SANS NewsBites - Volume: VII, Issue: 20


For security vendors - the short lists of leading vendors have been drafted for each of twenty-two security product categories. The short lists will be distributed to all 330,000 CISOs and other security professionals (as part of the new WhatWorks poster that will be mailed in eight weeks). If you want to check them prior to publication, email paller@sans.org today with subject "WhatWorks short lists" and let us know which product categories you serve. The security product categories are displayed at the end of this issue.

Enterprise users looking for security products, please check the case studies and user interviews at http://www.sans.org/whatworks/ before you select any product. By the end of the year WhatWorks will be fully populated. If by then, we don't have a user case there, it means we have not yet found a user who can prove he has made the vendor's technology work effectively.

*************************************************************************
SANS NewsBites                     May 18, 2005                    Volume: VII, Issue: 20
*************************************************************************
TOP OF THE NEWS

  DHS Acting IG Says New Network Not Up to Snuff
  Massachusetts AG Files Suit Against Alleged Spammers
  Verizon Faced With Lawsuits Over Blocking eMail From Foreign IP Addresses
  Georgia State Worker Charged with Breaking Into Driver's License Database

THE REST OF THE WEEK'S NEWS

  ARRESTS, CONVICTIONS AND SENTENCES
   Man Sentenced to 21 Months for Infecting DOD Computers with TK Worm
  SPAM & PHISHING
   New Phishing Scam Uses Personal Data To Fool Victims
   MasterCard's STOP IT Initiative Responsible for Shutting Down 1,400 Phishing Sites
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
   Intel Plays Down Vulnerability in Hyperthreading
   Faulty Microsoft Patch Raises Questions About Automated Patching
   Mozilla Releases Firefox Update
   RSA Releases Patch for Buffer Overflow Flaw in Web Authentication Software
   UK Security Center Warns of IPSec Vulnerability
   Apple's iTunes Update Addresses MPEG-4 Parsing Problem
   MyDoom.BQ Spreading in Europe
  ATTACKS AND INTRUSIONS
   Illinois High School Students Could Face Charges for Computer Intrusion
  MISCELLANEOUS
   Independent Review of SANS Security Training Programs


*********************** Sponsored by Shavlik ****************************
Now Available! Introducing Shavlik HFNetChkPro(tm) 5, the next generation of security patch management. With over 50 awesome new features including detailed reporting, advanced reboot options, email notification, and distribution servers, staying up to date on patches has never been easier and your network has never been more secure. Keep your world in Chk with Shavlik. Download the trial version today at

http://www.sans.org/info.php?id=778
*************************************************************************
Reasons Security Professionals Give for Justifying SANS Training

(1) "I have attended several of SANS' rivals and SANS blew them away!"
- Alton Thompson, US Marines

(2) "I have attended many conferences/training sessions, and SANS, by far, has been the best. The instructors are the top in the industry, examples are from real life experiences - terrific!"
-Chris Bush, Novartis Pharmaceuticals

(3) "It's very dynamic and I will be able to apply what I learned directly into my area of work."
- Wagner Nascimento, eBay, Inc.

*************************************************************************

TOP OF THE NEWS

DHS Acting IG Says New Network Not Up to Snuff (10 May 2005)
Department of Homeland Security acting inspector general Richard L. Skinner says that the department's Homeland Security Data network was hastily constructed and inadequate attention was paid to its ability to protect the data it contains. The network was designed to share classified data with 600 federal, state and local intelligence and law enforcement agencies. A department spokesperson says that the network "was still in its fledgling stages" but met security criteria before it went online.
-http://www.securitypipeline.com/shared/article/printablePipelineArticle.jhtml;?articleId=163100493

-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=35758



Massachusetts AG Files Suit Against Alleged Spammers (12 May 2005)
The Massachusetts attorney general has filed a lawsuit alleging that Leo Kuvayev and six other members of a "spam gang" have sent millions of unsolicited email messages attempting to draw people to their network of commercial web sites. The court order seeks to shut down the sites, which sell such things as pharmaceuticals and pirated software. No criminal charges have been filed against Mr. Kuvayev or the other six people. The AG is concerned that people may be tricked into buying counterfeit medication. The AG also wants the accused to pay fines for breaking state and federal anti-spam laws and to compensate people who lost money as a result of the group's actions.
-http://news.bbc.co.uk/2/hi/technology/4539715.stm


Verizon Faced With Lawsuits Over Blocking eMail From Foreign IP Addresses (11 May 2005)
Verizon Communications has been hit with several lawsuits as a result of the company's policy of blocking email from IP addresses in foreign countries in an effort to reduce spam. The complaint asks that Verizon cease blocking email and that it compensate customers for losses on behalf of business customers. A second class action lawsuit was filed on behalf of residential customers. In addition, a New Jersey businessman has filed a lawsuit against Verizon because he says his email has been blocked from getting to his customers.
-http://www.securitypipeline.com/showArticle.jhtml?articleID=163101524
[Editor's Note (Schultz): Who would have thought that blocking IP addresses would become such a big issue? It appears that organizations, particularly ISPs, will be compelled to review their traffic blocking strategies on the basis of legal considerations.
(Shpantzer): Lawyers invented spam, and they will help end it. ]


Georgia State Worker Charged with Breaking Into Driver's License Database (13 May 2005)
A Georgia state agency worker has been charged with computer intrusion and theft. Asif Siddiqui, who did not undergo a background check when he was hired, allegedly accessed Georgia's driver's license files without authorization. Mr. Siddiqui was arrested at his office after it was discovered that he had logged in to the database outside of work hours and without any apparent reason. The Georgia Bureau of Investigation is involved in the case.
-http://www.accessnorthga.com/news/ap_newfullstory.asp?ID=60627



************************** Sponsored Links ******************************
Note: These links may take you to sites outside SANS:

1) ALERT: Identify, Prioritize & Control Network Behavior. Download FREE White Paper "Enterprise Network Security Architecture Doesn't End with Inline-IPS." http://www.sans.org/info.php?id=779

2) Secure storage and access control for all your ADMINISTRATIVE PASSWORDS: UNIX/Linux, Windows, databases, routers and firewalls http://www.sans.org/info.php?id=780
*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES


Man Sentenced to 21 Months for Infecting DOD Computers with TK Worm (11 May 2005)
Raymond Paul Steigerwalt has been sentenced to 21 months in prison and ordered to pay US$12,000 in restitution for his role in the release of a computer worm that affected US Department of Defense computers. The TK worm exploited known vulnerabilities in Microsoft's IIS web server to spread and install backdoors on infected systems. The worm also caused damage worldwide.
-http://www.theregister.co.uk/2005/05/11/tk_worm_kiddo_jailed/print.html


SPAM & PHISHING


New Phishing Scam Uses Personal Data To Fool Victims
Phishers are beginning to include personal information in the phishing bait to fool victims into believing the phishing email is real. They use stolen information, including a person's name, email and banking account number. The messages attempt to get the PIN code or Credit Card CVD code.
-http://news.zdnet.com/2100-1009_22-5706305.html
[Editor's Note (Schneier): This is a scary trend. It's generally simple to detect phishing attempts because there's no personalized information. If the phishing e-mail does contain personalized information, it will look considerably more authentic. The long-term solution may be to develop some method of authentication between vendor and customer, though that could be subject to a man-in-the-middle attack. ]


MasterCard's STOP IT Initiative Responsible for Shutting Down 1,400 Phishing Sites (12 May 2005)
As part of MasterCard's operation STOP IT (the IT stands for identity theft) initiative, the company has shut down 1,400 phishing web sites within the last year. In addition, the program has seen more than 750 sites that claimed to be selling stolen credit card information be shut down and claims responsibility for 27 arrests related to credit card fraud.
-http://www.techworld.com/news/index.cfm?RSS&NewsID=3646
[Editor's Note (Northcutt): I tried what I assume is my bank's number and found what is apparently an individual's credit card number on the first try. If you want to check to see if you are listed, you probably should NOT type your credit card into Google. However, it might make sense to put a range of numbers and your last name. Example, if your visa card begins with 4388: visa 4388000000000000..4388999999999999 "name"
NOTE: Please remember that you are part of the defensive information community and do not do anything you might regret later. ]


WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES


Intel Plays Down Vulnerability in Hyperthreading (16 May 2005)
Colin Percival, a researcher, published a paper describing how a computer could be compromised through the theft of keys by exploiting hyperthreading. Intel pointed out that any processor that uses hyperthreading would be vulnerable, and that a computer would have to be compromised through another path before this flaw could be exploited.
-http://www.computerworld.com/securitytopics/security/story/0,10801,101769,00.html

[Editor's Note (Pescatore): Gee, that's good news: *any* processor using hyperthreading is vulnerable. I recommend Intel move on from the "we're no worse than anyone else" kind of approach here. There is a lot of work to be done before virtual computing proves that it can provide the isolation needed to support trustable execution environments that can withstand real world attacks. ]


Faulty Microsoft Patch Raises Questions About Automated Patching (13 May 2005)
MS05-019 security patches, originally released in April, caused some connectivity problems for Exchange servers and have been reissued by Microsoft. Problems included inability of Exchange servers to connect to domain controllers and domain controller replication failure as well as difficulty connecting to terminal servers and file shares.
-http://www.eweek.com/article2/0,1759,1815956,00.asp
[Editor's Note (Pescatore): There really isn't much question about automated patching upon patch release - most large enterprises can't do it. Even though Microsoft has increased the quality of patches, this points out that some are still like fine wine - they need to age a bit before opening. Also, many patches break other applications and enterprises have to test for that - self-inflicted wounds can be just as damaging as external attacks and you don't even have a hacker to blame.
(Schneier): Automated patching, like benevolent worms, is a nice theory that too easily falls prey to real-world implementation problems. ]


Mozilla Releases Firefox Update (13/12 May 2005)
Mozilla has released Firefox 1.0.4, an updated version of the open-source browser that addresses two vulnerabilities that were disclosed last week. The flaws could allow cross-site scripting and remote system access.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39230025-39037064t-39000005c

-http://www.computerworld.com/printthis/2005/0,4814,101676,00.html


RSA Releases Patch for Buffer Overflow Flaw in Web Authentication Software (12 May 2005)
RSA has released a patch for an arbitrary code execution flaw in its Authentication Agent for Web for Internet Information Service. The vulnerability was due to a boundary error that could be exploited to cause a buffer overflow in versions 5, 5.2 and 5.3.
-http://news.com.com/RSA+patches+Web+authentication+tool/2110-7355_3-5705043.html


UK Security Center Warns of IPSec Vulnerability (12/9 May 2005)
The UK's National Infrastructure Security Coordination Centre has warned of a vulnerability in the way virtual private networks use IPSec encryption and tunneling to connect computers. The flaw lies in certain configurations of IPSec that use Encapsulating Security Payload (ESP) in tunnel mode with confidentiality only. The vulnerability could allow attackers to intercept network communications.
-http://news.zdnet.com/2102-1009_22-5705185.html?tag=printthis
-http://www.eweek.com/article2/0,1759,1814368,00.asp
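The NISCC advisory above concerns ESP tunnels negotiated with an encryption algorithm but no integrity algorithm. As an added example (not code from the newsletter or NISCC), the following Python check audits a list of IPsec tunnel definitions and flags every proposal that offers confidentiality only; the one-line "name mode cipher[-integrity][-dhgroup]" syntax and the algorithm name lists are assumptions, so adapt the parser to your own IKE daemon's configuration format.

```python
"""Flag ESP proposals that encrypt without an integrity algorithm.

Added example; the config syntax and algorithm lists below are assumed,
not taken from any particular IKE daemon.
"""

# Integrity (authentication) algorithms recognised inside a proposal (assumed)
INTEGRITY_ALGS = {"md5", "sha1", "sha256", "sha384", "sha512", "aesxcbc"}
# AEAD ciphers that supply integrity on their own, so no separate token is needed
AEAD_CIPHERS = {"aes128gcm16", "aes256gcm16", "chacha20poly1305"}

# Constructed sample: one tunnel definition per line as "name mode proposal"
SAMPLE_CONFIG = """\
# name      mode       proposal
site-a      tunnel     aes128-sha1-modp1024
site-b      tunnel     aes256
site-c      tunnel     aes128gcm16
legacy      transport  3des-md5
lab-box     transport  aes128
"""


def provides_integrity(proposal):
    """Return True if the ESP proposal authenticates the payload."""
    tokens = proposal.lower().split("-")
    if tokens[0] in AEAD_CIPHERS:
        return True
    # Any integrity token after the cipher (DH groups are ignored)
    return any(t in INTEGRITY_ALGS for t in tokens[1:])


def audit(config_text):
    """Return (name, mode, proposal) for each confidentiality-only entry.

    Tunnel mode is the configuration named in the advisory, but transport-mode
    entries without integrity are reported too, since they lack authentication
    as well.
    """
    findings = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, mode, proposal = line.split()
        if not provides_integrity(proposal):
            findings.append((name, mode, proposal))
    return findings


if __name__ == "__main__":
    for name, mode, proposal in audit(SAMPLE_CONFIG):
        print(f"{name}: {mode} mode with '{proposal}' has no integrity algorithm")
```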


Apple's iTunes Update Addresses MPEG-4 Parsing Problem (10 May 2005)
Apple has released an update for its iTunes application that addresses a buffer overflow flaw in the way the application parses MPEG-4 files. iTunes version 4.8 also supports some new features, including transferring contacts and calendars to iPods and video downloads.
-http://www.eweek.com/print_article2/0,2533,a=151589,00.asp


MyDoom.BQ Spreading in Europe (10 May 2005)
A new MyDoom variant has been spreading in Europe and allows attackers to take control of infected computers. MyDoom.BQ arrives as an attachment. When users open the attachment, the worm collects email addresses from the computer and sends itself out; it also installs a backdoor channel to IRC. In addition, the worm, which has also been called Mytob.ED, redirects efforts to log on to antivirus web sites.
-http://www.vnunet.com/news/1162938
[Editor's Note (Grefer): A personal firewall product installed locally on each computer, as well as a centrally managed corporate firewall, helps to identify such communications and stop them dead in their tracks. ]


ATTACKS AND INTRUSIONS


Illinois High School Students Could Face Charges for Computer Intrusion (13 May 2005)
Two Illinois high school students who allegedly broke into a school database that contains student and staff Social Security numbers could face criminal charges. The breach was discovered while the school was investigating a report of a different intrusion. The investigation is still underway and could potentially involve additional students.
-http://www.chicagotribune.com/technology/chi-0505130165may13,1,6985928,print.story?coll=chi-techtopheds-hed&ctrack=1&cset=true

-http://abclocal.go.com/wls/news/print_051205_ns_school_hacked.html


MISCELLANEOUS


Independent Review of SANS Security Training Programs (6 May 2005)
Certified Security Professional reviewed the SANS 2005 San Diego conference. CSP spoke with students, instructors and vendors who were of the unanimous opinion that SANS 2005 provided them the opportunity to be "totally immersed in an environment that promotes not only learning but a deep understanding of the subject matter."
-http://www.certifiedsecuritypro.com/index.php?option=com_content&task=view&id=129&Itemid=172




*** Categories of security products covered in SANS WhatWorks ***

Defensive Wall 1: Blocking Attacks: Network Based
Intrusion Prevention Systems (Network)
Intrusion Detection Systems
Firewalls and Anti-Virus Gateways
Secure Web Filtering
Managed Security Services
DDOS Blocking
Secure Email - Anti-Spam

Defensive Wall 2: Blocking Attacks: Host Based
Host Intrusion Prevention System
Spyware Removal
Personal Firewalls and Scan & Block/Quarantine Systems
Personal Antivirus

Defensive Wall 3: Eliminating Security Vulnerabilities
Vulnerability Scanning and Management
Patch and Configuration Management
Application Security Testing

Defensive Wall 4: Safely Support Authorized Users
ID & Access Management
File Encryption
Secure Communication
PKI
Secure Remote Access

Defensive Wall 5: Tools for People, Processes, and Recovery
Security Information Management
Security Skills Development
Forensics Tools
Back-Up

===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit
http://portal.sans.org/