SANS NewsBites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #2

January 12, 2005

TOP OF THE NEWS

Hacker Gets Data on 32,000 Students and Staff at George Mason University
AntiSpyware Legislation Reintroduced in House
Cyber Scams Prey on Tsunami Donors
Google Search Leads to Security Webcams

THE REST OF THE WEEK'S NEWS

PRISON SENTENCES
Software Pirate Sentenced to 18 Months in Prison
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
NIST Mulls WLAN Standard
SPAM & PHISHING
eBay Launches Private Mail Service For Customers
"Spam King" to Refrain From Sending Ads
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
BSA Wants Copyright Law Revamped to Facilitate Prosecution of Pirates
Bogus Windows Media Files Contaminated with Adware
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Microsoft's January Security Update Includes Three Windows Patches
Mozilla and Firefox Vulnerabilities
New Skulls Variant Detected
Probes Against WINS Servers are Increasing
MISCELLANEOUS
Microsoft Releases Anti-Spyware, Malware Removal Applications
NIST Issues Report on VoIP Security Concerns
Sims 2 Hacks Travel With Shared Houses



TOP OF THE NEWS

Hacker Gets Data on 32,000 Students and Staff at George Mason University (11 January 2005)

A hacker compromised a Windows server and gained access to social security numbers and other private information of thousands of students and staff at George Mason University. The university is one of the Centers of Excellence in Information Security designated by the US government.
-http://www.computerworld.com/securitytopics/security/hacking/story/0,10801,98848,00.html?SKC=news98848

AntiSpyware Legislation Reintroduced in House (5 January 2005)

US Representative Mary Bono (R-Calif.) has reintroduced legislation that could levy fines of up to US$3 million for companies that make software that steals personal information from computers or hijacks people's browsers. The Securely Protect Yourself Against Cyber Trespass Act, or SPY ACT, would require users to give permission before software is downloaded onto their computers. It also prohibits unauthorized software from changing default browser pages, altering security settings, logging keystrokes and delivering advertisements that cannot be closed without ending browser sessions or turning off the computer.
-http://www.computerworld.com/printthis/2005/0,4814,98725,00.html
[Editor's Note (Schultz): No user should have to endure the constant barrage of spyware that keeps getting injected into systems. Those of us in the US should be writing our Congressional representatives, urging them to pass this bill. ]

Cyber Scams Prey on Tsunami Donors (6 January 2005)

The FBI says that cyber scam artists are preying on people's efforts to help the Tsunami victims. There have been reports of sites being set up allegedly to collect donations, but which actually place a Trojan horse program on the computers of users who visit the site. The FBI advises going directly to sites of known charities to make donations and verifying the legitimacy of nonprofit organizations.
-http://www.computerworld.com/printthis/2005/0,4814,98756,00.html
[Editor's Note (Schneier and others): This is really appalling. Not surprising, I suppose, but appalling nevertheless. ]

Google Search Leads to Security Webcams (5 January 2005)

A simple, well-crafted Google search can provide access to numerous security webcams, many of which are presumed private. Webmasters should keep the webcam pages password protected and use the robots.txt file to instruct Google and other search engines that the directory should not be spidered.
-http://www.vnunet.com/news/1160289



THE REST OF THE WEEK'S NEWS

PRISON SENTENCES

Software Pirate Sentenced to 18 Months in Prison (10 January 2004)

A US federal judge has sentenced Kishan Singh to 18 months in prison on a charge of copyright infringement. Singh operated a "pay-for-access" website on which he sold pirated copies of business software. Under the plea agreement, Singh and the US prosecutor agreed that the value of the software was between US$70,000 and US$120,000. Singh has also been ordered to forfeit the computer equipment he used in the commission of his crime.
-http://www.news.com.au/common/printpage/0,6093,11899303,00.html
-http://www.newsfactor.com/story.xhtml?story_title=Software-Pirate-Gets----Month-Jail-Term&story_id=29606

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

NIST Mulls WLAN Standard (10 January 2004)

The National Institute of Standards and Technology plans to issue wireless LAN security guidelines, perhaps as soon as this month. The guidelines will have a significant effect on federal agencies, which are required to abide by the standards NIST recommends. Some agencies have held off deploying WLAN technology because they do not want to spend money on something that may have to be changed. NIST is deciding whether to approve IEEE's 802.11i WLAN standard as the government standard. NIST has some concerns about the Temporal Key Integrity Protocol in 802.11i because it may not be sufficiently robust for government; NIST is leaning towards 128-bit AES for WLAN security, which would require hardware changes in most older WLAN equipment.
-http://www.nwfusion.com/news/2005/011005nist.html
[Editor's Note (Pescatore): I hope NIST learned from the GOSIP vs. TCP/IP debacle, and the DSS digital signature stuff, that the non-DoD government trying to push a standard that is different from standards that are good enough for private industry isn't a good idea. It invariably results in lower levels of security or expensive retrofits to the proven standard.
(Schneier): "The nice thing about standards is that there are so many of them to choose from." -- Andrew Tanenbaum ]

SPAM & PHISHING

eBay Launches Private Mail Service For Customers (5 January 2005)

eBay has started a private mail service for its customers to help protect them from spam and phishing scams. The free, personalized in-boxes available from My Messages contain only communication from eBay.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39211930-39037064t-39000005c
[Editor's Note (Pescatore): Really not a long term tenable solution to tell consumers to have a unique place to go to see email from every vendor they might deal with. We still need to see some basic improvements in browsers and mail clients to fight this.
(Schneier): I can't see this as a practical solution; if it works for eBay users, at best, it will lead to balkanization as other organizations create their own in-house e-mail systems. ]

"Spam King" to Refrain From Sending Ads (4 January 2005)

Stanford Wallace, the alleged "Spam King," has reached an agreement with the Federal Trade Commission to refrain from sending unsolicited advertisements until a federal case against him has been resolved. Under the terms of the agreement, Wallace's companies may send the ads only to people who actually visit the companies' websites. The government alleges that Wallace planted spyware on people's computers that caused them to be deluged with spam; he then offered to sell tools he claimed would fix the problem, but they proved ineffective.
-http://www.globetechnology.com/servlet/story/RTGAM.20050104.gtspamjan4/BNStory/Technology/
[Editor's Note (Pescatore): Just a note - wasn't it a full decade ago that the first real spam (the lawyers sending the green card alert) came out? It took 8 years before email became that important to consumers and business that anti-spam really took off. Anti-spyware is following a much faster trajectory. ]

COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT

BSA Wants Copyright Law Revamped to Facilitate Prosecution of Pirates (7 January 2005)

The Business Software Alliance has released a white paper outlining legislative suggestions that would make it easier to prosecute Internet pirates. In the paper, the BSA maintains that the recent court decisions have created an "impediment to effective enforcement" of the Digital Millennium Copyright Act.
-http://news.com.com/2102-1030_3-5516568.html?tag=st.util.print
-http://bsa.org/ceoinitiative/loader.cfm?url=/commonspot/security/
[Editor's Note (Schneier): And the BSA wants to create an impediment to effective enforcement of the concept of fair use.
(Schultz): I can understand the BSA's point of view, but I still think that the Digital Millennium Copyright Act originally contained far too many provisions that were adverse to individuals such as security researchers, and thus had to be toned down. ]

Bogus Windows Media Files Contaminated with Adware (31/29 December 2004)

Some Windows Media Files have been found to be "contaminated" with code that installs adware and launches multiple pop-up advertisements. Loudeye subsidiary Overpeer, who in 2002 planted P2P files that contained short loops of the songs and antipiracy messages, is believed to be responsible for the spoofed files. A Windows Media DRM loophole allows the creation of phony files that are linked to adware; it could be exploited by malicious attackers to deliberately plant software such as keystroke loggers and other Trojan horse programs on people's machines. Microsoft is investigating whether the adware violates Windows DRM policies.
-http://www.pcworld.com/resource/printable/article/0,aid,119016,00.asp
-http://www.theregister.co.uk/2004/12/31/p2p_adware_threat/print.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

Microsoft's January Security Update Includes Three Windows Patches (10 January 2004)

Microsoft's monthly security update includes three patches for Windows; the highest rating in this set of vulnerabilities is "critical." Microsoft has also said that some users may need to restart their systems after installing the updates.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39212473-39037064t-39000005c

Mozilla and Firefox Vulnerabilities (10/7/6 January 2004)

A vulnerability in Mozilla could be exploited by phishers. The flaw is due to the fact that the dialog box incorrectly displays long sub-domains and paths. The flaw is known to affect Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows and Mozilla Firefox 1.0, but could affect other versions as well. In addition, a buffer overflow flaw in the way Mozilla processes news:// addresses could crash vulnerable systems and allow attackers to inject hostile code.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39212469-39037064t-39000005c
-http://www.theregister.co.uk/2005/01/07/mozilla_flaws/print.html
-http://www.computerworld.com/printthis/2005/0,4814,98757,00.html

New Skulls Variant Detected (7/6 January 2004)

The Skulls.D Trojan horse pretends to be the new version of Macromedia Flash player but kills off applications on mobile phones running the Symbian operating system. Users will need to reset their phones, which will put them in factory default condition, erasing address books and other data.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39183213-39020330t-10000025c
-http://www.computerworld.com/printthis/2005/0,4814,98799,00.html

Probes Against WINS Servers are Increasing (6/4 January 2005)

The SANS Internet Storm Center and the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) have noted a significant increase in the number of probes against WINS servers since December 31, 2004. Microsoft released fixes for the WINS vulnerabilities last month; users are urged to patch their machines. For users who are unable to patch their machines promptly, there are several workarounds: block TCP port 42 and UDP port 42 at the firewall, or remove WINS if it is not needed.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1041758,00.html
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39212031-39037064t-39000005c

[Editor's Note (Schultz): Note that blocking tcp and udp port 42 may defend against the WINS vulnerabilities in question, but if you really want to defend WINS against a wider range of externally initiated attacks, you also need to block tcp port 139. This is probably not worth saying here, however. ]

MISCELLANEOUS

Microsoft Releases Anti-Spyware, Malware Removal Applications (10/7 January 2005)

Microsoft has released a beta version of its anti-spyware application. Windows AntiSpyware monitors system and software changes and provides pop-up warnings when an attempt to install spyware is detected. The application works with Windows 2000 and XP but not earlier versions of the operating system. Microsoft also plans to release Titan, a tool for removing malicious software from computers running Windows 2000 and later versions. The current version can detect and delete Blaster, Sasser, MyDoom and other malware. Updates to the applications will be made part of Microsoft's monthly security release; if there is a serious malware outbreak, Microsoft will push an update outside of the monthly schedule.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39212136-39037064t-39000005c
-http://www.computerworld.com/printthis/2005/0,4814,98802,00.html
-http://www.eweek.com/print_article2/0,2533,a=142346,00.asp

NIST Issues Report on VoIP Security Concerns (6 January 2005)

The National Institute of Standards and Technology has released SP 800-58, Security Considerations for Voice Over IP (VoIP) Systems. Many government agencies plan to use VoIP networks, but may not be aware that the systems are expensive and complicated to install. Security measures used on traditional data networks are not compatible with current Internet-based phone systems; data networks would require added firewalls designed specifically for VoIP. NIST's recommendations include creating separate subnetworks for data and voice traffic and ensuring the physical security of the voice components to guard against eavesdropping.
-http://www.fcw.com/fcw/articles/2005/0103/web-voip-01-06-05.asp
-http://csrc.nist.gov/publications/nistpubs/#sp800-58
-http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf

Sims 2 Hacks Travel With Shared Houses (6 January 2005)

Homes in the Sims 2 game are starting to take on some odd and unexpected characteristics. Apparently some players have been hacking their houses to allow certain types of behavior. Houses can be shared with others on the Sims 2 website; when a player downloads a house, the hacked characteristics come with it and "infect" the player's own game. The exchange has been reprogrammed to correct the problem.
-http://www.securityfocus.com/printable/news/10232
[Editor's Note (Pescatore): The same pattern over, and over again - just like buffer overflows: friendly developers think up a protocol to allow friendly parties to exchange information. At the end, they sprinkle some security on. Clever unfriendly folks misuse the protocol or the API and cause many unintended consequences. Need to have a "safe" neighborhood in SIM world where a building inspector has determined that none of the houses have malware built in - sort of like looking for mold in houses today. ]


===end===

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
