Don't Miss Pen Test Hackfest Summit & Training, November 2-9 near DC!

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume V - Issue #42

October 22, 2003

If you are planning to attend SANS Network Security 2003 in New Orleans, two deadlines loom today: (1) The late registration deadline is today (October 22) but if you need a couple extra days, contact (2) The preferred, discounted hotel rate deadline is today, as well. Call the hotel and make your reservation today.

Details at


CIO Magazine's State of Security Survey
UK Teen Found Not Guilty of Attacking Port of Houston Computer System
Federal Prosecutor Admits Error, Moves to Vacate Whistleblower Conviction
NIST Releases Five Security Guides


ISC to Create Internet Crisis Coordination Center
CIDDAC Security Sensors Could Enhance Data Sharing
DoD Sites Connected to IPv6 Testbed
House Committee Hears Testimony Critical of Government Security Efforts
Juniper's Infranet Initiative
Judge Dismisses Bernstein Encryption Case
California Universities Receive Grant to Build Cyber Defense Research Network
Outlook 2003 to Have Increased Security
Presenting a Business Case for Security Funding
Former Employee Alleges Diebold Installed Uncertified Patches
PivX Removes Web Page of Unpatched IE Flaws
Wireless Security


Microsoft Releases First Monthly Update
Microsoft Fixes Hotmail Cross-Site Scripting Vulnerability
New RPC Exploit Code Circulating

**************** Sponsored by Verisign-The Value Of Trust ***************

Secure Your Servers

Secure your servers with 128-bit SSL encryption! Grab your copy of VeriSign's FREE Guide, "Securing Your Web site for Business," and you'll learn everything you need to know about using 128-bit SSL to encrypt your e-commerce transactions, secure your corporate intranets and authenticate your Web sites. 128-bit SSL is serious security for your online business.

Get it now!

Highlighted Training Programs of the Week
If you know of any auditors who want to master the key technologies need to do effective security audits, tell them about the SANS Auditing Networks, Perimeters and Systems. It is by far the best security auditing course anywhere. Here's two recent students described it:
**"The whole security industry is based on being reactive. This program gives you the skills and framework to turn the corner and start the road toward proactive security management through auditing" (Barry Cox, Aliant Telecom)
**"Great for every part of the organization that wants to set up a security baseline and continuously monitor adherence to the baseline." - Les Thompson, Canada Life)

You'll find one of the smaller classes - with more opportunity for instructor/student interaction - for the Auditing track in Nashville beginning November 3. See



CIO Magazine's State of Security Survey (15 October 2003)

Data from 7500 respondents in 54 countries seems to reinforce other surveys showing declining losses from cybersecurity. CIO magazine and PricewaterhouseCoopers report that most organizations dealt with few attacks, had little downtime, and rarely had damages from the attacks that exceeded $10,000. This will be used by CIOs who want to spend less on security to justify their cutbacks. Other interesting data compares European and US respondents and attempts to compare the security behaviors of "very confident" and "not at all confident" organizations. Definitely worth reading.
[Editor's Note (Pescatore) Of course, in 2002 we had no major worm or virus attacks. When this and the CSI survey get redone in 2004, they will show a phenomenal leap in damages from 2002 to 2003 - Slammer/Blaster/SoBig costs. So, (2002 +2003)/2 looks about the same as 2001 but this year they conclude cutbacks and next year they will conclude everything has gone to hell in a hand basket.
(Northcutt): This is what I call a watermelon article, eat the fruit, spit out the seeds. There are some questionable ideas; the reason loss to attacks has not been catastrophic is that the worm authors have CHOSEN not to send out a worm with a malicious payload. If blaster had overwritten hard drives the damage would have been in the billions. That said, it is worth a careful read. If this article doesn't provoke thought then your brain has flatlined.
(Schultz) Any survey results concerning estimated monetary losses due to incidents are suspect in the first place, regardless of who performs the survey. Without a proven, widely accepted loss estimation methodology, wide discrepancies are bound to occur.
And on the differences between European and US Security attitudes
(Pescatore): There are definitely some differences - the privacy of individual data is actually a major concern for European companies and has been for years. That makes them much more conservative in exposing customer data to potential attack and much more likely to proactively notify customers if there is an exposure. In the US, consumers have been slow to react to misuse of their data - until identity theft kicked up, mainly on credit card fraud via numbers obtained from online databases - thus laws like SB1386 and the like. ]

UK Teen Found Not Guilty of Attacking Port of Houston Computer System (17 October 2003)

Aaron Caffrey, the UK teenager accused of launching a distributed denial-of-service attack in the port of Houston (TX), has been acquitted. Caffrey maintained that though the attack did come from Caffrey's computer, it was the work of someone who had installed a Trojan horse program on the machine; he also claimed that an intruder altered his computer's log files. Some feel that Caffrey's acquittal sets a dangerous precedent.
[Editor's Note (Schneier): Innocent, or merely possessing plausible deniability? Can this defense be used as a shield by not-so-innocent attackers? Could the elimination of this defense be used to convict the innocent? Proving that a computer is involved in an attack is much easier than making the leap across the keyboard to a person.
(Ranum): So, now, if you're a hacker, you need to install a "plausible deniability Trojan" on your machine, and you're safe from prosecution. Whether or not Caffrey was innocent I really don't know, but this case raises tough questions about the definition of "reasonable doubt." ]

Federal Prosecutor Admits Error, Moves to Vacate Whistleblower Conviction (14 October 2003)

The appellate division of the US Attorney's office in Los Angeles (CA) will move to vacate a felony conviction against Bret McDanel, who last year was convicted under the Computer Fraud and Abuse Act for using his former employer's computer system to send out more than 5,000 e-mail messages warning customers of the company about a vulnerability in the company's e-mail service. McDanel appealed the decision; a federal prosecutor now says the government will file a "confession of error" acknowledging that McDanel was convicted under a misinterpretation of the Computer Fraud and Abuse Act. McDanel has already served his entire 16-month federal prison sentence. If McDanel's conviction is overturned, it would set a significant precedent.
[Editor's Note (Schultz): This case appears to be a major setback for cybercrime legislation. Perhaps it is time for the US Congress to go back to the proverbial drawing boards and draft new legislation that improves upon the weaknesses of previous legislation. ]

NIST Releases Five Security Guides (14 October 2003)

The National Institute of Standards and Technology (NIST) has released five security guides; the guides were designed to help agencies comply with the Federal Information Security Management Act (FISMA) regulations and address security concerns raised by the office of Management and Budget (OMB).
Links to the guides -- Guideline on Network Security Testing, Security Considerations in the Information System Development Life Cycle, Building an Information Technology Security Awareness and Training Program, Guide to Selecting Information Security Products, and Guide to Information Technology Security Services - can be found at this site:

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.

(1) Simplify secure file transfer! Download a white paper and evaluation software.

(2) Control spam! - Top 10 enterprise techniques to control spam ***white paper

(3) **Just Published** Yankee Group Special Report on Assuring Network Integrity



ISC to Create Internet Crisis Coordination Center (20 October 2003)

The Internet Software Consortium (ISC) has announced that it will create the Operations, Analysis and Research Center (OARC) which will scrutinize Internet traffic in order to be able to distinguish traffic spikes from root server attacks. The ISC hopes to recruit between 100 and 500 members by early next year so the OARC can begin its research.

CIDDAC Security Sensors Could Enhance Data Sharing (20 October 2003)

The Cyber Incident Detection and Data Analysis Center (CIDDAC) is developing network security sensors that sit outside of companies' production networks and send incident data back to a central facility. The benefit of this technology is that it will allow companies to share information with the government without the privacy issues raised by allowing the government inside their networks. In addition, AIG says it will offer reduced insurance rates to companies that deploy the CIDDAC sensors.
[Editor's Note (Paller): Corporations and most other enterprises generally do not share information about attacks that they suffer. Two exceptions arise when victims need help in cleaning up after the attack or need law enforcement help to prosecute the attacker. In those two situations they tell specific outside people, but generally even then, they try to keep the information secret from anyone else. So when you read that some organization has found a solution to the information sharing problem, you can be very sure they haven't solved the critical problem of reporting successful attacks. On the other hand, most companies don't mind sharing information about malicious traffic that they blocked at their firewalls or intrusion prevention system. Thousands of organizations already share such information with the SANS Internet Storm Center (daily attack data is published at and that data allowed Storm Center to provide early alerts to the whole community telling of several of the largest worm attacks. Another related way companies will share is with honeypot information. Honeypots are information resources that pretend to be targets and are able to record attackers' behavior. There are several important projects using distributed honeypots. This article tells about another organization setting up a network of sensors that will collect data about attacks that did not actually do any damage. ]

DoD Sites Connected to IPv6 Testbed (17/20 October 2003)

Six US military sites are now connected to an IPv6 testbed dubbed Moonv6, the largest native IPv6 network in the country. The Defense Department (DoD) said in June that IPv6 will become departmental standard by 2008. The advantages of IPv6 over IPv4 include better security and increased address space.

House Committee Hears Testimony Critical of Government Security Efforts (16/17 October 2003)

At a House Government Reform Committee hearing on Internet Security, NetSec president Kenneth Ammon testified that the Federal Information Security Management Act (FISMA) misallocates precious resources and doesn't adequately address the problem of security for legacy IT systems. At the same hearing, Akamai chief scientist F. Thomas Leighton suggested it would be prudent "to remove public-facing Web sites from government networks."
[Editor's Note (Paller): FISMA has required a lot of paperwork, but new SANS research has discovered a systematic effort by commercial firms to make the tasks far more onerous (and expensive) than the law requires. There's enormous flexibility in FISMA, especially for the vast bulk of systems that fall in the low risk category. One Cabinet-level Department has demonstrated that the cost of certification and accreditation of low-risk systems does not need to exceed $6,000 per system. Most agencies pay consulting firms $20,000 - $60,000 for certification and accreditation work on each low-risk system. And for the very high risk systems, don't you want the government to spend the time and money to understand the risks and develop plans to mitigate them? Moreover, FISMA and associated OMB guidance have specific requirements for continuous monitoring of vulnerabilities and risk mitigation. In other words, FISMA isn't the problem. ]

Juniper's Infranet Initiative (15/20 October 2003)

Juniper Networks has announced the Infranet Initiative which aims to (unite) the industry in creating interface standards to enhance the security of the public data network.

Judge Dismisses Bernstein Encryption Case (15 October 2003)

US District Judge Marilyn Hall Patel dismissed a lawsuit, filed by University of Illinois math professor Daniel Bernstein, that challenged the government's restrictions of the publication of encryption code. The judge dismissed the case after receiving assurances from a Justice Department attorney that the government would not enforce the rules to prosecute those "engaged in legitimate research."
[Editor's Note (Ranum): This was not necessarily a victory for free speech. Since it looked like the government might *lose* its case, the Justice Department took the position that it wouldn't go after Bernstein in this situation. Thus Judge Patel had no choice but to dismiss the case. Effectively this means that no case law regarding crypto/free speech was established. (Schneier): I'm disappointed but not surprised to see this. I'd much rather have seen a final decision, but the government kept shifting the rules and the playing ground. ]

California Universities Receive Grant to Build Cyber Defense Research Network (15 October 2003)

The University of California at Berkeley and the University of Southern California have received a $5.46 million grant from the National Science Foundation (NSF) to build an isolated network that is "the Internet in microcosm." The Cyber Defense Technology Experimental Research network, or DETER, will be deliberately attacked in various ways so researchers can evaluate cyber attack defense methods. Members of academia and private industry will also be able to use the network to test the efficacy of their products.

Outlook 2003 to Have Increased Security (14 October 2003)

In the newest version of Microsoft Outlook, which will become available at the end of the month when Microsoft office 2003 is released, security options will be set at the highest level by default. Users of Outlook 2003 will also be able to disable all macros and block HTML content in e-mail.
[Editor's Note (Ranum): Hang on - if it's going to have security options set at the highest level by default, then Macros and HTML blocking should be enabled by default, too, right? ]

Presenting a Business Case for Security Funding (13 October 2003)

It used to be that bosses could be scared into funding security proposals with stories of other companies' cyber disasters. Now that funding is scarcer, bosses want more hard data to back up spending requests. Advice for preparing such information includes getting a security assessment done by a third party, creating a plan to address the vulnerabilities found in the assessment, and "build(ing) an ROI-based business case for security investments."

Former Employee Alleges Diebold Installed Uncertified Patches (13 October 2003)

A man who worked in Diebold Election Systems' warehouse alleges that the company installed at least three patches on voting machines used in Georgia's 2002 gubernatorial election without having them certified by an independent party or clearing them with state election officials. A Diebold spokesman denied that the company applied patches to the machines.

PivX Removes Web Page of Unpatched IE Flaws (13/16 October 2003)

PivX Solutions has removed a web page listing 31 unpatched security flaws in Microsoft Internet Explorer (IE), replacing it with an explanation of the page's removal. PivX acknowledged "a sea change in Microsoft's commitment" to eradicate the IE vulnerabilities, and that they took down their unpatched vulnerability page to give the Microsoft "a good faith reprieve."

Wireless Security (13 October 2003)

This article describes 11 steps for enhancing wireless LAN security.


Microsoft Releases First Monthly Update (15/16 October 2003)

Microsoft has released the first of its new, scheduled monthly updates.

Microsoft Fixes Hotmail Cross-Site Scripting Vulnerability (15 October 2003)


New RPC Exploit Code Circulating (14/15 October 2003)

New code could cause denial-of-service on patched Windows 2000 and XP.


--- end ---

NewsBites Editorial Board: This week we welcome John Pescatore of Gartner to the Editorial Board. Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit