SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #22
June 04, 2003
Correction: In the note we sent you Monday about new developments in
standards and benchmarks for security assessments, we inadvertently
pointed you to an out-of-date agenda for the June 21-22 National
Information Assurance Leadership Conference in Washington (which focuses
on the most important new standards and benchmarks, and an updated
threat briefing). The updated information is at
Today (June 4) is the deadline for early registration for both SANSFIRE
2003 and the National Information Assurance Leadership Conference. To
help you decide whether they are applicable to your needs, we included
a brief description of both programs at the end of this issue of
NewsBites. Online registration: http://www.sans.org/sansfire03
TOP OF THE NEWS
Preparing for California's New Security Breach Disclosure Law
Univ. of Calgary Defends Decision to Offer Virus-Writing Course
CSI/FBI Study Shows Cyber Crime Losses are Dropping
UK's NHTCU Will Offer PR Assistance to Companies that Follow Through with Prosecuting Cyber Criminals
THE REST OF THE WEEK'S NEWS
Microsoft to Offer Windows Security Credentials
Palyh and Fizzer More Prevalent than Klez
Yahoo Offers Fixes for IM and Chat Clients
Hacker Breaks Into Colorado Health Clinic System
Company Releases Info on Sun Vulnerabilities Before Fixes are Available
Tiger Team Program Teaches Teens Ethical Hacking
Microsoft Issues Bulletins for Vulnerabilities in IIS and Windows Media Services
Researcher Says Microsoft Bulletin is Misleading
Microsoft Updates Two Bulletins from Earlier this Spring
Apache HTTP Server Vulnerabilities
Malware Myths Debunked, Part II
OMB's FY 2002 GISRA Shows Improvement, Room for Growth
Microsoft Pulls XP Update After Customers Complain of Losing Internet Connectivity
IDC Survey Finds 72% of Asian Companies Suffered Network Intrusions
KaZaA Patches FastTrack Vulnerability
The Potential Risks of "Good Worms"
*********************** Sponsored by Websense ***********************
Deadly Internet Sin #2: GLUTTONY
Stop movies, music or Internet gaming from eating up your IT resources.
Limit multi-media downloads with Websense Enterprise software. A
superior database, flexible filtering options, comprehensive reporting
and seamless integration have made Websense the preferred employee
Internet management software of the Fortune 500.
Visit http://www.websense.com?id=NL15948 and download a free, 30-day
TOP OF THE NEWS
Preparing for California's New Security Breach Disclosure Law (30 May 2003)
This article addresses the implications of California's new law requiring businesses to report security breaches of unencrypted data to affected California residents. Businesses worldwide will be affected by the law, which goes into effect in less than one month. The law does not require companies to report breaches of encrypted personal data. The article also offers suggestions for getting ready to comply with the new law, including creating incident response plans, reviewing third-party contracts that involve sensitive data and evaluating the cost-effectiveness of encrypting all stored customer data.
Univ. of Calgary Defends Decision to Offer Virus-Writing Course (29/30 May 2003)
The University of Calgary has described the precautions that will be taken apropos of a course in virus writing to be offered in the fall: students' work will be limited to a closed network, no storage media will be allowed out of the locked laboratory, and removable media will be destroyed and hard drives scrubbed at the close of the semester. In addition, students will receive instruction in cyber ethics and law. Some anti-virus firms have made clear that they will not hire people who have taken such a course.
[Editor's Note (Schultz): These precautions seem superfluous. At a minimum, I would think that putting a measure for assigning any student a failing grade during or even after the course if that student were to misuse the knowledge gained in the course in place would be more reasonable. (Grefer): While such training increases knowledge of the inner workings of malware and can be helpful in developing better defenses, it bears a high risk, too. I have my doubts about the viability of enforcing the "no storage media will be allowed out" policy. USB storage key chains are very small, offer sufficient capacity, and can be hidden anywhere. Short of a strip search and/or extremely sensitive scanners, they'll be hard to detect. Similarly, a wireless card is easy to install and allows for external access to the lab's computers. And this list could go on and on and on. ]
CSI/FBI Study Shows Cyber Crime Losses are Dropping (29/30 May 2003)
The most recent Computer Crime and Security Survey from the Computer Security Institute (CSI) and the FBI found that US losses from cyber crimes have fallen significantly. Last year, 503 survey respondents reported $455.8 million in losses from cyber crimes; this year, 503 respondents reported $201.8 million in losses. The number of significant incidents reported has remained steady. The study also found that only 30% of respondents reported cyber attacks to law enforcement.
UK's NHTCU Will Offer PR Assistance to Companies that Follow Through with Prosecuting Cyber Criminals (27 May 2003)
In an attempt to encourage more companies to follow through with prosecution of people accused of cyber crimes, the UK's National Hi-Tech Crime Unit (NHTCU) has formed a public relations group to help those companies manage any negative PR generated by publicity from the trials. Though a confidentiality charter allows companies to report cyber crimes without fear of public disclosure, many have been pulling out of prosecutions for fear of the negative publicity.
[Editor's Note (Schultz): What a clever idea! I would not at all be surprised if it works. ]
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) ALERT: Top 8 SPAM BLOCKING methods. ***FREE White paper***
(2) FREE White Paper: "Top Web Application Attack Techniques!"
THE REST OF THE WEEK'S NEWS
Microsoft to Offer Windows Security Credentials (2 June 2003)
Microsoft has created certification credentials for IT administrators and engineers who focus on Windows security. The "Microsoft Certified Systems Engineer (MCSE): Security on Microsoft Windows 2000" certification requires passing grades on six core exams and demonstration of a security specialty. The "Microsoft Certified Systems Administrator (MCSA): Security on Microsoft Windows 2000" certification requires a total of five exams.
[Editor's Note (Paller): Microsoft emphasizes that these are not "new certifications" but rather new names for existing specializations within MCSE and MCSA. These specializations have been available (without the special names) for years, and a minuscule number of MCSE candidates have chosen to pursue them. Most Windows security breaches are made possible by unsafe configurations installed and maintained by people who have Administrator privileges but do not have security skills. Continuing to allow people to earn MCSE or MCSA certification without ensuring they have mastered the basics of security, implies that Microsoft still doesn't "get it." ]
W32/Sobig.C Worm (2 June 2003)
The W32/Sobig.C-mm worm arrives with a phony sender address, sometimes appearing to be from Bill Gates. Sobig.C sends itself out to e-mail addresses found on infected computers. The worm also uses a variety of attachment names, including screensaver.scr, movie.pif and documents.pif. Interestingly, Sobig.C appeared the same day Sobig.B expired.
Palyh and Fizzer More Prevalent than Klez (30 May 2003)
The Palyh and Fizzer worms have bumped the Klez worm from the top position on both the Sophos and MessageLabs monthly virus report lists, a position it had held for 16 months. On Central Command's list, Palyh bumped Klez down to the second spot.
Yahoo Offers Fixes for IM and Chat Clients (30 May 2003)
Yahoo has patches available for buffer overflow vulnerabilities in its Yahoo Instant Messenger and Yahoo Chat clients; the vulnerabilities could be exploited to allow malicious code to execute on users' machines. Users have been receiving messages encouraging them to apply the patches.
Hacker Breaks Into Colorado Health Clinic System (30 May 2003)
A hacker infiltrated the computer system at Southwest Family Medicine in Littleton, Colorado, leaving staff and patients wondering what personal data have been exposed. The clinic's office manager said they had mistakenly believed that their computer consultants had addressed security appropriately.
Company Releases Info on Sun Vulnerabilities Before Fixes are Available (30 May 2003)
Spi Dynamics, an on-line security consultancy, has released information about a handful of vulnerabilities in Sun ONE Application Server 7.0 before Sun had released patches or workarounds for the flaws. A Sun spokesperson said one of the flaws had been addressed in Update 1 for Application Server 7.0 and that the others will be addressed in Update 2, due out in August. Spi Dynamics maintains that Sun never responded to attempted communications regarding the vulnerabilities; a Sun spokesperson says Spi was informed of Sun's plans to address the flaws.
[Editor's Note (Ranum): This story underscores the problem with today's focus on disclosure instead of practicing security: we're left with a vendor and a bunch of hackers or "security researchers" pointing fingers at each other. ]
Tiger Team Program Teaches Teens Ethical Hacking (29 May 2003)
Teenagers in southern Maine with a demonstrated interest in and aptitude for computer skills have the opportunity to participate in a program called "Tiger Team." Developed by Andrew Robinson, who has an information security company in Portland, the program teaches the teenagers ethical hacking. Robinson hopes that the skills they acquire will help them get jobs.
Microsoft Issues Bulletins for Vulnerabilities in IIS and Windows Media Services (29 May 2003)
Microsoft has released two security bulletins. The first addresses flaws in Internet Information Server (IIS), including a denial-of-service vulnerability in IIS versions 5.0 and 5.1. Microsoft has issued a cumulative patch for IIS, which covers versions 4.0, 5.0 and 5.1. The second bulletin addresses a flaw in the ISAPI Extension for Windows Media Services; the vulnerability affects Windows NT 4.0 and 2000.
Windows Media Services Bulletin:
Researcher Says Microsoft Bulletin is Misleading (30 May 2003)
Marc Maiffret of eEye Digital Security says the recent Windows Media Services bulletin is misleading. While the bulletin tells customers that the vulnerability could allow a denial of service and that the web server will automatically restart, Maiffret maintains, "If you're running Windows Media Services on IIS, attackers can spawn a remote shell 'command prompt' on your vulnerable system."
Microsoft Updates Two Bulletins from Earlier this Spring (29 May 2003)
Microsoft has released updates for two previously released bulletins. The first updates MS03-007, originally released in March, and is for a vulnerability in ntdll.dll. The patch now addresses the vulnerability in the Windows NT and XP platforms. The second is for MS03-013, originally released in April. The original patch caused performance problems for some users after the fix was installed. The update addresses those problems.
Apache HTTP Server Vulnerabilities (28/29 May 2003)
A newly released version of Apache HTTP Server, 2.0.46, addresses a handful of security vulnerabilities, including one in the component that handles WebDAV requests, which could let an attacker crash a server, and another which allows a denial-of-service attack to be launched against Apache's authentication module. The vulnerabilities affect Apache versions 2.0.37 through 2.0.45; Apache is strongly encouraging customers to download the new version.
Malware Myths Debunked, Part II (28 May 2003)
The second article in a three-part series dispels more myths people hold about their protection from computer malware. This installment addresses user beliefs about safe e-mail habits, firewalls and intrusion detection systems.
OMB's FY 2002 GISRA Shows Improvement, Room for Growth (27/28 May 2003)
The Office of Management and Budget's (OMB) fiscal 2002 Government Information Security Reform Act (GISRA) report found that federal agencies have taken steps to improve their information technology security when compared to the baseline data recorded in the fiscal 2001 GISRA report. However, the new report outlines some new concerns: systems are not being evaluated annually, the same weaknesses appear every year and agency program officials are not taking responsibility for the security of their computer systems.
Microsoft Pulls XP Update After Customers Complain of Losing Internet Connectivity (27 May 2003)
Microsoft has removed a Windows XP security update from its web site because the update broke Internet connectivity. It was evidently incompatible with certain security software. Connectivity was restored upon removing the update. The update was to IPSec software.
IDC Survey Finds 72% of Asian Companies Suffered Network Intrusions (27 May 2003)
An IDC survey of more than 1,000 companies in nine Asian countries found that 72% reported having experienced network intrusions. Though 97% of the companies surveyed have anti-virus protection, most of them use off-the-shelf products.
KaZaA Patches FastTrack Vulnerability (27 May 2003)
KaZaA has released a patch for a flaw in the program that drives the FastTrack network. The flaw could allow attackers to gain control of or crash the supernodes to which file sharers connect. The person who found the vulnerability claims to have exploited it, but says he will not make the exploit code public. Other peer-to-peer file sharing services also use FastTrack.
The Potential Risks of "Good Worms" (26 May 2003)
Martha Stansell-Gamm, chief of the Computer Crime and Intellectual Property Section at the U.S. Department of Justice, addresses the ethical and legal issues surrounding the potential release of "good worms." Stansell-Gamm notes that while releasing such a worm may constitute a felony, there are ways to obtain authorization to alter data on someone else's computer.
Overview of the National Information Assurance Leadership Conference
Washington, DC July 21-22
The National Information Assurance Leadership is a special conference
designed uniquely for security managers, senior security professionals,
and the people who perform security audits and assessments. It
combines three unique programs in one:
(1) a set of completely new briefings on emerging standards and
benchmarks for security acquisition, audit, and assessments -- both
federal and commercial, and audit controls that work.
(2) technology updates on new security tools and issues from .net to
vulnerability management, and
(3) a breathtaking series of threat briefings that are more detailed
and incisive (and scary) than anything other than classified military
Add to all that keynote presentations by Marcus Sachs of the Department
of Homeland Security and by the nation's first Cyber Security Czar,
Richard Clarke, and the (surprising) Information Security Leadership
Awards presentations, and you have a program that should not be missed.
Registration information and detailed agenda at
Brief Summary of the training programs at SANSFire
Washington, DC, July 14-19
NIAL is running right after SANSFIRE, and they are both in Washington,
D.C., so we close by listing the wonderful four-, five-, and six-day
tracks that provide immersion training by the nation's best security
teachers. Security and system administration staff cannot be expected
to have systems meet any standards if they do not have the opportunity
to get up-to-date training and certifications.
Here's what a few recent students said about these tracks:
"The most valuable training experience I have had. Really
opened my eyes to true information security and its
implementation." (Nicole Saper, Los Alamos National Labs)
"SANS has proven itself to be the premier leader in training.
That they focus on security training makes it that much more
beneficial for our industry. These guys have it down to an art."
(Daniel Baker, The Consultant Registry)
SANS Security +S
SANS' foundational course that allows someone new to security to
understand the main issues and concepts fast. This course is designed
to prepare the student for both the CompTIA Security+ certification as
well as the GIAC GISO.
SANS Security Essentials and the CISSP 10 Domains
Survival skills for system administrators who also have security
responsibility. It is also by far the best training for security
officers who want to know the CISSP material but also want to be able
to look at security through the eyes of system administrators - the only
people who can make sure systems are secured properly.
SANS Security Leadership Essentials for Managers
The CIOs who attended the first run of this program said, "Just
perfect." It teaches the key concepts and technologies - from a
Firewalls, Perimeter Protection & Virtual Private Networks
The minimum knowledge needed for anyone implementing and managing
firewalls or VPNs.
Intrusion Detection In-Depth
The toughest, richest course in security - but an essential program for
anyone involved in intrusion detection.
Hacker Techniques, Exploits, and Incident Handling
It is tough to stop hackers if you don't know how they get in. This
track teaches you their techniques and how to block them. It is also a
must-attend course for anyone involved in responding to security
It is extraordinary what Microsoft fails to teach about threats and how
to block them. Track 5 fills the void with countermeasures that can be
used immediately upon returning to the office.
Like Microsoft, the UNIX and Linux vendors fail to teach system
administrators about common threats and how to block them. Any CIO who
allows UNIX or Linux systems to be deployed in an important organization
without system admins certified in Track 6 material, is probably guilty
of malpractice. In both cases, Windows and Unix, it would be like
doctors sending samples to lab technicians without the right skills.
Auditing Networks, Perimeters, and Systems
Auditors, even those with auditing certifications, are generally
untrained in the selection and use of automated tools for conducting
in-depth audits of systems. As more organizations demand security
audits, people with the skills taught in Track 7 will stand out more
and more from the rest of the audit community.
System Forensics, Investigation & Response
Consultants and law enforcement people - in fact, anyone who is called
in after an attack to find out what happened - will need the material
taught in Track 8.
That's actually not all. SANSFIRE will hold a large exposition of the
tools and services you need for a robust security program, as well as
nightly programs called SANS@NIGHT that provide updates on the important
new developments in security.
for SANSFIRE: http://www.sans.org/sansfire03/
Be afraid - very afraid! Load yourself with some armor for your
K. Taylor, U.S. Army Corps of Engineers
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit