OnDemand Includes 4 Months Access to Course Content - Special Offers Available Now!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume V - Issue #23

June 11, 2003

A bonus for Cisco users at the end of this issue:


Cisco routers and switches are nearly ubiquitous and are increasingly
being targeted by hackers as entry points for networks. To try to help
network administrators, engineers, and managers and security folks keep
up with important new developments on the Cisco front, SANS began this
week publishing a definitive weekly summary of new alerts and
countermeasures with announcements from industry news sources for
everything useful we can find pertaining to Cisco and its immediate

You'll find a sample issue at the end of this NewsBites.
Subscribe today (it's free) at: http://www.sans.org/newsletters/
We would love your feedback on ways to help make it more useful.


P.S. For our readers in the UK, we're scheduling an executive briefing
entitled "Internet Threat Update and Innovative Defenses" at the end of
SANS Hammersmith 2003 in London. To get an invitation to the briefing
(free to everyone who works at companies or agencies that are sending
delegates to SANS Hammersmith 2003, and a small fee to others) email
sansro@sans.org with subject Hammersmith Briefing.

For information on the 5 immersion training tracks on basic and advanced
security and audit topics at SANS Hammersmith 2003:


DHS Establishes National Cyber Security Division
OIS Releases Draft Disclosure Guidelines
New Laws in Taiwan Make Hacking a Felony
Addressing Security During Software Development Saves Money


Wired Magazine Article Includes Slammer Code
Microsoft to Improve Patch Management
Bugbear Variant is Spreading
Bugbear.B Sent Out Stanford Documents
Apple OS X Update
Microsoft Releases Cumulative Patch for IE
LA Police Officer Suspended for Allegedly Accessing Databases
Gartner: Security Will Consume Greater Portion of IT Budgets
Sobig.C Worm
New Attack Requires Little Bandwidth, Consumes Machines' Resources
Quarterly CERT/CC Summary
Business Software Alliance Says Piracy Rate Shows Modest Decline
GAO Report: IRS Systems Security Still Needs Work
Cyber Corps Troubles Lead to Reorganization Effort

******************** Sponsored by VeriSign, Inc. ********************
Simplify Security for Web Services and Applications.
Traditional firewalls have minimal application awareness - hindering
consistent enforcement of security standards - as well as your ability
to extend functionality to partners. Our FREE white paper shows you how
to extend application and web services security beyond the firewall.
Click here to get your copy:


DHS Establishes National Cyber Security Division (6 June 2003)

The Department of Homeland Security (DHS) will establish the National Cyber Security Division, which will incorporate the Critical Infrastructure Assurance Office (CIAO), the National Infrastructure Protection Center (NIPC), the Federal Computer Incident Response Center (FedCIRC) and the National Communications System. The new, 60-employee office will be a part of the DHS Information Analysis and Infrastructure Protection (IAIP) directorate. The Division will have three units: the first will focus on identifying cyber security risks and eliminating vulnerabilities in government and critical infrastructure systems, the second will focus on detecting and responding to cyber security incidents, and the third will encourage cyber security awareness. The office does not yet have a chief.

OIS Releases Draft Disclosure Guidelines (4/5 June 2003)

The Organization for Internet Safety (OIS), a coalition comprised of security and software companies, has drafted a set of guidelines that defines a standardized process for sharing information about security vulnerabilities. The draft gives software makers seven days to respond to researchers' notifications of flaws, and asks that the companies develop a patch for the problem within 30 days. The researchers who find the flaws are required to keep vulnerability details under their hats for 30 days after the release of the patch. OIS is accepting comments on the draft by e-mail until July 4.
[Editor's Note (Schneier): A patch within 30 days, then publication 30 days after the patch is developed means up to 60 days (assuming the patch is developed that quickly); that seems a bit excessive to me, but not irrational. ]

New Laws in Taiwan Make Hacking a Felony (4 June 2003)

Two new articles added to Taiwan's criminal code make hacking a felony. Obtaining unauthorized access to a proprietary computer system is now punishable by a prison term of up to three years and a fine of up to NT$100,000. Causing damage by attempting to alter data on someone else's computer disks is punishable by a prison term of five years and a fine of up to NT$200,000. Punishment is even more stringent for attacks against government computer systems.
[Editor's Note (Schultz): It sounds as if Taiwan is getting serious about computer crime. I hope this helps inspire other countries to do the same. ]

Addressing Security During Software Development Saves Money (4 June 2003)

Software flaws are costing the economy $59.5 million annually, according to the National Institute of Standards and Technology (NIST). An IBM study has shown that the cost of fixing a software flaw after the software has gone to market is nearly 15 times more than the cost of finding and fixing flaws during development. Software developers must have time to pay attention to security during the development process. They should receive training and be provided with tools to check for vulnerabilities in specific environments.
[Editor's Note (Schneier): I've been saying this for years; it's nice to have some objective proof. ]

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Stop attacks before damage is done. Download LURHQ's whitepaper
"The Foundation for Effective Incident Handling"
(2) Stop Network Attacks versus just Detecting. Intrusion Prevention
Essentials White Paper
(3) FREE White Paper: "How Web Application Hackers Break In!"
(4) Alert! Email attacks & spam are getting worse. Learn to stop them.


Wired Magazine Article Includes Slammer Code (6 June 2003)

Wired Magazine plans to publish code for the Slammer worm in its July issue. The article will omit information on planting Slammer and hiding one's tracks.
[Editor's Note (Grefer): What's going to be next? Free advice on how to build a machine gun from regular household components? Give me a break! (Schneier): The amount of ink being spilled over this is remarkable. The code is available elsewhere. And good guys can't defend against something they're not allowed to understand. ]

Microsoft to Improve Patch Management (6 June 2003)

Microsoft plans to improve patch management for its products. In a recently released white paper, Microsoft said it plans to address patch quality, simplify patch application and delivery, and increase the number of applications that receive automated patching.

Bugbear Variant is Spreading (5/6 June 2003)

A new variant of the Bugbear virus, Bugbear.B, is circulating on the Internet. It arrives as an attachment, uses random e-mail addresses found on infected computers for the From line, and uses document names from infected computers as well. It exploits a two-year old MIME vulnerability in Outlook to send itself out. It copies itself to shared hard drives. It also places a back door on infected computers and installs key-logging software, ostensibly to steal personal information like passwords and credit card information. It also tries to disable anti-virus products.

Bugbear.B Sent Out Stanford Documents (6 June 2003)

Stanford University's computer system became infected with the Bugbear.B worm, which sent random files, some of them confidential, to other system users, who have since been blocked from sending mail to people outside the system.

Apple OS X Update (5 June 2003)

Apple plans to release an update to OS X which will address a vulnerability in the operating system's installation of Apache 2.0; the update upgrades Apache to version 2.0.46. The vulnerability lies in the mod_dav module and could cause Apache to crash.

Microsoft Releases Cumulative Patch for IE (4/6 June 2003)

Microsoft has released a cumulative patch that addresses vulnerabilities in Internet Explorer (IE) 5.01, 5.5 and 6.0, as well as for Internet Explorer 6.0 for Windows Server 2003. The patch is critical for all versions of Windows except Server 2003, for which it is rated moderate, because it runs in Enhanced Security Configuration. Windows Server 2003 is not vulnerable to the flaws when in default configuration.

LA Police Officer Suspended for Allegedly Accessing Databases (4 June 2003)

A Los Angeles (CA) police sergeant has been suspended from the force for allegedly accessing confidential databases without permission. Sgt. Mark Arneson had allegedly been obtaining information for a private investigator.

Gartner: Security Will Consume Greater Portion of IT Budgets (4 June 2003)

Gartner analysis indicates that businesses will spend more than 5% of their IT budgets on security in 2003, giving security budgets a 28% compound growth rate since 2001. The increase in spending is largely due to copyright laws liability concerns and focus on critical infrastructure protection.

Sobig.C Worm (3/4 June 2003)

The Sobig.C worm is spreading. It infects Windows 95, 98, Me, NT, XP and 2000 systems. It also spreads to shared hard drives in search of e-mail addresses to use when it sends itself out again using its own simple mail transfer protocol (SMTP) engine. Analysis of the worm's distribution pattern has led some to speculation that Sobig.C uses a spam engine to spread.

New Attack Requires Little Bandwidth, Consumes Machines' Resources (3 June 2003)

Researchers Dan Wallach and Scott Crosby of Rice University have developed an attack method that knock a computer off-line, consuming a computer's resources without requiring a lot of bandwidth, unlike a denial-of-service attack. The method involves forcing the targeted computer to perform unusually laborious hash calculations. Defense against the attack requires developing new, more efficient hashing algorithms. The researchers plan to present their findings in a paper at the Usenix Security 2003 conference in August.

Quarterly CERT/CC Summary (3 June 2003)

The quarterly Computer Emergency Response Team Coordination Center (CERT/CC) summary lists recent cyber attack activity and incident and vulnerability information. Recent activity addressed includes an integer overflow vulnerability in Sun's XDR Library, a buffer overflow vulnerability in sendmail and multiple vulnerabilities in Snort's preprocessors as well as in Lotus Notes and Domino Server. The summary also includes links to recently published advisories, vulnerability notes and statistics.

Business Software Alliance Says Piracy Rate Shows Modest Decline (3 June 2003)

The Business Software Alliance (BSA) says that the software piracy rate fell last year, from 40% to 39%; the decline follows two straight years of increases. The rate is 10 percentage points below its 1994 level. Piracy rates in the US have fallen from 32% to 24% since 1994; Eastern Europe and the Asia-Pacific region have piracy rates of at least 90%.

GAO Report: IRS Systems Security Still Needs Work (2 June 2003)

A General Accounting Office (GAO) report says that while the Internal Revenue Service (IRS) has made progress in securing its computer systems, there are still some significant weaknesses. The IRS has not adequately implemented its security program, resulting in access and authorization vulnerabilities.

Cyber Corps Troubles Lead to Reorganization Effort (June 2003)

The Cyber Corps program, which provides scholarships, stipends and summer internships to qualified students of information security in exchange for up to two years of service at a government agency after graduation, has been experiencing some difficulty placing graduates in government jobs. Agencies' reluctance to hire the graduates can be attributed to small budgets, concern that the graduates will leave after their commitment has been fulfilled, and the expenditure of time and money involved in obtaining appropriate security clearances. Summer internships have proven even more difficult to obtain. Students who are unable to find government employment despite a good faith effort are released from their obligations. The program is currently being reorganized.

NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit