SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #47
November 26, 2003
TOP OF THE NEWSDiebold ATMs Hit by Nachi in August
Operation Cyber Sweep Nets 125 Alleged Cyber Criminals
The Cisco Network Admission Control Program
The Voter Confidence and Increased Accessibility Act of 2003
THE REST OF THE WEEK'S NEWSWells Fargo Offers $100,000 Reward in Computer Theft Case
DHS Critical Infrastructure Attack Simulation Reveals Information Sharing Problems
Debian Servers Compromised
Meta Group Report Shows Increased Security Spending
Six Men Guilty of Identity Theft, Internet Bank Fraud
The European Network and Information Security Agency
Alleged Lowe's Wardrivers Indicted on Federal Charges
Blackout Not Caused by Cyber Attack
Think Tank Wants Spyware Problems Addressed
Bush Wants Congress to Ratify International Cyber Crime Treaty
ISS Internet Risk Impact Summary Report
Trade Association for Vulnerability Researchers Proposed
Microsoft Looking for Security Alliance Partners
VULNERABILITY UPDATES AND EFFECTSMicrosoft Testing Patch for Possible Flaw in Outlook Web Access Component of Exchange Server 2003
CERT Summary of Recent Activity
Opera Update Fixes Flaws Affecting Both Windows and Linux-based Systems
Apple Releases Update for Panther & Jaguar
************* Sponsored by SANS Local Mentor Program ******************
We hope you come to one of SANS immersion training programs in Washington or San Diego or Atlanta or Miami or Hawaii or Sydney or Edinburgh or several other cities (www.sans.org), but if you cannot travel or you cannot take a week off from work or if you like to spread out your learning, then SANS 250 local mentor programs in more than 80 cities around the world are just right for you. They cover SANS Security Essentials, Hacker Exploits, Firewalls and Perimeter Protection. In fact thirty-seven local mentor programs are starting in just the next couple of weeks. They give you access to the same training content you get in the live classes (delivered online) and add to it weekly mentored sessions to help you master the material, work through the hands-on exercises, build a peer network in your city, and gain confidence in the material. Check out the locations and topics at
Highlighted Immersion Training Conference of the Week
Assuming you cannot get to Washington for SANS CDI East starting on December 8, you can enjoy exactly the same high quality training program in San Diego at SANS CDI West January 26-31. Both of the Cyber Defense Initiative conferences stand out in the SANS schedule because they have vendor expositions and extensive evening programs, but the class sizes are smaller than the big national conferences. Besides San Diego in the winter is lovely.
San Diego: http://www.sans.org/cdiwest04
TOP OF THE NEWS
Diebold ATMs Hit by Nachi in August (24 November 2003)Diebold ATMs at two different banks were infected with the Nachi worm in August of this year. The infected machines' vigorous scanning for vulnerable computers triggered the banks' intrusion detection systems and were cut off. Though a patch for the vulnerability exploited by Nachi had been available for more than a month, Diebold had not installed it on the affected ATMs.
[Editor's Note (Pescatore): A lot of bad design decisions here: Running a single purpose appliance (ATM machine) on a general purpose OS; not minimizing ports/protocols it listens to; using an architecture that allows a worm to modify the ATM machine's software but requires a hand's on visit by a service tech to install patches. Certainly not a good reference design for other single purpose machines, like say electronic voting terminals?
(Shpantzer): Diebold recently announced that it is partnering with Sygate to deliver firewalled Windows-based ATM terminals, so they've improved security since the Nachi worm came about this summer.
While this is better than having XP-based financial hardware "riding bareback" on the networks, perhaps, as Pescatore suggested in his comment, financial hardware of such limited scope shouldn't be XP based at all. ]
Operation Cyber Sweep Nets 125 Alleged Cyber Criminals (20/21 November 2003)The Justice Department's Operation Cyber Sweep, which resulted in 125 arrests of alleged cyber criminals, is significant because state attorneys general, the US Postal Service, the Secret Service and local law enforcement cooperated in the operation. The crimes include credit card theft, securities fraud, spam and phishing.
The Cisco Network Admission Control Program (18/19/24 November 2003)Cisco has developed technology that will protect networks from malware. The Cisco Network Admission Control (CNAC) program will check to see if computers wanting to connect to the network have up to date anti-virus protection and whether or not their operating systems are adequately patched. If the machines are deemed inadequately protected they could be quarantined, allowed only limited access to the network or denied network access altogether. Cisco has established licensing agreements with three anti-virus software companies.
[Editor's Note (Schultz): As draconian as measures that limit or prevent network access to insufficiently secure machines may seem, measures such as these are bound to become commonplace in the future. There appears to be no alternative but to eliminate the weak links that have plagued networks for so many years. ]
The Voter Confidence and Increased Accessibility Act of 2003 (19 November 2003)Three Republican congressmen have joined more than 70 of their Democratic counterparts in co-sponsoring the Voter Confidence and Increased Accessibility Act of 2003. The bill would require electronic voting machines to provide voter-verifiable paper receipts. It would also prohibit using wireless devices to transfer votes from polling places to election precincts as well as ban the use of undisclosed software in electronic voting systems - the code would have to be made public upon request.
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Best Practices for Incident Response - Sign up for the practitioner's guide at
(2) Earn a Norwich University Master's Degree in Information Security in 24 months.
(3) Free Technical Webinar: Scary Network Mapping Techniques - featuring Simple Nomad.
Register at http://www.sans.org/cgi-bin/sanspromo/NB262
THE REST OF THE WEEK'S NEWS
Wells Fargo Offers $100,000 Reward in Computer Theft Case (24 November 2003)Wells Fargo is offering $100,000 for information leading to the arrest and conviction of the person who stole a computer from a bank analyst's office. The stolen computer contains the names, addresses, bank account and social security numbers of customers who had taken out personal lines of credit. Lynn Greenwood, senior vice president of Wells Fargo's home and consumer finance group, says there is no evidence the data is being misused. The bank has told affected customers about the problem.
[Editor's Note (Grefer): This incident serves as a reminder that it data encryption technology must be used wherever sensitive or privileged data is stored. ]
DHS Critical Infrastructure Attack Simulation Reveals Information Sharing Problems (24 November 2003)The Homeland Security Department's "Livewire" exercise simulated physical and cyber attacks on the nation's critical infrastructure, including banks. The exercise exposed gaps in information sharing procedures and showed that people were uncertain about which organizations could be contacted in the middle of the night to report crucial information about attacks.
[Editor's Note (Grefer): The lesson to be learned from this exercise is that business continuity and disaster recovery plans need to be exercised so that kinks may be worked out before the crisis hits. ]
Debian Servers Compromised (21/24 November 2003)Four servers that belong to the open-source Debian Project were compromised recently. While access to Debian machines will remain locked until members have cleaned them, a Debian software update, Debian GNU/Linux 3.0r2, was checked for integrity and released on Friday (11/21).
Meta Group Report Shows Increased Security Spending (21 November 2003)The Meta Group's 2004 Worldwide IT Benchmark Report says that security spending consumed 8.2% of IT budgets, up from 7.6% in 2002. Two-thirds of responding companies increased security spending. Some factors responsible for increased security spending are more ubiquitous security threats, data protection laws, business continuity and disaster recovery.
[Editor's Note (Paller): It is gratifying to see security gaining sufficient management attention to increase its funding. But we are receiving increasing numbers of complaints from the user community that the spending is not improving defenses. Apparently a large portion of the increased funding is being spent on consultants who write reports required by regulation. Those consultant studies are consuming so much money that budgets for vulnerability elimination and perimeter protection and identity management is actually being reduced to pay for the studies. If you are experiencing similar problems, where more than half your security budget is being consumed by report writing exercises required for regulations, let us know. Congress doesn't want to exacerbate the problem, but if the only people they hear from are lobbyists from the consulting and vendor community, then they have no way of finding out what's happening in the real world. ]
Six Men Guilty of Identity Theft, Internet Bank Fraud (21 November 2003)Six UK men have received prison sentences after pleading guilty to defrauding banks of x9c350,000 (approximately US$594 million) using the Internet. The six stole identities over the Internet, which they then used to establish bank accounts and apply for credit cards.
The European Network and Information Security Agency (20/21 November 2003)The European Union has created the European Network and Information Security Agency (ENISA). With a budget of 24.3 million Euros (approximately US$28.7) the agency will educate the public about worms and other attacks and security issues. ENISA will also commission security research and coordinate investigations into attacks that affect Europe as a whole. ENISA will be based in Brussels and will begin work in 2004.
[Editor's Note (Pescatore): This amount of funding is roughly equivalent to what the firewall and anti-viral vendors alone will spend on advertising across Europe - not enough to make any difference in the "security culture" of 750M Europeans. The EU would be much better off focusing that level of funding on incenting enterprises to make sure system administrators to do a better job of securing the servers that hold the public's sensitive information. ]
Alleged Lowe's Wardrivers Indicted on Federal Charges (20 November 2003)Three Michigan men have been indicted on federal charges related to their alleged conspiracy to break into the national wireless network of Lowe's home improvement stores. The three men also allegedly installed software designed to catch credit card information on computer systems of a number of Lowe's stores.
Blackout Not Caused by Cyber Attack (19 November 2003)The US-Canada Power System Outage Task Force issued a report saying that the massive blackout in August of this year was not caused by computer attacks, though the fact that the power grid relies heavily on the Internet does present the threat of "potentially devastating" cyber attacks.
[Editor's Note (Pescatore): The utility industry certainly has a lot of Internet exposure to clean up, but even at today's levels of protection we will never see even 1% of electrical system downtime be caused by cyber attacks. I guess new threats are always more news worthy than every day screwups. Coming soon to headlines near you: "Presidential Election Results of November 2004 Were *Not* Caused by Cyber Attack" ]
Think Tank Wants Spyware Problems Addressed (18/19 November 2003)The Center for Democracy and Technology wants Internet users to detail their unpleasant experiences with spyware. The Washington DC-based think tank hopes to compile the experiences and submit them to the Federal Trade Commission in the hopes the FTC will take action against businesses that do not clearly inform users about the presence and potential actions of spyware. Representative Mary Bono (R-Calif.) has introduced legislation that would require companies to display information about the programs more conspicuously.
Bush Wants Congress to Ratify International Cyber Crime Treaty (18 November 2003)President Bush wants the US Senate to ratify the Council of Europe's international cyber crime treaty, though the United States is not a voting member of the council. Only three countries - Croatia, Albania and Estonia - have ratified the treaty so far. The Bush administration believes the US already abides by the provisions prescribed by the treaty. Those provisions include banning software that is designed to aid in the commission of crimes and requiring ISPs to preserve traffic data "upon request."
[Editor's Note (Grefer): Be careful what you ask for. This could backfire badly. A wide variety of vulnerability testing software, just an example, can be (ab)used in the commission of crimes. ]
ISS Internet Risk Impact Summary Report (18 November 2003)Internet Security Systems' Internet Risk Impact Summary Report says that "overt" attacks in the third quarter of 2003 increased 15% over the previous quarter. One reason for the significant increase is the shrinking window of time between vulnerability disclosures and the appearance of exploits for those vulnerabilities.
Trade Association for Vulnerability Researchers Proposed (18/19 November 2003)PivX Solutions senior security researcher Thor Larholm wants to create a trade association for vulnerability researchers. The organization would lobby "against legislation" that would hinder the work of its members while establishing lines of communication with vendors and reviewing research and advisories.
Microsoft Looking for Security Alliance Partners (14 November 2003)Microsoft is talking with governments and companies in countries around the world in hopes of establishing cyber security alliances that will help protect computer users from cyber attacks.
[Editor's Note (Schultz): Should the goal be to protect home users against hackers, or to radically reduce the number of vulnerabilities that hackers who attack home users' computers can exploit? I would think that the latter would be far more important. ]
VULNERABILITY UPDATES AND EFFECTS
Microsoft Testing Patch for Possible Flaw in Outlook Web Access Component of Exchange Server 2003 (24 November 2003)
CERT Summary of Recent Activity (24 November 2003)
Opera Update Fixes Flaws Affecting Both Windows and Linux-based Systems (24 November 2003)
Apple Releases Update for Panther & Jaguar (20 November 2003)
NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/