SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #40
October 08, 2003
Two chances to participate:
$200 Reward for a New Name for the Vulnerability Newsletter
The most useful security vulnerability report needs a name. If you are
the first to suggest the name that is selected, you win $200. Runners
up get books or other prizes. Here's why the newsletter is so useful:
Each week, several of the top security analysts in the US and Europe
work together to (1) agree on the most critical new vulnerabilities,
(2) analyze them to determine what they impact and how to block them,
(3) determine what a dozen of the largest user organizations in the
world have already done to protect their users, and (4) summarize it
all in a quick reference report. They also provide a complete list of
all newly discovered vulnerabilities. Send your name suggestion to
email@example.com with subject "Newsletter naming contest." If you want to
subscribe to the newsletter (it is a free service of SANS), go to
www.sans.org/newsletters/ and select the Critical Vulnerability
Analysis. That's the name that we are trying to change.
The Center for Internet Security is working on a project for the US
department of Defense to map professional certifications to cyber
security job functions and they need the help of active practitioners
to make sure that the results pass the reality test. They have an online
questionnaire you can fill out if you are willing to help.
TOP OF THE NEWSSuit Filed Against Microsoft for Security Problems Could Gain Class Action Status
US Cyber Criminals Face Harsher Penalties Come November
Canadian Tax Department Computers Stolen
THE REST OF THE WEEK'S NEWSPort of Houston Disabled By Hacker Attack in September 2001
Students in Ethical Hacking Course Must Sign Legal Agreement
Phishing Scam Pretends to be Part of FBI Investigation Dan Geer Interview
Symantec's Internet Security Threat Report for First Half of 2003
China Gets a Look at Windows Source Code
VULNERABILITY UPDATES AND EFFECTSIE Object Data Vulnerability Exploited to Install Qhosts-1 Trojan
IE Vulnerabilities Blamed for Source Code Theft
Microsoft Issues Cumulative IE Patch
Microsoft Issues Patch for Outlook-Exchange Incompatibility
CISCO Lightweight Extensible Authentication Protocol (LEAP) Vulnerable to Dictionary Attacks
New Vulnerabilities in IBM's DB2 UDB and MySQL AB's MySQL Database
OpenSSL Vulnerabilities Patched
********************** Sponsored by Qualys, Inc. **********************
Can your network pass the NEW SANS Top 20 test?
Find out for FREE with QualysGuard FreeScan.
QualysGuard FreeScan is a Web-based service that enables companies of
every size to identify the most prevalent and critical vulnerabilities
and remedy these threats within their perimeter network. With the
largest vulnerability testing database in the industry, QualysGuard
enables you to assess, prioritize, and remediate the vulnerabilities in
heterogeneous networks of any size. Our Web-based service provides you
with the ability to run immediate assessments without installation of
hardware or software.
Click on the link below to scan your network perimeter.
TOP OF THE NEWS
Suit Filed Against Microsoft for Security Problems Could Gain Class Action Status (3 October 2003)A California attorney has filed a suit against Microsoft in Los Angeles Superior Court alleging that the company's software is not secure and could "trigger
massive, cascading failures." The suit also claims that Microsoft security bulletins are too complicated for some users and that they provide attackers with information to create exploits. The suit was filed on behalf of a single client, though a request has been filed to certify the case as a class action suit, an action which Microsoft plans to fight. A Microsoft spokeswoman maintains that the problems are caused by malware writers and those who break into computer systems.
[Editors' Note (multiple): The law suit is a fascinating read. The attorney of record shared it with us and we've posted it for your review at
US Cyber Criminals Face Harsher Penalties Come November (2/3 October 2003)People convicted of cyber crimes will begin receiving harsher sentences in November. Under the new guidelines, developed by the US Sentencing Commission, most computer crimes are punishable by sentences of between 1 and 10 years; if the offense threatens or results in injury or death, the prison sentence is 20 years. Virus and worm authors will see a 50% increase in length of prison sentences; sentences for those convicted of breaking into government systems or systems connected with the nation's critical infrastructure will be double what they were before.
[Editor's Note (Schultz): This is a very positive development. Cybercriminals have not been getting sentences that are proportional to the magnitude of the crimes they have been committing. (Schneier): I worry whether this is going to be used to increase the threat for crimes that are only peripherally computer-related by tying them to computer use. It's already a problem that damage amounts in computer-related crime are often based on numbers plucked from thin air. ]
Canadian Tax Department Computers Stolen (30 September 2003)Four Canadian tax department computers were stolen from offices in Laval, Quebec. The computers contain personal information belonging to 120,000 Canadians. Revenue minister Elinor Caplan has ordered a security review.
[Editor's Note (Shpantzer): When hacking over the lines isn't appealing, sending a couple of goons to steal the disks should do the trick. Note that even if the computers are 'standalone' the mere fact that the information is in digital form is a major advantage for thieves. It used to be that if you wanted to steal 120,000 government records, you'd need a crew of people to work all night and a semi-trailer to haul away all that paper. Now you just need a jacket with a pocket for the disks. ]
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) MAKE YOUR FIREWALL DYNAMIC. Accurately block attackers in realtime.
(2) Simplify secure file transfer! Download a white paper and
(3) Does your solution include these four components critical to
THE REST OF THE WEEK'S NEWS
Port of Houston Disabled By Hacker Attack in September 2001A Dorset, UK, Hacker brought chaos to one of the US's busiest ports while attempting to target a female chat room user with whom he had been arguing. The Houston port computer was an intermediary in the attack. The attack took place on September 20, 2001 and is believed to be the first cyber attack to disable a major element of the critical infrastructure. The hacker, Aaron Caffrey, age 19, is being tried for the crime this week.
Students in Ethical Hacking Course Must Sign Legal Agreement (1 October 2003)Students taking an "Ethical Hacking" course at SMU (Southern Methodist University) School of Engineering's Advanced Computer Education Centers in Texas are required to sign a legal document that says they will not use what they learn for malicious purposes and also indemnifies the Education Center Council with respect to the use or misuse of what they learn in class.
[Editor's Note (Schneier): There's a certain amount of silliness to this. Why should we assume that anyone taking this class for nefarious purposes would intend to abide by any signed agreement? ]
Phishing Scam Pretends to be Part of FBI Investigation (1 October 2003)A recent phishing scam claimed to be part of an FBI investigation into credit card theft. Internet users received an e-mail message that appeared to be from the FBI and led them to a phony website designed to look like an official FBI site. Once there, users were asked to enter their credit card numbers, PINs and approximate account balances. The site has been taken down and the FBI is investigating.
Dan Geer Interview (1 October 2003)Former @Stake CTO Dan Geer talks with journalist Dan Verton about his firing after he participated in the publication of a paper warning of the security problems caused by the Microsoft monoculture.
[Editor's Note (Ranum):If it is true that there's no such thing as bad publicity, the marketing people at @Stake are geniuses. ]
Symantec's Internet Security Threat Report for First Half of 2003 (1 October 2003)Symantec's Internet Security Threat Report indicates that exploits for vulnerabilities are emerging more and more quickly after the vulnerabilities become public knowledge. In addition, blended threats are increasing in popularity among malware authors. The report is based on data from the first six months of 2003.
China Gets a Look at Windows Source Code (29 September 2003)The Chinese government will review Microsoft Windows source code for security loopholes. Earlier this year, the China Information Technology Security Certification Center signed an agreement to participate in Microsoft's Government Security Program (GSP).
VULNERABILITY UPDATES AND EFFECTS
IE Object Data Vulnerability Exploited to Install Qhosts-1 Trojan (2 October 2003)The Qhosts-1 Trojan horse program alters Windows machines' DNS configurations so that Internet searches are redirected to a website maintained by the attackers; the program is installed on machines with vulnerable versions of Internet Explorer (5.01. 5.5 and 6.0) via code on a pop-up advertisement on a certain website. Microsoft issued a patch for the vulnerability in August, but reports indicate the patch is faulty and does not protect computers against attacks.
IE Vulnerabilities Blamed for Source Code Theft (3 October 2003)Unpatched vulnerabilities in Internet Explorer are being blamed for the theft of source code for the video game Half Life 2.
Microsoft Issues Cumulative IE Patch (4 October 2003)Microsoft has released a cumulative patch for Internet Explorer that addresses the security holes exploited by the Qhosts Trojan.
Microsoft Issues Patch for Outlook-Exchange Incompatibility (2 October 2003)
CISCO Lightweight Extensible Authentication Protocol (LEAP) Vulnerable to Dictionary Attacks (2 October 2003)
New Vulnerabilities in IBM's DB2 UDB and MySQL AB's MySQL Database (1 October 2003)
OpenSSL Vulnerabilities Patched (30 September/2 October 2003)
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, Marcus
Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit