DFIRCON - Live Online: The ALL Digital Forensics, Threat Hunting and Incident Response Training Event. Save $300 thru 10/7.

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume V - Issue #36

September 10, 2003


Karen Evans Nominated for The Top US Government IT Position
ISPs Could Block Ports to Reduce Spread of Malware
Colleges Cracking Down on Infected Student Computers
NRC Issues Security Warning to Plant Operators


Web Hosting Company's Sites Infected With Malicious Code
Two Computers Stolen From Sydney Airport in Broad Daylight
FBI Cyber Division Looking at Computer Logs in Blackout Investigation
Lamo May Surrender to FBI
FTC Report Indicates 10 Million Americans Were Victims of ID Theft Last Year
Tech Trade Group to Address ID Theft
Blast of Worms Prompts Rethinking of Traditional Anti-Virus Methods
Man Pleads Guilty to Password Trafficking
Romanian Student Arrested for Allegedly Releasing MSBlast Variant
Microsoft Issues Patches for Five Vulnerabilities
Parson Claims He Was Helping Feds
DOD Will Incorporate Biometrics Into Security Measures by 2010
August Was a Big Month for Worms
Half of Americans Fear Cyber Attacks
Navy Investigating NMCI Infection
Does Sobig Have Anything to do with DDoS Attacks on Anti-Spam Sites?
NIST Draft Special Publication 800-38C: CCM Mode
Justice Official Calls For Parents To Educate Children On Cyber Ethics



*****This Issue Brought To You By LURHQ Managed Security Solutions*****
Sobig variants have been plaguing organizations since the beginning of
the year. Each new version brings an ever-increasing flood of spam,
placing enormous strains on corporate networks.
Learn how Sobig operates and how you can protect your organization by
reading this analysis of the Sobig family:


Karen Evans Nominated for The Top US Government IT Position (3 September 2003)

President Bush says he will nominate Karen Evans to replace Mark Forman in the position of federal government technology chief in the Office of Management and Budget (OMB). Evans is currently the Department of Energy's chief information officer (CIO).
[Editor's Note (Paller): Karen Evans' selection as the top IT person in government will prove to be a defining moment in the fight against cybercrime. For years experts have called on the federal government to become a model of cyber security leadership. No one in the country is better suited to make that happen. ]

ISPs Could Block Ports to Reduce Spread of Malware (8 September 2003)

A report written by Johannes Ullrich, SANS Internet Storm Center CTO, proposes that Internet service providers (ISPs) block access to "commonly exploited" communications ports on customers' computers. While it would not prevent all Internet threats, it could address a bulk of the problems. The four ports, 135, 137, 139 and 445, are not necessary for most Internet use. The proposal is aimed at ISPs that serve individual customers and universities, not those that serve corporate customers.
[Editor's Note (Ranum): It's good that we are finally reinventing "default deny"! Historically, though, this has been countered by unsupported claims of reduced performance due to router filtering rules ]

Colleges Cracking Down on Infected Student Computers (4 September 2003)

Colleges and universities across the United States are taking extra precautions against computer worms and viruses and passing some of that responsibility and liability off to the students. Oberlin College (Ohio) students will be fined $25 if they inadvertently spread a virus. At some institutions, students have to prove they've had their computers "cleaned" of viruses before they're allowed to connect to the school's network. Virginia's George Mason University cut Internet access for all 3,600 students; too few students confirmed that the computers they brought to school had all necessary security upgrades. Some schools require that all students have their computer checked for viruses.
[Editor's Note (Schultz): I'm glad to see that universities are starting to adopt measures such as these. Having users take responsibility for their own computers is a big part of a successful security strategy. (Schneier): I suspect part of the problem is the multiplicity of operating systems and setups. But providing or requiring purchase of a uniform version of one brand of antivirus software would seem to be a major step in the right direction. ]

NRC Issues Security Warning to Plant Operators (3 September 2003)

In a nod to the need to address computer security in the nuclear power industry, the US Nuclear Regulatory Commission (NRC) has issued an Information Notice to plant operators; the notice describes the problems faced by the Davis-Besse nuclear power plant when the Slammer worm infected the plant's computer network. The notice does not provide any recommendations.
[Editor's Note (Schneier): Biometrics for authentication is an appropriate use of the technology. ]

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
1) Stop Network Attacks versus just Detecting. Intrusion Prevention
Essentials White Paper
source. FREE Demo.
(3) WHITE PAPER - 10 leading enterprise techniques to control spam ***
request paper


Web Hosting Company's Sites Infected With Malicious Code (5/8 September 2003)

Thousands of websites hosted by Atlanta, Georgia-based Interland Inc. became infected with malicious code due to an "administrative error." The code caused an executable to be downloaded to the computers of those who visited the site; that program in turn downloaded proxy servers onto the infected computers.

Two Computers Stolen From Sydney Airport in Broad Daylight (5 September 2003)

Two men posing as technicians got past security at cargo processing and intelligence center at Sydney International Airport, gained access to the top security mainframe room, and made off with two computers, wheeling them out of the room on a cart. Australian Customs service said "no sensitive operational data
[were ]
lost." The theft occurred on August 27th; Customs neglected to mention the incident at a recent parliamentary inquiry.
[Editor's Note (Schneier): A useful reminder that computer-related theft doesn't have to be high-tech. ]

FBI Cyber Division Looking at Computer Logs in Blackout Investigation (5 September 2003)

FBI counterterrorism chief Larry A. Mefford said his agency's cyber division "has found no indication to date that the blackout was the result of a malicious computer-related intrusion or any sort of computer worm or virus attack." However, the group is examining utility control computer logs to investigate the possibility of insider involvement.
[Editor's Note (Schneier): This looks more like an attempt to spread FUD than anything. If people hear "there's no clear evidence that the blackout was related to cyberterrorism" often enough, they are then going to assume that it was in fact related, and the proof is being kept secret? (Grefer): Historically, the focus of utility control computer logs has been on tracking operational data. There has been very little emphasis on information security aspects in this particular industry. Consequently, it would be difficult to find such indications, and the focus of the investigation would as a result shift to readily available data. ]

Lamo May Surrender to FBI and is Booked (5/8 September 2003)

FBI agents carrying a federal arrest warrant for Adrian Lamo went to his parents' house in Sacramento, California looking for him. An attorney for Adrian Lamo negotiated his surrender to the FBI and he was booked. It is likely related to his high-profile break-in to a New York Times computer system last year." Lamo is well known for finding security holes in various big companies' systems making them public and then offering to help fix them. His intrusions are quite likely violations of the Computer Fraud and Abuse Act.

FTC Report Indicates 10 Million Americans Were Victims of ID Theft Last Year (3/4 September 2003)

Nearly 10 million people in the United States were victims of identity theft in the last 12 months, according to a recently released report from the Federal Trade Commission (FTC). Only 13% of those surveyed said that the identity theft was due to using a credit card on the Internet; the remainder attributed the thefts to lost wallets or family members and acquaintances. The FTC based these statistics on a random telephone survey of 4,057 adults taken this spring.


Tech Trade Group to Address ID Theft (2 September 2003)

The Coalition on Online Identity Theft, a technology trade group which includes Microsoft, eBay, Amazon.com and Visa USA, plans to start an identity theft consumer awareness program. The coalition also plans to provide on-line advice for "preventing on line theft" and work with the government to make sure cyber thieves are appropriately punished.

Blast of Worms Prompts Rethinking of Traditional Anti-Virus Methods (3/4 September 2003)

Not only have MSBlast, its variants and the Sobig.F worm caused companies to spend more of their budgets on IT security, but the worms have also made organizations rethink traditional security methods and adding layers to their security models. Heuristic antivirus detection, which is behavior rather than signature based, did a good job of detecting Sobig.F because the worm acted much like spam. Support for this shift in anti-virus thinking is borne out by research conducted at Hewlett-Packard's Bristol (UK) laboratories which indicates that current anti-virus methods are not effective because large numbers of infections can occur before new anti-virus signatures become available. Hewlett-Packard researcher Matthew Williamson's research showed that even if a virus signature is available from the moment that virus is released, viruses can now spread rapidly enough that the availability of the signature will not stem the tide of infection.
[Editor's Note (Grefer): Heuristic antivirus detection has been commercially available since the 80s. While heuristic methods can be very helpful in detecting unusual patterns, commonly they also lead to a substantial number of false positives. ]

Man Pleads Guilty to Password Trafficking (3 September 2003)

A former American Eagle Outfitters employee has pleaded guilty to password trafficking and computer damage aimed at hurting the company's business. Kenneth Patterson of Greensburg, PA, allegedly posted American Eagle Outfitters password information on the Internet; he also posted information about how to break into the company's computer system. Patterson could receive a sentence of 11 years in prison or a fine of $350,000 or both; sentencing is set for December 2.

Romanian Student Arrested for Allegedly Releasing MSBlast Variant (3/5 September 2003)

A Romanian student has been arrested for allegedly releasing MSBlast.F, a variant of the MSBlast or Lovsan worm that spread rampantly in August. If convicted, 24-year-old Dan Dumitru Ciobanu could face between 3 and 15 years in prison under new Romanian cyber crime laws. He is not the author of the original MSBlast worm.

Microsoft Issues Patches for Five Vulnerabilities (3 September 2003)

Microsoft has released a patch for a critical buffer overflow flaw in its Office software as well as in any applications that use Microsoft Visual Basic for Applications. The flaw could be exploited through specially crafted documents to execute code on a vulnerable computer. The patch addresses five flaws, one of which was accidentally discovered by an end user.
[Editor's Note (Grefer): Users of Microsoft's email products would be well advised to patch their systems asap, since the simple forwarding of an infected file can result in execution of the malicious code. Here is the corresponding section of Microsoft Security Bulletin MS03-037:
"When Microsoft Word is being used as the HTML e-mail editor in Outlook, a user would need to reply to or forward a malicious e-mail document sent to them in order for this vulnerability to be exploited." ]

Parson Claims He Was Helping Feds (3 September 2003)

Jeffrey Lee Parson, the Minnesota teenager arrested in connection with the MSBlast.B worm, said in an off-camera interview that the government has exaggerated the case against him. He also takes exception to the media's portrayal of him as a depressed loner with no respect for authority. Parson maintains that he believed he was helping the government in their attempt to track down the author of the original and much more virulent form of the worm. In addition, Parson claims he was never read his Miranda rights.

DOD Will Incorporate Biometrics Into Security Measures by 2010 (2 September 2003)

The Defense Department's (DOD) Biometrics Management Office (BMO) has released as a memo outlining the steps it plans to take toward incorporating biometric identification technology into physical and data access security on both classified and unclassified systems by 2010 as a part of a multilayered security strategy. The memo, dated August 25 of this year and signed by deputy secretary of Defense Mark Wolfowitz, will eventually be incorporated into a directive and implementation instructions.

August Was a Big Month for Worms (1/2 September 2003)

The rampant spread of the MSBlast and Sobig.F worms in August made it one of the worst months ever for infections. At Sophos, the top four entries on the monthly virus list are all new, and any one of them would have been first on the list in any other month.

Half of Americans Fear Cyber Attacks (1 September 2003)

In a Federal Computer Week/Pew Internet & American Life Project poll conducted prior to the August 14 blackout, 49% of Americans surveyed said they were afraid of cyberattacks on the nation's critical infrastructure.

Navy Investigating NMCI Infection (29 August 2003)

The Navy has launched an inquiry aimed at finding out how the Welchia worm found its way into the Navy Marine Corps Intranet (NMCI). This is the first infection the NMCI has suffered since users began switching over from legacy systems in 2001. The Naval Network Warfare Command, which is leading the investigation, is focusing largely on the events that led up to the infection; the Navy's response to the worm was effective as they managed to contain the infection rather quickly.

Does Sobig Have Anything to do with DDoS Attacks on Anti-Spam Sites? (29 August 2003)

A number of major anti-spam websites have fallen prey to distributed denial of service (DDoS) attacks in recent months; some believe there is a correlation between the attacks and the proliferation of the Sobig worm. A Sobig variant discovered in June turns infected machines into open proxies, which are capable of sending out spam. Those infected computers could also be used to launch DDoS attacks like those aimed at the Spam Prevention Early Warning System (spews.org), the Spam Open Relay Blocking System (sorbs.net) and Osirusoft, which has ceased operation.

NIST Draft Special Publication 800-38C: CCM Mode

Draft Special Publication 800-38C, "Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality," is now available for review at
The draft specifies the CCM mode of operation of the Advanced Encryption Standard (AES) algorithm. CCM combines the counter authentication code (CBC-MAC) technique for authentication and data integrity. The specification of CCM is intended to be compatible with the use of CCM within the draft IEEE 802.11i standard. NIST welcomes public comments until October 20, 2003. Send comments to EncryptionModes@nist.gov.

Justice Official Calls For Parents To Educate Children On Cyber Ethics

Marti Stansell-Gamm, head of the Justice Department's Computer Crime and Intellectual Property Section, says parents should pay more attention to what their kids are doing online.



The results of the SAGE/SANS/BigAdmin salary survey for individuals have arrived. This year's most interesting result is that those who are employed are, in general, continuing on reasonable compensation paths. The 68 page summary is packed with graphs, charts, and analysis. The accompanying set of comments illuminates some of the issues on the minds of the almost 10,000 respondents. The results are available to SANS portal members only. You may visit
to establish your personal portal account. Then login in to the portal to view the survey data.

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, Marcus
Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit