SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #46
November 19, 2003
For the 41,000 SANS NewsBites readers in the Washington area - today is the deadline for saving money on the six courses and the security executive conference that will be held in early December in Washington. The hacking class, the SANS security essentials class, the firewalls class, and the UNIX and Windows security classes are each taught by the highest rated teacher in the world on each topic, and all of the courses are hands-on. If you can attend, or if your sysadmins want security training, this is definitely the best program. People from other cities may come, too, but Washington area people save travel and hotel costs by attending this local program. If you need an extra couple of days to get your payment in, email firstname.lastname@example.org and tell them I said they should accommodate you. For details on the program:
TOP OF THE NEWS
MIT e-Mail Systems Reject Messages with Executable Attachments
Cumulative IE Update Causes Problems
Exchange Flaw Could be Exploited by Spammers
Exploits for Workstation Posted Right After Patch Release
THE REST OF THE WEEK'S NEWS
Commercial Quantum Encryption Product Available
Man Sentenced for al Jazeera Site Redirect
SQL Flaw in UK e-Commerce Site
Mimail Variant Goes After Financial Information
Global Council of CSOs
Alleged Wardrivers Arrested for Penetrating Lowe's Network
NHTCU Investigating Online Extortion Schemes
Diebold Will Pay for Statewide Voting Machine Audit in California
WPA Security Issues
PARTICULARLY USEFUL NEW RESOURCES
1,250 Original Research Papers In the Information Security Reading Room
15 White Papers From Security Vendors
Practice Tests For Security Certification
************************ Sponsored by Qualys, Inc. **********************
Can your network pass the 2003 SANS Top 20 test? Find out for FREE with QualysGuard FreeScan.
QualysGuard FreeScan is a Web-based service that enables companies of every size to identify the most prevalent and critical vulnerabilities and remedy these threats within their perimeter network. With the largest vulnerability testing database in the industry, QualysGuard enables you to assess, prioritize, and remediate the vulnerabilities in heterogeneous networks of any size. Our Web-based service provides you with the ability to run immediate assessments without installation of hardware or software.
Click on the link to scan your network perimeter.
Highlighted Training Programs of the Week
The best east-coast security conference this year will bring six of SANS top courses to Washington in early December. It also includes a management conference and a free evening program filled with authoritative presentations. The courses are taught by the people who have won the seven-year, global competition to identify the best teachers in each security subject area. SANS instructors bring the information to life - giving you the confidence to put it to work as soon as you get back to the office.
TOP OF THE NEWS
MIT e-Mail Systems Reject Messages with Executable Attachments (13 November 2003)
Massachusetts Institute of Technology (MIT) e-mail administrators have reconfigured their systems to reject any e-mail messages that have executable attachments. Senders will receive error messages detailing why their message was rejected.
[Editor's Note (Pescatore): This is an increasingly common strategy, as enterprises who analyze their incoming email realize that 99.9% of the executable attachments have zero business value. It makes sense to do it at home, as well.
(Paller) This is one more in a long line of security innovations pioneered by MIT. MIT offers a remarkable example of how well a large research university can police its systems, protect its faculty, staff, and students, and be a good citizen on the Internet. Kudos to Bob Mahoney and the whole MIT security team. ]
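The rejection policy described above, as an added example (not MIT's actual configuration): a mail-gateway check that parses a MIME message, flags attachments that are executable by filename extension or by the "MZ" header of a DOS/PE binary, and returns the bounce text a sender would receive. The extension list and the sample messages are constructed for the example.

```python
"""Reject e-mail carrying executable attachments (added example, not MIT's code)."""
import email
import os
from email import policy
from email.message import EmailMessage
from typing import Optional

# Extensions treated as executable. Assumption for this example; extend as needed.
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# DOS/PE executables start with "MZ" no matter what the file is called.
EXEC_MAGIC = (b"MZ",)


def is_executable_part(part: EmailMessage) -> Optional[str]:
    """Return a reason string if this MIME part looks executable, else None."""
    filename = (part.get_filename() or "").lower()
    ext = os.path.splitext(filename)[1]
    if ext in EXEC_EXTENSIONS:
        return f"attachment '{filename}' has executable extension {ext}"
    payload = part.get_payload(decode=True) or b""
    if payload.startswith(EXEC_MAGIC):  # catches renamed binaries
        return f"attachment '{filename or '<unnamed>'}' contains an executable header"
    return None


def check_message(raw: bytes) -> Optional[str]:
    """Return the SMTP rejection text for a raw message, or None to accept it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        reason = is_executable_part(part)
        if reason:
            return f"550 5.7.1 Message rejected: {reason}. Executable attachments are not accepted."
    return None


def build_sample(filename: str, content: bytes) -> bytes:
    """Constructed test message with a single attachment (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.edu"
    msg["Subject"] = "invoice"
    msg.set_content("See attached.")
    msg.add_attachment(content, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, body in [("report.pdf", b"%PDF-1.4"), ("setup.exe", b"\x00\x01"), ("photo.jpg", b"MZ\x90\x00")]:
        print(name, "->", check_message(build_sample(name, body)) or "accepted")
```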
Cumulative IE Update Causes Problems (14 November 2003)
The Cumulative Security Update for Internet Explorer has been causing problems for some users. In addition, some of the patch files have dates indicating that Microsoft has been aware of the problems for some months.
Exchange Flaw Could be Exploited by Spammers (14 November 2003)
A Harvard University undergraduate student has published a white paper describing a flaw in Microsoft's Exchange 5.5 and 2000 that could allow machines running those versions to be used to send spam. The vulnerability exists if the guest account is enabled.
Exploits for Workstation Posted Right After Patch Release (11/13/17 November 2003)
Less than a day after Microsoft released its second monthly group of patches, exploits for one of the vulnerabilities were posted on the Internet. The flaw in question is a buffer overflow vulnerability in the Microsoft Workstation service in Windows 2000 and XP. Some in the security industry believe the appearance of the exploits so soon after the patch was released makes the flaw ripe for a worm.
[Editor's Note (Pescatore): The same firewall actions that many enterprises put in to block Blaster should slow this one down, so the most likely form of enterprise infection will be the laptop out in the field that gets hit and then is brought into the enterprise, put in the docking station and whammo! If you combine the speed of the exploit coming out with the complexity of the patch scenario (see quote from MSFT patch bulletin below), you begin to see why patching faster will never be the answer.
- From Microsoft: "Note: The Windows XP security updates that released on October 15th as part of Security Bulletin MS03-043 (828035) include the updated file that helps protect from this vulnerability. If you have applied the Windows XP security updates for MS03-043 (828035) you do not have to reapply this update. However, the Windows 2000 security update that is released as part of this security bulletin contains updated files that were not part of the MS03-043 (828035) security bulletin. Customers have to apply this Windows 2000 security update even if they applied the Windows 2000 security updates for MS03-043 (828035)." ]
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Simplify secure file transfer! Download a white paper and evaluation software.
(2) ALERT - Spam is no longer simply a nuisance. Learn more with our FREE WHITE PAPER
(3) Considering vulnerability assessment? Read the latest nCircle white paper about the ten most common pitfalls.
(4) Free Technical Webinar: Scary Network Mapping Techniques - featuring Simple Nomad.
Register at http://www.sans.org/cgi-bin/sanspromo/NB259
THE REST OF THE WEEK'S NEWS
Commercial Quantum Encryption Product Available (17 November 2003)
MagiQ Technologies has begun selling Navajo systems, reputedly unbreakable encryption technology that employs the laws of quantum physics. Navajo systems use photons to transmit encryption keys over fiber-optic lines; photons are so sensitive that their behavior changes if they are examined. MagiQ is requesting governmental permission to sell Navajo abroad.
[Editor's Note (Shpantzer): Quantum encryption may just be 'unbreakable' in terms of solving certain key-exchange problems, but someone on one end has to write the data before it becomes ciphertext, and someone on the other end has to decrypt it for use. What does quantum do for us at these endpoints, which is where smart attackers go anyways? ]
Man Sentenced for al Jazeera Site Redirect (13/14 November 2003)
John William Racine, a.k.a. John Buffo, has been sentenced to 1,000 hours of community service and ordered to pay a $2,000 fine for redirecting Internet traffic from the al Jazeera web site to a page of his own creation for several days earlier this year.
SQL Flaw in UK e-Commerce Site (14 November 2003)
A flaw in the handling of an SQL query on the web site for UK retailer B&Q (www.diy.com) could allow users to access others' accounts, change personal details, and, if credit card information had previously been entered, make purchases on that person's account. The head of B&Q's technology team said the problem was promptly addressed.
[Editor's Note (Pescatore): Just once, I'd like to see one of these all too frequent stories end with "The head of Engulf & Devour's technology team was promptly fired." ]
Mimail Variant Goes After Financial Information (14 November 2003)
A variant of the Mimail worm has been spreading; this newest version pretends to be a message from PayPal saying an account is about to expire and requesting personal and financial information from its recipients.
Global Council of CSOs (12/13 November 2003)
The newly formed Global Council of CSOs aims to improve Internet security by assembling expertise from government, industry and academia. The Council hopes to encourage greater cooperation between government and industry regarding cybersecurity. Founding members include eBay CISO Howard Schmidt, Oracle CSO Mary Ann Davidson and Microsoft chief security strategist Scott Charney.
Downloader Trojan (12 November 2003)
The Downloader-Dl Trojan horse program arrives as an attachment to an e-mail that appears to be from Citibank. Once activated, the Trojan allows attackers to use infected computers as a conduit to conduct activity on the Internet, which would be traced back to the infected computer rather than to the perpetrator.
Alleged Wardrivers Arrested for Penetrating Lowe's Network (11/12 November 2003)
Federal officials have charged two Michigan men with violating the Computer Fraud and Abuse Act for allegedly gaining repeated unauthorized access to the wireless computer system of Lowe's home improvement stores. Paul Timmons and Adam Botbyl allegedly accessed Lowe's central data center and crashed point-of-sale terminals of a California store. An FBI surveillance team discovered a suspicious car in a Southfield, Michigan parking lot; one of the two people inside was typing on a laptop computer. The pair has been released on bond; they are permitted to use computers for work and school purposes only. A Lowe's spokesperson wouldn't comment on whether or not the store in question uses encryption.
NHTCU Investigating Online Extortion Schemes (11/12 November 2003)
In an electronic spin on old protection rackets, organized crime groups are apparently bombarding online businesses, many of them gambling sites, with distributed denial of service (DDoS) attacks and extorting money in return for relief from the barrage of bogus traffic. Increasing use of broadband could be to blame for the increased number of compromised zombie machines used in the attacks. The UK's National Hi-Tech Crime Unit (NHTCU) is investigating a number of these incidents, and is asking companies to come forward if they have been targeted by DDoS attacks.
Diebold Will Pay for Statewide Voting Machine Audit in California (11 November 2003)
California halted the process of certifying new Diebold voting machines when allegations surfaced that uncertified software had been installed on machines in Alameda County, CA. California election law requires that vendors notify the state about changes to voting systems. All Diebold machines in the state are now to undergo an audit to find out if uncertified software was installed anywhere else; Diebold has agreed to pay for the audit.
[Editor's Note (Pescatore): It isn't really confidence inspiring when you read, "Diebold spokesman Rob Norcross said, 'Vendors don't just decide to install new software onto systems.' He said it usually happens as a result of discussing with county officials what kinds of features they want." That's OK for video games, not quite the configuration control I'd look for from a voting machine vendor. ]
WPA Security Issues (11 November 2003)
According to a paper published by Robert Moskowitz, senior technical director at ICSA Labs, the Wi-Fi Protected Access (WPA) security standard may in some cases be less secure than the older WEP. The problems with the WPA standard are related to Pre-Shared Keys (PSK); the handshake method used by WPA allows keys to be discovered through the use of a dictionary attack.
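Why the PSK mode is only as strong as its passphrase, as an added example that is not from Moskowitz's paper: WPA derives the 256-bit pairwise master key from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations (IEEE 802.11i), so everything but the passphrase is public and guesses can be checked offline against a captured handshake. The code derives the key as the standard specifies and adds a deployment-time policy gate; the word list and the 80-bit threshold are assumptions for this example.

```python
"""WPA-PSK key derivation plus a passphrase policy gate (added example)."""
import hashlib
import math
from typing import List


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK per IEEE 802.11i: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


# Constructed stand-in for the dictionaries an attacker would use; not a real list.
COMMON_WORDS = {"password", "12345678", "letmein1", "qwertyui"}


def estimate_guess_space(passphrase: str) -> float:
    """Approximate log2 of the brute-force space implied by the character classes used."""
    classes = [
        any(c.islower() for c in passphrase) * 26,
        any(c.isupper() for c in passphrase) * 26,
        any(c.isdigit() for c in passphrase) * 10,
        any(not c.isalnum() for c in passphrase) * 33,  # printable punctuation + space
    ]
    return len(passphrase) * math.log2(max(sum(classes), 1))


def psk_policy_violations(passphrase: str, min_bits: float = 80.0) -> List[str]:
    """Reasons a PSK should not be deployed; an empty list means it passes the gate."""
    problems = []
    if passphrase.lower() in COMMON_WORDS:
        problems.append("passphrase is a dictionary word")
    if estimate_guess_space(passphrase) < min_bits:
        problems.append("passphrase space below %.0f bits" % min_bits)
    return problems


if __name__ == "__main__":
    # Same passphrase and SSID always give the same PMK; only the passphrase is secret.
    print(derive_pmk("password", "IEEE").hex())
    for candidate in ("password", "Correct-Horse-Battery-Staple-9"):
        print(candidate, "->", psk_policy_violations(candidate) or "acceptable")
```

The first printed value matches the IEEE 802.11i Annex H test vector for passphrase "password" and SSID "IEEE", which is how to confirm a derivation implementation is correct.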
PARTICULARLY USEFUL NEW RESOURCES
1,250 Original Research Papers In the Information Security Reading Room
More than 7,000 people visited the Information Security Reading Room on Tuesday and they looked at more than 1,000 of the 1,250 available papers. Out of the 75 categories, these six were the most popular: (1) Firewalls & Perimeter Protection, (2) Wireless Access, (3) Encryption & VPNs, (4) Auditing & Assessment, (5) Windows 2000 Issues, (6) Security Policy Issues. The Reading Room is by far the richest security research library in the world. None of the papers appear anywhere else. And it is all free as a public service from SANS. Especially useful is the list of the most popular 25 papers and the 25 papers most recently added to the Reading Room.
15 White Papers From Security Vendors
Many of the vendor white papers are very useful (and a few are too promotional). Take a look. They are free, though the vendors want you to register.
Practice Tests For Security Certification
GIAC Practice Tests are a proven aid in helping to master material covered on the GIAC exams and earn the valued certifications. Why worry about retakes when you can take a practice test beforehand at a fraction of the cost of the actual exam? Now available for SANS Security Essentials and SANS Intro to Information Security. For more information please go to
NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/