2 Days Left to Save $250 on SANS Chicago 2014

SANS NewsBites - Volume: VI, Issue: 15

Microsoft Trusted Computing Update:
Three "critical" flaws in Windows were announced yesterday by Microsoft. The critical flaws were included in four security bulletins announcing a total of 20 flaws.

Paul Robert's IDG News Service story provides good pointers:

It makes sense to take time today to update your systems.


SANS NewsBites                     April 14, 2004                    Volume: VI, Issue: 15

  Hackers Strike Supercomputer Centers and Other Advanced Research Sites
  Witty Marks Some Serious Firsts
  ISS Makes Witty Patch Available to All
  Researcher Claims On-Line Scanners Have Security Flaws
  New Phishing Scheme Uses Phony Browser Address Bar to Collect Information
  FDIC Warns of Bogus "Fraud Report" E-Mail Messages


  Hackers Find Holes In WiFi Hot Spots Easy Entry Points
  New Intel Processors Have Security Built In
  Stolen Computer Equipment Contained Data that Could be Used in Identity Theft
  Tool Could be Abused by Attackers
  Cisco Wireless Hacking Tool Released
  Microsoft Security Summits
  Linux Distributors Object to Forrester's Conclusions Regarding Security
  Japanese Police Say Virus Put Documents on Internet
  University of Kansas Pharmacy Server Intrusion
  e-Voting Audit Trail Software Code Released
  WestJet Sued for Accessing Air Canada Proprietary Information
  Alleged Keystroke Logger Pleads Innocent
  On Line Betting Site Temporarily Downed by Denial-of-Service Attack
  Researchers Find Certain e-Mail Server Configurations are Vulnerable to Attack


  Microsoft May Restore Security, But Not Trust -- Washington Post


  Internet Explorer ITS Protocol Handler Vulnerability
  MP3Concept Trojan Exploits Flaw in Mac OS X
  Cisco Warns of Vulnerabilities in Wireless LAN Solution Engine and Hosting Solution Engine Software
  Bagle.X Detected
  RealPlayer Client Flaw Could Allow Remote Execution of Arbitrary Code
  BugBear Variant Exploits IE Hole, Logs Keystrokes
  Vulnerabilities in Apache 2.x Servers
  NetSky.Q and T to Launch DoS Attacks in File Sharing and Cracking Tool Web Sites
  NetSky.S and T May Have Different Author than Earlier Variants
  Patches for Panther and Jaguar Fix a Variety of Vulnerabilities

************************ Sponsored by Symantec **************************

Symantec Gateway Security 5400 Series provides fully integrated enterprise protection at the gateway. As the industry's most comprehensive firewall appliance, it integrates full inspection firewall technology, protocol anomaly-based intrusion prevention and intrusion detection, award-winning virus protection, URL-based content filtering, anti-spam, and virtual private networking technology. To find out more, click here or call 800-745-6054.

Please use the following click-thru url:

Highlighted Training Programs Of The Week
1. SANS Security Bootcamp (May 9-16 in Baltimore) will be one of the best training opportunities of the year - smaller classes, plus evening bootcamps. You won't find a better opportunity for immersion training.

2. SANSFIRE offers you 14 immersion training tracks in one of the most beautiful and romantic places in America -- Monterey California - in early July. Phenomenal training for auditors who want to master the challenges of security auditors, managers who want to build a great security program, beginners who want to get a fast start, and, of course, the only place to go for technologists who want to master the most current methods for protecting systems and networks. SANSFire also offers lots of evening programs, extra one-day classes ranging from Business Law to Cyberwarrior training, and vendor exhibits, too.

Register soon to get a seat at your choice of courses.


Hackers Strike Supercomputer Centers And Other Advanced Research Sites (13 April 2004)
Hackers infiltrated powerful supercomputers at colleges, universities and research institutions in recent weeks, disrupting one of the nation's largest online research networks for several days. Up to twenty institutions were involved and parts of the TeraGrid were unavailable for as much as five days.

Witty Marks Some Serious Firsts (7 April 2004)
The spread of the Witty worm marked a series of ominous firsts in the realm of malware. Witty was the first widespread worm that also destroyed the hosts it used to spread; Witty was also the first worm to target a set of security products (from ISS). Additionally, Witty emerged on the scene just one day after the vulnerability it exploited was disclosed. There is also a growing belief that Witty was initially distributed through a "bot network of compromised machines," which probably helped it reach its saturation point in just 45 minutes.
[Editor's Note (Northcutt): We have always known a malicious worm would finally be released, thankfully this one was targeted at a niche product, the ISS Personal Firewall. Disaster Recovery and Business Continuity Planners would be wise to read this article and ponder its implications. Everyone should really start asking just how effective are our organization's backup procedures, do we really get all the data backed up, what about files the user writes to local drives, what about the road warrior's laptops.
(Tan): If you are using ISS products, you may feel betrayed, and will definitely remember it. ]

ISS Makes Witty Patch Available to All (5 April 2004)
Internet Security Systems (ISS) has made a patch that protects two of its products (RealSecure and BlackIce) from the Witty worm available to everyone who owns the products. Last week, the company was criticized for making the patch available only to those customers whose maintenance contracts were current. The patch will be available for everyone through May 15, 2004.
[Editor's Note (Grefer): Searching the ISS website for the "patch" takes a lot of time, but leads nowhere since ISS did not bother to update their security alerts with pertinent links. Only once one in desperation looks at the download center, one may stumble across the "Free Update Program":
(Northcutt): The first Matrix movie says it best: Agent Smith: "No, Lieutenant, your men are already dead." ]

Researcher Claims On-Line Scanners Have Security Flaws (12 April 2004)
Security researcher Rafel Ivgi has made claims that three anti-virus companies' free on-line scanners contain buffer overflow vulnerabilities. Two of the companies say there is not a problem; the third has acknowledged and corrected the problem.
[Editor's Note (Pescatore): Security vendors are getting sloppy. Vulnerabilities are being found at an alarming rate in firewalls, IDS, anti-viral and other security products. If the security vendors don't write better code than the commercial software vendors, they will find the market can move away from them very rapidly. ]

New Phishing Scheme Uses Phony Browser Address Bar to Collect Information (8/6 April 2004)
A new phishing scam offers a link to a site that detects users' browsers and generates a phony address bar. The bogus bar acts like a real address bar and will send users to other sites if they type those addresses into it. This method could be exploited to launch a man-in-the-middle attack.
[Editor's Note (Pescatore): Combine this with spyware that causes pop windows that look like address bars and it is evident that the basic browser has long needed to improved to provide higher levels of authentication on both ends - CallerID for the Internet again. We've seen that over the last 12 months (especially over the last 6 months) phishing is causing consumers to lose trust in any link in any email, which puts a lot of electronic bill presentment and online payment systems at the risk of being abandoned. ]

FDIC Warns of Bogus "Fraud Report" E-Mail Messages (8 April 2004)
The Federal Deposit Insurance corporation (FDIC) has warned that someone is sending out e-mail messages purporting to be from the FDIC with the subject line "fraud report" and warning recipients that their accounts have been closed due to fraudulent activity. They are also advised to open an attached file which actually contains a virus capable of gathering information from the infected computers.

************************ SPONSORED LINKS ******************************
Privacy notice: These links may redirect to non-SANS web pages.

(1) FREE White Paper: "Outsmart the Top 10 Web Application Attacks!"

(2) Event Log Strategies: Free white paper plus archiving, monitoring, and analysis software!



Hackers Find Holes In WiFi Hot Spots Easy Entry Points (13 April 2004)
(Digital intruders are piercing defenseless air space at corporations, public Wi-Fi hot spots and homes to gain illegal entry to computers. Gartner Group says about 90% of mobile devices lack protection.

New Intel Processors Have Security Built In (12 April 2004)
Intel's next-generation microprocessors will have a security engine separate from the area in which the general processing occurs. The processors, which are for cellular phones and hand-held computers, will be able to enforce copy protection and guard against wireless network intrusions.

[Editor's Note (Pescatore): This Trusted Wireless Module can be a good thing, in that it is OS independent and will support MSFT, Linux, Symbian and Palm OSs for mobile devices. But it is mostly oriented at secure boot, crypto support and secure storage on the chip. Saying it will guard against wireless network intrusions is a reach. ]

Stolen Computer Equipment Contained Data that Could be Used in Identity Theft (8 April 2004)
Thieves stole hard drives, servers and other computer equipment from a Houston, Texas office building last week. Equipment was stolen from four businesses, including an insurance firm and a title company. People who have conducted business with the companies over the last few years could be vulnerable to identity theft.
[Editor's Note (Schneier): I wonder whether the thieves were more interested in the data or the street value of the equipment -- or both. ]

Tool Could be Abused by Attackers (8 April 2004)
The Metasploit Project has released an updated design framework for its tool, which allows users to check for vulnerabilities to recently disclosed security flaws. Metasploit founder HD Moore calls it "a good research tool," but some researchers are concerned that it could be used maliciously to seek out vulnerable computers on the Internet. On the other hand, the tool levels the playing field for administrators and malicious hackers.

Cisco Wireless Hacking Tool Released (8 April 2004)
A network engineer has apparently released a tool that allows users to compromise WLANs that use Cisco's Lightweight Extensible Authentication Protocol, or LEAP through the use of dictionary attacks.
[Editor's Note (Pescatore): LEAP is a proprietary protocol with known flaws. Cisco has proposed EAP-FAST as a more secure replacement but really needs to help its installed base move from LEAP to supported standards like PEAP. ]

Microsoft Security Summits (8 April 2004)
Microsoft Corp. is conducting Security Summits in 20 cities around the world to train developers and system managers how to improve the security of their systems. The free, one-day classes have two tracks: basic and advanced. B

[Editor's Note (Tan): One day free class is not sufficient to train the developers and security managers in how to protect their systems. Nevertheless, this is still a good move by Microsoft.
(Paller) I took a day to attend one of these seminars in the US, and, although two of the speakers were excellent (one used to teach for SANS before he moved to Microsoft), each session by the two good speakers was so short that the audience was not able to glean enough valuable data to make the session actually help them improve security. If Microsoft does a series again, they need to reorganize the sessions to make them more teaching sessions and less marketing sessions. ]

Linux Distributors Object to Forrester's Conclusions Regarding Security (7 April 2004)
In a joint statement, Linux distributors Debian, Mandrake, Red Hat and SUSE assert that a recent report from Forrester claiming that Linux and Windows are equal when it comes to security is flawed. The statement maintains that the study treated all vulnerabilities as equal, regardless of the risks they pose to users.
Linux Vendors' Statement:
[Editor's Note (Grefer): To get a better idea of the report's content, read the article listed below; It provides more details than I have seen anywhere else. Using the National Instiute of Standards and Technology's ICAT vulnerability database to weigh the vulnerabilities tips the scales ... and strikes me as the most important metric in this context.

Japanese Police Say Virus Put Documents on Internet (7 April 2004)
Japanese police are claiming that a computer virus is responsible for a number of documents related to criminal investigations appearing on the Internet. The files, which contained names and personal data belonging to 11 people as well as details of an alleged crime, were found to be available on a P2P network.

University of Kansas Pharmacy Server Intrusion (7/6 April 2004)
Cyber intruders broke into a server at the University of Kansas Watkins Health Center pharmacy. The server contained records of prescriptions filled for students, faculty and staff between July 1994 and January 2004. The FBI is involved in the investigation.

e-Voting Audit Trail Software Code Released (6 April 2004)
VoteHere Inc. has released source code for an e-voting security module. The company hopes to increase confidence in the reliability of electronic voting. The software is designed to let voters use the Internet to check that their ballots were accurately counted.

[Editor's Note (Pescatore): This should be the norm for any voting software, with one caveat: Just releasing the source doesn't guarantee meaningful open source review. Clue-ful reviewers need to be encouraged, supported and encouraged to perform meaningful review.
(Schneier): This is good, but it should be the default, rather than something unusual and praiseworthy. ]

WestJet Sued for Accessing Air Canada Proprietary Information (6 April 2004)
Air Canada has filed a lawsuit against WestJet and two WestJet employees, alleging that WestJet used privileged information from an Air Canada web site to fuel its expansion and institute pricing that would force Air Canada out of certain markets. Apparently WestJet had hired former Air Canada employee Jeffrey Lafond as a financial analyst. When Lafond left Air Canada, he was granted two tickets a year for five years, and given an identification number to access a private web site used to book Air Canada employee personal travel. Air Canada alleges that Lafond's identification number was used 243,630 times between May 2003 and March 2004, a statistic that "could only be accomplished through automated technology." Air Canada is seeking $5 million CAD in punitive damages, damages for lost revenues and profits and is asking that any profit reaped by WestJet as a result of obtaining the proprietary information be held in trust and that the data be returned to Air Canada.

[Editor's Note (Shpantzer): This story illustrates the nature of intellectual property in the networked economy. By pinging the reservation system a quarter million times in less than a year, so Air Canada alleges, WestJet was able to gain a detailed picture of Air Canada's pricing and profit structure. When you combine this real-time information with LaFond's knowledge of Air Canada's business, via his previous position as a financial analyst, and you have the components of a very strong competitor against Air Canada.
(Grefer): Repeat after me "When an employee leaves the company, disable privileged access first, then all access!" ]

Alleged Keystroke Logger Pleads Innocent (6 April 2004)
Larry Lee Ropp, who in March was indicted on a violation of federal wiretapping statutes for installing a keystroke logger on his former employer's computer, has pleaded innocent in court. Ropp claims he was collecting information for the California Department of Insurance, but a Department spokesperson said they had never asked Ropp to use that method to collect information for them.

[Editor's Note (Ranum): "I was just a researcher" - this is the inevitable excuse we encourage when we (including NewsBites) persist in referring to hackers as "security researchers"
(Paller): I was in the Montreal courtroom when MafiaBoy made that claim to the judge. The judge gave him a sentence longer than any sentence ever given to another minor accused of computer crimes in Canada. ]

On Line Betting Site Temporarily Downed by Denial-of-Service Attack (5 April 2004)
UK on line gambling site Sporting Options was hit with a denial-of-service attack the first weekend in April. The site had apparently received threats that it would be attacked unless it paid 40,000. Sporting Options ignored the extortion threat; it estimates that it has lost between 10,000 and 15,000 pounds sterling as a result of the attack.
[Editor's Note (Ranum): Well, then they came out ahead! If they would have had to pay 40,000 to buy off the hackers, then losing 15,000 was a cost savings. Next, expect some hackers fished out of the bottom of a pond, someplace, with their feet encased in concrete. ]

Researchers Find Certain e-Mail Server Configurations are Vulnerable to Attack (4 April 2004)
Security researchers have found a way to crash an e-mail server using a forged sender address with thousands of invalid addresses in the "copy to" fields. In order for the attack to work, the targeted server must be configured to return undeliverable e-mail and attachments to the sender's address.


Microsoft May Restore Security, But Not Trust Washington Post
Washington Post technology writer Rob Pegoraro writes about his interview with Steve Ballmer, the history of Microsoft's security lapses, and the new initiative to improve security.


Internet Explorer ITS Protocol Handler Vulnerability (9 April 2004)


MP3Concept Trojan Exploits Flaw in Mac OS X (9/8 April 2004)
Security experts say the company that announced the Trojan exaggerated the threat.

Cisco Warns of Vulnerabilities in Wireless LAN Solution Engine and Hosting Solution Engine Software (9/8/7 April 2004)


Bagle.X Detected (8 April 2004)


RealPlayer Client Flaw Could Allow Remote Execution of Arbitrary Code (7 April 2004)


BugBear Variant Exploits IE Hole, Logs Keystrokes (7 April 2004)


Vulnerabilities in Apache 2.x Servers (7 April 2004)


NetSky.Q and T to Launch DoS Attacks in File Sharing and Cracking Tool Web Sites (6 April 2004)


NetSky.S and T May Have Different Author than Earlier Variants (6 April 2004)


Patches for Panther and Jaguar Fix a Variety of Vulnerabilities (6 April 2004)



NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit