
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #35

August 31, 2005


We apologize that SANS wireless security classes were again sold out this month. You can still get a seat in "Assessing and Securing Wireless Networks" in San Jose at the end of September. Also in San Jose you will find a special evening program on wireless assessment tools that all San Jose students may attend. The other top rated SANS classes and instructors will be there, too: Securing Windows, Hacker Techniques, SANS Security Essentials Bootcamp, SANS(R) +S(TM) Training Program for the CISSP(R) Certification Exam and a dozen more. Plus a great exposition of effective security tools. More information: http://www.sans.org/siliconvalley2005/

Alan

TOP OF THE NEWS

Two Arrested in Connection with Zotob Worm
US Government Network Breaches Appear to be Coming from China
Raid In Brazil Serves Up Arrests of 85 Alleged Cyber Thieves
NSF's GENI Project to Develop New Internet Architectures

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Former University Employees Charged in Grade-Altering Scheme
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
NSF Cyber Trust Grants to Total US$36 Million for 2005
SPAM & PHISHING
Grand Jury Indicts Three in Large Spam Operation
Alleged Spammer Indicted
Anti-Phishing Working Group Report Indicates Phishers are Honing Their Skills
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
MPAA Uses Data from Shuttered File-Sharing Sites in New Lawsuits
Legal Action Against File Sharing Sites Does Not Deter Traders
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Malware Could Lurk in Long Registry Keys
Cisco SSL Flaw
Polyglot Kelvir.HI Worm First of its Kind
Buffer Overflow Flaws in Elm eMail Client and Mplayer
Zotob Worm a Threat to Certain Configurations of Windows XP
Fix Available for eval() Injection Vulnerability in PHP Libraries
ATTACKS & INTRUSIONS & DATA THEFT
Keystroke-Logging Software Still Sending Personal Data to Servers



TOP OF THE NEWS

Two Arrested in Connection with Zotob Worm (27/26/25 August 2005)

Authorities in Morocco and Turkey arrested two men in connection with the Zotob worm that caused computer outages at organizations around the world two weeks ago. Farid Essebar of Morocco allegedly wrote both the Zotob worm and the Mytob worm in February. Atilla Ekici of Turkey is alleged to have paid Essebar to write them. Authorities say the pair was interested in using the worms for financial gain. The men will be prosecuted in their countries of origin. The Washington Post also reported that these same criminals were suspected of authoring and distributing Rbot, a family of trojans that allow attackers to maintain access to many tens of thousands of infected systems on the Internet.
-http://www.washingtonpost.com/wp-dyn/content/article/2005/08/26/AR2005082601201_pf.html
-http://news.ft.com/cms/s/4082848c-1685-11da-8081-00000e2511c8.html
-http://www.computerworld.com/printthis/2005/0,4814,104200,00.html
-http://money.cnn.com/2005/08/26/technology/worm_arrest/
-http://news.com.com/2102-7348_3-5843583.html?tag=st.util.print
-http://news.bbc.co.uk/2/hi/technology/4189996.stm
(the following site requires free registration)
-http://www.nytimes.com/2005/08/27/technology/27worm.html?pagewanted=print
[Editor's Note (Paller): Most of the press coverage of this event omitted the unprecedented role that the Turkish and Moroccan law enforcement officials played in the quick arrests of the alleged criminals. That these nations took time out from all their other police work, and acted so quickly and so cooperatively with US law enforcement authorities is remarkable. Their actions offer persuasive evidence of the value of the international outreach efforts of the FBI and other US law enforcement organizations. ]

US Government Network Breaches Appear to be Coming from China (25/29 August 2005)

Multiple US military sites and other government sites have been penetrated by a ring of hackers, called Titan Rain by federal investigators, believed to be in China. Victims range from the Redstone Arsenal military base to NASA to the World Bank. In one case, the hackers stole flight-planning software from the Army. Shawn Carpenter, a Department of Energy security analyst, penetrated routers in China, recorded sites that had been compromised, discovered data the attackers had stolen, and turned the data over to the Army and the FBI. Sadly, the act of breaking into computers is illegal; Shawn was fired.
-http://www.time.com/time/magazine/printout/0,8816,1098961,00.html
[Editor's Note (Paller): This story is worth reading, offering definitive proof of widespread penetration of government computers, a fact that has been largely denied or ignored by senior executives. Titan Rain hackers left back doors for repeated entry, but few fingerprints. Widespread penetration of government and industry computers was first disclosed by the British Government in June. The next story (about arrests in Brazil) shows that the US and UK are not the only victims. Is it time yet for the US government to get serious about leading by example, using its procurement dollars to begin eliminating the vulnerabilities these hackers exploit? ]

Raid In Brazil Serves Up Arrests of 85 Alleged Cyber Thieves (26 August 2005)

A four-month investigation into on-line banking theft in Brazil culminated in a raid last week that netted Brazilian police 85 arrests. The raid, which was given the moniker "Operation Pegasus," was carried out by 410 police in seven Brazilian states. The suspects allegedly stole roughly 80 million BRL (approximately US$33.5 million) by breaking into online bank accounts.
-http://msnbc.msn.com/id/9085008/

NSF's GENI Project to Develop New Internet Architectures (26 August 2005)

The National Science Foundation has announced the creation of the Global Environment for Networking Investigations initiative, which will include a facility that will allow exploration of "new network architectures at scale." GENI could eventually produce an entirely new Internet architecture "with built-in security measures and support for ubiquitous sensors and wireless communications devices." The NSF's Computer and Information Science and Engineering Directorate will manage the program.
-http://www.wired.com/news/print/0,1294,68667,00.html
-http://www.fcw.com/article90455-08-26-05-Web&RSS=yes
-http://www.nsf.gov/cise/geni/



THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Former University Employees Charged in Grade-Altering Scheme (19 August 2005)

Ellis Peet and Clifton Franklin, both former Florida Memorial University employees, have been charged in connection with a grade-altering scheme. The men allegedly accepted money and favors in return for changing students' grades. Mr. Peet was a computer technician in the registrar's office and Mr. Franklin a data entry clerk. Officials believe the pair changed their own grades while they attended the school. According to Mr. Peet's attorney, his client has pleaded not guilty to racketeering and violating intellectual property and computer access laws. Mr. Franklin faces the same charges. In addition, three of five students who allegedly acted as middlemen in the scheme have been arrested and charged with racketeering.
-http://www.local10.com/news/4868830/detail.html

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

NSF Cyber Trust Grants to Total US$36 Million for 2005 (25 August 2005)

The National Science Foundation has awarded five-year, US$7.5 million grants to Johns Hopkins University and the University of Illinois at Urbana-Champaign through its Cyber Trust program. The Johns Hopkins project will be researching technologies for safeguarding electronic voting systems; the University of Illinois at Urbana-Champaign project will develop technologies to communicate critical information to power grid operators. The NSF's Cyber Trust program will award a total of $36 million in grants in 2005.
-http://www.fcw.com/article90392-08-25-05-Web&RSS=yes
[Editor's Note (Ranum): I am bothered by this. Checking the article, $7.5 million is going to the group at Johns Hopkins that is headed by Avi Rubin. Dr. Rubin is highly qualified in the area of E-voting systems and vulnerabilities - but he's also the researcher who caused Diebold massive trouble by publicizing a number of flaws in their E-voting products. To me, this creates a potentially dangerous situation in which NSF is financially rewarding people to work on problems that they helped publicize. That creates a highly negative feedback loop - it sends the wrong message. Eventually the message sounds like, "this is a stick up."
Avi Rubin Responds: "Ever since we criticized Diebold and others, the one thing I've been hearing from election officials is, "why don't you do something about it instead of just being critical." So, a bunch of us who have been working on this issue for a long time, got together, and put in a proposal to NSF to raise the level of technology to a point that could improve the security and auditability of e-voting, while preserving all the other properties such as accessibility and transparency. The funds from our grant will cover graduate students, summer salaries for professors and workshops. It will not be lining anyone's pockets. NSF funds science, and science is what we proposed with the main application of our technology being e-voting, which is a fascinating domain for a researcher given all of the hard problems found there.
We're damned if we do and damned if we don't, by your logic. We can't get any real work done without funding, but if we seek and receive that funding to do something about the problem, then we are criticized." ]

SPAM & PHISHING

Grand Jury Indicts Three in Large Spam Operation (26/25 August 2005)

The US Department of Justice has announced that a federal grand jury in Phoenix, AZ, has indicted three people accused of sending vast quantities of spam. Jennifer R. Clason, James R. Schaffer and Jeffrey A. Kilbride allegedly sent the unsolicited messages to earn commissions for getting people to visit certain web sites. AOL reportedly received 600,000 complaints about messages allegedly sent by the defendants; Spamhaus ranked the organization among its top 200 largest offenders worldwide. Each of the three was issued three indictments: two on counts of fraud under the Can-SPAM Act and one count of criminal conspiracy. Mr. Schaffer and Mr. Kilbride were also indicted on two counts of interstate transportation of obscene material using a computer service, two counts of interstate transportation of obscene material and one count of money laundering; they face up to 20 years in prison for the money laundering charges and five years for the obscenity charges. All three face sentences of up to five years for the spamming and criminal conspiracy charges. A fourth defendant, Andrew Ellifson, pleaded guilty last February to one count of violating the Can-SPAM Act and one count of criminal conspiracy.
-http://news.zdnet.com/2102-9588_22-5843505.html?tag=printthis
-http://www.internetnews.com/security/article.php/3530386
-http://www.computerworld.com/printthis/2005/0,4814,104189,00.html
-http://www.usdoj.gov/opa/pr/2005/August/05_crm_431.htm

Alleged Spammer Indicted (26/25 August 2005)

A grand jury has indicted Christopher William Smith of Prior Lake, MN, on charges of conspiracy to dispense controlled substances, wire fraud, money laundering, distributing controlled substances and introducing misbranded drugs into interstate commerce. The Spamhaus Project says Mr. Smith's business, Xpress Pharmacy Direct, is one of its worst offenders worldwide. Mr. Smith allegedly offered drugs over his web site without requiring a valid prescription. Two other men were also named in the indictment: Dr. Philip Mach allegedly filled the prescriptions Mr. Smith sold, and Bruce Jordan Lieberman, who was formerly Mr. Smith's accountant, allegedly helped Mr. Smith process credit cards and hide the money he made in his business venture. Mr. Smith has been arrested and is being held without bond.
-http://www.wired.com/news/print/0,1294,68646,00.html

-http://www.thisweek-online.com/2005/August/26indicted.html

Anti-Phishing Working Group Report Indicates Phishers are Honing Their Skills (24 August 2005)

According to the Anti-Phishing Working Group's July 2005 phishing report, spammers are fine-tuning their techniques to evade conventional spam detection and prevention technologies. APWG noted a significant increase in screenscrapers, which send screenshots of users' actions to phishers' servers. In this case, shots of users clicking on graphical keyboards were surreptitiously taken; graphical keyboards are sometimes implemented as an anti-keystroke-logging mechanism. In addition, as larger financial institutions implement stronger safeguards against phishing, the phishers are starting to target smaller financial institutions. The report also notes that the total number of reported phishing campaigns in July was down slightly from June numbers.
-http://www.theregister.co.uk/2005/08/24/apwg_fraud_trends/print.html
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39250552-39000005c

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

MPAA Uses Data from Shuttered File-Sharing Sites in New Lawsuits (29/25 August 2005)

The Motion Picture Association of America's (MPAA) latest round of lawsuits was based on information the organization obtained from file trading sites -- largely BitTorrent hubs -- that were shut down earlier this year. The MPAA filed suits against 286 individuals for illegal file sharing. The MPAA and those it represents are hopeful that the action will discourage people from illegally trading copyrighted digital content. The lawsuits at present are filed against John Does along with Internet addresses; the MPAA will seek their identities at a later date.
-http://news.zdnet.com/2102-9588_22-5843082.html?tag=printthis

-http://www.pcmag.com/article2/0,1895,1853573,00.asp
[Editor's Note (Ranum): The people who engage in file "sharing" appear to be ignorant of the notion of system logging and traffic analysis. Stealing things in an environment where nearly everything is logged is amazingly stupid! Wait until the MPAA guys start getting access to file "sharing" data from professionals who set up file "sharing" honeypots - then things will get interesting. ]

Legal Action Against File Sharing Sites Does Not Deter Traders (29 August 2005)

A study has indicated that the legal action taken against BitTorrent has not reduced the amount of file trading that takes place on the Internet, but merely caused file traders to shift to a different network.
-http://today.reuters.com/news/NewsArticle.aspx?type=internetNews&storyID=2005-08-29T143009Z_01_MAR952163_RTRIDST_0_NET-P2P-DC.XML

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Malware Could Lurk in Long Registry Keys (29 August 2005)

A flaw in the way Windows handles extremely long registry keys could allow attackers to hide malware on PCs. Because the registry editor is confused by keys in excess of 254 characters, those keys essentially disappear; so do others added to the key after the long one because the editor believes the long key is the last one in the section. Of particular concern is the "Run" registry key, which indicates what executables run when Windows is booted. Some malicious code scanners have a similar problem with long registry keys so the malware may not be detected.
-http://isc.sans.org/diary.php?date=2005-08-25
-http://www.cmpnetasia.com/nw_PrintArticle.cfm?Artid=27519
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39251533-39000005c
[Editor's Note (Schultz): One of the best things Microsoft could do to improve security would be to get rid of the Registry in its operating system products. The Registry is not accessible through the normal means used by system administrators when they configure and maintain systems. The Registry is thus an almost-too-good place for a perpetrator to make hard-to-detect changes. ]

Cisco SSL Flaw (26/23 August 2005)

Cisco has warned of a flaw in the Secure Sockets Layer certificate checking function that could be used to "pretend to be a legitimate Cisco Intrusion Detection Sensor or Intrusion Prevention System." Attackers could harvest login credentials or filter what IDSMC and Secmon see, potentially disguising activity that indicates an attack. They could also submit false data to the products. The flaw affects CiscoWorks Management Center for IDS Sensors (IDSMC) versions 2.0 and 2.1 and Monitoring Center for Security (Secmon) versions 1.1 through 2.0 and 2.1. Updates are available on the Cisco web site. In a separate warning, Cisco announced a flaw in its Intrusion Prevention System that could allow a local user to gain full administrative privileges.
-http://computerworld.co.nz/news.nsf/PrintDoc/8BC9444DB5CAA06ECC2570680016EE5D?OpenDocument&pub=Computerworld
-http://www.eweek.com/print_article2/0,1217,a=158639,00.asp
-http://www.cisco.com/en/US/products/products_security_advisory09186a00804fa92e.shtml
-http://www.cisco.com/warp/public/707/cisco-sa-20050824-ips.shtml

Polyglot Kelvir.HI Worm First of its Kind (25 August 2005)

The Kelvir.HI worm spreads through MSN Messenger, appearing to be a message from someone on users' contact lists. Before sending its message, the worm apparently checks which language the Windows client is configured to use, then sends an IM in that language to the compromised machine. Kelvir.HI can spread in ten languages: English, Dutch, French, German, English alphabet Greek, Italian, Portuguese, Swedish, Spanish and Turkish. It sends itself to every address on the user's IM contact list; recipients become infected if they visit a web site that downloads the malicious back door software and enables further spread of the worm. Kelvir.HI affects computers running Windows XP, Windows Server 2003, Windows 2000, Windows 98, Windows 95, Windows Me and Windows NT.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39250841-39000005c

Buffer Overflow Flaws in Elm eMail Client and Mplayer (25 August 2005)

Buffer overflow flaws in the Elm email client and Mplayer could allow malicious code execution. Exploit code for the Elm vulnerability, which affects versions 2.5 PL7 and earlier, is reportedly circulating on the Internet; an updated version, 2.5 PL8, addresses the problem. There is no patch presently available for the Mplayer vulnerability, which affects versions 1.0pre7 and earlier.
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4283

Zotob Worm a Threat to Certain Configurations of Windows XP (23 August 2005)

Although the Zotob worm, which exploits a Plug-and-Play vulnerability, targets Windows 2000 machines, certain configurations of Windows XP are at risk for infection as well. Users running Windows XP with SP1 with file and printer sharing and the Windows guest user account enabled are vulnerable. Microsoft says most XP users have upgraded to SP2. If the PCs are connected to a network domain, they are not vulnerable to Zotob.
-http://news.com.com/2102-1002_3-5842359.html?tag=st.util.print

Fix Available for eval() Injection Vulnerability in PHP Libraries (22 August 2005)

A flaw in two PHP libraries, XML-RPC For PHP and PEAR XML_RPC, could allow attackers to inject arbitrary PHP code into eval() statements. The hardened-PHP Project found the vulnerability after scheduling an audit in response to the disclosure of a PHP code injection flaw earlier this year. The vulnerability is caused "by an improper handling of XMLRPC requests and responses that are malformed in a certain way." The hardened-PHP Project and the maintainers of both libraries have developed a fix that eliminates the use of eval() from those libraries.
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4259
-http://www.hardened-php.net/advisory_142005.66.html

ATTACKS & INTRUSIONS & DATA THEFT

Keystroke-Logging Software Still Sending Personal Data to Servers (26/25 August 2005)

Although some of the web servers used in an identity theft ring discovered earlier this month have been shut down, others are still operational. The servers receive sensitive personal data from infected machines. The FBI is investigating. The company that uncovered the scheme has released a tool that detects and removes the keystroke-logger from users' computers. The company estimates that 27,000 people have been affected by the scheme.
-http://software.silicon.com/security/0,39024655,39151703,00.htm
-http://news.bbc.co.uk/2/hi/technology/4186972.stm


NewsBites Editorial Board: Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/