www.sans.org/orlando05
**Houston TX, March 10 - 16 [12 Hands-On Immersion Tracks] http://www.sans.org/lonestar05
**Sydney Australia, February 21-26 [6 Hands-On Immersion Tracks] http://www.sans.org/darlingharbour05 *************************************************************************

---

TOP OF THE NEWS

Court Rules Interior May Remain Connected to Internet (3 December 2004)

The US Court of Appeals for the District of Columbia has ruled that the Department of the Interior may keep its computer systems connected to the Internet. In the ruling, the court said that a lower court did not give the department adequate time to present its case before ordering its systems be taken off line. Despite the fact that Indian trust funds are vulnerable to cyber attacks, there is no evidence that the accounts have been tampered with. Interior Department computers have been ordered shut off from the Internet three times since 2001.
-http://www.reuters.com/newsArticle.jhtml?storyID=6992188

California Bill Would Restrict Researchers' Access to State Agency Data (2 December 2004)

California state senator Debra Bowen has proposed legislation that would prohibit state agencies from providing researchers with data that personally identifies California citizens. The bill comes in the wake of a breach of a University of California, Berkeley computer system on which a researcher had gathered names, and social security numbers of more than one million people involved in a California in-home care program. Researchers say than meaningful analysis requires unique identifiers, such as social security numbers. Presently, researchers are required to create "pseudo-identifiers" for the data they use; state agencies do not have the resources to "sanitize" the data.
-http://www.securityfocus.com/printable/news/10053
[Editor's Note (Schultz): This story once again shows that the best impetus for improving security (in this case through legislation) is often a nasty security-related incident. ]

Lycos Anti-Spam Screensaver Taken Off Line (6/3/2 December 2004)

Lycos, which last week released a screensaver designed to consume bandwidth of spamming web sites has had the tables turned; at least one of the targeted sites has redirected traffic back to the Lycos site. Despite claims that the screensaver was causing denial-of-service against the spamming sites, Lycos maintained its program was careful not to completely shut down the sites it targeted. The Lycos site associated with the screensaver has been taken off line and replaced with a message stating simply "STAY TUNED." Some Internet backbone providers and ISPs have been blocking access to the Lycos web site in an effort to prevent further attacks.
-http://www.computerworld.com/printthis/2004/0,4814,97990,00.html
-http://www.theregister.co.uk/2004/12/03/lycos_antispam_site_offline/print.html
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39206979-39037064t-39000
005c
[Editor's Note (Schultz): What has been reported in this news item is only the start of many problems that Lycos appears to have created for itself.
(Tan): It just opens another can of worms. Now we have faked Lycos screensaver.
-http://www.f-secure.com/weblog/#00000382]

Universities Warn of Spyware-Like Application; Some Block Network Connections to its Servers (6 December/30 November 2004)

IMesh, which makes a filesharing program, has begun bundling the Marketscore application along with its product. Marketscore routes all traffic through its servers where it is analyzed in order to create research reports; it also claims to speed up users' Internet interaction. Marketscore is able to view encrypted traffic, such as passwords and account numbers, which presents security concerns. Several universities around the United States have blocked connections from school networks to Marketscore servers, angering some students.
-http://www.computerworld.com/printthis/2004/0,4814,97936,00.html
-http://www.wired.com/news/print/0,1294,65906,00.html
[Editor's Note (Pescatore): It is a no-brainer that any random 3rd party site that is proxying SSL connections should be on the banned list. There is absolutely no way they are doing any caching that is improving SSL sessions, they can't even claim that as a benefit. ]

---

************************** SPONSORED LINKS ******************************
Privacy notice: Sponsored links redirect to non-SANS web pages.

(1) Worms, viruses cost businesses $2 million per incident. Read full benchmark report. http://www.sans.org/info.php?id=678
(2) ALERT! Hackers Gain Access to Backend Data Via Web Applications-FREE WHITE PAPER http://www.sans.org/info.php?id=679
(3) Download this free White Paper, by Osterman Research, "The advantages of Using a Managed Service Provider to Protect Your Messaging System." http://www.sans.org/info.php?id=680

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

Australia Plans Critical Infrastructure Security Assessment Panel (30 November 2004)

The Australian government plans to spend AU$8 million on the Computer Network Vulnerability Assessment (CNVA) program, which will aim to identify and fix security flaws in the networks supporting country's critical infrastructure. Under the CNVA program, the government will create a panel of security experts to conduct risk assessments and identify vulnerabilities.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39168444-20000
61744t-10000005c

SPAM & PHISHING

Ohio Legislature Passes Bill That Would Establish Penalties for Spammers (2 December 2004)

The Ohio state legislature has passed a bill that, if singed into law by Governor Bob Taft, would establish criminal and civil penalties for those convicted of sending spam. Under the bill, people would face felony charges for sending more than 250 deceptive emails in one day, 2,500 in one month or 25,000 in one year. Those convicted of sending spam would face prison sentences of between 6 and 18 months, as well as forfeiture of their equipment.
-http://www.securitypipeline.com/showArticle.jhtml;jsessionid=MMTQT1E5Z4N30QSNDBC
CKHSCJUMEKJVN?articleId=54201642&printableArticle=true

Microsoft Files Lawsuits Against Alleged Spammers (2 December 2004)

Microsoft has filed seven lawsuits against individuals who have allegedly violated the CAN-SPAM Act by sending out unsolicited, sexually explicit email. The seven defendants have allegedly violated the "brown paper wrapper" rule, which requires that sexually explicit material be clearly labeled as such. They have also allegedly violated other rules, including those requiring accurate subject lines, physical mail addresses for senders and easy unsubscribe directions.
-http://www.computerworld.com/printthis/2004/0,4814,97991,00.html

