SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume V - Issue #52
December 30, 2003
A Research Question: We're exploring the effectiveness of cyber insurance policies, and preliminary research has uncovered several cases where cyber claims were denied by the insurance companies and the courts backed them up. Does anyone have counter examples in which substantial cyber claims were actually paid? If so, or if you have access to any relevant information, please write us at firstname.lastname@example.org with subject "Cyberinsurance."
FRAUD ON THE INTERNET
Phishers Target Visa Cardholders
Semantic Attacks are "the Future of Fraud on the Internet"
On-Line Fraud Complaints Up 60%
Symantec Wins $3 Million Judgment in Counterfeit Software Suit
THE REST OF THE WEEK'S NEWS
Security Developer For Electronic Voting Systems Suffers Hacker Attack
Beijing Court Orders Return of Virtual Property
NIST Releases Draft Guidance on Determining Security Levels
Appeals Court Upholds Johansen's Acquittal
New Malware Defenses Discussed at Workshop
DARPA Examining Proposals for Self-Regenerative Systems (SRS) Technology
VULNERABILITY UPDATES AND EFFECTS
Apple Issues Patch for Mac OS X Vulnerabilities
******** Highlighted Immersion Training Conference of the Week **********
CDI West, in San Diego at the end of January, is the place to find all six of SANS' most popular courses, including Forensics, Hacker Exploits, Firewalls, Securing Windows, Intrusion Detection, and SANS Security Essentials. It also offers an interactive vendor exposition and an extensive evening program. And San Diego in the winter is lovely.
More information: http://www.sans.org/cdiwest04
FRAUD ON THE INTERNET
Phishers Target Visa Cardholders (26 December 2003)
Visa credit card holders are the latest targets of phishers. People have been receiving e-mail messages containing a link that invites them to "reactivate" their accounts as part of a purported anti-fraud service. The link led to a web page that did not belong to Visa; that page has since been taken down.
Semantic Attacks are "the Future of Fraud on the Internet" (19 December 2003)
Bruce Schneier observes that phishing is a form of "semantic attack," which is harder to protect against than physical attacks or logical ("syntactic") attacks because its targets are computer users, not the computers themselves. People have a tendency to believe things they read, even on the Internet, and they are likely to open attachments from what appear to be known senders.
[Editor's Note (Shpantzer): Dr. Paul Thompson from Dartmouth's Institute for Security Technology Studies is also a subject matter expert in this field. This link is for the semantic hacking web page at the institute:
On-Line Fraud Complaints Up 60% (24 December 2003)
Statistics from the Internet Fraud Complaint Center (IFCC) show that on-line fraud complaints rose from 75,000 in 2002 to more than 120,000 in 2003, an increase of 60%. The center, which is run by the FBI and the National White Collar Crime Center (NW3C), is changing its name to the Internet Crime Complaint Center (IC3).
Symantec Wins $3 Million Judgment in Counterfeit Software Suit (24 December 2003)
Symantec has won a $3 million judgment against Baltimore-based Maryland Internet Marketing, which had been selling counterfeit Symantec applications. As part of the settlement, Maryland Internet Marketing's chief executive, George Moore, is personally responsible for $300,000 in damages. Maryland Internet Marketing had been using high-volume unsolicited email (spam) to market its counterfeit software. Interestingly, Symantec is critical of the newly signed CAN-SPAM Act, saying it cannot effectively be enforced.
[Editor's Note (Northcutt): I have noticed spammers consistently sending counterfeit ads for Adobe products as well as Symantec products. Both Symantec and Adobe have "contact us" links on their web pages. If you see one of these ads, it only takes about 30 seconds to copy the mail message with all headers intact and send it to Symantec or Adobe. That way, we may see additional successful legal cases and put these criminals who are collecting unsuspecting customers' credit card information out of business.
(Grefer): The CAN-SPAM Act looks to be a license to spam rather than a way to stop spam. Aside from the fact that it is hardly enforceable, it legalizes an opt-out approach, rather than the opt-in approach favored in some parts of the U.S. as well as in Europe. Who in their right mind would want to provide international spammers, unconcerned about U.S. law, with a verification of their email address in order to "opt out"? Unfortunately, the CAN-SPAM Act also overrides more stringent state laws, legally reopening the spam floodgates in states, such as California, that had more stringent rules. ]
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Enhanced Security Posture. Improved Efficiency. Download LURHQ's whitepaper "Reducing Risk with Effective Threat Management."
(2) Invest in the best network protection. Introducing the Microsoft(r) Security Readiness Kit.
THE REST OF THE WEEK'S NEWS
Security Developer For Electronic Voting Systems Suffers Hacker Attack
VoteHere, a company developing security technology for electronic voting, suffered an embarrassing hacker break-in that executives think was tied to the rancorous debate over the safety of casting ballots online. The company's chief executive claims that the attack was politically motivated, and that he has identified the attacker and turned over evidence to the FBI and Secret Service.
Beijing Court Orders Return of Virtual Property (29 December 2003)
A Beijing court has found an on-line gaming company liable for flaws in its servers that allegedly allowed a cyber thief to break into a player's account and drain it of virtual goods. The company was ordered to return the player's virtual property, though whether it will pay him damages or identify the person responsible for the virtual theft remains unclear.
[Editor's Note (Schultz): This is an intriguing case. The fact that in this case the gaming company was held responsible independently of who broke into Li Hongchen's account is significant. It will certainly send a strong message to other on-line gaming companies--namely that *they* are responsible for security breaches that result in losses to customers. ]
NIST Releases Draft Guidance on Determining Security Levels (22/23 December 2003)
The National Institute of Standards and Technology (NIST) has released draft guidance designed to help agencies determine the appropriate levels of security for their systems. "Special Publication 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories" will help agencies comply with the Federal Information Security Management Act (FISMA). Comments on the draft will be accepted through February 20, 2004.
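The draft guide concerns assigning security categories to information types and to the systems that handle them. As an added illustration, not text or code from the newsletter or from NIST, the following Python applies the categorization rule that FIPS 199 and the final SP 800-60 use: each information type carries a provisional impact level (LOW, MODERATE or HIGH) for confidentiality, integrity and availability, a system's category is the high-water mark per objective across all the information types it processes, and any adjustment to a provisional level must be justified. The information types and their levels below are constructed for the example and are not NIST's published tables.

```python
"""Security categorization in the style of FIPS 199 / SP 800-60 (added example).

Each information type a system handles carries a provisional impact level
(LOW, MODERATE or HIGH) for confidentiality, integrity and availability.  The
system's security category is the high-water mark per objective across all of
its information types, and the system's overall impact level is the highest of
the three.  Provisional levels may be adjusted, but only with a documented
justification.
"""
from typing import Dict, Iterable, Optional, Tuple

IMPACT_RANK = {"LOW": 0, "MODERATE": 1, "HIGH": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed provisional levels for a few information types.  Illustrative
# values only; they are not the tables published in SP 800-60.
PROVISIONAL_LEVELS: Dict[str, Dict[str, str]] = {
    "public web content": {"confidentiality": "LOW", "integrity": "MODERATE", "availability": "LOW"},
    "personnel records": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "payroll processing": {"confidentiality": "MODERATE", "integrity": "HIGH", "availability": "MODERATE"},
    "help desk tickets": {"confidentiality": "LOW", "integrity": "LOW", "availability": "LOW"},
}

# An adjustment maps (information type, objective) -> (new level, justification).
Adjustments = Dict[Tuple[str, str], Tuple[str, str]]


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the most severe impact level among those given."""
    return max(levels, key=IMPACT_RANK.__getitem__)


def categorize_system(info_types: Iterable[str],
                      catalog: Dict[str, Dict[str, str]] = PROVISIONAL_LEVELS,
                      adjustments: Optional[Adjustments] = None) -> Dict[str, str]:
    """Security category of a system: per-objective high-water mark over its information types.

    Adjustments override the provisional level of one information type for one
    objective before aggregation; an unknown level or a blank justification is rejected.
    """
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must process at least one information type")
    adjustments = adjustments or {}
    for (itype, obj), (level, justification) in adjustments.items():
        if level not in IMPACT_RANK or obj not in OBJECTIVES or not justification.strip():
            raise ValueError(f"invalid or unjustified adjustment for {itype}/{obj}")
    category = {}
    for obj in OBJECTIVES:
        per_type = []
        for itype in info_types:
            level = catalog[itype][obj]
            if (itype, obj) in adjustments:
                level = adjustments[(itype, obj)][0]
            per_type.append(level)
        category[obj] = high_water_mark(per_type)
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """Overall impact level of the system: the highest of its three objective levels."""
    return high_water_mark(category.values())


def format_category(system: str, category: Dict[str, str]) -> str:
    """Render in FIPS 199 notation: SC name = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    inner = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return f"SC {system} = {{{inner}}}"


if __name__ == "__main__":
    # Constructed system: a public web front end that also runs payroll.
    category = categorize_system(["public web content", "payroll processing"])
    print(format_category("hr-portal", category))
    print("overall impact:", overall_impact(category))
```

The aggregation is deliberately a maximum rather than an average: a system that processes one HIGH-impact information type is a HIGH-impact system for that objective no matter how many LOW-impact types it also carries, which is why unrelated data sets are often split across separate systems.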
Appeals Court Upholds Johansen's Acquittal (22/24 December 2003)
A Norwegian appeals court upheld an earlier verdict clearing Jon Johansen of piracy charges. Johansen has been embroiled in a legal battle with the Recording Industry Association of America (RIAA) for his role in the creation of the DeCSS utility, which he used to circumvent copy protection on DVDs he already owned.
New Malware Defenses Discussed at Workshop (22 December 2003)
Malware creators are benefiting from the ubiquity of high-speed Internet connections, increasingly complex software, and increasingly sophisticated attack tools. However, researchers are developing new defenses. Among the methods discussed at the Adaptive and Resilient Computing Security workshop at the Santa Fe Institute are one inspired by the human immune system, one that relies on automated diversity to slow the spread of attacks, and one that uses Kolmogorov complexity to detect anomalous activity.
[Editor's Note (Ranum): Hype Alert! Kolmogorov Complexity, neural networks, blah blah blah. Basically, they're working on software anomaly detection (just like everyone has for years), perimeter protection (yawn), and distributed agents (been there, done that), but with a veneer of "biosystem" and "monoculture" hype. ]
DARPA Examining Proposals for Self-Regenerative Systems (SRS) Technology (22 December 2003)
The US Defense Advanced Research Projects Agency (DARPA) is looking at proposals to develop technology for its Self-Regenerative Systems (SRS) program. DARPA program manager Lee Badger says they hope to be able to develop systems that can learn from their environments much as the human immune system learns from exposure to pathogens.
[Editor's Note for the previous two items (Pescatore): Just because Fred Cohen came up with the name "virus" for software attacks doesn't mean that the human immune system is a great model for protecting software or computer systems. The threat is very different - malicious software attacks don't just randomly mutate, for one. Also, the human immune system seems to have allowed many catastrophic plagues to occur over the years. This is great for population control, but we needed modern medicine to keep the dead bodies from piling up. ]
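The Santa Fe workshop item above mentions Kolmogorov complexity as a basis for detecting anomalous activity without saying how that is made practical. The following Python is an added example, not code from the newsletter or from the workshop researchers: it uses an ordinary compressor (zlib) as a computable stand-in for Kolmogorov complexity and scores each new log line by how many extra compressed bytes it costs once a baseline of known-good lines has already been compressed, which approximates the conditional complexity of the line given the baseline. The sshd-style log lines, host and user names, addresses, and the flagging threshold are all constructed for the example.

```python
"""Compression-based novelty scoring for log lines (added example).

Kolmogorov complexity K(x) is uncomputable, but the output size C(x) of a real
compressor is a usable upper bound, and C(baseline + x) - C(baseline)
approximates the conditional complexity K(x | baseline): the extra bytes needed
to describe x once the normal history is already known.  Lines that follow the
established pattern are cheap to describe; genuinely novel lines are expensive.
"""
import statistics
import zlib


def constructed_baseline():
    """Constructed sshd-style log lines standing in for a known-good history.
    Host, users, addresses and ports are made up for this example."""
    users = ["alice", "bob", "carol"]
    sources = ["10.0.0.5", "10.0.0.17", "10.0.0.42"]
    lines = []
    for i in range(24):
        lines.append(
            f"Dec 30 10:{i // 4:02d}:{(i * 13) % 60:02d} gw1 sshd[{2100 + i}]: "
            f"Accepted publickey for {users[i % 3]} from {sources[(i // 3) % 3]} "
            f"port {51000 + 17 * i} ssh2"
        )
    return lines


BASELINE = constructed_baseline()

# Two constructed candidates: one more line of the usual pattern, and one that
# shares nothing with the baseline beyond the syslog prefix.
NORMAL_LINE = ("Dec 30 10:06:33 gw1 sshd[2140]: Accepted publickey for bob "
               "from 10.0.0.17 port 51503 ssh2")
ANOMALOUS_LINE = ("Dec 30 10:06:35 gw1 kernel: EXT4-fs error (device sda1): "
                  "ext4_find_entry:1455: inode #262145: comm cron: "
                  "reading directory lblock 0")


def compressed_size(data: bytes) -> int:
    """C(x): size of the zlib output, the computable proxy for K(x)."""
    return len(zlib.compress(data, 9))


def conditional_cost(context: bytes, line: str) -> int:
    """Approximate K(line | context): extra compressed bytes when line is appended."""
    with_line = compressed_size(context + line.encode() + b"\n")
    return max(0, with_line - compressed_size(context))


def typical_line_cost(lines) -> float:
    """Median leave-one-out cost of a baseline line; this is the unit for the scores."""
    costs = []
    for i, line in enumerate(lines):
        rest = ("\n".join(lines[:i] + lines[i + 1:]) + "\n").encode()
        costs.append(conditional_cost(rest, line))
    return max(statistics.median(costs), 1.0)


def novelty_scores(baseline, candidates):
    """Score each candidate as (cost given the baseline) / (typical baseline line cost).
    A score near 1 means 'looks like the baseline'; a score of several means 'novel'."""
    context = ("\n".join(baseline) + "\n").encode()
    unit = typical_line_cost(baseline)
    return {line: conditional_cost(context, line) / unit for line in candidates}


def flag_anomalies(baseline, candidates, threshold=2.0):
    """Return the candidates whose novelty exceeds the threshold (an assumed value, not tuned)."""
    return [line for line, score in novelty_scores(baseline, candidates).items()
            if score > threshold]


if __name__ == "__main__":
    for line, score in novelty_scores(BASELINE, [NORMAL_LINE, ANOMALOUS_LINE]).items():
        print(f"{score:5.2f}  {line}")
    print("flagged:", flag_anomalies(BASELINE, [NORMAL_LINE, ANOMALOUS_LINE]))
```

Two caveats a practitioner would want: the baseline must fit inside the compressor's window (32 KB for zlib) or older history silently stops contributing, and the method reacts to novelty rather than to maliciousness, so a benign but unusual line (the kernel message above) scores just as high as a suspicious one. That is also the limitation behind Ranum's "anomaly detection, just like everyone has for years" remark.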
VULNERABILITY UPDATES AND EFFECTS
Apple Issues Patch for Mac OS X Vulnerabilities (22/23 December 2003)
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Bruce Schneier, Eugene Schultz, Gal Shpantzer
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit