SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #30
July 30, 2003
TOP OF THE NEWS
Judge Orders US Dept. of Interior to Sever Internet Connections
Exploit Code Released for Widespread Windows RPC Vulnerability
Researchers Find Flaws in Electronic Voting Software
Man Put Keystroke Loggers on Kinko's Terminals
THE REST OF THE WEEK'S NEWS
Verizon Wireless Web Site Flaw Repair Causes Other Problems
Japanese Ministry Cancels Hacking Contest
Oracle Warns of E-Business Suite Vulnerabilities
Concerns About DOD Systems Security
34 States are Considering or Have Passed Information Security Laws
Banking Committee Report Lists Risk Management Principles
The Pros and (Mostly) Cons of Bringing in the Authorities After a Cyber Attack
Paper Describes Method for Cracking Windows Passwords
FTC Settles Case Against Teen AOL Fraudster
Transportation Security Administration Laptop Stolen
Australian Internet Industry Association Cybercrime Code Draft
Worm Author Vallor Denied Sentence Reduction
BANKS AND CYBERCRIME
Wells Fargo Customers Receive Fraudulent e-Mail
South African Police Questioning Suspect in Absa Account Thefts
Russian Cyber Thief Sentenced to Four Years in Prison
TOP OF THE NEWS
Judge Orders US Dept. of Interior to Sever Internet Connections (28 July 2003)
US District Court Judge Royce Lamberth has issued a preliminary injunction ordering the Department of the Interior to disconnect its systems from the Internet; exceptions are allowed for systems "essential for protection against fires or other threats to life or property." The Department has 10 days in which to identify and certify those "essential" systems and to justify keeping them on-line. Systems that do not connect to American Indian trust data are also exempt. The injunction supersedes a temporary restraining order entered in late June. It was sought by the plaintiff in Cobell v. Norton to protect American Indian trust accounts from cyber intrusions.
Exploit Code Released for Widespread Windows RPC Vulnerability (25 July 2003)
At least one hacker group has released code to exploit a Windows flaw that allows remote break-ins, raising concerns that attacks will soon follow if they have not already begun. Microsoft released an advisory for the RPC component buffer overflow flaw on July 16.
[Editor's Note (Paller): This Windows vulnerability affects substantially all Windows operating systems other than Windows 95 and 98. That means hundreds of millions of machines are vulnerable. If you have not yet instituted an enterprise-wide program to find and eliminate this vulnerability -- covering all systems that connect to your network, including those used by your employees at home and by your business partners at work and at home - now is the time. Microsoft's latest advisory on this vulnerability:
Researchers Find Flaws in Electronic Voting Software (24/25 July 2003)
Researchers at Johns Hopkins University and Rice University have discovered a number of vulnerabilities in a Diebold electronic voting system. The software could allow people to cast multiple ballots, change votes cast by others or even shut down an election early. The researchers found the software on a Diebold web site and believe it is close to what the company is running on the systems it has sold. Diebold electronic voting systems have been used in elections in Maryland, Georgia, Kansas and California. Diebold says the software the researchers examined was outdated and was never used in an election.
[Editor's Note (Schultz): Even if Diebold's claim that the flawed voting system was never used proves correct, the researchers' discoveries will further undermine public confidence in voting systems. Voting systems have a long way to go if they are ever going to gain widespread public acceptance. (Ranum): The fact that the researchers used out-of-date code may illustrate another key point about "security researchers." They sometimes search for and find and publish information about flaws in software that was never used or has not been used in years. When I was CEO of NFR we had several situations where "security researchers" (hackers) threatened to release vulnerability information about code that, in some cases, was 2+ years out of date, and about which they had misunderstood the functionality. But they wanted to grandstand for media attention anyhow. Who should the end user believe in this kind of situation? Unfortunately, there's no reason to trust the "security researchers" OR the vendors because their agendas are not aligned and there is nothing to keep either party honest. This is why the whole economy of vulnerability disclosure is intellectually - to say nothing of morally - corrupt. ]
Man Put Keystroke Loggers on Kinko's Terminals (18/23 July 2003)
Juju Jiang pleaded guilty to charges stemming from his installing keystroke logging software on Internet terminals at Kinko's in New York City. He used the information he harvested to open on-line accounts.
THE REST OF THE WEEK'S NEWS
Verizon Wireless Web Site Flaw Repair Causes Other Problems (26 July 2003)
A flaw in the Verizon Wireless web site could have allowed people to view other customers' cell phone numbers and text messages. Confirmation messages received by people sending text messages through the Verizon web site include a unique identification code; altering a character or two in that code gave access to other Verizon customers' information. Verizon has fixed the problem, but people who send messages through the web site now see a string of asterisks in place of the recipient's phone number, so they cannot confirm that the message went to the correct number.
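The Verizon flaw is a missing authorization check on a guessable identifier: the confirmation page trusted the id alone, and the fix hid the phone number instead of checking who was asking. The following Python is an added illustration written for this issue, not code from Verizon or from the story; the MessageStore class, its method names and the sample users and numbers are all constructed. It shows the weak scheme (sequential id, no ownership check), the masking "fix", and the check that actually closes the hole while still letting the sender see where the message went.

```python
import secrets


class MessageStore:
    """Constructed model of a web site's outgoing text-message log."""

    def __init__(self):
        self._messages = {}     # confirmation id -> record
        self._next_seq = 1000   # sequential counter used by the weak scheme

    def send_insecure(self, sender, recipient_number, text):
        # Weak: a short sequential id. A user who sees their own id can
        # change a digit or two and name a neighbour's record.
        mid = str(self._next_seq)
        self._next_seq += 1
        self._messages[mid] = {"sender": sender, "to": recipient_number, "text": text}
        return mid

    def send_secure(self, sender, recipient_number, text):
        # 128 bits from the OS CSPRNG: editing a character yields an id that
        # almost certainly does not exist. This alone is not enough, though.
        mid = secrets.token_urlsafe(16)
        self._messages[mid] = {"sender": sender, "to": recipient_number, "text": text}
        return mid

    def confirmation_insecure(self, mid):
        # The flaw: any valid id returns any record; nobody checks that the
        # requester is the one who sent the message.
        rec = self._messages.get(mid)
        if rec is None:
            return None
        return {"to": rec["to"], "text": rec["text"]}

    def confirmation_masked(self, mid):
        # The kind of repair described in the story: the number is hidden,
        # but the text is still served to whoever supplies a valid id.
        rec = self._messages.get(mid)
        if rec is None:
            return None
        return {"to": "*" * len(rec["to"]), "text": rec["text"]}

    def confirmation_secure(self, mid, requester):
        # Correct fix: an object-level authorization check. Missing and
        # foreign ids get the same answer so the id space cannot be probed.
        rec = self._messages.get(mid)
        if rec is None or rec["sender"] != requester:
            return None
        # The sender may see the full recipient number; nobody else may.
        return {"to": rec["to"], "text": rec["text"]}


def neighbour_id(mid):
    """Model the attacker's move: alter the id by one (sequential ids only)."""
    return str(int(mid) + 1)


if __name__ == "__main__":
    store = MessageStore()
    alice = store.send_insecure("alice", "555-0100", "running late")
    bob = store.send_insecure("bob", "555-0199", "meet at 5")
    print("attacker with alice's id reads bob's message:",
          store.confirmation_insecure(neighbour_id(alice)))
    print("masked fix still leaks the text:",
          store.confirmation_masked(neighbour_id(alice)))
    print("ownership check refuses:",
          store.confirmation_secure(bob, "alice"))
    print("and still shows the sender the number:",
          store.confirmation_secure(bob, "bob"))
```

The unpredictable id reduces the exposure from trivial to improbable, but only the ownership check makes it zero; the two belong together, and neither requires hiding the recipient number from the person who typed it.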
Japanese Ministry Cancels Hacking Contest (25 July 2003)
Japan's Economic, Industry and Trade Ministry has scrapped plans to hold a "hacking contest" after receiving complaints that it appeared the government was endorsing hacking.
[Editor's Note (Ranum): Score one for the good guys. ]
Oracle Warns of E-Business Suite Vulnerabilities (24 July 2003)
Oracle has released warnings about three security vulnerabilities in its products. The two most serious flaws are both in Oracle's E-Business Suite. The first could allow an attacker to view configuration and host-system information; the second is a buffer overflow flaw that could allow attackers to run arbitrary code on vulnerable machines. Oracle also reiterated an earlier warning about a handful of flaws in its application server.
Concerns About DOD Systems Security (24 July 2003)
Testifying before the House Armed Services Committee's Subcommittee on Terrorism, Unconventional Threats and Capabilities, several security experts expressed concern about the Department of Defense's (DOD) reliance on off-the-shelf software. In addition, the same software is used across many DOD systems; if a security flaw is found in the software, then all those systems are vulnerable to attack. Microsoft chief security strategist Scott Charney said using the same software across the board could simplify patching. Charney added that vulnerabilities will exist no matter what operating system is used.
[Editor's Note (Paller): The benefits of software diversity are insufficient to balance the benefits of common configurations, namely lower cost of training and management and more rapid updating/patching. ]
34 States are Considering or Have Passed Information Security Laws (23 July 2003)
According to a report from the National Council of State Legislatures, at least 24 states have introduced legislation regarding information security, and 10 states have passed information security laws.
Banking Committee Report Lists Risk Management Principles (23 July 2003)
The Basel Committee on Banking Supervision has published a report calling for better security for and management of e-banking. The report includes a list of 14 risk management principles, among them monitoring and auditing third-party contractors and authenticating users in e-banking transactions.
The Pros and (Mostly) Cons of Bringing in the Authorities After a Cyber Attack (23 July 2003)
If companies call in the authorities after a cyber attack, they should be prepared to cooperate. Calling in law enforcement means surrendering control of the prosecution, and could mean the seizure of essential equipment.
[Editor's Note (Schneier): Can't the writer of the article come up with a better example than the Steve Jackson Games bust? That was 14 years ago; hasn't there been a fair amount of case law since then? Not to mention that it's not even on point, since that wasn't a case of calling in the authorities. ]
Paper Describes Method for Cracking Windows Passwords (23 July 2003)
Swiss researchers have released a paper describing a method by which an attacker with a great deal of memory can cut the time needed to crack a Windows alphanumeric password to about 13.6 seconds. The method trades storage for time: large lookup tables are precomputed once, and each subsequent crack becomes a table lookup plus a short recomputation rather than an exhaustive search. The researchers have posted a web page on which people can test the technique; users must submit their password hashes (which anyone with administrator privileges can read from the hard drive), and the site sends the hash and the recovered password to the user's e-mail address. It is unclear whether the researchers plan to release their code.
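The idea behind the lookup tables is a time-memory trade-off: instead of storing every (password, hash) pair, the precomputation walks long chains of hash-then-reduce steps and keeps only each chain's start and end, then regenerates the one chain that matters at crack time. The following Python is an added worked example, not code from the paper or from this newsletter, and it does not claim to reproduce the researchers' exact construction. It builds a rainbow-style table (the reduction function depends on the column, so chains that collide in different columns do not merge) over a toy keyspace of four lowercase letters. MD5 stands in for the Windows hash because the standard library has no DES; the keyspace, chain length and table size are assumptions chosen so it runs in seconds.

```python
import hashlib
import random

# Toy keyspace (assumption for this example): 4 lowercase letters, 456,976 candidates.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 4
KEYSPACE = len(ALPHABET) ** LENGTH
CHAIN_LEN = 100      # hashes per chain: the "time" side of the trade-off
NUM_CHAINS = 2000    # (start, end) pairs stored: the "memory" side


def H(password: str) -> bytes:
    """Stand-in for the Windows password hash; the table technique is hash-agnostic."""
    return hashlib.md5(password.encode("ascii")).digest()


def reduce_hash(h: bytes, column: int) -> str:
    """Map a hash back into the keyspace. Mixing in the column index is what
    makes this a rainbow table rather than a classic single-reduction table."""
    n = (int.from_bytes(h[:8], "big") + column) % KEYSPACE
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def chain_passwords(start: str) -> list:
    """p_0 .. p_{t-1}: the passwords whose hashes one chain can recover."""
    ps = [start]
    for col in range(CHAIN_LEN - 1):
        ps.append(reduce_hash(H(ps[-1]), col))
    return ps


def chain_end(start: str) -> str:
    """p_t, the endpoint that is stored in place of the whole chain."""
    p = start
    for col in range(CHAIN_LEN):
        p = reduce_hash(H(p), col)
    return p


def build_table(seed: int = 1) -> dict:
    """Precomputation: NUM_CHAINS * CHAIN_LEN hashes, but only endpoints kept."""
    rng = random.Random(seed)
    table = {}
    for _ in range(NUM_CHAINS):
        start = "".join(rng.choice(ALPHABET) for _ in range(LENGTH))
        table[chain_end(start)] = start   # chains sharing an endpoint merge (lost coverage)
    return table


def crack(table: dict, target: bytes):
    """Online phase: at most t*(t-1)/2 hashes instead of up to |keyspace|."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target = H(p_i) in some chain. Finish that chain from column i.
        p = reduce_hash(target, i)
        for col in range(i + 1, CHAIN_LEN):
            p = reduce_hash(H(p), col)
        start = table.get(p)
        if start is None:
            continue
        # Endpoint matched: either a hit or a false alarm from a merged chain.
        # Regenerate the chain from its start and check column i.
        cand = start
        for col in range(i):
            cand = reduce_hash(H(cand), col)
        if H(cand) == target:
            return cand
    return None


if __name__ == "__main__":
    table = build_table()
    # Pick a password known to lie on a stored chain so the demo always succeeds.
    victim = chain_passwords(next(iter(table.values())))[37]
    print("target hash:", H(victim).hex())
    print("recovered:", crack(table, H(victim)), "expected:", victim)
```

With these sizes the table holds 2,000 entries yet covers up to 200,000 of the 456,976 candidates, and a crack costs under 5,000 hash computations; scaling the chain length up and the table out is how the paper's approach reaches a full alphanumeric Windows keyspace. Any password on a stored chain is recovered deterministically; a password on no chain (or on a chain lost to an endpoint merge) is missed, which is why real tables are built with far more chains than the keyspace divided by the chain length.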
FTC Settles Case Against Teen AOL Fraudster (21 July 2003)
The Federal Trade Commission (FTC) has settled a case against a teenager who used spam and a phony AOL web page to trick people out of their credit card and other personal data. The teenager has agreed to pay back the $3,500 he stole and never again to send spam. EarthLink, the FBI and the FTC have issued a statement indicating that such scams are on the rise.
Transportation Security Administration Laptop Stolen (21 July 2003)
A Transportation Security Administration laptop was stolen from a staffer's car; officials are concerned because the computer contains personal information about airport baggage and passenger screeners which could be used to steal identities if it were to fall into the wrong hands. The laptop is protected by a number of security measures.
[Editor's Note (Ranum): Most such security measures are worthless if the laptop physically falls into someone else's hands. ]
Australian Internet Industry Association Cybercrime Code Draft (21 July 2003)
Australia's Internet Industry Association has released a draft cybercrime code of conduct, which aims to clarify ISPs' responsibilities regarding data retention and assistance to official investigators.
URL to download the IIA draft is:
[Editor's Note (Northcutt): The data retention statement for personal data is based on other legislation and is seven years which is at least two years too long. When you consider how many businesses fail, or are acquired, how many people move or change their information, how much technology changes and fails, the data that survives will be of low value by seven years. In addition, a substantial number of businesses will not be in compliance with the legislation. ]
Worm Author Vallor Denied Sentence Reduction (21 July 2003)
An appeal to reduce the prison sentence of 22-year-old Simon Vallor, who admitted authoring and releasing the Gokar, Redesi and Admirer worms, was dismissed. Despite arguments from Vallor's counsel that he did not realize how much damage the worms would do, Mr. Justice Aikens said Vallor's actions were "calculated and disruptive."
BANKS AND CYBERCRIME
Wells Fargo Customers Receive Fraudulent e-Mail (23 July 2003)
Some Wells Fargo customers have reported receiving e-mail messages that appeared to be about new accounts and that included an attachment which, if launched, harvested passwords from the infected machine and sent them to a third party.
South African Police Questioning Suspect in Absa Account Thefts (21/25 July 2003)
Western Cape (South Africa) police are holding a suspect for questioning regarding money illegally transferred from Absa bank customers' accounts. The suspect allegedly sent the bank customers "spy software" that harvested their bank account numbers and PINs.
Russian Cyber Thief Sentenced to Four Years in Prison (24 July 2003)
Aleksey Vladimirovich Ivanov, the Russian man who pleaded guilty to a number of cybercrimes, has been sentenced to four years in federal prison. Ivanov and another Russian man broke into e-banking and e-commerce computers, stole credit card numbers and other personal data of customers, and attempted to extort money from companies with threats of publishing the private data on the Internet or deleting data.
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, Marcus
Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit