Special Offer w/ OnDemand: Get an iPad (32 G), Galaxy Tab A, or Take $250 Off OnDemand Training thru Jan 27

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VI - Issue #14

April 07, 2004

More than 1,400 people are in Orlando this week attending SANS2004immersion security training. If you missed Orlando, join us in Montereyin early July for SANSFire2004.


US Representative Putnam Releases Security Task Force Recommendations
US Representative Putnam Holds Hearings on SCADA Security
Bill Gates' Letter About Microsoft Security
Defense Department WiFi Policy
Comparing Windows and Linux Security
ISS Criticized for Giving Patches Only to Customers With Active Maintenance Contracts


Man Sentenced for Nigerian 419 Scam
Task Force Report Says MSBlast was Not Responsible for Blackout
Phishers Exploit IE Hole to Install Keystroke Loggers Surreptitiously
Legal Liability Threat Spurs Companies to Take Action Against Illegal File Sharing on Networks
Judge Says File Sharers are Not Breaking Canadian Copyright Law
Open Source Vulnerability Database
8 Million Infected by MSBlast
Security Professionals Note Improvement in Microsoft's Patches
NIST Releases Two Draft IT Security Documents for Comment
Buffalo Spammer Found Guilty
Air Force Network Security Exercise
Americans for a Secure Internet Says Cyber Security is Everyone's Responsibility
UK Companies Concerned About Security of Mandatory Electronic Reporting
Software for Detecting Phishing Schemes
What to Ask When Considering an Integrated Security Device


NCSP Software Security Task Force Releases Report
DHS Information Analysis and Infrastructure Protection Directorate Staffing Shortage
DHS NCSD Director Amit Yoran Interview
Asst. Sec. Liscouski Says DHS Could Respond Appropriately to Cyber Attack on Critical Infrastructure


NetSky.S Detected
Sober.F Spreading in Europe
IP Fragmentation Vulnerability in Multiple OSes
Distributed Denial-of-Service Vulnerability in Cisco 600 Series Web Administration

************************ SPONSORED LINKS ******************************
Privacy notice: These links may redirect to non-SANS web pages.

(1) FREE WHITE PAPER - Spam is no longer simply a nuisance. Act to secure your email systems.http://www.sans.org/click.php?id=387

(2) Best Practices for Incident Response - Sign up for the practitioner's guide athttp://www.sans.org/click.php?id=388



US Representative Putnam Releases Security Task Force Recommendations(6 April 2004)

Rep. Adam Putnam, Chairman of the House Government Reform Subcommitteeon Technology, Information Policy, Intergovernmental Relations and theCensus, asked several dozen security industry and business leaders torecommend ways that government and industry can work together to makesubstantial improvements in the national's cyber security. The reportwas released today.

[Editor's Note (Paller): Congressman Putnam has once again shownextraordinary leadership. He did not allow his working group to bedominated by interests funded by large software companies. As you mightexpect, the recommendations from his working group are far more likelyto have real impact on improving security. ]

US Representative Putnam Holds Hearings on SCADA Security(31/30 March 2004)

US Representative Adam Putnam (R-Fla.), chairman of the HouseSubcommittee on Technology, Information Policy, IntergovernmentalRelations and the Census, held a hearing last week regarding thesecurity of Supervisory Control and Data Acquisition (SCADA) systems,which are used to manage critical infrastructure, including the electricpower grid. Putnam's concerns about SCADA systems include the fact thatdata are sent as clear text; command-accepting protocols require noauthentication, and communication channels are wireless or through theunsecured public Internet. At the hearing, the General AccountingOffice (GAO) released a study of SCADA system security that concludedthat the DHS has not been quick enough in efforts to work with theprivate sector in securing the nation's critical infrastructure.



And in a related story....James F. McDonnell, director of the DHSProtective Security division, said in his testimony that they arerunning into blocks because they do not have the authority to mandatevulnerability remediation at private companies and state and localgovernments.

Bill Gates' Letter About Microsoft Security(31 March 2004)

Bill Gates has sent a lengthy e-mail to Microsoft customers, describingthe company's efforts to improve the security of its products. Evidenceof the company's progress in addressing security includes features inupcoming Service Packs, Caller-ID antispam architecture and "improvedsoftware coding practices." Gates says Microsoft is also researchingtechnology that would allow inspection of remote devices that try toconnect to networks and refusing connections if certain securitycriteria were not met.

[Editor's Note (Schultz): I'm convinced that Microsoft is sincere inits efforts to improve the security of its products. Really, though,this corporation had little choice, given all the vulnerabilities thathave surfaced in its products every year and the large number ofsecurity-related incidents in which Microsoft products have beeninvolved. ]

Defense Department WiFi Policy(31 March 2004)

The Defense Department's (DoD) soon to be released WiFi use policy willrequire that all data, both classified and unclassified, will have tobe encrypted while traveling over wireless networks. The policy, DOD8100.bb, is expected to be signed this week. In addition, DoD plans tocreate web sites with instructions for setting up wireless networks.DoD also plans to develop a cellular phone use policy.

Comparing Windows and Linux Security(30 March 2004)

Forrester Research has released a report titled "Is Linux More SecureThan Windows?" The report, which looked at Debian, Mandrake, Windows,Red Hat and SuSE, focused on these questions: How quickly does eachfix public security vulnerabilities? How severe are the problems thatarise? And how close does each company come to fixing 100% of its flaws?The metrics used were the number of days between flaw disclosure andrelease of fix and NIST's ICAT project standard for severe computervulnerabilities. During the yearlong period studied, Microsoft had theshortest lag time between disclosure and patch release, but the highestnumber of high severity flaws (67%) in the time period examined. 56%of Red Hat flaws were ranked high severity, but Red Hat fixed all butone, or 99.6%, of its vulnerabilities.

ISS Criticized for Giving Patches Only to Customers With Active Maintenance Contracts(30 March 2004)

Internet Security Systems (ISS) has been criticized for providingpatches for flaws in its RealSecure and BlackIce products only to thosecustomers who had bought maintenance agreements. About 12,000 systemsbecame infected with the Witty worm, which exploited thosevulnerabilities. The company's director of technology solutions saidthese 12,000 customers had probably let their maintenance contractslapse, and offered no direct response to the suggestion that the companywas at fault because those with the lapsed contracts were sold defectiveproducts in the first place.

[Editor's Note (Schultz): People who are considering buying securityproducts have a choice between many vendors' products; it looks as ifthis vendor has just made the choice quite a bit easier. ]


Man Sentenced for Nigerian 419 Scam(5 April 2004)

A Welsh court has sentenced Peter Okoeguale, a Nigerian man living inIreland, to twenty months in prison for running a 419 scam. (419 is thesection of the penal code that relates to fraud.) Such scams involveusing the false promise of a share of a fortune to trick people out ofmoney and personal information. Okoeguale faces deportation once hissentence is complete.

[Editor's Note (Shpantzer): This scam is a lucrative, low-overhead,multimillion dollar industry. The US Secret Service has jurisdictionover this type of fraud in the United States. See

Task Force Report Says MSBlast was Not Responsible for Blackout(5 April 2004)

The MSBlast worm was not responsible for last summer's blackout thataffected about 50 million people in the northeastern US and Canada,according to the final report from the Security Working Group of theFederal Energy Regulatory Commission's US-Canada Power System OutageTask Force. The group also ruled out the suggestion that the blackoutwas caused by a cyberattack launched by al Qaeda.

Phishers Exploit IE Hole to Install Keystroke Loggers Surreptitiously(5 April 2004)

AusCERT released an advisory about a phishing scam that exploits avulnerability in Microsoft Internet Explorer (IE). The phony e-mailprovides a link to what appears to be a legitimate banking site, butwhich actually downloads a keystroke logging program onto theircomputers. The person is then redirected to the real bank web site andthe keystroke logger collects the personal information entered and sendsit to an anonymous mail server.

Legal Liability Threat Spurs Companies to Take Action Against Illegal File Sharing on Networks(5 April 2004)

Facing the possibility of legal liability for copyright violations,companies are starting to take steps to stop their employees fromparticipating in unauthorized peer-to-peer file sharing activity oncompany networks. Technologies used to prevent illegal file tradinginclude tools that block access to P2P sites, shut down P2P sessionsand prevent P2P programs from running on company networks, limit theamount of bandwidth P2P applications can use, and inspect all packetstraveling to and from networks, looking for P2P markers.

Open Source Vulnerability Database(2/1 April 2004)

The Open Source Vulnerability Database (OSVDB) is designed to be a"collection point" for vulnerabilities in both open source andproprietary products; the term "open source" means that thevulnerability information will be shared freely under an open sourcelicense. The OSVDB project presently lists about 1,900 vulnerabilities;approximately 2,700 more are awaiting confirmation.




8 Million Infected by MSBlast(2 April 2004)

Data from Microsoft indicates that about 8 million computers wereinfected with the MSBlast worm and its variants following its August2003 release. Microsoft was able to track how many times an on linetool that cleans MSBlast and its variants from infected machines wasused.

Security Professionals Note Improvement in Microsoft's Patches(1 April 2004)

A group of security professionals attending an event at Microsoft'sReading, UK facility voiced their opinions that Microsoft's patches haveimproved of late. The patches are more reliable than they used to beand they do not break other applications nearly as often as they didbefore.

NIST Releases Two Draft IT Security Documents for Comment(1 April 2004)

The National Institute of Standards and Technology (NIST) has releasedtwo draft IT security publications. NIST will accept comments on Guidefor Mapping Types of Information and Information Systems to SecurityCategories (Special Publication 800-60) through May 1, 2004. Commentson Recommendation for the Triple Data Encryption Algorithm (SpecialPublication 800-67) will be taken through April 15.




Buffalo Spammer Found Guilty(1 April 2004)

A jury in Erie County, NY, has found Buffalo resident Howard Carmack,a.k.a. the Buffalo Spammer, guilty on charges of identity theft andfalsifying business records. Carmack stole identities of two Buffaloarea residents and used them to send more than 800 million spammessages. He will be sentenced on May 27, when he will face betweenthree and seven years in prison.

Air Force Network Security Exercise(1 April 2004)

About 200 people at Air Force network operation security centers andnetwork control centers took part in a two-week computer network defenseexercise. Dubbed Black Demon, the exercise involved managing networkattacks, reconnaissance, denial-of-service, inside threats, maliciouslogic and loss of firewalls and network-defense tools.

Judge Says File Sharers are Not Breaking Canadian Copyright Law(1 April 2004)

A Canadian Federal Court judge ruled that music file sharers are notbreaking Canadian law. Justice Conrad von Finckenstein wrote "the merefact of placing a copy
[of a music file ]
on a shared directory in acomputer where that copy can be accessed via a P2P service does notamount to distribution." The case in question was brought by theCanadian Recording Industry association who sought the identities of 29Internet users who allegedly shared music files.

Americans for a Secure Internet Says Cyber Security is Everyone's Responsibility(1 April 2004)

Americans for a Secure Internet (ASI), a cybersecurity education group,believes that everyone has a part to play in computer security and haslaunched a website aimed at helping people educate themselves aboutcyber security. It focuses on individual users as well as businesses.ASI acknowledges the fact that there is no "silver bullet" for cybersecurity issues. ASI members include eBay, Internet Security Systemsand the Computing Technology Industry Association.


UK Companies Concerned About Security of Mandatory Electronic Reporting(1 March 2004)

Some UK companies have expressed concern about the security of theFinancial Services Authority's (FSA) Mandatory Electronic Reporting(MER), which requires them to transmit data to the FSA either over asecure Internet link or by logging on to the FSA's secure web site.The FSA says its main security objectives are authentication,establishing an audit trail and establishing a secure communicationchannel.

Software for Detecting Phishing Schemes(1 April 2004)

The preponderance of phishing scams on the Internet has given rise tosoftware designed to defeat the schemes. For example, eBay has addeda feature to its toolbar that has a green light when visiting eBay orPayPal sites and red light on sites that are known to be phony. It alsoprovides a warning when users enter eBay or PayPal passwords on othersites. Other proposed techniques include personalized password imagingsystems and technology to analyze headers.

What to Ask When Considering an Integrated Security Device(29 March 2004)

As cyber attacks increase in sophistication, entities are using a widervariety of security devices, such as firewalls and intrusion detectionand prevention systems. Managing a mix of appliances can become anunwieldy task, and it is tempting to deploy an all-in-one securityproduct rather than a combination of appliances. It is important toknow what sorts of questions to ask vendors about their products, andto know what sorts of answers you want to hear before purchasing anintegrated appliance.


NCSP Software Security Task Force Releases Report(1 April 2004)

The National Cyber Security Partnership task force on software securityhas released a report that makes four broad recommendations to theDepartment of Homeland Security. First, higher education must do abetter job of teaching software developers about security while theyare still in school. Second, the software industry needs to makesecurity a part of the design process. Third, there need to beincentives for creating secure code, and finally, the software industrymust join together to create a common method for patchingvulnerabilities. The task force also said that market forces andbusiness need are actually improving security across the developmentlifecycle" but that "it is possible that national security or criticalinfrastructure protection may require a greater level of security thanthe market will provide.

Note (Pescatore): We are a long way from the government havingthe capability to determine what constitutes the necessary level ofsecurity for critical infrastructure, let alone having regulations doa better job than market pressures.
(Ranum): The recommendations NCSP makes are the usual ones: educateusers, write better code, etc. Security practitioners have recommendedthese things since the dawn of the computing era. Why do the NCSP folksthink recommending them now will cause change? ]

DHS Information Analysis and Infrastructure Protection Directorate Staffing Shortage(1 April 2004)

The Homeland Security Department's Information Analysis andInfrastructure Protection (IA/IP) directorate is suffering from aserious staffing shortage. While the IAIP is authorized to have 729employees, at the beginning of March, it has just 279. The IAIP hashad problems filling the spots because of competition with othergovernment agencies and the private sector, and because of the delayscaused by the required and extensive process of obtaining securityclearances for new hires. The IA/IP's mission is to compile a"comprehensive and current inventory of our nation's criticalinfrastructure" and describe the threats.

DHS NCSD Director Amit Yoran Interview(30 March 2004)

In an interview with InformationWeek journalist George V. Hulme, AmitYoran, director of DHS National Cyber Security Division, refutes chargesthat progress in securing key computer systems has been slow anddiscusses questions raised by Senator Joseph Lieberman (D-Conn.) in arecent letter to DHS Secretary Tom Ridge.

Asst. Sec. Liscouski Says DHS Could Respond Appropriately to Cyber Attack on Critical Infrastructure(30 March 2004)

Robert Liscouski, Assistant Secretary for Information Assurance andInfrastructure Protection (IA/IP) at DHS, told the House SelectCommittee on Homeland Security that the DHS would be able to respondappropriately to a cyber attack on US critical infrastructure. Thecommittee questioned a number of DHS technology officials in the wakeof growing concern that the department is disorganized and lackscoordination with other agencies and the private sector.


NetSky.S Detected(5 April 2004)


Sober.F Spreading in Europe(5 April 2004)


IP Fragmentation Vulnerability in Multiple OSes(2 April 2004)


Distributed Denial-of-Service Vulnerability in Cisco 600 Series Web Administration Service(1 April 2004)


NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, JohnPescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz,Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, butno posting is allowed on web sites. For a free subscription, (and forfree posters) or to update a current subscription, visithttp://portal.sans.org/