-http://www.theregister.co.uk/2004/12/02/ms_cans_spammers/print.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

Microsoft Fixes IFrame Flaw with Out-of-Cycle Patch (2 December 2004)

Microsoft has released an out-of-cycle patch for the IFrame vulnerability in Internet Explorer; the Bofra worm exploited the flaw which Microsoft has rated critical. The vulnerability affects users of Windows XP SP1, Windows 2000 (SP3 and SP4) and Windows NT4.
-http://www.theregister.co.uk/2004/12/02/ie_iframe_fix/print.html
-http://www.computerworld.com/printthis/2004/0,4814,97957,00.html
-http://www.microsoft.com/technet/security/bulletin/MS04-040.mspx

Apple Security Update Released (2 December 2004)

Apple's most recent security update, released on December 2, 2004, includes fixes for a total of 17 flaws in the Apache Web server, OS X mail servers, Safari Web browser and QuickTime media server.
-http://news.com.com/2102-1002_3-5475341.html?tag=st.util.print

Netscape PNG Vulnerability (1 December 2004)

Sun Microsystems has issued an advisory warning of a critical vulnerability in the Netscape 7.x; the flaw lies in the way the browser handles PNG (portable network graphic) images. Users of the vulnerable versions of Netscape could be at risk for remote code execution attacks.
-http://www.eweek.com/print_article2/0,2533,a=140191,00.asp
-http://sunsolve.sun.com/search/document.do?assetkey=1-26-57683-1

Skulls.B Trojan Contains Cabir.B Worm (1 December/30 November 2004)

A new version of the Skulls Trojan horse program, Skulls.B, infects mobile phones and contains the Cabir.B worm. The worm makes it capable of spreading to other Bluteooth-enabled phones in the area. Skulls.B does not replace menu icons with skulls and crossbones as its predecessor did, but uses Symbian default icons. It still carries a malicious payload that wipes out applications, but users have to press the Skulls.B icon in the menu in order to become infected, as a bug prevents it from running automatically after it installs itself on phones. Users are advised to set their handsets to nondiscoverable Bluetooth mode.
-http://www.computerworld.com/printthis/2004/0,4814,97935,00.html
-http://www.theregister.co.uk/2004/12/01/cabir_skulls_combo/print.html
[Editor's Note (Pescatore): Big sigh: should the default on phones be nondiscoverable Bluetooth mode? I hope the mobile industry doesn't re-invent every broken wheel the PC industry did. For example, since nothing gets to a cell phone that doesn't come through the network, malicious software blocking should be built into wireless data networks vs. depending on reactive client side software to deal with the problem. In-the-cloud security is just starting on the Internet - consumer wireless data should begin there. ]

STATISTICS, STUDIES AND SURVEYS

Unprotected Computers Compromised Within Minutes (30 November 2004)

Avantegarde, a marketing communications company, tested six systems with default security measures in a honeypot setting. Though most of the systems fared well, a Windows XP SP1 fell prey to cyber attacks within four minutes of its connection to the Internet.
-http://www.techweb.com/article/printableArticle.jhtml;jsessionid=4KQFHPWRDVZ02QS
NDBCCKH0CJUMEKJVN?articleID=54201306&site_section=700028
[Editor's Note (Tan): Systems without firewalls are often compromised even before users can finish downloading the patches. (Pescatore): In related research, blind puppies released onto the streets of Manhattan were turned into roadkill within 90 seconds of release. No actual puppies were harmed in this test - Furbies from Overstock.com were used. ]

MISCELLANEOUS

Business Continuity/Disaster Recovery Benchmark Developed (2 December 2004)

Infocomm Development Authority of Singapore and Business Continuity/Disaster Recovery Working Group of the Information Technology Standards Committee have developed a certification program for businesses. The program, which is believed to be the world's first business continuity/disaster recovery benchmark, is aimed in part at enhancing Singapore's desirability as a location for business process outsourcing.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39203480-39037064t-39000
005c

Microsoft Files Lawsuits Against Alleged Certificate of Authenticity Dealers (30 November 2004)

Microsoft has filed eight lawsuits against defendants who have allegedly sold either counterfeit certificate of authenticity (COA) labels or genuine COAs that could be used on pirated software. The lawsuits follow a sting operation and cease-and-desist letters sent to hundreds of resellers who appeared to be dealing in the COAs.
-http://www.internetnews.com/bus-news/print.php/3441351
[Editor's Note (Shpantzer): Counterfeiting is a global plague that affects everything from baby food to cellphone batteries to cancer medicines. Some organized crime and terrorist groups that have dealt with narcotics are slowly switching to counterfeiting cigarette tax stamps and other white collar crime, including software counterfeiting, to make lucrative profits, while avoiding the tough drug sentencing laws. ]

Google Desktop Search Reveals Vulnerabilities (29 November 2004)

By doing exactly what it is supposed to do, Google Desktop Search exposes some existing security problems on users' computers. GDS creates a searchable index of all the files on users' computers, including browser caches and encrypted files. The problems lie not with GDS, but with the software already on users' machines; web browsers should not store SSL encrypted pages, and encryption programs should not leave decrypted copies of files in the cache.
-http://www.eweek.com/print_article2/0,2533,a=139657,00.asp

Correction:

In last week's edition we reported that the county government phone system breached by phreakers was in Linn County, New York; the affected system is actually in Linn County, Oregon.

---

NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/