SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.


Volume V - Issue #3

January 22, 2003

In about six weeks more than 1,400 security and audit professionals
will arrive in San Diego (at a hotel right on the ocean, a great
escape from arctic blasts) for immersion training at the SANS 2003 Annual
Conference.

Three quick notes:

(1) If you have already registered or do so within the next three
weeks, you will get an email enabling you to participate in SANS'
extraordinary online Internet Threat Update that details the new
methods attackers are using and available techniques for blocking
them. This is the keynote (and highest rated) presentation at the
National Information Assurance Leadership Conference and we want to
make sure all SANS2003 attendees get the benefit of having access to
the newest information.

(2) Monday January 27 is the deadline for the early registration
discount for SANS 2003.

(3) If you received more than one SANS 2003 conference program
(it's 100 pages long) please pass the extra along to someone who
can gain from SANS security training. If you need an extra copy,
email with subject SANS2003 brochure.


$4.7 Billion Budgeted for Federal IT Security
Virus Writer Jailed for Two Years
Rumsfeld Orders Material Removed from Web
Ohio State Computer System Overwhelmed with 11 Million e-Mails
Microsoft to Share Windows Source Code


Peer-to-Peer Hydra Worm Claim is a Hoax
Study Shows Old Drives Not Adequately Cleaned
Allstate Banned from On-Line CA DMV Access
SPV Phone Vulnerability
Advice for Choosing a VPN
Agencies are Encouraged to Use FedCIRC's Patch System
DHCP Buffer Overflow Flaws
New Mexico to Deploy Identity Management Program for State Web Access
Sobig Worm Upgraded
Spammer's Site Exposes Customer Data
Mullen Defends Striking Back at Systems Running Worms
Instant Messaging Security Risks
Microsoft Will Release APIs to Ensure Longhorn Works Well with AV Products


SANS seeks reviewers for Business Law and Computer Security and for New SSH Step-by-Step
Dartmouth ISTS Seeks Comments on Security Research Gap Analysis

******************** This Issue Sponsored by NetIQ *******************
Security Webcast Featuring Social Engineering Experts
Join our distinguished panel of security experts, for NetIQ's free
security webcast-"People & Policies: Turning Your Weakest Security
Link into a First Line of Defense."
Register now.


$4.7 Billion Budgeted for Federal IT Security (21 January 2003)

President Bush will ask Congress for $59 billion in new information technology spending in his FY 2004 budget. $4.7 billion of that is targeted for computer security.

Virus Writer Jailed for Two Years (21 January 2003)

Simon Vallor, a Welsh web designer, was jailed for 24 months for writing and spreading viruses. This sentence is four months longer than the one given in the US to David Smith, author of Melissa.

Rumsfeld Orders Material Removed from Web (16 January 2003)

Defense Secretary Donald Rumsfeld has issued an order restricting what information is to be available on armed forces web sites. An al Qaeda training manual found in Afghanistan indicates the group used US military web sites to gather information.
[Editor's Note (Ranum): Some of us pointed this out back in the early 1990's, when (for example) Ft Huachuca posted intelligence analysts' training manuals on the web. It's sad that something so obvious had to go as high as the SecDef. (Denning): The DoD has been cracking down on this since at least 1998. See the 1998 memo from the secdef on information vulnerability on the web. The official DoD policy on web content (issued Nov 98 and updated Jan 02) is at ]

Ohio State Computer System Overwhelmed with 11 Million e-Mails (15 January 2003)

Police believe they know who is responsible for sending 11 million e-mail messages into Ohio State University's computer system. The attack made Internet access difficult and delayed e-mail delivery for several days.

Microsoft to Share Windows Source Code (15 January 2003)

Microsoft will share Windows source code with governments and international organizations to allow them to conduct security reviews. Participants in the Government Security program will also be able to visit Microsoft's development facilities.


************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Fortinet's ASIC-powered Antivirus Firewalls stop viruses in real
(2) Bulletin: Instantly stop DDoS attacks and port scans.
(3) BE OFFENSIVE. Don't react to network intrusions. Actively prevent
them. FREE WP (White Paper).
SANS Local Mentor Programs begin in 31 cities in 5 countries
during the next 16 days. Details and schedule at the SANS Web site:


Peer-to-Peer Hydra Worm Claim is a Hoax (14/16 January 2003)

A hacking group called Gobbles Security admitted that its claim to have been hired by the Recording Industry Association of America (RIAA) to create a worm to infect peer-to-peer file sharing networks was a hoax. However, the phony announcement included a description of a real security flaw and source code to exploit it; the flaw could be exploited to delete files on Unix-based computers.

Study Shows Old Drives Not Adequately Cleaned (15/16 January 2003)

According to a study conducted by two MIT graduate students, people who sell their old disk drives are not doing an adequate job of ensuring that the information they hold is removed. Of 158 drives purchased on eBay or from computer salvage stores, only 12 had been appropriately sanitized; the rest were either broken or contained personal data that was easy to recover and read. The report says people need to be better educated about methods for removing their data from drives they are selling.
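The practical check behind that finding is simple: before a drive leaves your hands, read it back and confirm that the wipe actually happened. The program below is an added example written for this page (it is not the MIT students' tooling and not SANS code). It counts zeroed sectors and looks for surviving runs of printable text the way `strings` would; the two sample images at the bottom are constructed, not real drive data, and the 512-byte sector size and 16-character threshold are assumptions.

```c
/* Added example (not from the MIT study or the SANS newsletter): a small
 * check that a drive, read as a file, really came back zeroed. The sample
 * images at the bottom are constructed, not real drive data.
 *
 * Build:  cc -o driveck driveck.c
 * Usage:  ./driveck /dev/sdX      (or ./driveck image.dd)
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BLOCK   512   /* sector size assumed for the zero-block count */
#define MIN_RUN 16    /* a printable run this long is treated as surviving text */

/* Number of complete BLOCK-sized blocks in buf that are entirely zero. */
size_t count_zero_blocks(const unsigned char *buf, size_t len)
{
    size_t zero = 0;
    for (size_t off = 0; off + BLOCK <= len; off += BLOCK) {
        size_t i = 0;
        while (i < BLOCK && buf[off + i] == 0)
            i++;
        if (i == BLOCK)
            zero++;
    }
    return zero;
}

/* Length of the longest run of printable ASCII (plus tab/newline) in buf,
 * i.e. what `strings` would surface. A long run means data survived. */
size_t longest_printable_run(const unsigned char *buf, size_t len)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        if (isprint(buf[i]) || buf[i] == '\t' || buf[i] == '\n') {
            if (++cur > best)
                best = cur;
        } else {
            cur = 0;
        }
    }
    return best;
}

/* 1 if every complete block is zero and no printable run reaches MIN_RUN. */
int looks_sanitized(const unsigned char *buf, size_t len)
{
    return count_zero_blocks(buf, len) == len / BLOCK
        && longest_printable_run(buf, len) < MIN_RUN;
}

/* Constructed samples: a zero-filled image and one with a fragment of a
 * document left in its first sector (the literal is shorter than the
 * array, so the remaining bytes are zero). */
#define SAMPLE_LEN 4096
const unsigned char sample_wiped[SAMPLE_LEN] = { 0 };
const unsigned char sample_dirty[SAMPLE_LEN] =
    "CONFIDENTIAL: customer list, do not distribute";

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <device-or-image>\n", argv[0]);
        return 2;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) {
        perror(argv[1]);
        return 2;
    }
    static unsigned char chunk[1 << 20];   /* 1 MiB, a multiple of BLOCK */
    size_t n, blocks = 0, zeroed = 0, run = 0;
    while ((n = fread(chunk, 1, sizeof chunk, f)) > 0) {
        blocks += n / BLOCK;
        zeroed += count_zero_blocks(chunk, n);
        size_t r = longest_printable_run(chunk, n);  /* per chunk: a lower bound */
        if (r > run)
            run = r;
    }
    fclose(f);
    printf("blocks %zu, zeroed %zu, longest printable run %zu: %s\n",
           blocks, zeroed, run,
           (zeroed == blocks && run < MIN_RUN) ? "looks sanitized"
                                               : "NOT sanitized");
    return 0;
}
```

A zero check only proves that the sectors the OS can read are blank; remapped or spare sectors are outside its reach, which is why a sanitization policy for sensitive data ends with physical destruction rather than a single overwrite.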

[Editor's Note (Shpantzer): IT assets should be tracked and managed in some sort of formal manner. One way to do this is to use the System Development Life Cycle model (SDLC). This model includes the disposal phase of assets, which should be given due regard in accordance with the data sensitivity, as well as updated to defend against new threats such as advances in forensic recovery techniques. Here is how one agency works with the SDLC: ]

Allstate Banned from On-Line CA DMV Access (16 January 2003)

Allstate Insurance has been banned from checking on line driving records at the California Department of Motor Vehicles after officials discovered that employees at the company were violating confidentiality rules. Among the infractions: a confidential home address of one driver was given to another driver, computer passwords were shared, and false claim numbers were submitted to gain access to friends and family members' records.
[Editor's Note (Grefer): Who'd believe that they're the only ones abusing the system? ]

SPV Phone Vulnerability (16 January 2003)

Microsoft and Orange, a mobile phone operator, are together developing a patch for a vulnerability in the SPV phone, which they market in Europe. The SPV phone is able to run certain downloadable applications; users and developers who were unhappy with the restrictions apparently circulated information about disarming that security feature.

Advice for Choosing a VPN (16 January 2003)

This article describes the differences between trusted virtual private networks (VPNs) and secure VPNs. The article also discusses implementing VPNs, deciding how they will be managed and what to expect to pay for VPN gateways and client software.

Agencies are Encouraged to Use FedCIRC's Patch System (16 January 2003)

Presidential cyber security advisor Richard Clarke and the Office of Management and Budget's (OMB's) associate director for IT Mark Forman both recommend that government agencies make use of the Federal Computer Incident Response Center's (FedCIRC's) security patch distribution service. The Patch Authentication and Dissemination Capability (PADC) could help agencies meet the FISMA requirements. Agencies can enter system profiles and receive information about potential vulnerabilities and how to address them. Patches will be tested and stored to a secure server for agencies to download as needed.

DHCP Buffer Overflow Flaws (16 January 2003)

The Computer Emergency Response Team Coordination Center (CERT/CC) has issued an advisory warning of buffer overflow vulnerabilities in Internet Software Consortium's (ISC) Dynamic Host Configuration Protocol (DHCP) software. DHCP versions 3.0 through 3.0.1RC10 are affected. The ISC has released an update that addresses the flaws.
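The advisory names the bug class but not the mechanism. What follows is an added illustration written for this page, not ISC's DHCP source and not code from the CERT/CC advisory, of what an overflow in option parsing typically looks like next to its bounds-checked form. A DHCP option arrives on the wire as code, length byte, data, with the length chosen by the peer; HOSTNAME_MAX, the parse_hostname_* functions and the option samples are assumptions made for the example.

```c
/* Added example, illustrative only: not ISC's DHCP code and not the code
 * the CERT/CC advisory refers to. A DHCP option is <code><length><data>
 * with the length byte chosen by the peer; copying `length` bytes into a
 * fixed buffer without checking it overruns the buffer. HOSTNAME_MAX and
 * the parse_* functions are assumptions; the samples are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_MAX  64   /* fixed buffer in the hypothetical server */
#define OPT_HOST_NAME 12   /* DHCP option code for Host Name (RFC 2132) */

struct dhcp_option {
    uint8_t code;
    uint8_t len;           /* 0..255, attacker-controlled */
    const uint8_t *data;
};

/* VULNERABLE: trusts opt->len. For len >= HOSTNAME_MAX both the memcpy and
 * the terminator write run past `out` (undefined behaviour, the classic
 * stack overflow). Shown for contrast; never call it on untrusted input. */
int parse_hostname_unsafe(const struct dhcp_option *opt, char *out)
{
    memcpy(out, opt->data, opt->len);
    out[opt->len] = '\0';
    return 1;
}

/* HARDENED: bound the copy so name plus terminator fits, reject embedded
 * NULs (later string handling would silently truncate on them), and return
 * 0 so the caller drops the packet instead of processing garbage. */
int parse_hostname_safe(const struct dhcp_option *opt, char *out)
{
    if (opt->code != OPT_HOST_NAME)
        return 0;
    if (opt->len >= HOSTNAME_MAX)          /* leave room for '\0' */
        return 0;
    if (memchr(opt->data, '\0', opt->len) != NULL)
        return 0;
    memcpy(out, opt->data, opt->len);
    out[opt->len] = '\0';
    return 1;
}

/* Constructed samples (not captured traffic). */
static const uint8_t name_ok[]   = "printer-7";
static const uint8_t name_nul[]  = "print\0er";             /* NUL inside */
static const uint8_t name_long[] =                          /* 80 x 'A' */
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

const struct dhcp_option opt_ok   = { OPT_HOST_NAME, 9,  name_ok   };
const struct dhcp_option opt_nul  = { OPT_HOST_NAME, 8,  name_nul  };
const struct dhcp_option opt_long = { OPT_HOST_NAME, 80, name_long };

/* Scratch buffer used by main() and by the self-check. */
char hostname_buf[HOSTNAME_MAX];

int main(void)
{
    const struct dhcp_option *opts[] = { &opt_ok, &opt_nul, &opt_long };
    for (size_t i = 0; i < 3; i++) {
        int ok = parse_hostname_safe(opts[i], hostname_buf);
        printf("len=%3d -> %s%s\n", opts[i]->len,
               ok ? "accepted: " : "rejected", ok ? hostname_buf : "");
    }
    /* parse_hostname_unsafe(&opt_long, hostname_buf) would write 17 bytes
     * past the end of hostname_buf here; a larger len reaches further. */
    return 0;
}
```

The check that matters is the length comparison before the copy, and it has to account for the terminator; a test suite for any option parser should include a maximum-length option, a 255-byte option, and one with an embedded NUL, because those are exactly the inputs a remote peer can send.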


New Mexico to Deploy Identity Management Program for State Web Access (16 January 2003)

Within the next month, the state of New Mexico plans to implement a centralized identity management program so that employees and citizens can access web applications securely. Administrators will be able to alter employees' profiles, so that if they leave their job, their permissions change at the same time.
[Editor's Note (Schultz): New Mexico's system appears to be a big step forward. Too often organizations neglect revoking access to former employees. Hopefully, the changes in profiles and permissions that New Mexico is implementing will occur soon after employees leave their jobs. ]

Sobig Worm Upgraded (15 January 2003)

Several anti-virus companies have upgraded their warnings for the Sobig worm, which spreads through e-mail and shared folders and affects Windows-based systems.

Spammer's Site Exposes Customer Data (15 January 2003)

A web site operated by a spammer who mass mails people with offers of cheap, pirated software has exposed customer data, leaving it ripe for picking by other spammers.

Mullen Defends Striking Back at Systems Running Worms (13 January 2003)

Tim Mullen defends his "strikeback" position; he believes people should be allowed to "neutralize a worm process" on others' systems. He reasons that if an entity has no responsibility for worms running on their systems without their knowledge, they have no rights to the process, either. In other words, if entities claim their rights were violated by a strikeback, that claim carries with it an acknowledgment of responsibility for the worm's actions.
[Editor's Note (Ranum): "Blame the victim" is not a moral position. (Paller) Whether or not it is moral, blaming the victim may be legal. In the BNA Electronic Commerce Law Report, Raul, Volpe and Meyer write, "Under a tort liability model, security breach victims may be able to seek damages from a company if they can prove the existence of: (1) a reasonable duty of care necessary to prevent security breaches, (2) a breach of that duty, (3) a proximate relationship between the breach of the duty and the injury, and (4) actual loss or damage sustained as a result of the breach."
The problem with Tim Mullen's thesis is that he is not asking for damages from the victim, but for a right to break into the victim's computer. Federal statutes clearly say that is illegal without the victim's permission. (Schultz) Mr. Mullen certainly has the right to his opinions, but frankly, I'm disappointed that a well-respected site like Security Focus would resort to publishing a white paper that advocates the right to become a cyber-vigilante. ]

Instant Messaging Security Risks (13 January 2003)

This article describes the various security threats associated with Instant Messaging clients: worms, backdoors, hijacking, and denial of service. Because the use of Instant Messaging is increasing, the possibility of becoming infected with malware is increasing as well.

Microsoft Will Release APIs to Ensure Longhorn Works Well with AV Products (13 January 2003)

Microsoft is taking steps to ensure that its next-generation operating system, code-named Longhorn, will work well with anti-virus software. The company is releasing approximately 100 APIs to anti-virus vendors, which should help with virus scanning and detection and reduce interference with operating systems and applications.


SANS seeks reviewers for Business Law and Computer Security and for New SSH Step-by-Step

Two consensus research opportunities: The first draft of our new SANS SSH Step-By-Step is ready for review. This work includes configuration, usage and verification steps for SSH. In addition, we are seeking attorneys who are interested in reviewing the first draft of our new SANS one-day course that is slated to become the book Business Law and Computer Security. To participate in either project, please include any relevant experience and credentials along with your bio/resume and respond by February 1, 2003. Selected reviewers who make substantial contributions will receive credit by having their name and organization listed on the inside front cover. In addition, they will receive a free copy of the book.

Dartmouth ISTS Seeks Comments on Security Research Gap Analysis

The Institute for Security Technology Studies (ISTS) is doing an analysis of the gap between needs and available technology for cyber attack investigation. If you have tools that are useful in this field, email Andrew MacPherson at

NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz and Gal Shpantzer
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) visit
To update your address, visit and enter
your SD number or email address (from the header of this email.) You
will receive your personal URL via email.