SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #32

August 10, 2005

TOP OF THE NEWS

Microsoft Announces "Six" Security Vulnerabilities; "Three" Critical
Nearly 10 Percent of DNS Machines Vulnerable to Cache Poisoning Attacks
Court Says University Can Filter eMail
Cyber Intruder Sentenced to 60 Days Work Release, Two Years Probation

THE REST OF THE WEEK'S NEWS

SPAM & PHISHING
Microsoft, Spammer Reach Settlement
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Computer Associates Issues Patches for Buffer Overflow Flaw in Backup Agents
Microsoft Looking Into Windows 2000 Flaw Report
ATTACKS, INTRUSIONS & DATA THEFT
Cisco Resets Cisco.com User Passwords Following Intrusion
UNIVERSITY COMPROMISES
University of North Texas Server Breached; 39,000 People Affected
Sonoma State University Security Breach Affects Students and Applicants
Cal Poly Pomona Notifies 30,000 of Security Breach
University of Colorado Hires Outside Auditor After Third Breach
STATISTICS, STUDIES & SURVEYS
Report Estimates US$2.75 Billion in Losses From Phony ATM and Debit Cards
MISCELLANEOUS
Research Company Mulls Over No Disclosure Policy
German Bank Uses Indexed Transaction Numbers to Protect Customers From Phishers
Proof-of-Concept Viruses Point Out Flaw; Monad Will Not Appear in Vista
Tracking Down a Cyber Extortionist
Identity Thieves Using Browser Hijackers to Steal Data


******************* Sponsored by SANS Institute *************************

"I have attended several courses by SANS' rivals; SANS blew them away!" (Alton Thompson, US Marine Corps)

"Topical information that can immediately be applied and shared in the workplace." (Blair Campbell, Bank of Nova Scotia)

Upcoming SANS training programs in New York, Long Beach, CA, Virginia Beach, Boston, Washington, San Jose, Ottawa and Tokyo. Details at
http://www.sans.org/index.php

--------------------------------------------------

Announcing the SANS Advisor
A newsletter that gets straight to the point with tips and breaking news on IT Security, Audit, Privacy. Volume 1, Number 2 is complimentary and available for downloading from:
http://www.sans.org/newsletters/advisor/1.2.pdf
If you enjoy SANS Advisor and want to make sure you are notified when the next edition comes out, sign up at http://www.sans.org/newsletters

*************************************************************************

TOP OF THE NEWS

Microsoft Announces "Six" Security Vulnerabilities; "Three" Critical (9 August 2005)

Microsoft's second Tuesday security announcement included six bulletins, three rated critical. Just one of the critical bulletins covers three independent critical vulnerabilities in Internet Explorer. One of those three, an error in the way IE handles JPEG images, is especially alarming: an attacker could commandeer a PC by crafting a malicious image and tricking the victim into viewing it on a Web site or in an HTML e-mail.
-http://news.com.com/IE+flaw+opens+door+to+infection+on+sight/2100-1002_3-5825669.html?tag=nefd.top

[Editor's Note (Paller): Microsoft's disclosure method may mislead some readers into thinking the number of vulnerabilities in its software is smaller than the real number. When MS combines five vulnerabilities in three bulletins, and then talks about the announcement as covering three critical vulnerabilities instead of the real number, the press headlines present the wrong number, and the public is misled. To see how it is done, look at the "Summary Section" at
-http://www.microsoft.com/technet/security/bulletin/ms05-aug.mspx]

Nearly 10 Percent of DNS Machines Vulnerable to Cache Poisoning Attacks (8/3 August 2005)

A security researcher scanned 2.5 million Domain Name System (DNS) machines and found that 230,000, or nearly 10 percent, of the scanned servers were potentially vulnerable to DNS cache poisoning attacks, in which Internet users are redirected from legitimate sites to malicious ones. The servers are running vulnerable versions of Berkeley Internet Name Domain (BIND) software. Some organizations are not paying DNS attacks much attention, but this could change as the number of DNS attacks continues to increase.
-http://news.com.com/2102-7349_3-5816061.html?tag=st.util.print
-http://www.fcw.com/article89790-08-08-05-Print
[Editor's Note (Schmidt): The issue of DNS security has been a topic we have discussed for a long time, yet it continues to be of greater concern as attack vectors change. The reliability of DNS security should be directly linked to whether or not it will be trusted by other DNS servers. As with many security issues, there are well documented best practices available that MUST be implemented; if they are not implemented, the servers are considered "un-trusted". ]

Court Says University Can Filter eMail (4 August 2005)

The 5th US Circuit Court of Appeals upheld a lower court ruling that the University of Texas did not violate the free speech rights of White Buffalo Ventures by filtering the unsolicited email the company sent to students, despite the fact that it complied with CAN-SPAM rules. White Buffalo Ventures had obtained the students' email addresses through the Freedom of Information Act (FOIA); the university did not block the email until after the company failed to comply with a cease and desist order.
-http://www.theregister.co.uk/2005/08/04/ut_can_spam_case/print.html
[Editor's Note (Schultz): This is another very interesting ruling, one that clearly says that individuals and organizations do not have the right to send messages to anyone, even if the messages are not SPAM. This ruling is likely to set an important precedent in similar cases such as the recent one in which an ISP has been sued for blocking messages from certain parts of the world.
(Schultz): We are seeing more and more instances where civil courts are being called upon to decide these issues. During the ABA conference in Chicago this past weekend some really interesting discussions took place in this area and it is obvious that many good legal minds are looking at this. Stay tuned! ]

Cyber Intruder Sentenced to 60 Days Work Release, Two Years Probation (2 August 2005)

US District Judge John S. Rhoades has sentenced Brett Edward O'Keefe to 60 days in a work release program for breaking into government and private sector computer systems to demonstrate their vulnerabilities and "drum up business." O'Keefe was also sentenced to two years of probation, during which time he is not permitted to do work connected to computer security, and was ordered to complete 100 hours of community service. O'Keefe's targets included NASA and National Institutes of Health (NIH) computers; the judge said that while his crime was serious, its effects were offset by the fact that the organizations learned that their systems were not secure. Two other people from O'Keefe's security firm pleaded guilty to gaining unauthorized access to computers for financial gain in September 2003 and are scheduled to receive their sentences in September of this year.
-http://www.signonsandiego.com/news/metro/20050802-9999-1m2hack.html
[Editor's Note (Schultz): It is disturbing to once again learn that yet another computer criminal has gotten away with a light sentence in part because someone perceived that the computer criminal's unauthorized access showed the victim organization that it had inadequate security. Saying that computer criminals have helped their victims is parallel to saying that bank robbers help banks by showing how the banks can be robbed.
(Ranum): This kind of thing is the inevitable consequence of the computer security industry's breathless romance with criminality. Romanticizing hacking, making hacking techniques and skills a gauge of credibility, and encouraging marketing through "vulnerability research" is going to continue to attract sociopaths to this field. You'll note that even the judge fell for the "at least you learned something" argument. ]

********************* Sponsored Links *********************************

1) Free security software! Buy SecureCRT by September 9 and get SecureFX free. Download today!
http://www.sans.org/info.php?id=841

2) Earn your Master's degree in Information Security from an NSA- recognized online program.
http://www.sans.org/info.php?id=842

***********************************************************************

THE REST OF THE WEEK'S NEWS

SPAM & PHISHING

Microsoft, Spammer Reach Settlement (9 August 2005)

Microsoft has settled a lawsuit against Scott Richter, who was known as a "spam king." As part of the settlement, Richter will pay Microsoft US$7 million, $5 million of which Microsoft will put toward expanding technology and support available to law enforcement for investigating cyber crime.
-http://www.washingtonpost.com/wp-dyn/content/article/2005/08/09/AR2005080900153.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Computer Associates Issues Patches for Buffer Overflow Flaw in Backup Agents (4 August 2005)

A buffer overflow flaw in Computer Associates' BrightStor ARCServe Backup Agents and BrightStor Enterprise Backup Agents could allow attackers to take control of vulnerable systems. Exploit code for the flaws has been posted on the Internet. Computer Associates has issued patches for the flaws.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39205588-2000061744t-10000005c

[Editor's Note (Paller): Sadly many of the people who bought BrightStor packages have no idea the vulnerability exists. Computer Associates, like other larger vendors, sold through resellers to customers who never bothered to register. Those organizations, large and small, are at extreme risk and are completely unaware of the risk. ]

Microsoft Looking Into Windows 2000 Flaw Report (4 August 2005)

Microsoft is investigating a reported flaw in Windows 2000 that could allow attackers to gain access to vulnerable computers without any action on the part of the computers' users.
-http://software.silicon.com/security/0,39024655,39151021,00.htm

ATTACKS, INTRUSIONS & DATA THEFT

Cisco Resets Cisco.com User Passwords Following Intrusion (8/3 August 2005)

Cisco Systems is warning users that the Cisco.com password protection has been compromised. Cisco has addressed the vulnerability and has reset users' passwords as a precaution. Users are encouraged to update their passwords.
-http://www.nzherald.co.nz/index.cfm?c_id=5&ObjectID=10339397
-http://software.silicon.com/security/0,39024655,39150991,00.htm
-http://www.theregister.co.uk/2005/08/03/cisco_password_backlog/print.html

UNIVERSITY SECURITY BREACH NOTIFICATIONS


[Editor's Note (Pescatore): There has been a flood of universities acknowledging data compromises and .edu domains are one of the largest sources of computers compromised with malicious software. While the amount of attention universities pay to security has been rising in the past few years, it has mostly been to react to potential lawsuits due to illegal file sharing and the like - universities need to pay way more attention to how their own sys admins manage their own servers. ]

University of North Texas Server Breached; 39,000 People Affected (8 August 2005)

School officials at the University of North Texas say a security breach of a school server may have compromised data belonging to about 39,000 current and former students as well as some applicants. Although there is no evidence that any information was stolen, the intruders may have had access to names, Social Security numbers and some credit card numbers. The school says it has blocked access to the server. University of North Texas has set up a web site with more information.
-http://www.kltv.com/Global/story.asp?S=3696978
-http://www.nbc5i.com/news/4824186/detail.html
-https://www.securityid.unt.edu/

Sonoma State University Security Breach Affects Students and Applicants (8 August 2005)

Sonoma State University in California said that cyber intruders gained access to the names and Social Security numbers of people who attended or applied to the school between 1995 and 2002.
-http://www.mercurynews.com/mld/mercurynews/news/12334677.htm

Cal Poly Pomona Notifies 30,000 of Security Breach (4 August 2005)

Cal Poly Pomona has sent notices to more than 31,000 people notifying them that their personal data may have been compromised when cyber intruders accessed two of the school's servers earlier this summer. The information compromised includes the names and Social Security numbers of applicants and current and former students, faculty and staff.
-http://www.sgvtribune.com/cda/article/print/0,1674,205%257E12220%257E2996765,00.html

University of Colorado Hires Outside Auditor After Third Breach (3 August 2005)

A third intrusion into a University of Colorado computer over the course of several weeks has prompted the school to hire an outside auditor to examine its "security safeguards." The school also plans to put firewalls on some of its systems. The most recent breach involved a computer that holds information related to the school's Buff OneCards, which allow students and staff to access buildings after hours and to purchase food. The files contain Social Security numbers, photographs and other personal information belonging to 29,000 students and 7,000 staff members.
-http://www.denverpost.com/portlet/article/html/fragments/print_article.jsp?article=2909173

STATISTICS, STUDIES & SURVEYS

Report Estimates US$2.75 Billion in Losses From Phony ATM and Debit Cards (2 August 2005)

According to a recent Gartner report, phishing attacks are responsible for US$2.75 billion in losses from ATM and debit cards over the past year; based on a survey of 5,000 Americans Gartner estimates that 3 million people have each lost an average of US$900. The thieves obtain card information through phishing attacks and with the aid of keystroke loggers; they then use the information to create phony cards. Card-issuing banks should validate security codes on the cards' magnetic strips, but not all are doing it.
-http://news.com.com/2102-7349_3-5815141.html?tag=st.util.print

MISCELLANEOUS

Research Company Mulls Over No Disclosure Policy (8 August 2005)

David Litchfield of Next Generation Security Software Ltd. says his company is considering moving to a "no disclosure" policy regarding software flaws; instead, the company would share information about vulnerabilities it discovered only with the affected vendors. This marks a change from the company's earlier stance on disclosing flaws, which netted them trouble from vendors unhappy with their practices. NGSS amended their policy after a talk Mr. Litchfield gave in 2002, detailing a vulnerability in Microsoft's SQL Server database for which a patch was already available, was followed closely by the appearance of the Sasser worm, which took advantage of that vulnerability. NGS then decided to give the vendor 90 days to develop and release a patch before releasing details of the flaw. Mr. Litchfield told eWeek he feels the terrain has changed in the past several years: "How many times do you have to teach people about buffer overflows? If people are not educated by now, they're never going to be."
-http://www.eweek.com/print_article2/0,1217,a=157384,00.asp
[Editor's Note (Pescatore): It is a no-brainer to say vulnerability discoverers never need to give out exploit code, and it is *almost* a no brainer to say that they should make no disclosure at all, other than what they give to the software vendor. However, one part of me remembers the bad old days when vendors never had any pressure to fix software and enterprises never bothered to patch when fixes did come out. This leads directly to the tremendous impact of Code Red/Nimda/Blaster/Slammer - and actually the Morris worm long before that. There still needs to be pressure but I don't think there can be a fixed time period for complex issues, but 90 days might be good as a minimum. ]

German Bank Uses Indexed Transaction Numbers to Protect Customers From Phishers (8 August 2005)

A German bank has begun using indexed transaction numbers (iTANs) to protect its customers from phishing attacks. Postbank AG was targeted by a large phishing attack last year. Customers have a list of transaction numbers with an index number next to each; the computer lets the customers know which TAN is required through the use of this number.
-http://www.infoworld.com/article/05/08/08/HNgermanbank_1.html
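As an added illustration, not taken from the newsletter or from Postbank's own system, the following Python sketch works through the indexed-TAN flow the item describes: the bank holds a numbered list of one-time codes for a customer, names an unpredictable index when a transaction is started, and accepts each code only once. The class and function names, the transaction ids and the six-digit sample codes are all constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class TanList:
    """One customer's printed sheet: index -> code. Values are constructed samples."""
    codes: list[str]
    used: set[int] = field(default_factory=set)

    def unused_indices(self) -> list[int]:
        return [i for i in range(len(self.codes)) if i not in self.used]


class ITanServer:
    """Bank side of the scheme: names the index it wants, then checks the code entered."""

    def __init__(self, tan_list: TanList) -> None:
        self.tan_list = tan_list
        self.pending: dict[str, int] = {}  # transaction id -> index the bank asked for

    def begin(self, txn_id: str) -> int:
        unused = self.tan_list.unused_indices()
        if not unused:
            raise RuntimeError("TAN list exhausted; issue the customer a new sheet")
        idx = secrets.choice(unused)  # unpredictable, so a phisher cannot collect it in advance
        self.pending[txn_id] = idx
        return idx

    def confirm(self, txn_id: str, supplied: str) -> bool:
        idx = self.pending.pop(txn_id, None)
        if idx is None:
            return False  # no challenge outstanding for this transaction
        ok = hmac.compare_digest(self.tan_list.codes[idx].encode(), supplied.encode())
        if ok:
            self.tan_list.used.add(idx)  # one-time: this index is never requested again
        return ok


def sample_list() -> TanList:
    # Constructed six-digit codes standing in for a printed TAN sheet.
    return TanList(codes=[f"{n:06d}" for n in (483910, 120034, 775201, 309877, 991002, 564433)])


def legitimate_customer(server: ITanServer, sheet: TanList) -> bool:
    """The customer reads the requested index off the sheet and enters that code."""
    idx = server.begin("txn-1")
    return server.confirm("txn-1", sheet.codes[idx])


def phisher_with_wrong_index(server: ITanServer, sheet: TanList) -> bool:
    """A phishing page harvested one code, but the bank asks for an index it cannot predict.
    The harvested code is deliberately placed at a different index than the one requested."""
    idx = server.begin("txn-2")
    harvested = sheet.codes[(idx + 1) % len(sheet.codes)]
    return server.confirm("txn-2", harvested)


def replay_used_tan(server: ITanServer, sheet: TanList) -> bool:
    """A code that was already accepted must not work again, whatever index is requested next."""
    idx = server.begin("txn-3")
    code = sheet.codes[idx]
    first = server.confirm("txn-3", code)
    server.begin("txn-4")
    second = server.confirm("txn-4", code)
    return first and not second


if __name__ == "__main__":
    sheet = sample_list()
    server = ITanServer(sheet)
    print("legitimate customer accepted:", legitimate_customer(server, sheet))
    print("phished code at wrong index accepted:", phisher_with_wrong_index(server, sheet))
    print("used code rejected on replay:", replay_used_tan(server, sheet))
```

The protection rests on two properties that the server enforces here: the requested index is chosen with a cryptographic random source, so a code harvested ahead of time is only useful if it happens to sit at that index, and an accepted index is retired so the same code cannot be replayed.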

Proof-of-Concept Viruses Point Out Flaw; Monad Will Not Appear in Vista (8/5 August 2005)

Microsoft will not include the Monad command shell scripting tool in the first release of Windows Vista; last week, five proof-of-concept viruses targeting Monad were published on the Internet. The viruses were posted after the release of a beta version of Vista; the first public version of Vista is scheduled to be released at the end of 2006. Monad will now presumably make its first appearance in the next edition of Microsoft Exchange, due out in the autumn of 2006.
-http://www.techworld.com/security/news/index.cfm?newsid=4170
-http://www.theregister.co.uk/2005/08/08/monad_vista/print.html
-http://software.silicon.com/os/0,39024651,39151061,00.htm

Tracking Down a Cyber Extortionist (7 August 2005)

Cyber extortion is apparently on the rise, though it is difficult to determine precise statistics; companies are reluctant to come forward with such information because they fear negative publicity. This article details how a Connecticut company, MicroPatent, employed private investigators and a psychological profiler who had worked for the CIA to track down a man who was demanding US$17 million to stop him from launching DDoS attacks and from making company documents, customer data, and computer passwords public.
-http://news.com.com/2102-1029_3-5822417.html?tag=st.util.print
[Editor's Note (Schultz): Increasingly we are seeing investigations being "outsourced" to private firms to do this type of work. This is not a bad thing given the burden that law enforcement has with all the things they are being asked to do with not enough resources. People looking to hire private firms need to make sure they perform their "due diligence" or they may wind up being victimized twice. While there are trustworthy firms that do this work, there are also people that do not have the training or the ethics to do the work required. ]

Identity Thieves Using Browser Hijackers to Steal Data (8/5 August 2005)

An identity theft ring is using CoolWebSearch browser hijacking tools to steal information from people's computers; the researchers who stumbled upon this fact say a great deal of information has been uploaded to a remote server. The stolen information includes chat sessions, usernames, passwords and banking data as well as other personal details including eBay account information, salary data and vacation plans. The FBI is reportedly involved in the case.
-http://www.computerworld.com/printthis/2005/0,4814,103737,00.html
-http://www.eweek.com/print_article2/0,1217,a=157623,00.asp

===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/