SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #5
February 04, 2004
This week, we've added a special section on the Mydoom virus because of the many stories it has spawned. By the way, it is a virus, not a worm. A virus requires users to make active errors (opening unanticipated attachments in this case). Perhaps that's a silver lining in the Mydoom cloud. It may help educate users that opening attachments is very dangerous, even when they seem to come from friends and family and co-workers and the technical staff.
One of the useful resources that SANS provides is access to vendor white papers. Sometimes they are marketing drivel, but often they reflect solid research and contain very valuable analysis. Along with the new poster you received, we've made 15 new white papers available (free) from the poster's sponsors at http://www.sans.org/tools.php. They cover topics including DoS Protection, Security Legislation, Auditing, Event Management and more. Registration is required - that's why the vendors make them available free.
Alan
TOP OF THE NEWS
Study Finds Vulnerabilities in e-Voting HardwareFTC's Launches "Operation Secure Your Server"
DHS National Cyber Alert System Unveiled
OMB Predicts More than 50% of Agency IT Systems Will be Secure by Summer
Microsoft and SCO Offer $250,000 Rewards for Mydoom Arrest
THE REST OF THE WEEK'S NEWS
UK Teen Gets Community Service for Fermi Lab IntrusionsHeckenkamp (eBay & Qualcomm Hacker) Pleads Guilty
Peer-to-Peer Liability Case is Back in Court
NHTCU Investigating Reported Internet Protection Schemes
Sardonix Calls it Quits
NIST Releases e-Authentication Recommendation Document for Comment
University of Georgia Server Security Breach Under Investigation
Warner Bros. Files Suit Against Man For Alleged Role in Film Piracy
ISAC Officials Question New Alert System
Congressmen Davis and Putnam Address Agency IT Security
Former Microsoft Employee Convicted and Sentenced for Software Theft
Johansen Wants Compensation After Two Acquittals
SPECIAL SECTION ON MYDOOM VIRUS AND ITS EFFECTS
Mydoom Victims Hit SCO Website with Denial-of-Service Attack on SundaySCO Switches Domain Address
Mydoom Opens Ports
Mydoom Avoids Certain e-Mail Addresses
VULNERABILITY UPDATES AND EFFECTS
Microsoft Releases Cumulative IE Fix Outside of Monthly ScheduleMicrosoft Will Release IE Update to Address Flaw Exploited by Phishers
Secunia Warns of IE File-Name Spoofing Vulnerability
Mimail.S Worm the Work of Phishers
Apple Releases Patches for a Handful of Vulnerabilities, Including Two in Apache
************************ Sponsored by Symantec **************************
Symantec Gateway Security 5400 Series provides fully integrated enterprise protection at the gateway.
As the industry's most comprehensive firewall appliance, it integrates full inspection firewall technology, protocol anomaly-based intrusion prevention and intrusion detection, award-winning virus protection, URL-based content filtering, anti-spam, and virtual private networking technology.
For more information, and details on how to save up to 67% off MSRP, visit http://ses.symantec.com/USA000AWGJ10 or call 800-745-6054.
**********************************************************************
This Week's Featured Security Training Program:
Security managers and analysts, system and network administrators, auditors and forensic analysts will each find immersion training focused on their special needs, and all taught by the highest-rated instructors in the US. And it is all in Orlando Florida, in early April.
http://www.sans.org/sans2004
*************************************************************************
TOP OF THE NEWS
Study Finds Vulnerabilities in e-Voting Hardware (29 January/1 February 2004)
A study conducted by RABA Technologies found that the Diebold electronic voting system slated to be used in Maryland's March Presidential primary elections found that while the system tabulated votes accurately, it remained vulnerable to tampering that could affect the authenticity of each vote. The study, which was commissioned by Maryland's legislative services department, focused on the system's hardware.-http://www.wired.com/news/print/0,1294,62109,00.html
-http://tn01.com/usatoday/sbct.cgi?s=906902457&i=932220&m=1&d=5392237
RABA's Report:
-http://www.raba.com/press/TA_Report_AccuVote.pdf
FTC's Launches "Operation Secure Your Server" (29 January 2004)
The Federal Trade Commission (FTC) and other similar entities around the world are sending e-mail messages to owners of servers, asking them to check their servers' configurations for open relays or open proxies, which spammers can exploit to disguise their identities. The e-mail messages also contain a link to information about fixing these server vulnerabilities.-http://www.computerworld.com/printthis/2004/0,4814,89548,00.html
-http://news.com.com/2102-7355_3-5150455.html?tag=st_util_print
-http://www.cnn.com/2004/TECH/internet/01/30/ftc.spam.ap/index.html
DHS National Cyber Alert System Unveiled (28/29 January 2004)
The Department of Homeland Security's National Cyber Security Division has launched a National Cyber Alert System, a program that will send e-mail security alerts of worms and viruses to anyone who chooses to subscribe. The alerts will be digitally signed to distinguish them from phony alerts used by attackers to spread malware.-http://www.wired.com/news/print/0,1294,62078,00.html
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id
=24773
-http://www.washingtonpost.com/ac2/wp-dyn/A58255-2004Jan28?language=printer
-http://news.com.com/2102-7348_3-5148877.html?tag=st_util_print
-http://www.fcw.com/fcw/articles/2004/0126/web-mydoom-01-29-04.asp
[Editor's Note (Grefer): Out of band communication would improve safety of this type of communication. This could be as simple as sending a fax or using an instant messaging service to direct subscribers to point their browsers to a specific web page for further details. I am sure that Akamai would gladly assist with caching such information, as they already do for the Government Printing Office's publications. ]
OMB Predicts More than 50% of Agency IT Systems Will be Secure by Summer (28 January 2004)
The Office of Management and Budget (OMB) expects that just over half of government agency IT systems will be accredited and certified secure when it releases its annual report this summer. The OMB is developing FISMA implementation guidelines for the agencies.-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id
=24777
[Editor's Note (Paller): Progress on security should be applauded, and the 50% mark certainly is progress. However, as the Department of Defense has discovered, the C&A process is a snapshot in time that completely ignores the critical impact of constant change that make active networked systems vulnerable hours or days after a C&A has been completed. The US Department of Defense is about to change the way it does C&A. Civilian agencies should change to the continuous monitoring method, as well, and soon. ]
Microsoft and SCO Offer $250,000 Rewards for Mydoom Arrest (27/28/29/30 January 2004)
Microsoft and SCO are each offering a $250,000 reward for information leading to the arrest and prosecution of the worm's author. Mydoom.B also apparently blocks infected computers from accessing web sites that could help them by overwriting host files and pointing them to non-existent IP addresses.-http://news.bbc.co.uk/1/hi/technology/3439959.stm
-http://www.theage.com.au/cgi-bin/common/popupPrintArticle.pl?path=/articles/2004
/01/30/1075340816440.html
-http://www.washingtonpost.com/ac2/wp-dyn/A60995-2004Jan29?language=printer
-http://www.computerworld.com/printthis/2004/0,4814,89584,00.html
-http://www.eweek.com/print_article/0,3048,a=117666,00.asp
-http://www.wired.com/news/print/0,1294,62082,00.html
-http://www.nwfusion.com/news/2004/0128variantb.html
-http://zdnet.com.com/2102-1105_2-5148571.html?tag=printthis
THE REST OF THE WEEK'S NEWS
UK Teen Gets Community Service for Fermi Lab Intrusions (2/3 February 2004)
Joseph McElroy, the UK teen who broke into computers at the Fermi National Accelerator Laboratory in Illinois, has been sentenced to 200 hours of community service for his actions. The judge did not sentence him to prison time because he did not access classified information, nor did he intend to cause any damage. McElroy used the computers to download and store copyrighted material. In addition, the court waived a fine of 21,000 GBP (approximately US$38,500) because McElroy does not have the means to pay it.-http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/1/hi/technology/
3452923.stm
-http://www.theage.com.au/articles/2004/02/03/1075570391739.html
-http://www.theregister.co.uk/content/55/35280.html
Heckenkamp (eBay and Qualcomm Hacker) Pleads Guilty (2 February 2004)
Jerome Heckenkamp has pleaded guilty to breaking into eBay and Qualcomm computers; he has also admitted to a number of other intrusions and to having caused $70,000 in losses. Prosecutors agreed to ask for no more than two years in prison and "not to seek" job-related computer use restrictions during his supervised release. Sentencing is set for May 10.-http://www.securityfocus.com/news/7959
[Editor's Note (Schneier): And thus ends the Heckencamp case, at least for now. While the actual intrusions may have caused real damage, watching the progress of this case has made me think more of terms like "farce" and "comedy of errors" than "serious hacker."
(Ranum): Allowing him to use his computer is a good idea. If Heckenkamp's computer use was restricted, he'd no doubt have to pursue becoming an author or lecturer and we'd have to deal with another smug self-serving screed by a hacker-turned-security-visionary. ]
Peer-to-Peer Liability Case is Back in Court (2 February 2004)
The 9th US Circuit Court of Appeals is reviewing a lower court decision that said that the parent companies of decentralized peer-to-peer file sharing networks were not liable for copyright infringement that occurred on those networks; the judge in that case also ruled that such decentralized file-swapping tools were legal.-http://news.com.com/2102-1027_3-5152269.html?tag=st_util_print
NHTCU Investigating Reported Internet Protection Schemes (30 January 2004)
The UK's National Hi-Tech Crime Unit (NHTCU) is investigating reports that organized crime groups are targeting Internet betting sites with protection schemes in the days before the Superbowl. Internet crime gangs are demanding money from sites for "protection" from denial-of-service attacks.-http://www.theage.com.au/cgi-bin/common/popupPrintArticle.pl?path=/articles/2004
/01/30/1075340816525.html
Sardonix Calls it Quits (30 January 2004)
The Sardonix project, which hoped to provide structure for open source code review, will be closing down because it didn't attract the necessary volume of volunteer auditors. Sardonix was initially funded by a Defense Advanced Research Projects Agency (DARPA) grant.-http://www.securityfocus.com/news/7947
NIST Releases e-Authentication Recommendation Document for Comment (30 January 2004)
The National Institute of Standards and Technology (NIST) has released Special Publication 800-63: Recommendation for Electronic Authentication. The document supplements the Office of Management and Budget's (OMB) E-Authentication Guidance for Federal Agencies. NIST is accepting comments on the document through March 15, 2004.-http://www.fcw.com/fcw/articles/2004/0126/web-nist-01-30-04.asp
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id
=24796
-http://csrc.nist.gov/publications/drafts/draft-sp800-63.pdf
[Editor's Note (Schneir): I wrote about my concerns with electronic signatures several years ago, and I don't see that much has changed since then.
-http://www.schneier.com/crypto-gram-0011.html#1]
University of Georgia Server Security Breach Under Investigation (29/30 January 2004)
Federal and state officials are investigating a security breach of a server at the University of Georgia. The intruders could possibly have gained access to the social security and credit card numbers of individuals who applied to the university since August 2002. There is as yet no evidence that the information has been used; the server was apparently being used to probe other systems for potential attacks.-http://www.ledger-enquirer.com/mld/ledgerenquirer/news/7826698.htm?template=cont
entModules/printstory.jsp
-http://www.computerworld.com/printthis/2004/0,4814,89590,00.html
Warner Bros. Files Suit Against Man For Alleged Role in Film Piracy (29 January 2004)
The Warner Brothers film studio has filed a lawsuit against Carmine Caridi, the Academy of Motion Picture Arts and Sciences member who allegedly sent screener copies of films to a man in Illinois, who subsequently digitized them and put them on the Internet. Ten other unnamed defendants listed in the suit are alleged to have been involved with a scheme to distribute movies on the Internet.-http://www.wired.com/news/print/0,1294,62102,00.html
[Editor's Note (Schultz): This superficially sounds great, but I wonder how many users will know how to verify a digital signature when most users do not even know what a digital signature is. ]
ISAC Officials Question New Alert System (29 January 2004)
Senior officials from IT and financial services Information Sharing and Analysis Centers (ISACs) have spoken critically of the Department of Homeland Security's (DHS) decision to launch a national Cyber Alert System without making clear how the private sector fits into the picture. They say that the alert program appears to be geared toward home users and small businesses instead of the medium and large companies that comprise much of the nation's critical infrastructure.-http://www.computerworld.com/printthis/2004/0,4814,89550,00.html
[Editor's Note (Grefer): ISAC should keep in mind that medium and large sized companies typically already have information security savvy staff who stay up-to-date on IT security issues, including alerts. The DHS initiative can help tens of thousands of organizations that are not connected with ISACs and may not have such strong in-house talent. ]
Congressmen Davis and Putnam Address Agency IT Security (28 January 2004)
Congressmen Tom Davis (R-Va.) and Adam Putnam (R-Fla.) take the need for improving federal agency IT security seriously. Davis, who chairs the House Government Reform Committee, says he plans to hold a hearing this spring on at least two contracts that did not take the Federal Information Security Management Act (FISMA) into account. Putnam has sent letters to agency secretaries requesting to meet with their CIOs to discuss their IT security action plans.-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id
=24775
[Editor's Note (Paller): Congressman Davis' Congressional oversight initiative is exactly what is needed to kick start the implementation of critical elements of FISMA. For example, prior to a December meeting, many agencies were completely unaware that FISMA requires them to establish minimum security configuration benchmarks and to ensure that their computers comply with those requirements. Similar oversight hearings by either Congressman Davis or Congressman Putnam on how that requirement is being implemented will result in rapid improvement of security configurations in federal agencies.
(Schultz and other editors): Rep. Putnam is a particularly strong advocate of information security within the US government. He has repeatedly faced tough opposition, but has heroically persevered in his efforts. ]
Former Microsoft Employee Convicted and Sentenced for Software Theft (28 January 2004)
Former Microsoft employee Wilson Delancy has been sentenced to 21 months in prison and ordered to pay $4 million in restitution for his part in a software theft and reselling scheme.-http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=4234017
Johansen Wants Compensation After Two Acquittals (27/28 January 2004)
After being acquitted twice for his role in the creation and Internet posting of the DeCSS DVD decryption utility, Jon Johansen of Norway is seeking approximately $21,800 from Norway's economic crime police for economic losses, court costs and compensation.-http://tn01.com/usatoday/sbct.cgi?s=906902457&i=931586&m=1&d=5380258
-http://zdnet.com.com/2102-1105_2-5148882.html?tag=printthis
SPECIAL SECTION ON MYDOOM VIRUS AND ITS EFFECTS
Mydoom Victims Hit SCO Website with Denial-of-Service Attack on Sunday (1/2 February 2004)
The first version of the MyDoom virus carried a payload that attacked the SCO website. The B variant of the worm is programmed to launch an attack on Microsoft's web site starting Tuesday, February 3.-http://www.computerworld.com/printthis/2004/0,4814,89662,00.html
-http://news.com.com/2102-7349_3-5151572.html?tag=st_util_print
-http://www.theregister.co.uk/content/55/35274.html
SCO Switches Domain Address (2 February 2004)
SCO has temporarily changed the domain address of its web site because the large number of packets sent by Mydoom victims overwhelmed the original site. The attack is programmed to continue through February 12.-http://www.computerworld.com/printthis/2004/0,4814,89666,00.html
-http://tn01.com/usatoday/sbct.cgi?s=906902457&i=932220&m=1&d=5392227
Mydoom Opens Ports (28 January 2004)
The Mydoom worm leaves open ports 3127 to 3198. Attackers have been scanning for these open ports; they could potentially upload code to compromised computer systems.-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci946423,00
.html
Mydoom Avoids Certain e-Mail Addresses (27 January 2004)
The Mydoom worm appears to avoid sending itself to government, military and software company e-mail addresses, probably in an attempt to gain some time before anti-virus signatures are created to protect computers from its spread.-http://www.fcw.com/fcw/articles/2004/0126/web-virus-01-27-04.asp
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id
=24765
VULNERABILITY UPDATES AND EFFECTS
Microsoft Releases Cumulative IE Fix Outside of Monthly Schedule (2 February 2004)
-http://zdnet.com.com/2102-1104_2-5151957.html?tag=printthis
-http://www.microsoft.com/technet/security/bulletin/MS04-004.asp
Microsoft Will Release IE Update to Address Flaw Exploited by Phishers (29/30 January 2004)
The change will violate some URL formatting specifications, but will benefit customers by thwarting phishers' attempts to disguise true addresses of web pages. The modification could prove problematic for web sites that use clear text for user name and password authentication; Microsoft has published a knowledge base article that describes workarounds for the problem.-http://www.computerworld.com/printthis/2004/0,4814,89544,00.html
-http://www.eweek.com/print_article/0,3048,a=117789,00.asp
-http://news.com.com/2102-7355_3-5150321.html?tag=st_util_print
-http://www.theregister.co.uk/content/55/35253.html
-http://www.internetnews.com/ec-news/print.php/3306451
Secunia Warns of IE File-Name Spoofing Vulnerability (28 January 2004)
-http://www.eweek.com/print_article/0,3048,a=117762,00.asp
-http://www.internetnews.com/dev-news/article.php/3304951
-http://news.com.com/2102-1002_3-5149583.html?tag=st_util_print
-http://www.secunia.com/advisories/10736/
Mimail.S Worm the Work of Phishers (30 January 2004)
-http://www.vnunet.com/News/1152401
Apple Releases Patches for a Handful of Vulnerabilities, Including Two in Apache (27 January 2004)
-http://www.internetnews.com/dev-news/print.php/3304281
-http://www.info.apple.com/
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Bruce Schneier, Eugene Schultz, Gal Shpantzer
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/