Special Offer w/ OnDemand: Get an iPad (32 G), Galaxy Tab A, or Take $250 Off OnDemand Training thru Jan 27

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume V - Issue #28

July 16, 2003


Rep. Putnam Promises Cyber Security Legislation
House Select Committee on Homeland Security Holds Cyber Hearings
Ridge Describes Security Plan for US Financial System


1,000 Personal Computers Hijacked For Pornography Ring
French Teen Allegedly Defaced More Than 2,000 Sites Migmaf Trojan
UK Teen Questioned in Connection with Fermi Lab Intrusions
GSA Releases Draft e-Assurance Levels
Adult Web Sites Targeted by Extortionist
Microsoft Releases Three More Security Bulletins
Massachusetts Stale Lottery Commission Web Site Spoofed
NIST Report Suggests Metrics for IDS Performance
Apache Updates HTTP Server
US Information Security Law
PriceWaterhouseCoopers Electronic Crime Survey
Stop the Hype, Say Experts
PayPal Customers Targeted by ID Data Theft Scam
Defacers' Challenge Tally Site Hit with DDoS
U of Illinois Receives Grant to Establish Anti-Cyber Attack
Technology Research Center
Microsoft Software Simplifies Identity Management

*************** Sponsored by Verisign - The Value Of Trust ************
Secure Your Servers
Secure your servers with 128-bit SSL encryption! Grab your copy of
VeriSign's FREE Guide, "Securing Your Web site for Business," and you'll
learn everything you need to know about using 128-bit SSL to encrypt
your e-commerce transactions, secure your corporate intranets and
authenticate your Web sites. 128-bit SSL is serious security for your
online business. Get it now!
Highlighted Security Training in August and September
SANS Rocky Mountain returns to Denver August 14-19 with six popular
immersion training tracks and a vendor exposition. Register soon:
Or come to Boston http://www.sans.org/newengland03 or Los Angeles
http://www.sans.org/losangeles03 in September for our two other
six-track programs.
Programs in more than 60 other cities as well: http://www.sans.org


Rep. Putnam Promises Cyber Security Legislation (10 July 2003)

Speaking at an e-government conference last week, Representative Adam Putnam (R-Fla.), chairman of the US House Government Reform Subcommittee on Technology, said that what the US has done thus far to defend against cyber attacks is "simply not acceptable" and has promised the introduction of legislation "mandating" cyber security requirements for the private sector. Putnam wants to address the cyber security problems "before a major disaster happens." He says the blame for inadequate cyber security can be shared among private sector firms and government agencies, which are not doing enough to shore up their security, as well as the present administration and Congress which have failed to give the problem adequate attention. Robert W. Holleyman, president of the Business Software Alliance, one of the conference's sponsors, spoke out against government regulation; Putnam responded that business has not done enough fast enough.

House Select Committee on Homeland Security Holds Cyber Hearings (15 July 2003)

At today's House Select Committee on Homeland Security, Cybersecurity Subcommittee hearings, chaired by Cong. Mac Thornberry of Texas, major vendors including Microsoft, Dell, AT&T, Sun, and AOL agreed that industry could help solve part of the cyber security problem but that government action was needed to complete the job. Most of them supported the idea of establishing minimum configuration standards -- specific to various operating systems and environments -- that would be recognized by government and the buying public. They further emphasized that government procurement could be used to prove sufficient demand so the computer industry develops products that are configured more safely. Microsoft announced that it was working wit the Center for Internet Security to bring its security recommendations and those of the Center together. Although the threat of government regulation is ever present, the vendors said that most of the impetus for their increased interest in security was the growing level of us
[Editor's Note (Paller): The vendors' testimony will be posted at the www.house.gov site within a couple of weeks. Testimony from Bruce Schneier of Counterpane, Rich Pethia of CERT/CC, and me (for SANS) at the Cybersecurity Subcommittee's first hearing on June 25, defining the cybersecurity problem, has already been posted. Download it here: Schneier:

Ridge Describes Security Plan for US Financial System (8 July 2003)

Speaking at the Federal Reserve Board in New York, Homeland Security Secretary Tom Ridge outlined plans to help protect the country's financial system from criminals. Included in the plans is an expansion of the electronic crimes task force from nine to thirteen cities; the new cities are Columbia, S.C., Cleveland, Dallas and Houston. The task forces focus on computer-based crimes such as identity theft, network and computer intrusions, and telecommunications fraud. They will partner with federal, state and local law enforcement, as well as segments of the private sector, such as the telecommunications industry and academic community, to identify and try to eliminate weaknesses in networks.

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) FREE White Paper: "Top Web Application Hacker Tricks"
(2) Simplify secure file transfer! Download a white paper and
evaluation software.
(3) BE OFFENSIVE. Don't react to network intrusions. Actively prevent
them. FREE White Paper.


1,000 Personal Computers Hijacked For Pornography Ring (11 July 2003)

A pornography ring is hiding its location from ISPs who might shut it down by using more than 1,000 personal computers that the ring had hijacked. Pornography is stored on each computer for just a short time and customers asking for it are served from whichever PC has the material when the request arrives.

French Teen Allegedly Defaced More Than 2,000 Sites (11 July 2003)

A seventeen-year-old French high school student is being investigated in connection with approximately 2,000 web site defacements, including one on a US Navy site. The attacks in question took place over the course of 14 months. The young person could face up to three years in prison and a fine of $50,850 if convicted.

Migmaf Trojan (11 July 2003)

A Trojan horse program, sometimes called Migmaf, is a reverse proxy server. It hijacks home computers running some versions of Windows and uses them to send advertisements for pornography. Migmaf has hijacked approximately 2,000 computers with high-speed Internet connections; it does not appear to damage compromised machines.
[Editor's Note (Northcutt): "Honest honey, it was the trojan!" While the article does say some versions of Windows it would be more accurate to say most versions. ]

UK Teen Questioned in Connection with Fermi Lab Intrusions (10/11 July 2003)

London police have arrested and are questioning an 18-year-old in connection with unauthorized access to US Department of Energy (DoE) computers at Fermi National Accelerator Laboratory in Batavia, IL. The teen allegedly used the computers to store music and video files. He has been released on bail.

GSA Releases Draft e-Assurance Levels (10 July 2003)

As part of the e-Authentication e-government initiative, the General Services Administration (GSA) has released a draft policy describing the four levels of assurance agencies will be required to use to categorize their systems and transactions for authentication. Agencies must assess risks of e-government projects and IT systems that conduct transactions and adopt a level by the end of fiscal 2004.

Adult Web Sites Targeted by Extortionist (10 July 2003)

Someone using the on-line name "Deepsy" has been attempting to extort money from adult web sites, threatening to take them off-line with denial-of-service attacks unless they pay him $1,500. "Deepsy" has apparently made good on his threats; one of the targeted adult web sites has contacted the FBI.

Microsoft Releases Three More Security Bulletins (9 July 2003)

Microsoft has released security bulletins for three vulnerabilities. The most serious, rated "critical," is a buffer overflow flaw in the HTML converter in all supported versions of the Windows operating system. The flaw is rated only moderate for Windows Server 2003 because of its Enhanced Security Configuration. The other two flaws, both rated "important," concern another buffer overflow in Windows NT, XP and Windows Server 2000 and a privilege elevation vulnerability in Windows 2000's utility manager.

Massachusetts State Lottery Commission Web Site Spoofed (9 July 2003)

A phony web site that mimics the Massachusetts State Lottery Commission site was being used in an attempt to try to steal personal data. Some people received e-mails and text messages telling them they had won $30,000 in a lottery and directing them to the phony site. Once there, they found they were required to enter personal information and pay a $100 processing fee in order to claim their prize. The site has been taken down. The Commission is working with the FBI to find those responsible for the scam.

NIST Report Suggests Metrics for IDS Performance (9 July 2003)

A National Institute of Standards and Technology (NIST) report entitled "An Overview of Issues in Testing Intrusion Detection Systems" observes that there are no standard metrics by which to measure IDS performance. The report lists some possible metrics, including the range of attacks a system can detect, the number of attacks a system can detect within a certain period of time and throughput, or how much traffic the system can handle.
[Editor's Note (Schultz): It's still amazing to me how so many vendors and developers of intrusion detection systems somehow fail to obtain and distribute benchmark metrics for their systems, possibly because of fear that objective testing will reveal unfavorable hit and false alarm rates. The user community needs such metrics, however. ]

Apache Updates HTTP Server (9 July 2003)

The Apache Software Foundation has released an updated version of its Apache HTTP Server. The new version (2.0.47) corrects four security flaws, including some which could result in denial-of-service attacks.

US Information Security Law (9 July 2003)

The final installment in a four article series on US Information Security Law examines "national security law in the United States as it pertains to information security."

PriceWaterhouseCoopers Electronic Crime Survey (9 July 2003)

The PriceWaterhouseCoopers Global Economic Crime Survey 2003 shows that 15% of the 3,623 companies surveyed reported suffering losses attributable to cyber crime. Telecommunications and IT companies appear to be among the most targeted.

Stop the Hype, Say Experts (8/9 July 2003)

Some computer security experts are encouraging security companies to refrain from "hyping" cyber threats that don't pose serious risks because the plethora of warnings may inure people to threats that do pose serious risks. The group of experts protested the hype surrounding the July 6 Defacement Challenge. The hype benefits both the attackers and the security companies because the former desire publicity, and the latter want to sell more products.
[Editor's Note (Schultz): These experts are correct. You can cry "wolf" only so many times. ]

PayPal Customers Targeted by ID Data Theft Scam (8/9 July 2003)

Some PayPal customers have received messages telling them that their billing information has been lost and that in order to keep their accounts, they must re-enter the data on a specific site. Though many of the sites' links point to the PayPal web site, the form which requests personal information, such as name, address, credit card information and social security number, is on an server at a different IP address. The phony site uses a valid SSL certificate

Defacers' Challenge Tally Site Hit with DDoS (7 July 2003)

Zone-h, the web site responsible for tallying the results of the Defacers' Challenge on Sunday, 6 July fell prey to a "massive" distributed denial of service attack that lasted for seven hours that very same day. The attack was the work of a group protesting the event.

U of Illinois Receives Grant to Establish Anti-Cyber Attack Technology Research Center (3 July 2003)

The University of Illinois' National Center for Supercomputing Applications in Urbana-Champaign has received an initial $5.7 million grant from the Office of Naval Research to establish a research center devoted to developing technology to thwart enemy cyber attackers. Developers at the center will focus on finding the best ways for military forces to share information without it being intercepted.

Microsoft Software Simplifies Identity Management (2 July 2003)

Microsoft's forthcoming Microsoft Identity Integration Server (MIIS) 2003 will "unify" workers' user name and password information to provide a picture of each employee "across the enterprise." The software will allow for the creation of a variety of identities as soon as a new employee is entered into the human resources database; it will also allow for efficient removal of an employee's system access upon termination.

NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit