Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume V - Issue #20

May 21, 2003

TOP OF THE NEWS

Baiting the Trap for Cyber Criminals
Operation E-Con Nets 135 Arrests, Millions in Assets
Open Relay Warnings Sent To ISPs In Several Countries
SEC Files Charges Against Alleged Spammer

THE REST OF THE WEEK'S NEWS

W32/Palyh Worm Pretends to be From Microsoft
NIST Releases Draft of New Federal Information Processing Standard
Malware Myths Debunked
Taking the Fizz Out of Fizzer
Australian ISP Hacker Convicted on Appeal
South Korean Official Says North Korea is Training Hackers
UK Small Business Security is Lagging
DHS to Establish Cybersecurity R & D Office
Bank of America Customers Targeted by Fraud Artist
Fending off DoS Attacks
Targeted Attacks on the Rise
DMCA Researcher Exemption Hearings
RIAA Withdraws Errant Copyright Violation Notices
Survey Says External Threats More Prevalent than Internal Threats

TUTORIAL

Secure Installation and Configuration of Apache 1.3.x Web Server

TOP OF THE NEWS

Baiting the Trap for Cyber Criminals (18/19 May 2003)

A fascinating three-part series of articles detailing how two Russian men turned to cyber security extortion, how they were ultimately captured in an FBI sting (when they came to the US for a purported job interview), and how the threat continues to build because of differences in legal approaches between the US and Russia.
-http://www.washingtonpost.com/ac2/wp-dyn/A2619-2003May17?language=printer
-http://www.washingtonpost.com/ac2/wp-dyn/A7774-2003May18?language=printer
-http://www.washingtonpost.com/ac2/wp-dyn/A12984-2003May19?language=printer

Operation E-Con Nets 135 Arrests, Millions in Assets (16 May 2003)

Federal officials have arrested 135 cyber criminals and have seized over $17 million in assets as a part of "Operation E-Con." Alleged crimes include setting up phony bank web sites to steal account information from unsuspecting customers and taping and selling unreleased movies. Among the agencies participating are the FBI, the US Postal Inspection Service and the Federal Trade Commission.
-http://www.washingtonpost.com/wp-dyn/articles/A60804-2003May15.html
-http://www.cnn.com/2003/TECH/internet/05/16/cybercrime.feds.ap/index.html
-http://www.informationweek.com/story/showArticle.jhtml?articleID=10000129

Open Relay Warnings Sent To ISPs In Several Countries (15 May 2003)

US federal and state law enforcement agencies will work with their counterparts in Australia, Canada and Japan in a concerted effort to combat spam. Letters have been sent to operators of more than 1,000 e-mail servers around the world, warning them that open relays could be used to send unsolicited e-mail. The letters explained that spam appears to be coming from their systems. The spam can cause network traffic to increase significantly and their ISPs could cut off their service. The letters concluded by advising the operators to close their relays.
-http://news.com.com/2100-1028_3-1001868.html

SEC Files Charges Against Alleged Spammer (13 May 2003)

The US Securities and Exchange Commission (SEC) has filed fraud charges against K.C. Smith who allegedly stole more than $100,000 from unwitting on-line investors by setting up two phony web sites, including one for the nonexistent US Deposit Insurance Corp. (USDIC) that had the SEC's official seal on it. Smith allegedly sent 9 million spam messages promoting his scheme and used other fraudulent means to hide his identity while conducting business. Smith agreed to repay the allegedly stolen funds plus interest, but has neither admitted nor denied the allegations against him.
-http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,81188,00.html

THE REST OF THE WEEK'S NEWS

W32/Palyh Worm Pretends to be From Microsoft (19 May 2003)

A worm called Palyh travels as a .pif attachment to e-mail designed to look like it comes from support@microsoft.com. The worm copies itself to the Windows folder and sends itself to e-mail addresses found on the infected computer.
-http://news.bbc.co.uk/1/hi/technology/3040247.stm
-http://www.computerworld.com/securitytopics/security/virus/story/0,10801,81344,00.html
-http://www.msnbc.com/news/915499.asp?0dm=C217T
-http://news.com.com/2100-1002_3-1007603.html

NIST Releases Draft of New Federal Information Processing Standard (FIPS) (15 May 2003)

The National Institute of Standards and Technology's (NIST's) Computer Security Division has released a draft of the new Federal Information Processing Standard (FIPS) which tells agencies how to categorize their computer systems based on security risks. There is a 90-day comment period.
-http://www.fcw.com/fcw/articles/2003/0512/web-nist-05-16-03.asp
-http://csrc.nist.gov/publications/drafts/FIPS-PUB-199-ipd.pdf
[Editor's Note (Paller): Although this NIST document is just the first step in a series that will lead to useful new standards, it is still extremely important. Its unique value arises because it is the first federal document that explains to federal agencies (and any other readers) why they must bring all systems up to a minimum standard of due care for security before they conduct in-depth risk assessments to target additional security controls on the greatest risks. ]

Malware Myths Debunked (19 May 2003)

The first of a series of three articles about malware and misinformation debunks the belief that not using Microsoft products offers immunity to malware.
-http://www.securityfocus.com/infocus/1695

Taking the Fizz Out of Fizzer (14/16/19 May 2003)

The chat network security group IRC/Unity has figured out the algorithm that determines the user nickname that is able to send commands to machines infected with the Fizzer worm. Once someone knows the nickname, which depends on the current date, that person can send commands to the infected machines. The worm has overwhelmed some IRC networks, and some administrators say there are ways to address the problem, but they involve executing code on victims' computers, a possible violation of the US Computer Fraud and Abuse Act.
-http://news.com.com/2100-1009_3-1007743.html
-http://news.com.com/2100-1002_3-1003894.html
-http://news.com.com/2100-1002_3-1001601.html

Australian ISP Hacker Convicted on Appeal (16 May 2003)

Stephen Craig Dendtler, who initially received a suspended sentence for illegally accessing account information belonging to more than 400,000 customers of Australia's Optus network, was convicted on appeal. Dendtler will pay a fine of AU$4,000 and is on a two-year "good behaviour" bond. Authorities had been concerned that the absence of a conviction would send the wrong message to other would-be cyber-criminals.
-http://www.zdnet.com.au/newstech/security/story/0,2000048600,20274570,00.htm
-http://www.theregister.co.uk/content/55/30744.html

South Korean Official Says North Korea is Training Hackers (16 May 2003)

A South Korean military official says that North Korea is training approximately 100 hackers each year to boost its cyber warfare capability. Because of its reliance on computers, South Korea would be particularly vulnerable to a cyber attack. Song Young-keun, commanding general of Seoul's Defense Security Command, says the South Korean military is working on bolstering cyber security, and needs help from research institutions and private sector businesses.
-http://www.cnn.com/2003/TECH/internet/05/16/korea.hackers.reut/index.html

UK Small Business Security is Lagging (15 May 2003)

A Symantec survey found that while 97% of small businesses in the UK use anti-virus software, 30% do not use firewalls and 63% do not monitor their networks. In addition, only 26% of the businesses install software patches as soon as they are available.
-http://news.bbc.co.uk/2/hi/technology/3029955.stm
[Editor's Note (Grefer): Businesses may be well advised to delay installing patches on production systems immediately upon availability. Patches should be tested on systems that are not business-critical prior to their deployment. ]

DHS to Establish Cybersecurity R & D Office (14 May 2003)

The Department of Homeland Security plans to establish a cybersecurity office; no one has yet been named to run that office. Responsibilities of the new office will include the development of a cybersecurity disaster recovery plan. It will also coordinate cybersecurity efforts in both the public and private sectors. The creation of the office is seen by some as evidence that the administration is committed to protecting the Internet from security threats. It is still uncertain how many employees will be assigned to the new office and how much funding it will receive. The office will have partnerships with the National Science Foundation and the National Institute of Standards and Technology (NIST).
-http://www.washingtonpost.com/wp-dyn/articles/A56254-2003May14.html
-http://www.fcw.com/fcw/articles/2003/0512/web-cyber-05-14-03.asp

Bank of America Customers Targeted by Fraud Artist (13/14 May 2003)

Bank of America customers have been targeted by a con artist who tries to get them to visit a phony website and provide their personal account data. They received spoofed e-mails directing them to the phony site. Bank of America has warned its customers about the scam and encourages them to be proactive about their on-line habits.
-http://www.eweek.com/article2/0,3959,1085451,00.asp
-http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,81211,00.html
[Editor's Note (Ranum): Similar scams are being launched against Ebay users. This is going to be a major problem because, unfortunately, authenticated e-mail is still an unsolved problem. ]

Fending off DoS Attacks (13/14 May 2003)

Carnegie Mellon graduate students presented two papers at the recent IEEE (Institute of Electrical and Electronics Engineers) Symposium on Security and Privacy describing methods of countering denial-of-service attacks. One involves requiring a computer to solve a puzzle before being granted access to a website; the more requests sent by one computer, the more difficult the puzzles become. The other involves modifying data in request headers.
-http://news.com.com/2100-1009_3-1001200.html
-http://www.newscientist.com/news/news.jsp?id=ns99993729
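As an added illustration of the puzzle idea (this is not the researchers' scheme or code from the cited articles), the sketch below uses a SHA-256 partial hash-reversal puzzle whose required difficulty rises with the number of puzzles a client has already been issued; the client identifier, difficulty parameters and nonce bookkeeping are all assumptions made for the example.

```python
import hashlib
import os
from collections import defaultdict


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 32-byte SHA-256 digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


class PuzzleServer:
    """Hands out puzzles that get harder the more often one client asks."""

    def __init__(self, base_bits: int = 8, step_bits: int = 2, max_bits: int = 20):
        self.base_bits, self.step_bits, self.max_bits = base_bits, step_bits, max_bits
        self.issued = defaultdict(int)   # client_id -> puzzles issued so far (assumed key)
        self.outstanding = {}            # nonce -> (client_id, bits), one-shot to stop replay

    def difficulty(self, client_id: str) -> int:
        # Each earlier request adds step_bits, so a flood pays exponentially more work.
        return min(self.base_bits + self.step_bits * self.issued[client_id], self.max_bits)

    def issue(self, client_id: str):
        bits = self.difficulty(client_id)
        self.issued[client_id] += 1
        nonce = os.urandom(8)
        self.outstanding[nonce] = (client_id, bits)
        return nonce, bits

    def verify(self, client_id: str, nonce: bytes, bits: int, solution: bytes) -> bool:
        # A nonce is accepted once, only for the client and difficulty it was issued with.
        record = self.outstanding.pop(nonce, None)
        if record != (client_id, bits):
            return False
        digest = hashlib.sha256(nonce + solution).digest()
        return leading_zero_bits(digest) >= bits


def solve(nonce: bytes, bits: int) -> bytes:
    """Client side: brute-force a counter until H(nonce || counter) has enough leading zeros."""
    counter = 0
    while True:
        candidate = counter.to_bytes(8, "big")
        if leading_zero_bits(hashlib.sha256(nonce + candidate).digest()) >= bits:
            return candidate
        counter += 1


if __name__ == "__main__":
    server = PuzzleServer()
    for _ in range(3):                      # a client that keeps asking sees 8, 10, 12 bits
        nonce, bits = server.issue("client-a")
        print(bits, server.verify("client-a", nonce, bits, solve(nonce, bits)))
```

The server's cost per puzzle is one hash, while the client's expected cost doubles with every two bits added, which is the asymmetry the puzzle approach relies on.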

Targeted Attacks on the Rise (13 May 2003)

Hackers are increasingly launching "targeted attacks" in which specific tools are used against specific cyber targets, instead of releasing worms and viruses that spread indiscriminately across the Internet. Statistics from security services provider Riptech show that 40% of attacks suffered by their client base were targeted, significantly above the expected 15%.
-http://news.com.com/2010-1071-1001016.html

DMCA Researcher Exemption Hearings (13 May 2003)

The US Copyright Office is holding hearings to decide if it should broaden the exemptions to the Digital Millennium Copyright Act (DMCA) to include researchers looking for vulnerabilities. There are two exemptions now in place, both of which expire in October of this year. The first allows researchers to crack censoring software to see which sites are blocked; the second covers old programs and databases with defective or obsolete access control mechanisms.
-http://www.securityfocus.com/news/4729
[Editor's Note (Schultz): I've said it before and I'll say it again --the DMCA is bad news for information security. Let's hope that those who are considering the exemptions are more rational than those who originally wrote and passed this act. ]

RIAA Withdraws Errant Copyright Violation Notices (13 May 2003)

The Recording Industry Association of America (RIAA) has sent 24 withdrawal notices to entities which had erroneously received cease-and-desist notices. The notices alleged the recipients were in violation of the Digital Millennium Copyright Act (DMCA) for offering copyrighted files for downloading.
-http://news.com.com/2100-1025_3-1001319.html

Survey Says External Threats More Prevalent than Internal Threats (12/15 May 2003)

A Deloitte Touche Tohmatsu (DTT) survey found that 39% of banks and financial services companies reported computer security breaches last year. 16% of those came from external sources, 10% from internal sources and 13% from both. 175 senior IT executives were surveyed. DTT's Simon Owen said the figures show that the biggest threat to companies is not from employees; cyber attacks are becoming increasingly sophisticated.
-http://news.zdnet.co.uk/story/0,,t269-s2134573,00.html
-http://www.theregister.co.uk/content/55/30722.html
-http://www.vnunet.com/News/1140907
[Editor's Note (Schultz): The old (and, unfortunately, still often quoted) adage, "More attacks come from the inside than outside," has been untrue for years. ]

TUTORIAL

Secure Installation and Configuration of Apache 1.3.x Web Server (14 May 2003)

This article provides step-by-step instructions for installing and configuring the Apache 1.3.x Web server. Advice includes enabling only necessary modules, chrooting the server and configuring the software so that its version number is hidden.
-http://www.securityfocus.com/infocus/1694


==end==
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/