SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #2
January 15, 2003
TOP OF THE NEWS
NSA Reports Benchmarks Eradicate 91% Of Tested Vulnerabilities
Lawsuit Against Kazaa May Proceed
NIAC Cyber Security Recommendations
CSO Security Spending Survey
Johansen Not Guilty of Piracy in DeCSS Case
THE REST OF THE WEEK'S NEWS
Web Application Security Problems
Commission Seeks Comment on Guidelines for Sentencing Hackers
Microsoft Adds Level to Security Rating System
Researchers Show Info Sharing Reduces Cyberattack Risk
DoD Task Force to Evaluate Healthcare Contractor Security
Phreakers Target Texas A&M
Vatican Warns Against On-Line Confession
Satellite TV Hacker Will Help Feds in Plea Agreement
West Point Establishes Secure Wireless Network
Microsoft Reader e-Book Software Circumvention Code Posted
Ethernet Device Vulnerability Could Expose Sensitive Data
IETF, SANS, OASIS and Liberty Alliance Named Network Standards Leaders
WORMS AND OTHER MALWARE
Malware Names Can be Confusing
W32/Sobig Worm
BBC Hit by ExploreZip Worm
Lirva Worm
******************** This Issue Sponsored by NetIQ *******************
Security Webcast Featuring Kevin Mitnick
Join former hacker turned consultant Kevin Mitnick, as part of our
distinguished panel of security experts, for NetIQ's free security
webcast-"People & Policies: Turning Your Weakest Security Link into
a First Line of Defense."
TOP OF THE NEWS
December 2002
NSA Reports Benchmarks Eradicate 91% Of Tested Vulnerabilities
The most recent US Department of Defense Information Assurance Newsletter reports that tests run by the National Security Agency measured the impact of applying security configuration benchmarks, specifically the Center for Internet Security/NSA/GSA/NIST Windows 2000 Consensus Security Baseline Settings. Applying the baseline settings eliminated more than 95% of high priority vulnerabilities (as determined by a popular commercial scanner) and 91% of all vulnerabilities. Download the complete IA Newsletter at
The NSA data is presented and analyzed beginning on page 10. The baseline settings, referenced in the article, are available for download from www.cisecurity.org along with a free tool that tests your system for compliance.
10, 13 & 14 January 2003
Lawsuit Against Kazaa May Proceed
A federal judge in Los Angeles has ruled that a lawsuit against Australia-based Sharman Networks, the parent company of the Kazaa peer-to-peer file sharing service, may proceed in U.S. court because more than 143 million people have downloaded and used Kazaa software. Sharman argued it couldn't be tried in the U.S. because it is based in Australia and incorporated in Vanuatu. Sharman plans to fight the ruling.
[Editor's Note (Shpantzer): This is big. Kazaa makes Napster look like a grade-school science project, and now it may suffer a similar legal fate. ]
8 & 9 January 2003
NIAC Cyber Security Recommendations
The National Infrastructure Advisory Council has finalized its recommendations for the National Strategy to Secure Cyberspace. The Council recommends that the government encourage marketplace development and use of standards, but refrain from imposing standards. The Council also recommends that the government use its influence in terms of purchasing power to encourage interoperability between the standards.
[Editor's Note (Murray): The best thing that government can do to improve the security of the public networks is to stop connecting weak systems to them. ]
7 January 2003
CSO Security Spending Survey
A CSO Survey indicates that companies will spend 10% of their IT budget on security in 2003; this figure marks an 8% increase over 2002 spending. Investment in computer security is increasingly seen as a strategic move, and some security departments are likely to get their own budgets instead of being a part of the IT budget.
7 & 8 January 2003
Johansen Not Guilty of Piracy in DeCSS Case
Norwegian teenager Jon Johansen was found not guilty of DVD piracy charges for his role in creating and distributing the DeCSS DVD decryption program.
[Editor's Note (Schultz): Hopefully, U.S. court rulings over the years will achieve a reasonable balance between protecting the interests of copyright holders and the freedom to research vulnerabilities. This ruling leans towards the latter, but more rulings will undoubtedly come in time. ]
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) ALERT: Exploiting Web Applications- A Step-by-Step Attack Analysis
FREE white paper!
(2) Instantly stop DDoS attacks and port scans.
(3) Earn a Norwich University Master's Degree in Information Security
in 24 months. http://www.sans.org/cgi-bin/sanspromo/NB121
SANS Local Mentor Programs begin in 31 cities in 5 countries
during the next 16 days. Details and schedule at the SANS Web site:
THE REST OF THE WEEK'S NEWS
13 & 14 January 2003
Web Application Security Problems
The Open Web Application Security Project (OWASP) has listed what its members feel are the most pressing web application security problems; these include unvalidated parameters, broken access control and cross-site scripting flaws.
[Editor's Note (Murray): These are not novel; they did not originate with web applications. They were identified and enumerated decades ago. We simply fail to teach them. ]
13 January 2003
Commission Seeks Comment on Guidelines for Sentencing Hackers
The United States Sentencing Commission (USSC) is asking for public comment on sentencing guidelines for those convicted of cybercrimes. Currently, the guidelines for cybercriminals are the same as those for people convicted of embezzlement, theft and larceny. The deadline for comments is February 18, 2003.
13 January 2003
Microsoft Adds Level to Security Rating System
Microsoft has expanded its security rating system to include "important" warnings; the new level is one step below "critical." Critics say Microsoft should have reduced the number of warning levels from three to two instead of adding a level; they maintain the increased number of levels makes it harder for people to know if they have to apply a patch immediately or if they can wait until a more convenient time.
12 January 2003
Researchers Show Info Sharing Reduces Cyberattack Risk
Two computer security researchers at Harvard University have developed a model that they claim demonstrates that companies that share information about security breaches and cyber attacks may be less likely to be the victims of such attacks.
[Editor's Note (Murray): I, for one, remain to be convinced. (Paller) The authors contend that users will be protected because attackers won't want their attack methods shared. This is a second order effect and is not needed to prove the value of sharing actual attack information. The Incidents.Org project run during 2000 and 2001 proved that, during major attacks, hundreds of organizations' technical people willingly shared data about how the attacks were affecting their systems and what their attempts to block those attacks accomplished. In return, they were assured that the cumulative report published by Incidents.Org, on what was happening and what remedial steps were effective, reflected the best available information. That enabled the contributors to act quickly to improve protection for their systems. SANS made the information available to all who wanted it, so the people sharing data knew they were helping the whole community. Similar results have been shown by CERT/CC. The process works as long as technical people have complete trust that (1) the person to whom they are giving the data will guard the contributor's name and organization from any possible disclosure and (2) the people receiving the data have the technical skills to analyze it and integrate it in time to help protect the contributor and other organizations. ]
10 January 2003
DoD Task Force to Evaluate Healthcare Contractor Security
In the wake of the theft of computers containing personal data from a Defense Department (DoD) medical records contractor's office, the DoD has formed a task force that will evaluate security at all its medical contractors' offices, and has ordered those contractors to audit their information security procedures.
10 January 2003
Phreakers Target Texas A&M
Texas A&M University's telephone system was hit by phone phreakers who guessed voice mailbox passwords and altered messages to accept charges for long distance calls. Everyone at the University has been advised to change voice mailbox passwords.
10 January 2003
Vatican Warns Against On-Line Confession
9 January 2003
Satellite TV Hacker Will Help Feds in Plea Agreement
Federal prosecutors have reached a plea agreement with Stephen Woida, who has pleaded guilty to charges of conspiracy to steal satellite services. Woida is alleged to have cracked satellite television smart cards. As part of the plea agreement, Woida will help the government with international chip hacking cases.
[Editor's Note (Ranum): This sends a dangerous message: "if you're a really skilled hacker, you'll get away with it." We reward misbehavior and are puzzled by the results. ]
8 January 2003
West Point Establishes Secure Wireless Network
West Point has established what it believes to be a highly secure wireless network on its campus. The security measures, which include a virtual private network (VPN) and sixty access controllers, cost the school five times what it paid for the wireless network itself. Because its network is connected to the Defense Department's network, West Point wanted to make sure every security precaution was taken.
7 & 8 January 2003
Microsoft Reader e-Book Software Circumvention Code Posted
British programmer Dan Jackson has posted software that circumvents the copy protection on Microsoft Reader e-book software. Both the program and its source code are posted on Jackson's site; the program's creator wants to remain anonymous, according to Jackson. He says his involvement with the project stems from his desire "to read e-books on older platforms." Microsoft is examining its options, which include taking legal action.
[Editor's Note (Murray): We have heard that defense before. No one cares what he does to satisfy his own reading appetite. He does not have to publish on the Internet to do that. ]
6 & 7 January 2003
Ethernet Device Vulnerability Could Expose Sensitive Data
23 December 2002
IETF, SANS, OASIS and Liberty Alliance Named Network Standards Leaders
Network World's 2003 guide to the people, companies, technologies, and ideas that lead the Internet named leaders of the IETF, the Internet Architecture Board, The Liberty Alliance, OASIS, and SANS as the people "working behind the scenes to make sure everyone plays by the same rules." The URL below includes Network World's choices for vendors, users, government leaders, and thought leaders as well as the standards folks.
WORMS AND OTHER MALWARE
2 & 3 January 2003
Malware Names Can be Confusing
Standardizing the way viruses and worms are named would help home users, who usually do not understand the convention used by anti-virus vendors, know if they are protected from various strains of malware.
[Editor's Note (Murray): In a space in which one has tens of thousands of things to name, it is difficult to communicate much meaning in the names. ]
[Editor's Note on Worms (Northcutt): Three new worms are shown below. They are a moderate threat only; Klez is still a larger problem. All three spread using well-known, classic Windows problems, such as open file shares and attachments. Here's something we can do about them: Write a note in each of our organizations reminding our coworkers to (1) keep their anti-virus up to date, (2) check their hard drives for unprotected shares by typing "net view" in a command prompt window and (3) be careful with attachments, especially from people we don't know. As security professionals we know these things, but we need to keep educating the rest of our organizations, our spouses, parents, children and neighbors if we are ever going to get these worms under control. ]
13 January 2003
W32/Sobig Worm
The Sobig mass mailing worm arrives as an attachment and affects all Windows operating systems. If it is opened, it will try to copy itself to all shared hard drives and send itself to e-mail addresses found in the address book and several other locations. Sobig can receive updates from the web, the most recent of which contains a back door.
10 January 2003
BBC Hit by ExploreZip Worm
A BBC computer system became infected with a new variant of the ExploreZip worm. The mass mailer worm, which spreads through Outlook, arrives as an .exe attachment; when executed, ExploreZip overwrites Microsoft Word, Excel and PowerPoint files and reduces their size to zero KB. Definitions and fixes are available.
9 & 10 January 2003
Lirva Worm
The Lirva worm steals Windows passwords and e-mails them to a Russian address. Three times a month, it also opens Internet Explorer, connects to an Avril Lavigne website and displays a short message. Lirva spreads by sending itself to e-mail addresses it finds in various files on infected computers. The worm arrives as an .exe attachment. Lirva takes advantage of a vulnerability in several Microsoft products that allows attachments to execute when opened or previewed. Microsoft has released fixes for the vulnerability. Two variants of the originally identified worm are also circulating.
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Bill Murray, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) visit https://portal.sans.org/preferences.php
To update your address, visit http://www.sans.org/sansurl and enter
your SD number (from the header of this email.) You will receive your
personal URL via email.