SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VII - Issue #19

May 11, 2005

TOP OF THE NEWS

Cisco Source Code Theft Was Part of a Much Larger Operation
Microsoft To Provide Early Alerts For Bugs
FCC "Broadcast Flag" Digital Piracy Technology Rule Rejected
Tape Loss Spurs Time Warner to Encrypt Back Up Data

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
DrinkorDie Piracy Ring Members Receive Jail Time
Chinese Student Arrested for Alleged Industrial Espionage
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Edited Portions of Pentagon Report Still Readable
Interior IG: Bureau of Land Management Security Weak, American Indian Trust Data Vulnerable
SPAM & PHISHING
Phishers Increasingly Using Keystroke Loggers
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
Microsoft to Offer Legitimate Windows XP to Certain Users of Counterfeit Software
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Fixes Not Yet Available for Firefox Vulnerabilities
Microsoft Releases Patch for Internet Explorer
Apple Releases OS X Fixes
Sober Variant Disguises Itself as News About Soccer Tickets
Symantec Addresses ICMP Flaw in Several Products
All Computer Users Would benefit From Information in SANS Vulnerability Report
MISCELLANEOUS
Michigan State University Arts Center Patrons Notified of Cyber Security Breach
Air Canada Alleges Industrial Espionage Against WestJet
Fending Off Cyber Extortionists

---

*********************** Sponsored by Shavlik ****************************
Now Available! Introducing Shavlik HFNetChkPro(tm) 5, the next generation of security patch management. With over 50 awesome new features including detailed reporting, advanced reboot options, email notification, and distribution servers, staying up to date on patches has never been easier and your network has never been more secure. Keep your world in Chk with Shavlik. Download the trial version today at

http://www.sans.org/info.php?id=771
*************************************************************************
Why Professionals Always Attend SANS Training If They Have A Choice

(1) " SANS courses balance the why and the how-to of security. Not only will you learn something, you learn how to do something." (Greg Kotula, Wall Street On Demand)

(2) " SANS never fails to provide top level training that is worth every penny." (Tyler Hudak, Yellow Roadway Tech)

(3) "SANS training gives me the tools I need to do my job." (Michael Hiramoto, NCI)
*************************************************************************

---

TOP OF THE NEWS

Cisco Source Code Theft Was Part of a Much Larger Operation (10 May 2005)

Federal officials confirmed that the theft of source code from Cisco servers (first reported in April 2004) was a small part of a broad series of attacks that compromised computers at the Pentagon, NASA and research laboratories, as well as Cisco and universities. A Swedish youth was charged.
-http://www.nytimes.com/2005/05/10/technology/10cisco.html
-http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=8444181

Microsoft To Provide Early Alerts For Bugs (9 May 2005)

Microsoft announced a new service that provides advance warning and suggests workarounds for security flaws "within one business day of becoming aware of a problem." This new service will help users respond quickly to problems that may become public before a patch is ready.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39229386-39037064t-39000
005c
[Editor's Note (Tan): Microsoft is to be applauded for this new service. Given interval between vulnerability disclosure and exploit has been cut to days, this new program providing an official recommendation from Microsoft is necessary to mitigate the threat. ]

FCC "Broadcast Flag" Digital Piracy Technology Rule Rejected (8/6 May 2005)

The US Court of Appeals for the District of Columbia Circuit has rejected a November 2003 Federal Communications Commission (FCC) ruling requiring manufacturers of digital media devices to build in anti-piracy technology as of July 1, 2005. The ruling had required that manufacturers enable devices to recognize "broadcast flags" that would limit the ways in which digital media could be recorded. The three-judge panel said the FCC had overstepped its bounds.
-http://www.earthtimes.org/articles/show/2720.html
(please note the New York Times site requires free registration)
-http://www.nytimes.com/2005/05/06/technology/06cnd-tele.html?pagewanted=print&am
p;position=
-http://www.pcmag.com/article2/0,1759,1813741,00.asp

Tape Loss Spurs Time Warner to Encrypt Back Up Data (6 May 2005)

Following the disappearance/loss of 40 backup tapes containing current and former employee data, Time Warner has announced that it will begin encrypting all the data it saves to backup tapes. The container holding the tapes was lost during shipment to an off-site records and storage facility managed by a third party.
-http://www.computerworld.com/printthis/2005/0,4814,101589,00.html

---

************************** Sponsored Links ******************************
Note: These links may take you to sites outside SANS:

1) Secure storage and access control for all your ADMINISTRATIVE PASSWORDS: UNIX/Linux, Windows, databases, routers and firewalls
http://www.sans.org/info.php?id=772

2) Best Practices for Incident Response - View New Webcast at
http://www.sans.org/info.php?id=773

3) Earn your Master's degree in Information Security online from an NSA-approved program.
http://www.sans.org/info.php?id=774

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

DrinkorDie Piracy Ring Members Receive Jail Time (6 May 2005)

Three members of the DrinkorDie Internet piracy group have received jail sentences of between 18 months and two years for their roles in a massive software piracy ring that defrauded major companies, including Microsoft, of millions of dollars in revenue. The group allegedly stole software and allowed people to download it from the Internet at no cost. A fourth defendant received a suspended sentence.
-http://www.computerworld.com/printthis/2005/0,4814,101579,00.html

Chinese Student Arrested for Alleged Industrial Espionage (4/3 May 2005)

Police in Versailles, France have arrested a Chinese student who is suspected of stealing proprietary information from her job at Valeo, a car parts manufacturer. Law enforcement officials who raided her house found computer equipment containing information about Valeo products, including "confidential" designs. A Valeo executive became suspicious when the woman, Li Li, was noticed walking around the office with a portable computer. She has denied the charges.
-http://www.forbes.com/work/feeds/afx/2005/05/03/afx1997262.html
-http://www.wpherald.com/Europe/storyview.php?StoryID=20050504-102921-2009r
-http://www.thecouriermail.news.com.au/common/story_page/0,5936,15162906%255E1702
,00.html

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

Edited Portions of Pentagon Report Still Readable (5/3 May 2005)

When the Pentagon posted a redacted version of a report regarding the shooting of Italian secret agent Nicola Calipari in Iraq, the .pdf document had large sections blacked out; however, the document was not saved with the edit lines in place, making it trivial for people to copy the text and paste it into a word processing application to read the report in its entirety. The Pentagon has since pulled the report, but not before it was widely downloaded.
-http://www.theregister.co.uk/2005/05/03/military_report_secrets/print.html
-http://atimes.com/atimes/Middle_East/GE05Ak04.html
[Editor's Note (Pescatore): Anyone doing redaction should never depend on Microsoft Word or Adobe Acrobat for electronic copy redaction. There are third party tools and plug-ins that really do it - if you are in the FOIA request fulfillment business, you really should be using one.
(Shpantzer): The old method of redaction (blacked out details on paper photocopies) doesn't transfer well to the digital realm, due to the latent metadata that still resides in the document. This certainly applies to classified information in the .gov world but the .com folks should take heed as well: Documents, spreadsheets and presentations have metadata that can reveal who helped edit the information, as well as 'hidden' formulas, cost models, profit margins and comments that the presenting party did not intend to go to the receiving party. ]

Interior IG: Bureau of Land Management Security Weak, American Indian Trust Data Vulnerable (4 May 2005)

According to a report from the Interior Department's inspector general, certain computer systems housing American Indian trust data are rife with security holes. The auditors were able to penetrate two servers and access the Bureau of Land Management's internal networks without being detected. The auditors have recommended a number of specific measures to shore up cyber security and advised that if steps are not taken quickly, BLM should disconnect its computers from department networks.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=35743

SPAM & PHISHING

Phishers Increasingly Using Keystroke Loggers (6 May 2005)

According to the Anti Phishing Working Group (APWG), the use of keystroke loggers to steal computer users' personal and financial information has increased tenfold in the past six months. The keystroke logging software is surreptitiously placed on users' computers via browsers with unpatched known vulnerabilities.
-http://www.vnunet.com/news/1162890
[Editor's Note (Dhamankar): Programs like Perfect Keylogger and Advanced Keylogger have been reported in the Top-10 spyware programs for past few months. Some of these programs periodically (every few minutes or so) send emails to the attacker with all the recorded keystrokes. Really nasty stuff. ]

Turning the Tide on Phishing Attacks (2 May 2005)

Reports from the Anti Phishing Working Group and Postini Inc. indicate that the tide of phishing may be receding. Postini statistics indicate that phishing attempts fell 45% between March and April of this year, while APWG notes a 2% increase in reports of phishing email in March, the second straight month of slowing growth after nearly a year of double-digit growth.
-http://www.eweek.com/print_article2/0,2533,a=151083,00.asp
[Editor's Note (Schultz): One set of statistics showed that phishing increased; another showed that it decreased. This is yet another indication that infosec professions need to view the statistics with which we are constantly bombarded with a healthy dose of skepticism.
(Pescatore): you have to look at this item and the previous one together: phishing emails are changing from trying to get you to go to a bogus web site and enter your password to tricking you into downloading a keystroke logger. The end result is the same and reusable passwords are the common problem. ]

COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT

Microsoft to Offer Legitimate Windows XP to Certain Users of Counterfeit Software (4 May 2005)

Microsoft has begun testing a program that offers free copies of legitimate software to certain users running fraudulent versions of Windows XP. Windows XP users found to be running fraudulent versions of the software on their computers will be offered a licensed copy of the software at no cost if they are able to provide Microsoft with the disk of their current program and a receipt for purchase and are willing to fill out a counterfeit report. This is part of Microsoft's Genuine Advantage Program which offers benefits to users who have legitimate copies of the company's software. The program is voluntary, but Microsoft has begun requiring users to verify the legitimacy of their programs in order to obtain certain downloads.
-http://news.com.com/2102-1016_3-5695302.html?tag=st.util.print

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

Fixes Not Yet Available for Firefox Vulnerabilities (9 May 2005)

Two vulnerabilities in the Firefox web browser could allow attackers to gain control of users' computers just by getting them to visit a maliciously crafted web site. Mozilla is recommending that Firefox users disable Javascript or lock down the browser to prevent it from installing additional software. There is no a patch available, although information about the vulnerabilities and proof-of-concept exploit code have already been released. Mozilla plans to release an update, Firefox 1.0.4, as soon as possible.
-http://informationweek.com/story/showArticle.jhtml?articleID=163100338
-http://www.vnunet.com/news/1162904
[Editor's Note (Schultz): The number of vulnerabilities in Firefox recently has been alarming. At first Firefox appeared to be an attractive alternative to Internet Explorer (IE) for security reasons, but IE is now looking better and better in comparison.
(Shpantzer): There's so much hacking at the application layer, at some point we'll have to actually lock down configurations for all browsers, regardless of the security mythology that surrounds the project's code and architecture. If you have a supposedly 'secure' browser that's insecurely configured, well, it's not very secure. ]

Microsoft Releases Patch for Internet Explorer (10 May 2005)

Microsoft released an "important" patch for Internet Explorer that affects Windows 2000 and Windows 2003 users but not XP users. It allows remote code execution but requires the user to act in order to become infected.
-http://www.computerworld.com/softwaretopics/software/story/0,10801,101643,00.html

Apple Releases OS X Fixes (4 May 2005)

Apple has released patches for 20 vulnerabilities in its Mac OS X operating system. The flaws include problems in the operating system's HTTP proxy service and the way it handles Javascript in its help viewer. The flaws could allow a variety of remote and local attacks, including code execution, privilege elevation and denial of service.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39190491-20000
61744t-10000005c

Sober Variant Disguises Itself as News About Soccer Tickets (4/3 May 2005)

A new variant of the Sober worm has emerged. This one purports to be ticket confirmations from the 2006 World Cup organizing committee. It is particularly effective because it coincides with the availability of tickets for the tournament. The messages about the soccer tickets are in German; English messages accompanying the worm are related to passwords and undeliverable messages.
-http://news.bbc.co.uk/1/hi/technology/4512421.stm
-http://www.theregister.co.uk/2005/05/03/world_cup_virus/print.html

Symantec Addresses ICMP Flaw in Several Products (3 May 2005)

Symantec has released hotfixes and upgrades for an Internet Control Message Protocol (ICMP) flaw that could allow denial-of-service attacks in a variety of products, including the Symantec Gateway Security Series, the Symantec Enterprise Firewall, the Symantec Firewall/VPN Appliance, the Nexland Firewall Appliance and the Symantec VelociRaptor.
-http://www.eweek.com/print_article2/0,2533,a=151152,00.asp

All Computer Users Would benefit From Information in SANS Vulnerability Report (2 May 2005)

A SANS report identifies more than 600 new Internet vulnerabilities found in the first three months of 2005. To be included on the list, vulnerabilities must affect a large number of users, exist on a large number of unpatched systems, allow the unauthorized remote takeover of infected computers and have been discovered or patched during the first three months of 2005. In addition, there must be enough readily available information about the vulnerability to allow it to be exploited.
-http://www.businessweek.com/technology/content/may2005/tc2005052_2731_tc024.htm

MISCELLANEOUS

Michigan State University Arts Center Patrons Notified of Cyber Security Breach (6 May 2005)

Michigan State University's Wharton Center for the Performing Arts has begin notifying approximately 40,000 patrons that their personal data, including names, addresses and credit card numbers, may have been compromised after a security breach of a server at the Center. The intrusion was discovered on April 26, 2005; the Wharton Center has added an intrusion FAQ page to their web site to provide additional information to concerned patrons.
-http://www.freep.com/news/statewire/sw115435_20050506.htm
-http://www.whartoncenter.com/FAQ/default.htm

Air Canada Alleges Industrial Espionage Against WestJet (3 May 2005)

Court documents allege that WestJet Airlines Ltd. stole confidential data from Air Canada that gave WestJet the impetus to move its eastern hub from Hamilton to Toronto. Forensic auditors analyzed seven WestJet computers and allegedly found flight comparison reports as well as information about AirCanada's load factor -- the percentage of available seating capacity filled by travelers.
-http://www.fftimes.com/print_version.php/21147

Fending Off Cyber Extortionists (May 2005)

This article offers a detailed account of how Barrett Lyon fought off distributed denial-of-service attack extortionists who threatened to take down on-line betting site BetCris. Lyon ultimately helped track down those responsible for the attacks and then started his own company offering protection from attacks.
-http://www.csoonline.com/read/050105/extortion.html?action=print

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/