SANS NewsBites

Volume V - Issue #27

July 09, 2003

Dell's announcement this morning that it has begun delivering a new hardened configuration of Windows 2000 is a defining moment in the ongoing quest to make security less expensive and more effective. Dell has proven that vendors can take the initial security configuration load off of users, and that there are standards vendors can use (from the Center for Internet Security) if they want to deliver safer systems. Users no longer have to settle for wide-open, unsafe configurations. It may soon be perceived as unwise to order a system configured unsafely when vendors are delivering safe configurations. If you want to buy systems from other vendors, it is now acceptable to require in your specifications that they deliver those systems configured safely. You'll find the Dell announcement at the end of this issue.



Defacing Contest Scheduled for July 6 -- Was A Dud
CERT/CC Incident Report on Malware Spread Rates and User Misconceptions
RIAA Will Pursue More File Traders


Dissertation Makes Sensitive Security Data Available
Rain Forest Puppy Steps Away From Security Research
Australian High Tech Crime Center
Web Application Penetration Testing, Part 2: Input Validation
Sluter-A Worm Seeks Network Shares With Weak Passwords
Bloomberg Extortionist Sentenced
Australian Government to Review Cyber Crime Laws
The Limitations of Cross-Platform Authentication
ISS Vulnerability List
Six-Month Virus Report
Microsoft Patches for Passport Vulnerability
Process Systems Security
Romanian Men Arrested in Connection With Cyber Extortion Scheme

******* Sponsored by the Instructor-Led Online Training of SANS *******
Hacker Exploits Instructor Led On Line - By popular demand one of the
two top rated hacker exploits teachers in the world will teach a live,
online version of this very popular track. No flying away for a week,
convenient hours, lots of time between classes for hands-on work. And
Eric Cole is extraordinary. Begins July 22. More information:


Defacing Contest Scheduled for July 6 - Was A Dud (6 and 2/3 July 2003)

Despite warnings from Internet Security Systems about the Defacers' Challenge scheduled to take place on Sunday, July 6, very few sites were hacked. The contest awarded points to attackers who compromised organizations' web servers and defaced their web sites; more points were awarded for compromising less popular operating systems, such as Mac OS and Unix variants. The Department of Homeland Security says it received "credible evidence" about the planned attacks and that it detected probes looking for vulnerable networks, but it did think the problem was important enough to issue warnings. Results:
Original press coverage:

CERT/CC Incident Report on Malware Spread Rates and User Misconceptions (2 July 2003)

The Computer Emergency Response Team Coordination Center (CERT/CC) has issued an Incident Note regarding two "chronic problems" evidenced by recent reports to CERT/CC. First, the speed at which malware spreads is increasing, and second, users whose systems have been compromised mistakenly assume that having anti-virus software installed was sufficient to protect them from all malware attacks. To address these problems, CERT/CC recommends employing layers of security and access controls in addition to observing safe computing practices, such as running and maintaining anti-virus software, disabling or securing file shares and using firewalls.

RIAA Will Pursue More File Traders (1 July 2003)

The Recording Industry Association of America's (RIAA) announcement that it plans to aggressively pursue action against people who trade copyrighted files online seems to have had little effect on use of the file-sharing services. Some users have taken precautions, such as turning off the file-sharing feature in their software. Some file-sharing services have said they plan to employ methods to keep file-sharers' identities anonymous.

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Best Practices for Incident Response - Sign up for the
practitioner's guide at
(2) ALERT: Test Your Web Apps for SQL Injection Vulnerabilities-Six
Easy Steps
(3) Stop Network Attacks versus just Detecting. Intrusion Prevention
Essentials White Paper


Dissertation Makes Sensitive Security Data Available (8 July)

Sean Gorman, a PhD student at George Mason University outside Washington, DC, has mapped all US business and industrial sectors and the fiber-optic lines that connect them. Queries show choke points and other vulnerabilities.

Rain Forest Puppy Steps Away From Security Research (8 July)

One of the industry's most prolific discoverers of security flaws, Rain Forest Puppy, has called it quits. His reasons make interesting reading.

Australian High Tech Crime Center (3 July)

The recently launched Australian High Tech Crime Center will unite police around the country in the fight against cyber crime. The Center's responsibilities will include "education and prevention of high-tech crime through cooperation with law enforcement, government agencies, industry groups and private organizations." The Center, which is hosted by the Australian Federal Police in Canberra, will initially have a staff of 13 and is expected to grow.
[Guest Editor, Nick Main, a SANS local mentor in Canberra and member of the Windows 2003 Gold Standard Courseware development team adds: This has not received a lot of press in Australia, but their web site is and it looks like a good start for electronic law enforcement down under. ]

Web Application Penetration Testing, Part 2: Input Validation (3 July)

The second article in a three-part series on penetration testing for web applications addresses issues surrounding input validation, such as SQL injection vulnerabilities, code and content injection, and cross-site scripting.
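The two input-validation failures named above, shown side by side with their hardened forms. This is an added example written for this issue, not code from the article being summarized; the user table, the credentials and the injection payload are all constructed for the demonstration, and the in-memory SQLite database stands in for whatever back end a real application would use.

```python
import html
import sqlite3


# Constructed stand-in for a web application's user table (not from the article).
# Passwords are stored in clear text only to keep the injection demonstration short;
# a real application would store a salted hash.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Input-validation failure: attacker-controlled strings are spliced into the SQL text."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Hardened form: values are bound as parameters and cannot alter the query structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Hypothetical payload: the quote closes the string literal and '--' comments out
# the rest of the line, so the vulnerable query becomes
#   ... WHERE username = 'alice' --' AND password = '...'
# and the password check disappears.
INJECTED_USERNAME = "alice' --"


def greeting_vulnerable(name):
    """Reflected cross-site scripting: user input lands in the HTML unescaped."""
    return f"<p>Hello, {name}</p>"


def greeting_escaped(name):
    """Output encoding: <, >, &, and quotes become entities before reaching the page."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def demo():
    """Run both login variants against a legitimate credential and the injection payload."""
    conn = make_db()
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_injected": login_vulnerable(conn, INJECTED_USERNAME, "wrong"),
        "safe_legit": login_parameterized(conn, "alice", "s3cret"),
        "safe_injected": login_parameterized(conn, INJECTED_USERNAME, "wrong"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_escaped("<script>alert(1)</script>"))
```

The vulnerable login returns the admin row for the payload with a wrong password; the parameterized one returns nothing, because the bound value is compared as data rather than parsed as SQL. The same principle applies to the XSS pair: validation on input is a useful first line, but the reliable fix is to encode for the context the data is written into.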

Sluter-A Worm Seeks Network Shares With Weak Passwords (2 July)

The Sluter-A worm scans port 445 of random IP addresses for certain network shares protected by weak passwords; the worm uses a battery of just 16 passwords. If it is successful in breaking in, Sluter-A will make a copy of itself with the filename msslut32.exe and schedule itself to be run; it will also add a registry key to ensure that it is run on start-up.
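The scanning behaviour described above (one host touching port 445 on many random addresses in a short time) is easy to pick out of connection logs. The following is an added detection example, not something from the original report or from any vendor's tooling: the flow-log line format is an assumption chosen for the demonstration, the sample lines are constructed rather than captured, and the threshold and window are illustrative starting points.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed (hypothetical) flow-log format; adjust LOG_RE for a real firewall export.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport), or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def find_smb_scanners(lines, threshold=10, window_s=60):
    """Flag sources that reach `threshold` distinct port-445 destinations inside any
    `window_s`-second sliding window. Lines must be in time order per source.
    Returns {src: peak distinct-destination count}."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst) for port-445 events
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev[3] != 445:
            continue
        ts, src, dst, _ = ev
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_s:  # expire events outside the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def constructed_sample():
    """Constructed log lines (not real traffic): one workstation that repeatedly talks to
    its two file servers, and one host sweeping random-looking addresses on 445."""
    lines = ["this line is not a flow record and is ignored"]
    for i in range(15):  # benign: fifteen connections, but only two distinct destinations
        lines.append(f"2003-07-02T10:00:{i:02d} src=10.0.0.9 dst=10.0.0.{20 + i % 2} dport=445")
    lines.append("2003-07-02T10:00:05 src=10.0.0.5 dst=10.0.0.1 dport=53")  # not SMB, ignored
    for i in range(12):  # worm-like: twelve distinct hosts in 44 seconds
        lines.append(
            f"2003-07-02T10:00:{4 * i:02d} src=10.0.0.5 "
            f"dst=198.51.100.{(i * 37) % 251 + 1} dport=445"
        )
    return lines


def detect_sample():
    """Run the detector over the constructed sample; only the sweeping host is flagged."""
    return find_smb_scanners(constructed_sample())


if __name__ == "__main__":
    print(detect_sample())
```

The benign workstation never exceeds two distinct destinations however many connections it makes, so counting distinct targets rather than raw connections keeps ordinary file-server traffic quiet. The worm's 16-password guessing would show up separately as a burst of failed SMB logons from the same source; that is a complementary signal worth correlating, not shown here.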

Bloomberg Extortionist Sentenced (1/2 July)

Oleg Zezov, the Ukrainian man convicted of trying to extort $200,000 from Michael Bloomberg, founder of Bloomberg financial news service, has been sentenced to 51 months in prison, one of the longest sentences ever for computer intrusion.

Australian Government to Review Cyber Crime Laws (1 July)

The Australian Federal Government plans to review the country's existing cybercrime laws with an eye to ensuring that those convicted of such crimes in the future receive stiff penalties. The review was prompted by federal authorities' belief that the courts are treating cyber criminals too leniently. It will be conducted by the Attorney-General's Department, which plans to focus on a recent case in which a man was given a suspended sentence for breaking into OptusNet and accessing account details belonging to 400,000 customers; an appeal brought by the prosecutors resulted in a fine and a "two-year good behaviour bond."

The Limitations of Cross-Platform Authentication (1 July)

One of the biggest impediments to cross-platform authentication is the fact that each server platform uses a different schema for the fields that hold information about user identity, account information and permissions. Of the many fields each schema contains, only three are considered standard: user name, password and home directory.
[Editor's Note (Grefer): Third-party solutions for centralized and/or cross-platform authentication have been around for a long time. These serve as an add-on to the operating system and replace the standard authentication mechanism. Similarly, a wide variety of platforms by now support LDAP, the Lightweight Directory Access Protocol, as an alternate means for authentication. It is also possible to integrate LDAP with Microsoft's Active Directory Service (ADS), resulting in a sizeable number of systems and platforms that can use LDAP for cross-platform authentication.]

ISS Vulnerability List (1 July)

Internet Security Systems' (ISS) new tool, the Catastrophic Risk Index, lists the 30 most important vulnerabilities in the view of its X-Force security experts.

Six-Month Virus Report (1 July)

According to a report from anti-virus company Sophos, 3,855 new viruses were detected during the first six months of 2003, a 17.5% increase over last year's numbers. The most frequently reported viruses during that time were Bugbear-B, Sobig-C and Klez-H.

Microsoft Patches for Passport Vulnerability (30 June/1 July)

Microsoft has patched a vulnerability in Passport's "Secret Question" feature, which could allow an attacker to reset the password for and hijack someone else's account. Accounts established prior to August 1999 are vulnerable because the Secret Question feature was not in place then.

Process Systems Security (30 June)

Security problems faced by supervisory control and data acquisition (SCADA) and other process systems and networks include the "barriers between IT and the engineers who ... run process networks," customized applications and a dearth of security software for the applications and networks. The Instrumentation, Systems and Automation Society is developing best practices for securing process networks.

Romanian Men Arrested in Connection With Cyber Extortion Scheme (29 June)

Several Romanian men have been arrested for their alleged roles in a cyber extortion scheme. The group would break into computer systems at US companies, download client data from company databases and then ask $50,000 to refrain from posting the information on the Internet. The FBI worked with the Special Investigations Unit of the Romanian Supreme Court to track down the alleged perpetrators.

The Dell Announcement

Texas, July 9, 2003 - Dell is helping customers better protect their information assets from unauthorized access, control or damage by giving them the option of a more secure or "hardened" configuration. The new security service, in which Dell activates more than 50 security settings on Microsoft Windows 2000, helps customers better secure their systems without adding time or complexity to their system installations.
This service, available on desktops and notebooks, helps public and private organizations meet a security benchmark established by the Center for Internet Security (CIS), whose mission is to help organizations around the world effectively manage risks related to information security. CIS is made up of leading companies, universities, auditing organizations and government agencies. "Dell is taking a leadership position in providing secure systems to its customers," said Clint Kreitner, president of CIS. "We hope other vendors will follow Dell's lead." Dell intends to develop a similar offering for Windows XP after the benchmark is released by CIS later this year.
"Protecting data from dangers such as hackers and computer viruses is a challenge for today's organizations," said Tom Buchsbaum, sales vice president of Dell's federal sector. "Dell is committed to providing our customers with technology products that provide a high level of security, and our work with CIS builds on that commitment." For more information on Dell's security-enabled hardware and security services, visit

NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit