

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.


Volume V - Issue #37

September 17, 2003


DHS Announces Creation of US-CERT
Amit Yoran Named DHS Cyber Security Chief
Microsoft Issues Patches for Three Critical RPC Vulnerabilities
Object Data Vulnerability in Internet Explorer


Barclays Bank Tries To Blunt Cyber Scam
Worm Authors Hard to Find
North Carolina Man Allegedly Breached Medical Facility Wireless Network
Federal Agencies Need to Improve Patch Management
Two UK Men Charged With Creating TK Worm
Romanian Man Charged with Spreading MSBlast.F
Lamo Remanded to Parents' Custody
Security Policy Management Tools
Laptop Stolen from Australia's Department of Transport
Putnam Lines Up 11 Hearings on IT
Putnam Dissatisfied with Cybercrime Prosecution Tally
Anatomy of a Penetration Test



DHS Announces Creation of US-CERT (15 September 2003)

The US Department of Homeland Security (DHS) announced that it will establish the US Computer Emergency Response Team (US-CERT), which will work closely with Carnegie Mellon University's CERT Coordination Center. US-CERT will be part of the DHS National Cyber Security Division. The creation of US-CERT will gather into one location the Federal Computer Incident Response Center (FedCIRC), the National Communications System, the former National Infrastructure Protection Center (NIPC) and the DHS watch center. Among US-CERT's objectives is to "assure a 30-minute response time to cybersecurity threats by the end of next year."

Amit Yoran Named DHS Cyber Security Chief (15 September 2003)

Symantec vice-president Amit Yoran has been named cybersecurity chief at the US Department of Homeland Security (DHS).
[Editor's Note (Ranum): Yoran's a smart technical guy, but DHS is a political entity. Will technology or politics win? So far, politics has won every time. (Paller): I'll bet on Yoran. The politicians have had enough of the vendor promises; I think they are ready to back a government security team that can clearly make the case for action. ]

Microsoft Issues Patches for Three Critical RPC Vulnerabilities (11 September 2003)

Microsoft has issued an advisory and a patch for three critical vulnerabilities in the remote procedure call (RPC) protocol in most versions of Windows. Two of the vulnerabilities are buffer overflow flaws that could provide attackers with administrative control of vulnerable computers; the third is a denial-of-service vulnerability. Because the vulnerabilities are similar to the flaw exploited by the ubiquitous MSBlast worm, experts feel it is likely they will soon be exploited. The vulnerabilities affect the following versions of Windows: NT Workstation 4.0, Windows NT Server 4.0, Terminal Server Edition, Windows 2000, Windows XP and Microsoft Windows Server 2003.
[Editors' Note (Northcutt): We know you have run Microsoft update and are patched. That is not enough. Is your mother patched? Your sister and brother? Will you take 20 minutes of your personal time to make sure the neighbor on either side of your house is patched? When someone finally releases a major worm with a destructive payload, it will do as much financial damage as a hurricane. If you are willing to help your neighbor board up their windows, then also be willing to help them get patched. (Paller): I chose to exclude the other editors' comments about Microsoft's security because the comments were hilarious, and this is no laughing matter. Jim Allchin (who has overall responsibility for Windows delivery, engineering and technical architecture) needs to fix this problem, and fix it fast. ]

Object Data Vulnerability in Internet Explorer (9 September 2003)

The Object Data vulnerability affects Microsoft Internet Explorer (IE) versions 5.01, 5.5 and 6.0, and could allow malicious code to be placed on vulnerable machines. Microsoft released an IE patch in August that allegedly fixed this hole along with others, but there is evidence that the vulnerability can still be exploited on machines that have the patch installed. Researchers say there is an exploit for the vulnerability circulating on the Internet.



Barclays Bank Tries To Blunt Cyber Scam (15 September 2003)

Barclays Bank managers have called in the police and set limits on online cash transactions to blunt a cyber scam that has already claimed several of the bank's customers as victims. The scam involves emails directing customers to a fake website that collects data used by the criminals to take money from the customers' accounts.

Worm Authors Hard to Find (13 September 2003)

The anonymous nature of the Internet makes it hard to track down those responsible for writing and releasing computer worms and viruses. Those who have been apprehended, like Melissa author David Smith and MSBlast.B author Jeffrey Lee Parson, left clues to their identities in their code; other malware authors are more scrupulous about hiding their identities.

North Carolina Man Allegedly Breached Medical Facility Wireless Network (12 September 2003)

Clayton Taylor Dillard allegedly broke into the wireless computer network of a North Carolina medical facility, then sent a letter to a local television station that included copies of patient checks and insurance forms, and contacted patients and insurance companies to let them know of the medical facility's weak security practices. Dillard faces criminal charges for his alleged actions; the Raleigh (NC) Police Department Cyber Crime Unit is working with the FBI's Hi-Tech Task Force on the investigation.

Federal Agencies Need to Improve Patch Management (11 September 2003)

Robert Dacey, General Accounting Office (GAO) director for information security issues, says that patch management at federal agencies needs to be improved. Testifying before the House Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee, Dacey spoke of the ever-decreasing window of time between vulnerability disclosure and the availability of an exploit. Larry Hale, director of the Federal Computer Incident Response Center (FedCIRC), says FedCIRC would like to modify its Patch Authentication and Dissemination Capability to include automatic downloads.
[Editor's Note (Schneier): Of course this is a universal problem, not just in the government. ]

Two UK Men Charged With Creating TK Worm (10/11 September 2003)

UK police have charged two men with creating the TK worm, which exploits a vulnerability in Microsoft's IIS Web Server software to take control of vulnerable websites; a patch for the vulnerability has been available since October 2000. The TK worm allegedly caused $8.75 million worth of damage worldwide. The alleged authors, Jordan Bradley and Andrew Harvey, are believed to be members of a known cracking group.

Romanian Man Charged with Spreading MSBlast.F (10/11 September 2003)

Romanian police confirmed that Dan Dumitru Ciobanu has been charged with spreading MSBlast.F, a variant of the MSBlast worm that spread rampantly in August. The police say Ciobanu has admitted spreading the worm, but that he claims it was an accident. Romanian cybercrime law carries a sentence of between 3 and 15 years for such offenses. He is not in custody.

Lamo Remanded to Parents' Custody (9/10/13 September 2003)

A federal judge in Manhattan has allowed Lamo to remain free on the $250,000 bond his parents posted; he must also stay with his parents. The judge limited Lamo's use of computers to e-mail and education- and job-search-related activity. Lamo's next hearing is scheduled for October 14. He faces charges for allegedly breaking into the New York Times' internal computer network.

Security Policy Management Tools (10 September 2003)

This article describes system security policy management tools and offers a five-step implementation procedure: establish a policy; identify the systems to be secured; schedule an audit; assess the results; and, based on those results, change and/or patch systems to bring them into compliance. The author also lists several aspects to consider when choosing a security policy management tool.

Laptop Stolen from Australia's Department of Transport (10 September 2003)

Thieves used a swipe card to enter the Canberra (Australia) headquarters of the Department of Transport and steal cash, office equipment and a laptop computer that contains information about Australia's maritime security. Australian federal police are investigating. Last month, thieves stole two Customs computers from the Sydney airport.

Putnam Lines Up 11 Hearings on IT (8 September 2003)

Representative Adam Putnam (R-Fla.), chairman of the House Government Reform subcommittee on Information Technology, Information Policy, Intergovernmental Relations and the Census, has planned eleven hearings on IT over the next two months. Topics to be addressed include cybersecurity common criteria, supervisory control and data acquisition (SCADA) systems and "the Homeland Security Department's IT investment strategy and enterprise architecture plan."

Putnam Dissatisfied with Cybercrime Prosecution Tally (10 September 2003)

At a hearing, Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census chairman Adam Putnam (R-Fla) said that the discrepancy between the number of worms and viruses released every year and the number of related arrests and prosecutions suggests that the Justice Department is not taking the problem of computer crime seriously enough. Deputy assistant attorney general John Malcolm responded that the Justice Department places a high priority on such cases, but pointed out that many malware writers are adept at maintaining their anonymity. Putnam was also critical of the Organization for Internet Safety's (OIS) exclusion of the government from any role in their vulnerability reporting guidelines.

Anatomy of a Penetration Test (8 September 2003)

This article provides a detailed account of one security consultant's "sanctioned break-in" of a company's computer system. The consultant begins by gathering information about the company on Google; he finds job listings and requirements that offer clues to the software and systems the company is running. He also uses various network analysis and scanning tools to uncover vulnerabilities in the company's system.

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, Marcus
Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit