SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VII - Issue #5

February 02, 2005

A great new SANS research project needs your help. The Microsoft Security Response Center has published the Ten Immutable Laws of Security and we've provided a copy of them at the end of this issue. Our research project is to find examples of true stories that illustrate each of these laws so we can make them real for sysadmins. Take a look at the "Laws" and the examples we provide and please share examples you have seen. The three best examples win an Apple iPod.

Registration is now open for SANS 2004, the largest security training conference in the world. This year it is in San Diego in early April.
Details: http://www.sans.org/sans2005

---

TOP OF THE NEWS

Microsoft to Limit Windows Update Service to Users with Verified Legitimate Software
Blaster Variant Author Sentenced
Committee Gives Anti-Spyware Bill Top Priority
Lawsuit to be Brought Against Verizon Over Stringent eMail Filtering Policies

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
German Police Arrest Rogue Dialer Suspects
Man Arrested for Attempting Tsunami Donations Site Intrusion
Spanish Police Arrest Alleged Tasin Author
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Exodus of DHS Officials Could Slow Department Momentum
NRC Releases Draft Cyber Security Guidelines
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
MySpool Worm Infects MySQL Servers
Bagle Reemerges
PGP Creator Says Microsoft Encryption Flaw Needs Immediate Attention
MD5 Hashing Algorithm Flawed
Mobile Phones May Have Infected Lexus On-board Computers
Trojan Masquerades as Windows Security Fix
More Vulnerabilities in Cisco IOS
W32/Cisum.A Worm
PayPal eMail Addresses Exposed in Attack
MISCELLANEOUS
Car Key and Wireless Gas Card RFIDs Vulnerable
Classified Dutch Military Documents Found on P2P Site
Australia's Government Document Verification Plan Turns Up Data Purging Problems
Diebold Designs Printer That Provides Paper Audit Trail
UK Cyber Crime Funding is Sparse
Companies Revise International Security Policies
Disk Containing Personal Data Missing from University of Northern Colorado

---

************************** SPONSORED LINKS ******************************
Privacy notice: Some sponsored links redirect to non-SANS web pages.

(1) ALERT: ARE YOU VULNERABLE TO A 'SQL INJECTION' ATTACK?
FREE Product Trial
http://www.sans.org/info.php?id=721

(2) Cut months of the process of finding security tools that work with SANS "WhatWorks" interviews and short lists of proven products.
http://www.sans.org/whatworks/ (all free)

*************************************************************************

---

TOP OF THE NEWS

Microsoft to Limit Windows Update Service to Users with Verified Legitimate Software (27/25 January 2005)

As of February 7, Microsoft will require Windows users in the Czech Republic, China and Norway to have verified the legitimacy of their software before they will be permitted to download security patches and other add-ons. Users found to be running unauthorized copies of Windows will be offered the opportunity to purchase legitimate copies at a discount. The verification program, known as Windows Genuine Advantage, will become mandatory worldwide by the middle of this year. All Windows users, whether or not they have verified their software, will be able to receive Windows updates through the Automatic Update feature. Gartner analysts have expressed concern that the verification requirement could create a "large pool" of vulnerable computers because availability of critical security patches will be limited to those who are participating in the Windows Genuine Advantage Program.
-http://news.com.com/2102-1016_3-5550205.html?tag=st.util.print
-http://www.cbronline.com/article_news.asp?guid=D424DB2C-4688-4B54-88A8-E846BCDD2
F7B
-http://www.techweb.com/wire/security/59100489

Blaster Variant Author Sentenced (28 January 2005)

Jeffrey Lee Parson, the Minnesota man who released a variant of the Blaster worm in summer 2003, has been sentenced to 18 months in prison and 10 months of community service. Parson's variant affected about 48,000 computers; it launched distributed denial-of-service attacks against personal computers and against a Microsoft Windows Update web site.
-http://www.usatoday.com/tech/news/computersecurity/wormsviruses/2005-01-28-worm-
man_x.htm

Committee Gives Anti-Spyware Bill Top Priority (27 January 2005)

The House Commerce Committee has given HR29, the Spy Act, high priority; members hope to get it out of committee in under three weeks. The bill would require that spyware be easy to identify and to remove from computers. It would also prohibit the programs from collecting personal data without the user's express permission and authorize the Federal Trade Commission to fine violators as much as US$3 million for each infraction.
-http://www.wired.com/news/print/0,1294,66407,00.html
[Editor's Note (Schneier): I'm having trouble with the concept of spyware that's easy to identify and remove. Legal spyware? Sounds like an oxymoron. ]

Lawsuit to be Brought Against Verizon Over Stringent eMail Filtering Policies (21 January 2005)

A Philadelphia law firm has filed a lawsuit against Verizon on behalf of a DSL subscriber. The suit is seeking damages caused by the company's aggressive email filtering policies. Other Verizon customers are invited to join the suit, which is seeking class action status. Verizon.net mail servers are configured to reject connections from Europe, New Zealand and China by default; the policy has been in effect since December 22, 2004. Customers can request to have domains unblocked.
-http://www.theregister.co.uk/2005/01/21/verizon_class_action/print.html

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

German Police Arrest Rogue Dialer Suspects (28 January 2005)

German police have arrested two suspects in a rogue dialing scheme. The two allegedly surreptitiously altered people's computer settings so that they dialed out to premium rate phone lines. Several other suspects remain at large.
-http://www.theregister.co.uk/2005/01/28/rogue_diallers_cuffed/print.html
[Editor's Note (Shpantzer): This is one of the oldest tricks in the cybercrime book. The FTC settled a large modem hijacking case in 1997, with 38,000 victims and $2.74 million dollars worth of phone calls to Moldova. See
-http://www.ftc.gov/opa/1997/11/audiot-2.htm
for details. The attorney for the FTC on that case was Paul Luehr, who went to work for the DOJ in the cybercrime section and was responsible for, among other cases, the conviction of Jeffrey Lee Parson from the Blaster worm described above. ]

Man Arrested for Attempting Tsunami Donations Site Intrusion (28 January 2005)

London (UK) police have arrested a man for allegedly trying to break into the Disasters Emergency Committee tsunami donations web site. Police are examining the suspect's computer equipment for evidence of the attempted intrusion. The suspect has been released on bail.
-http://www.vnunet.com/news/1160839

Spanish Police Arrest Alleged Tasin Author (27 January 2005)

Spanish police have arrested the alleged author of the Tasin worm, which spreads with Spanish subject lines and was responsible for infecting computers in Spain and South America in November 2004. The worm carries a destructive payload, "trashing critical Windows systems files."
-http://www.theregister.co.uk/2005/01/27/tasin_arrest/print.html

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

Exodus of DHS Officials Could Slow Department Momentum (27 January 2005)

The departure of at least a half dozen high ranking Department of Homeland Security officials has raised concerns that the department's projects, including the National Plan for Critical Infrastructure and Key Resources Protection, could be delayed. Though an infusion of new management is often viewed as a good thing, DHS is still quite young and "initial capabilities" have not yet been established.
-http://www.govexec.com/story_page.cfm?articleid=30410&printerfriendlyVers=1&
amp;
[Editor's Note (Schneier): Any attempt to spin this as a good thing is going to fall painfully flat. ]

NRC Releases Draft Cyber Security Guidelines (25 January 2005)

The US Nuclear Regulatory Commission has issued a proposed update to its "Criteria for the Use of Computers in Safety Systems of Nuclear Power Plants" that addresses security; the guide, which dates to 1996, makes no mention of security. The update recommends including security at every step of system development, deployment and retirement. The draft advises against computer interconnections with contractors' computers like the one that allowed Slammer to infect a private network at an idled Ohio power plant in 2003. The guidelines would be voluntary for all nuclear reactor operators. NRC is accepting public comment on the update through February 11, 2005.
-http://www.securityfocus.com/printable/news/10353
draft update:
-http://ruleforum.llnl.gov/cgi-bin/downloader/rg_lib/123-0184.pdf
current version:
-http://www.nrc.gov/reading-rm/doc-collections/reg-guides/power-reactors/active/0
1-152/
[Editor's Note (Schultz): The very narrow window of time the NRC is allowing for public comment on this update seems unreasonable. If the NRC is in reality serious about obtaining feedback from the public, it should allow more time. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

MySpool Worm Infects MySQL Servers (28 January 2005)

More than 8,000 MySQL servers have been infected with malware that could allow them to be used to launch a massive denial-of-service attack. The worm, known as MySpool, MySpooler or Forbot uses brute force password attacks to seek out weak root passwords. MySQL has warned its customers to tighten up their security and is looking into hardening the database against future attacks -- these would include automatic updates and changes in the default installation.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39178706-20000
61744t-10000005c
-http://www.theregister.co.uk/2005/01/28/mysql_worm/print.html
-http://www.internetnews.com/dev-news/print.php/3465791
-http://www.infoworld.com//article/05/01/28/HNmysqlwarning_1.html
-http://news.com.com/2102-7349_3-5555242.html?tag=st.util.print
[Editor's Note (Pescatore): this one is getting a lot of press but really has mostly just gone pffft. Glad to see MySQL will make changes in the default configuration. Every single software product needs to remember it isn't 1980 anymore - out of the box should be secure and force sys admins to consciously mess things up.
(Tan): Accordingly to the Internet Storm Center, it is actually exploiting weak root password (
-http://isc.sans.org/diary.php?date=2005-01-27
). The fundamental of good security practices still holds: strong password, lock down your server and do not expose it unnecessary. ]

Bagle Reemerges (28/27 January 2005)

Yet another variant of the Bagle worm has been detected in the wild. Bagle.AZ was detected last week, spreading in China, Japan, the US and parts of Europe. The worm is not considered a high level threat. Bagle.AY was also detected last week; it appears to include a backdoor that listens on TCP port 81, and shuts down security programs and other applications.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39214903-39037064t-39000
005c
-http://www.vnunet.com/news/1160823

PGP Creator Says Microsoft Encryption Flaw Needs Immediate Attention (27 January 2005)

Phil Zimmerman, creator of the Pretty Good Privacy (PGP) desktop encryption algorithm, believes that the recently disclosed encryption flaw in Microsoft Word and Excel is "highly exploitable" and deserves immediate attention. The vulnerability is in the RC4 encryption stream cipher implementation. Zimmerman also questions why Microsoft is using RC4 at all given that it has other known flaws.
-http://www.infoworld.com//article/05/01/27/HNseriousflaw_1.html
[Editor's Note (Ranum): (Tongue in cheek) Will the five users of word document encryption please go use PGP already? Is Phil an unbiased source? ]

MD5 Hashing Algorithm Flawed (28 January 2005)

Security researchers are warning that the MD5 hashing algorithm, which is used by two of the three major content addressed storage system vendors, is flawed. MD5 has reportedly been decertified for secure operations by NIST since at least 1998.
-http://www.computerworld.com/printthis/2005/0,4814,99331,00.html
[Editor's Note (Tan): So far the MD5 collision is only on two 1024-bit messages (
-http://eprint.iacr.org/2004/199.pdf),
but this is sufficient to prove that it is not 100% reliable. It will be good to start considering using a larger hash function. In fact, NIST plans to phase out SHA-1 in favor of SHA-224, SHA-256, SHA-384 and SHA-512 by 2010 (
-http://csrc.nist.gov/hash_standards_comments.pdf
).
(Schneier): As the article says, the idea that there are flaws in MD5 is nothing new. It really is time and past for vendors to stop using it. ]

Mobile Phones May Have Infected Lexus On-board Computers (27 January 2005)

There have been reports that the on-board computers of several models of Lexus automobiles have been infected with viruses. It is likely that a mobile phone is responsible for the infections. Some Lexus cars have navigation systems that use Bluetooth to connect to mobile phones to allow hands-free calling.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39214840-39037064t-39000
005c
[Editor's Note (Shpantzer): I hope Lexus (Toyota) is keeping XP Embedded Edition and other general-purpose OSs out of the main chips for the actual automotive functions. ]

Trojan Masquerades as Windows Security Fix (27 January 2005)

An email purporting to be from Microsoft, claims an attachment will address security vulnerabilities in Windows. The attachment actually contains a Trojan horse program. The body of the email contains errors in grammar and spelling, which should clue people in to the fact that it is phony. Microsoft has encountered this type of scam often enough that they have devoted a web page to it, making clear that the company never sends security updates as email attachments.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39214825-39037064t-39000
005c

More Vulnerabilities in Cisco IOS (27/26 January 2005)

Cisco has disclosed three additional denial-of-service vulnerabilities in certain versions of Cisco Internetwork Operating Software (IOS) routing software. Free upgrades and fixes for the flaws are available on Cisco's web site. US-CERT also announced a denial-of-service flaw in Juniper Network routers running JUNOS software created before January 7, 2005.
-http://news.com.com/2102-1002_3-5551791.html?tag=st.util.print
-http://www.techweb.com/wire/networking/59100102
-http://www.cisco.com/en/US/products/products_security_advisories_listing.html

W32/Cisum.A Worm (26 January 2005)

The W32.Cisum.A worm plays and displays an insulting message ("You are an idiot!") while attempting to shut down firewalls, anti-virus and other security programs. It also searches for and shuts down Netsky and Bagle worms. Cisum.A affects Windows 2003, XP, 2000, NT, ME, 98 and 95.
-http://www.internetnews.com/security/article.php/3464731

PayPal eMail Addresses Exposed in Attack (24 January 2005)

A malicious attacker exploited a flaw in the software used by Benchmark Portal, a third-party company that handles PayPal customer survey email. Certain URLs could be manipulated to allow unauthorized access to email addresses of PayPal users who had recently unsubscribed from the surveys. A PayPal spokesperson says the problem has been fixed and that only a small number of email addresses were exposed. PayPal is informing customers affected by the breach.
-http://www.eweek.com/print_article2/0,2533,a=143176,00.asp

MISCELLANEOUS

Car Key and Wireless Gas Card RFIDs Vulnerable (31 January 2005)

The code in radio frequency ID (RFID) chips used in high security car keys and wireless keychain tags used to purchase gasoline at service stations is easy to decipher. The encryption function can be broken without even having direct contact with the RFID chip. The problem is that the mathematical key used in the chips is too short.
-http://www.eweek.com/print_article2/0,2533,a=143597,00.asp
-http://www.technewsworld.com/story/news/40173.html
[Editor's Note (Pescatore): I'm pretty sure that key copying is a very small percentage of car thefts - finding keys left in the ignition and popped lock cylinders are much easier ways to steal someone's wheels. However, covert copying of SpeedPass type devices is another story.
(Tan): Just having some encryption features and labeling a product as secure will be totally deceiving. Without proper assessment of the security function, the vendor will just be giving a false sense of security. ]

Classified Dutch Military Documents Found on P2P Site (31/30 January 2005)

Classified documents from the Dutch military have been found on a P2P site. It is possible that the unencrypted documents found their way to the file sharing site when a Dutch armed forces worker worked on them from his home and unintentionally placed them in a shared folder.
-http://www.theregister.co.uk/2005/01/30/dutch_classified_info_found_on_kazaa/pri
nt.html
-http://software.silicon.com/security/print.htm?TYPE=story&AT=39127477-390246
55t-40000024c
[Editor's Note (Shpantzer): Let's say it again: Create awareness and enforce policy against P2P in your environment. This story is outrageous, yet more common than most people think. We reported months ago on a website that scans shared drives for such material and posts it on the site, with some obfuscation of the most sensitive data. ]

Australia's Government Document Verification Plan Turns Up Data Purging Problems (28 January 2005)

Australia's recently introduced identity security plan, which was designed to allow various government agencies to verify documents, has turned up a number of data purging problems. As many as half a million deceased people still have active medicare numbers in Health Insurance Commission's system, and the Australian Taxation Office office has "several hundred thousand 'active' but inaccurate tax file numbers assigned to individuals."
-http://australianit.news.com.au/common/print/0,7208,12072744%5E15306%5E%5Enbv%5E
,00.html

Diebold Designs Printer That Provides Paper Audit Trail (27 January 2005)

Diebold has completed the design for a printer that will provide a voter-verified audit trail for electronic voting machines. The decision is thought to be a result of customer demand: Nevada used machines that provided paper trails in the November 2004 election and California and Ohio have recently passed legislation requiring the use of printers with e-voting machines in future elections.
-http://www.computerworld.com/printthis/2005/0,4814,99290,00.html
[Editor's Note (Schultz): Good for Diebold! Once again, audit trails are one of the best if not the best ways to verify the accuracy of voting machines.
(Pescatore): Now, that wasn't so difficult, was it? ]

UK Cyber Crime Funding is Sparse (26 January 2005)

A deputy constable from the Surrey (UK) Police Computer crime unit says funding for cyber crime investigation is scanty at best. Many reported cyber crimes are not investigated, and significant portions of the budget are spent on outside specialists due to a lack of expertise within the police force. Each 45 of the UK's constabularies has a dedicated cyber crime investigator, but the level of expertise varies.
-http://www.silicon.com/research/specialreports/thespamreport/print.htm?TYPE=stor
y&AT=39127363-39025001t-40000011c
[Editor's Note (Shpantzer): This is the state of affairs in many jurisdictions in the US, as well. Digital forensics helps solve serious 'meatspace' crimes such as murder and arson-for-hire and drug trafficking, in addition to cybercrimes. If enough decision makers were aware of the impact that digital forensics could have on the closure rate for these meatspace crimes, maybe we'd get more funding for this crucial capability in law enforcement. ]

Companies Revise International Security Policies (25 January 2005)

Some international companies are revising their global security policies to comply with the most stringent laws worldwide. In some cases this can be seen less as a burgeoning interest in improving corporate security and more of a desire not to run afoul of laws in certain countries. In Italy, failure to comply with data security and privacy laws can result in a three-year prison sentence regardless of whether or not a security breach has taken place.
-http://www.theregister.co.uk/2005/01/25/international_security_policy/print.html

Disk Containing Personal Data Missing from University of Northern Colorado (23/21 January 2005)

A computer hard disk containing sensitive personal information -- including bank account numbers -- belonging to University of Northern Colorado employees and their families is missing. Campus police are investigating; it is unknown whether the disk was stolen or misplaced.
-http://www.thedenverchannel.com/news/4121643/detail.html
-http://www.thedenverchannel.com/news/4116428/detail.html

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/

=============================================

Microsoft's Ten Immutable Laws of Security

Please provide examples of real security incidents that illustrate any of these laws. Other examples of security breaches caused by sysadmins errors are equally welcome. Email them to info@sans.org Subject: 10Laws (Original source and more details: http://www.microsoft.com/technet/archive/community/columns/security/essays/10iml
aws.mspx )

We've made a few changes [in brackets] to make them a little more inclusive.

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore

Law #3: If a bad guy has unrestricted physical access to your computer, [or data] it's not your computer anymore

Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more

Law #5: Weak [or weakly protected] passwords trump strong security

Law #6: A computer is only as secure as the administrator is trustworthy [and is aware of threats and countermeasures]

Law #7: Encrypted data is only as secure as the decryption key

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

Law #9: Absolute anonymity isn't practical, in real life or on the Web

Law #10: Technology is not a panacea

Law 1 example
A sysadmin at one e-commerce company received an email that looked like a security alert and contained a url that seemed to go to Microsoft for patches. He clicked on the hyperlink, taking him to the fake Microsoft site. He downloaded the fake patch and infected his system with a keystroke logger that recorded his passwords and account names for every system to which he had access. More than a dozen of the servers he managed were later used by the attackers as pornography servers.

Law 5 example
A sysadmin for an aerospace contractor posted sensitive Department of Defense files on a computer in the DMZ that also had a configuration weakness. The files were stolen and a major DoD investigation ensued.

We look forward to receiving your examples.