SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #45
November 12, 2003
TOP OF THE NEWS
White House Revises PDD-63
FTC Temporarily Stops Pop-Up Spammer
Telecom Provider Will Block Traffic to and From Spamming Machines
Cyber Criminals Face Stiffer Sentences
Three Critical Microsoft Vulnerabilities Patched
THE REST OF THE WEEK'S NEWS
New Cyber Crime Laws Passed in Singapore
Australian Defense Minister Enumerates Department Security Breaches
CSOs Concerned About DoS Attacks
Wireless LAN Security
Developers Catch Stealthily Planted Backdoor in Linux Kernel
Microsoft's Anti-virus Reward Program Gets Mixed Reviews
Minnesota Legislator Won't Reveal Identity of Possible Computer Intruder
Legislator Suggests Antivirus Software be Required
Man Allegedly Used Virus to Change Dial-Up Numbers
Alleged CyberCrime Gang Members Arrested
E-Mail BackUp Tapes Unintentionally Thrown Out
Temporary Restraining Order Sought Against Diebold
California Puts Diebold Certification on Hold
National Guard Bureau Data Sharing Suffering from Cyber Attacks
VULNERABILITY UPDATES AND EFFECTS
Exploits Posted for Internet Explorer Vulnerabilities
Windows XP Wireless Security Rollup
Highlighted Training Programs of the Week
The best east-coast security conference this year will bring six of SANS top courses to Washington in early December. It also includes a management conference and a free evening program filled with authoritative presentations. The courses are taught by the people who have won the seven-year, global competition to identify the best teachers in each security subject area. SANS instructors bring the information to life - giving you the confidence to put it to work as soon as you get back to the office.
Black Ice Class Coming to DC in December
This class will explore several probable scenarios highlighted in Dan Verton's new book, "Black Ice: The Invisible Threat of Cyber Terrorism," endorsed by some of the nation's top cyber security experts. It will bring you up to date information on current hostile Internet activity and what it means for business continuity. You will spend time examining case studies and lessons learned from recent information system failures. You will learn how to minimize the risk of being targeted for a physical attack by understanding what not to post on the Internet. Finally, you will learn how to contain a large scale attack on your information systems, including developing policies and procedures, building business continuity plans, employing disaster recovery techniques, and returning your business back to normal. For more information please go to http://www.sans.org/blackice03/
TOP OF THE NEWS
White House Revises PDD-63 (7 November 2003) The Bush administration plans to release its version of President Clinton's Presidential Decision Directive-63 (PDD-63), which will be called the Homeland Security Presidential Directive (HSPD). The new document will "reflect changes in the bureaucracy at the Department of Homeland Security and give more importance to the ISACs (Information Sharing and Analysis Centers)."
[Editor's Note (Pescatore): The original PDD-63 had much useful guidance way back in 1998. It challenged the federal government to be a model citizen in cyberspace, use existing public-private partnerships to improve information security, etc. It was largely completely ignored as cybersecurity became a hot topic. If it is rewritten without doing a "lessons learned" on why PDD-63 didn't work, this will just be an empty paper exercise. ]
FTC Temporarily Stops Pop-Up Spammer (6 November 2003) The Federal Trade Commission (FTC) has received a temporary restraining order against two officers of D Squared Solutions, a San Diego-based company that has been using Windows Messenger Service to send pop-up spam. Ironically, the pop-ups advertised pop-up blocking software. The FTC took action because it has received a large number of complaints about the company's practices.
Telecom Provider Will Block Traffic to and From Spamming Machines (4 November 2003) Telia Sonera, a telecommunications provider that serves the Baltic and Nordic areas of northeastern Europe, plans to block all Internet traffic to and from machines that send out spam. This applies to machines infected with Trojan horse programs that have made them unwitting accomplices in spammers' schemes. Telia Sonera will not give warnings before blocking traffic, but will offer help to decontaminate the affected machines before resuming Internet traffic.
[Editor's Note (Schultz): Given the high percentage of falsified sending addresses on spam, Telia Sonera's plan could prove catastrophic unless sources are verified. ]
Cyber Criminals Face Stiffer Sentences (3 November 2003) As of November 1st, people convicted for cyber crimes face stiffer sentences, thanks to the 2002 Homeland Security Act. People who use computers to inflict bodily harm or death face sentences of 20 years to life. Another law, passed just this April, makes it harder for judges to be lenient and give sentences that are not as harsh as federal guidelines.
Three Critical Microsoft Vulnerabilities Patched (3 November 2003) Microsoft Corp. released the second installment of its now monthly security bulletins, patching three software holes in Windows systems that it said were "critical" security risks and a fourth problem with Microsoft Office that the company rated "important."
[Editor's Note (Paller): As I read today's news stories about Microsoft's new patches, what stood out most was the lack of outrage by the reporters. Microsoft's PR people must be cheering. By moving to monthly release of new patches, they have made bad programming announcements so regular that the press is giving them a free pass. These patches fix one, or many programming errors made by Microsoft's vaunted software development team. The errors are there because that team didn't adequately check its code. Hundreds of thousands or millions of people will not install the patches, because it still takes work and expertise on the part of users. Hackers will write worms that take over those unprotected machines and use them to steal information or attack others. Some of those attacks will be low and slow so you'll never know your systems were compromised or by whom. That's the bottom line on Microsoft's patch announcements. ]
Practice Tests Now Available
GIAC Practice Tests are a proven aid in helping to master material covered on the GIAC exams and earn the valued certifications. Why worry about retakes when you can take a practice test beforehand at a fraction of the cost of the actual exam? Now available for SANS Security Essentials and SANS Intro to Information Security. For more information please go to https://store.sans.org/store_category.php?category=tests
THE REST OF THE WEEK'S NEWS
New Cyber Crime Laws Passed in Singapore (10/11 November 2003) Newly enacted legislation in Singapore allows law enforcement with credible evidence to take pre-emptive action against suspected cyber criminals. People convicted of breaking into or defacing a web site face jail sentences of as much as three years or fines of up to S$10,000 ($5,800).
Australian Defense Minister Enumerates Department Security Breaches (10 November 2003) Australian Defense Minister Robert Hill said that there have been three externally launched security breaches resulting in unauthorized access to computer systems in his department during the past three years; in that same time period, there have been 13 internal attempts to breach security. These attacks plus the theft of 1,600 personal computers have raised serious concerns about security in the Australian Defense Organization.
[Editor's Note (Schultz): Figures such as these will undoubtedly give ammunition to those who still believe the outdated 1983 FBI statistic that 80 percent of all attacks come from the inside. Mr. Hill's statistics pertain to successful, not attempted attacks. A close examination of their firewall logs would probably uncover hundreds of externally initiated attacks for every internally initiated attack. Nevertheless, the greatest risk is from internal sources; employees and contractors already have access to and knowledge about systems they attack.
(Schneier): This is useful information, but be careful of the conclusions. The story compares apples and oranges -- successful external attacks versus all internal attacks.
(Grefer): Only three successful external attacks in three years? Is it possible that there were attacks that weren't detected? ]
CSOs Concerned About DoS Attacks (7 November 2003) A survey of 250 chief security officers (CSOs) of multinational corporations found that the attacks of September 11, 2001 were more of an impetus to improve IT security than were government regulation, computer intrusions and malware attacks. Denial-of-service attacks topped the list of concerns among the respondents, closely followed by hacking and theft of corporate information. RSA and CSO conducted the survey.
The survey may be found at
[Editor's Note (Ranum): The methodology behind this survey is unclear. Reading the whitepaper it says "more than 250 readers of CSO magazine were surveyed..." which does not necessarily mean that the respondents were CSOs. ]
Wireless LAN Security (7 November 2003) This article lists eight security risks involved in deploying wireless local area networks (LANs) and offers suggestions for mitigating those risks. Topics addressed include rogue access points, traffic analysis and eavesdropping, and insufficient policies.
Developers Catch Stealthily Planted Backdoor in Linux Kernel (6/7 November 2003) Developers foiled a sophisticated attempt to inject a backdoor into the source code of the Linux kernel. The code could appear to be simply a programming error, but actually it would allow an attacker to gain elevated privileges on compromised systems. The anomaly was detected during a routine file integrity check.
[Editor's Note (Schneier): This story shows both the security benefits and dangers of open source software. ]
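As an added illustration (not from the newsletter or the kernel project) of the kind of routine file integrity check that caught the planted change: a baseline manifest of SHA-256 hashes is compared against the current tree, and any file whose hash differs is flagged, even when the edit is a single character that a reviewer could mistake for a typo. The sample tree, its file names and the edit are constructed for this example and are not the actual kernel sources or the actual planted change.

```python
import hashlib
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map each relative path to the SHA-256 of its contents (the baseline)."""
    return {path: sha256_hex(content) for path, content in files.items()}


def scan_tree(root: Path) -> dict:
    """Read a real source tree into the same {relative path: bytes} shape."""
    return {str(p.relative_to(root)): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report files whose hash changed, plus files that appeared or vanished."""
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


# Constructed sample tree: not the real kernel sources or the real planted edit.
BASELINE_TREE = {
    "kernel/exit.c": (b"int check(int opt) {\n"
                      b"    if (opt == 0)\n"
                      b"        return 1;\n"
                      b"    return 0;\n}\n"),
    "kernel/sched.c": b"/* unchanged file */\n",
}

# Same tree after a one-character edit (== to =) that reads like a typo but
# changes behaviour; the hash comparison flags it regardless of how it looks.
TAMPERED_TREE = dict(BASELINE_TREE)
TAMPERED_TREE["kernel/exit.c"] = BASELINE_TREE["kernel/exit.c"].replace(
    b"opt == 0", b"opt = 0")


def demo() -> dict:
    """Compare the stored baseline against the current (tampered) tree."""
    baseline = build_manifest(BASELINE_TREE)
    return diff_manifest(baseline, build_manifest(TAMPERED_TREE))


if __name__ == "__main__":
    print(demo())
```

For a real tree, store `build_manifest(scan_tree(root))` somewhere the tree cannot overwrite and re-run `diff_manifest` on each check.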
Microsoft's Anti-virus Reward Program Gets Mixed Reviews (5/7 November 2003) Microsoft's announcement of a $5 million fund to catch virus and worm writers has met with lukewarm reactions from some in the industry. Some experts believe the offers of bounties for information leading to the conviction of virus writers could have a chilling effect on code sharing among malware writers and could increase distrust in that community. Others believe it will have no real effect. Many would rather see Microsoft put its effort into improving Windows security.
[Editor's Note (Schultz): I am not sure whether it will work, but I suppose it is worth a try. I'm not very convinced by critics/skeptics' concerns--the effect on code sharing among malware writers is very uncertain, and I doubt whether Microsoft's investing an extra $5 million in code development efforts would make much of a difference in the quality of its code. ]
Minnesota Legislator Won't Reveal Identity of Possible Computer Intruder (6 November 2003) Minnesota state representative Mary Liz Holberg says she will not reveal the identity of the individual who provided her with evidence of a vulnerability in a state computer network used only by law enforcement. Officials have shut down the network, known as the Multiple Jurisdictional Network Organization (MJNO), while the Bureau of Criminal Apprehension investigates whether or not there was a security breach. Holberg had been looking into the possibility that MJNO was not secure when she received a call from an individual who offered proof that the system was vulnerable; the individual accessed Holberg's MJNO files and read excerpts to her over the phone. Holberg then informed the governor's office and other state officials.
Legislator Suggests Antivirus Software be Required (6 November 2003) During a House Energy and Commerce Committee's Subcommittee on Telecommunications and the Internet hearing, Representative Charles Bass (R-N.H.) asked, "Is there any reason why any computer in this country shouldn't have some kind of antivirus software on it as a requirement?" Others at the hearing pointed out that US citizens would perceive any such requirement to be trampling their rights. In addition, some computers, like those used in factory automation, are simply not set up to run anti-virus software.
[Editor's Note (Pescatore): This is a very typical instance of how well meaning legislation aimed at technology can have disastrous results. Signature-based anti-virus barely works for its intended purpose, and it already ships on almost every PC sold. This always reminds me of when the Senate held hearings about requiring special safety seats for all children flying on commercial airline flights. At the hearing, someone pointed out that since parents would now have to buy tickets for little Susie, that more parents would be likely to drive than fly for many trips. Since driving is more dangerous per mile than flying, more children would die per year if special seats were required for children. The response from the senators: "This committee is looking at airline safety, not highway safety." Systems engineering is not a widely understood discipline.
(Schneier): While it's certainly a good idea for every computer to be outfitted with anti-virus software, I wouldn't want it legislated. I prefer liability solutions to regulation. ]
Man Allegedly Used Virus to Change Dial-Up Numbers (5 November 2003) Italian police have charged a 39-year-old man with fraud and virus distribution for allegedly using e-mail messages that trick users into running a virus on their computers; the virus, known as Marq-A or Zelig, changes the Internet dial-up number to that of a "premium rate" line. The man stood to reap more than one million Euros a month if his scheme had been allowed to run that long.
[Editor's Note (Grefer): This is an oldie but a goodie. One of the original modem-hijacking scams was handled by the Federal Trade Commission in the US in 1997. The victim was tricked into downloading an executable that was a covert dialer. It even turned down the volume of the modem so victims couldn't tell their modem was dialing. See
Alleged CyberCrime Gang Members Arrested (5 November 2003) Brazilian police arrested 18 members of a cybercrime gang; the gang members allegedly used specially crafted web sites and programs to steal passwords from people who transferred money on-line; the gang allegedly stole over $10 million last year.
E-Mail BackUp Tapes Unintentionally Thrown Out (4 November 2003) Staff of IT contractor Telstra Enterprise Services apparently dug through trash in order to recover Australian government department and agency e-mail backup tapes that had been inadvertently thrown out. Telstra regulatory and corporate director Bill Scales said that his company told the security agencies about the security problem as soon as they discovered it.
Temporary Restraining Order Sought Against Diebold (4 November 2003) The Electronic Frontier Foundation (EFF) and the Stanford Law School's Center for Internet and Society have filed for a temporary restraining order against electronic voting machine maker Diebold, demanding that it stop sending cease and desist letters to people and organizations that have posted internal Diebold documents on their web sites. An EFF attorney says they maintain that hosting the documents constitutes fair use under US copyright laws.
California Puts Diebold Certification on Hold (3 November 2003) The California Secretary of State's office has put certification of new Diebold electronic voting machines on indefinite hold pending the outcome of an investigation into allegations that the company installed uncertified software on machines used in Alameda county.
National Guard Bureau Data Sharing Suffering from Cyber Attacks (4 November 2003) National Guard Bureau CIO Maureen Lischke said numerous cyber attacks have made it harder for her organization to share information for disaster planning and first response. Currently, the Guard installs patches manually on every PC.
[Editor's Note (Ranum): If you read the article, it will make you weep. Is this really the way that government agencies think security should be done for information sharing? ]
VULNERABILITY UPDATES AND EFFECTS
Exploits Posted for Internet Explorer Vulnerabilities (7 November 2003)
Windows XP Wireless Security Rollup (6 November 2003)
NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/