SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IV - Issue #52
December 23, 2002
TOP OF THE NEWS20 December 2002 Report Says Cyberterrorism is Overhyped
19 December 2002 President Bush Signs e-Government Act
16 December 2002 Software Company Files Suit Over Vulnerability Disclosure
THE REST OF THE WEEK'S NEWS20 December 2002 Welsh Man Admits Authoring Three Viruses
19 December 2002 Cross-Site Scripting Vulnerability on Cisco.com
19 December 2002 NamesDirect.com Customer Info Exposed
18 December 2002 e-Clearance Initiative on Target
18 & 19 December 2002 Windows XP Vulnerability
16 & 17 December 2002 CERT/CC Warns of SSH Vulnerabilities
18 December 2002 Fix Available for Macromedia Flash Vulnerability
18 December 2002 RealNetworks Releases Fix
18 December 2002 Former Employee Charged with Cyber Sabotage
18 December 2002 Man Takes Control of al Qaeda Sites
17 & 18 December 2002 Iraq_Oil Worm
17 December 2002 Revised Cyberspace Strategy Due
17 December 2002 Survey Finds Surfing Opens Companies Up to Viruses
17 December 2002 Another Phony eBay Site Tries to Gather Personal Data
16 & 20 December 2002 CA HS Student Hacks School Computer for Project
16 December 2002 DEA Agent Who Sold Data Receives Prison Sentence
*************** This issue sponsored by SANS 2003 *******************
Why Do People Come Back Year After Year To SANS Annual Conferences?
"No other organization delivers courses with the technical detail,
organization and 'mentoring' that SANS provides. Many conferences turn
out to be very expensive marketing messages. SANS' vendor neutral
approach assures that I get the info that will best protect/support
my network. Ultimately, I come away from the conference a little more
paranoid but much better armed to protect my system."
(Tom E. Gonzales, Colorado State Employees Credit Union)
"The one primary reason that I keep coming back to SANS events is
the quality of the faculty."
(Jim Clausing, AT&T)
Early registration earns free bonus book: http://www.sans.org/SANS2003
TOP OF THE NEWS
20 December 2002 Report Says Cyberterrorism is OverhypedA report for the Center for Strategic and International Studies says that the threat of cyberterrorism is over-hyped, calling such threats "weapons of mass annoyance" and comparing them to delayed flights and broken off phone calls. The country's critical infrastructure is accustomed to dealing with problems. Jim Lewis, who compiled the report, allows that a cyber attack in concert with a physical attack could compound the effects.
[Editor's Note (Schultz): I'm in full agreement with Mr. Lewis. I'm sure that a genuine cyberterrorism threat exists, but it has been blown far out of proportion. "Crying wolf" in the information security arena is no new problem, but the events of September 11 have, unfortunately, given impetus to louder and more extreme rhetoric. ]
19 December 2002 President Bush Signs e-Government ActThe E-Government Act of 2002 has been signed into law; among other provisions is a requirement that agencies test their systems for security problems and address those they find.
[Editor's Note (Paller): Two contracting changes in the new law will impact many government contractors: (1) contractors may take home a share of the savings their e-Gov systems provide to the government, and (2) security contractors that have the technical skills to fix security vulnerabilities such as configuration flaws and perimeter errors will take most of the contracts away from traditional contractors that can only test for vulnerabilities but do not have the certified skills needed to fix them. A listing of contractors with relevant skills will help agencies choose effective contractors. ]
16 December 2002 Software Company Files Suit Over Vulnerability DisclosureAutoProf.Com Inc., a New Hampshire software company, published a white paper in July describing vulnerabilities in a tool from Florida software company ScriptLogic Corp. ScriptLogic has filed a federal lawsuit against AutoProf that accuses the Portsmouth-based company of violating copyright laws and license agreements, and asks that the company pay $75,000 in damages and recall their white paper. AutoProf and ScriptLogic are competitors. The case underscores the need for vulnerability disclosure guidelines.
THE REST OF THE WEEK'S NEWS
20 December 2002 Welsh Man Admits Authoring Three VirusesSimon Vallor of Wales has admitted to creating and spreading three computer viruses, Gokar, Redesi and Admirer. Vallor has been released on bail pending sentencing.
19 December 2002 Cross-Site Scripting Vulnerability on Cisco.comThe cisco.com web site is vulnerable to cross-site scripting, according to an advisory from online security portal Securiteam.com. Cross-site scripting vulnerabilities could allow attackers to steal information that would let them log in to the site.
[Editor's Note (Ranum): Yet another example of "security researchers" hyping someone's vulnerability to market themselves. This is the kind of thing that, if someone really wanted to help, would have been cleared up quietly with a minimum of fuss and no need for a self-serving grab at headlines. As long as the press continues to reward this kind of behavior with headlines, we'll see this kind of behavior.
My remarks about this same topic in the December 12 issue of NewsBites shouldn't be construed as an attack directed at ISS; my issue is with the disclosure-as-marketing phenomenon. For a good counterpoint, there is an article at
that advocates the ISS approach to vulnerability disclosure and discusses making the vendors more accountable. For those following the vulnerability disclosure saga, it's a worthwhile read. Robert Graham, Chris Klaus and I have been carrying on an amiable private debate via Email on this topic. Robert's posted a good opinion piece on his web site (see:
19 December 2002 NamesDirect.com Customer Info ExposedA website administrator and customer of NamesDirect.com discovered company log-in credentials that provided access to large quantities of sensitive customer data, including names associated with registered domains, and home addresses, credit card numbers and expiration dates. The log-in information was available on 13 web pages, and furthermore, was quite easily guessed. The administrator tried to let the company know about the problem, but the company didn't fix the problem, so he took the information to CardCops.com, which in turn told MSNBC.com; when MSNBC.com contacted the company about the problem, they finally did address it.
18 December 2002 e-Clearance Initiative on TargetThe Office of Personnel Management (OPM) is taking steps to speed up federal employee security clearances; widely used and helpful forms are expected to be available on line soon. The OPM is heading up the e-Clearance e-Government initiative, which should be complete by May, 2003.
[Editor's Note (Northcutt): The security risks of this are obvious as evidenced by the story above. This is made even more interesting since OPM intends to link to the DoD clearance adjudication service. What a juicy target, all the information about people trusted with sensitive information including the "dirt". (Shpantzer): As the DEA and UBS story in this issue demonstrated, security eventually hinges on the trustworthiness and reliability of personnel with high levels of privilege. Streamlining the clearance process while maintaining thoroughness is important because many sensitive IT projects are not fully staffed due to investigative backlogs. ]
18 & 19 December 2002 Windows XP VulnerabilityA buffer overflow flaw in Microsoft Windows Shell in Windows XP could allow specially crafted MP3 or WMA files to execute code that could potentially alter data on vulnerable computers. Microsoft has deemed the flaw "critical" and has released a patch for it.
16 & 17 December 2002 CERT/CC Warns of SSH VulnerabilitiesThe Computer Emergency Response Team Coordination Center (CERT/CC) has issued an advisory warning of a number of vulnerabilities in secure shell (SSH) protocol implementations in SSH clients and servers. The vulnerabilities occur prior to user authentication and could allow arbitrary code execution or denial of service. CERT/CC recommends applying appropriate vendor patches and limiting SSH server access.
18 December 2002 Fix Available for Macromedia Flash VulnerabilityMacromedia has released a new version of its Flash multimedia player that addresses an overflow vulnerability that could be used to run malicious code. Users running versions older than 126.96.36.199 are encouraged to upgrade to the new edition, which is available on Macromedia's web site.
18 December 2002 RealNetworks Releases FixRealNetworks has released updates for buffer overflow flaws in its RealOne Player products. RealNetworks had released a fix several weeks ago which was found to have vulnerabilities.
18 December 2002 Former Employee Charged with Cyber SabotageFormer UBS PaineWebber system administrator Roger Duronio has been charged with sabotaging company computer systems in an attempt to manipulate its stock price. Duronio placed logic bombs on the computers that deleted files. Duronio has been charged with one count of securities fraud and one count of violation of the Computer Fraud and Abuse Act.
[Editor's Note (Shpantzer): Separation of privilege is one of the most important principles in security. How did this person gain access to 1,000 systems at branch offices across the country? ]
18 December 2002 Man Takes Control of al Qaeda SitesA Minnesota man said he took control of two web addresses that had been used by al Qaeda to praise terrorist attacks. The man got the information he needed by breaking into the Hotmail account of someone listed as the contact for one of the sites. The man's actions have met with much criticism; some say that he is hindering the government's efforts to fight terrorism.
[Editors' Note (Multiple): Sounds like he's also breaking the law. Self-appointed vigilantes ultimately cause more trouble than good. ]
17 & 18 December 2002 Iraq_Oil WormThe W32/Lioten worm, also known as the Iraq-_Oil worm, spreads through shared folders in Windows XP, NT and 2000. The worm scans for machines that are sharing folders and listens for responses from port 445 from computers using Windows Server Message Block. If it receives a response, it tries to break into the machine through brute force password guessing.
[Editor's Note (Murray): If one must expose even a small part of one's file system to the public networks, one should not expose both read and write privileges on the same object. To do so invites the storage of contraband on one's system; worse, it invites this kind of mischief. ]
17 December 2002 Revised Cyberspace Strategy DueThe revised version of the National Strategy to Secure Cyberspace is expected to be submitted for President Bush's approval next soon. Among the changes in the document are increased responsibility placed on Internet service providers (ISPs) for ensuring networks are protected from cyber attacks, the need for improved wireless security and for private companies to be more forthcoming with information about computer vulnerabilities.
[Editor's Note (Schultz): Requiring more responsibility on the part of ISP's is the most appropriate recommendation of all. ISPs have too long been a weak link, perhaps even the weakest link, in Internet security. (Murray): I agree. However, I think that it is important that we not give blanket endorsement to the government agenda. We should endorse ISP cooperation with warrants while resisting routine cooperation with warrantless, not to say unwarranted, queries. ]
17 December 2002 Survey Finds Surfing Opens Companies Up to VirusesWebsense's Australian 2002 Web@Work report found that companies suffered virus infections as a result of employees surfing the web during work. Websense recommends that businesses allow employees to use their company e-mail account to conduct personal e-correspondence, as many web-based e-mail services do not provide the virus protection afforded by the company's own e-mail systems.
[Editor's Note (Grefer): The report itself can be found at
How representative is a sample size of 143 technology professionals? For comparison, the corresponding U.S. and European reports are available at
17 December 2002 Another Phony eBay Site Tries to Gather Personal DataFor the third time in recent weeks, eBay customers have been targeted by a fraudulent site asking them to verify their account information; the operators of the sites harvest eBay usernames and passwords as well as credit card, banking, drivers' license and social security numbers. An eBay spokesman says the company never asks members for their passwords.
16 & 20 December 2002 CA HS Student Hacks School Computer for ProjectA California high school student broke into the school's grades database and changed his GPA from a perfect 4.0 to a 1.9. Reid Ellison performed the intrusion as part of an approved project; Ellison provided the school with three pages of suggestions for improving its computer security.
16 December 2002 DEA Agent Who Sold Data Receives Prison SentenceEmilio Calatayud, formerly of the U.S. Drug Enforcement Agency (DEA), has received a 27-month prison sentence for selling information from three sensitive law enforcement databases to an investigative service. Calatayud will also pay a $5,000 fine.
[Editor's Note (Murray): Sanctions for abuse of professional privileges should be harsher than the same acts committed by others. Abuse of law enforcement privileges must be harshly punished to preserve public trust and confidence in the rule of law. ]
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) e-mail firstname.lastname@example.org with the subject: