
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VI - Issue #16

April 21, 2004

Heavy News Week: The TCP vulnerability, the vendors' list of security mistakes they make, the fallout from the Windows vulnerabilities announced last week.

And a bonus section: Microsoft's Jesper Johansson provides a detailed review of Service Pack 2 of Windows XP.



TCP Vulnerable To Attacks
Vendors Publish List of Security Mistakes They Have Made
Automated Copyright Notice System Thwarts Content Pirates
Earthlink Audit Service Finds Spyware Items on PCs
Program Will Warn Users of Suspected Phishing Sites
Sentencing Commission Guidelines for Can-Spam Act
Maryland Legislators Approve Strong Anti-Spam Bill


Linux Not Appropriate for Critical Security Applications
Defense Department Releases Wireless Policy
Spammers Sending Fake Stock Tips
Open Source Vulnerability Database Open for Public Use
Fleet Issues New Business Visa Cards After Merchant Security Breach
Former Global Crossing Employee Sentenced
Industry Coalition: We Need More Clearances Faster
FBI Investigating Supercomputing Center Server Compromises
Microsoft Update Web Site Swamped by Patch Demand
Slowing Down Patch Releases Will Slow Down Attacks
NIAC Working Group Developing Vulnerability Grading Scale for Networks
Browser-Based Attacks on the Rise
Sprague Pleads Guilty to Copyright Infringement
Swift e-Mail Policy Change Helps Guard Against Bagle
Teen Allegedly Used Computer to Harass 9/11 Victim's Family


Possible New Phatbot Variant Detected
Cisco Warns of Security Flaw in VPN3000 Concentrator
NetSky.V Spreads Via Known Internet Explorer Vulnerability
Cisco Releases Protocol for WLAN LEAP Vulnerability
Vulnerabilities in HP Internet Express on Tru64 Servers and OpenView Authentication System


Windows XP Service Pack 2 Overview


Highlighted Training Programs Of The Week
1. SANS Security Bootcamp (May 9-16 in Baltimore) will be one of the best training opportunities of the year - smaller classes, plus evening bootcamps. You won't find a better opportunity for immersion training.

2. SANSFIRE offers you 14 immersion training tracks in one of the most beautiful and romantic places in America -- Monterey, California -- in early July. Phenomenal training for auditors who want to master the challenges of security auditing, managers who want to build a great security program, beginners who want to get a fast start, and, of course, the only place to go for technologists who want to master the most current methods for protecting systems and networks. SANSFIRE also offers lots of evening programs, extra one-day classes ranging from Business Law to Cyberwarrior training, and vendor exhibits, too.

Register soon to get a seat at your choice of courses.


TCP Vulnerable To Attacks (20 April 2004)

The U.K. National Infrastructure Security Coordination Centre and the US Department of Homeland Security announced that a vulnerability in TCP can be exploited to block traffic throughout the Internet by disrupting routers. Major backbone companies have been patching their core routers for weeks. The person who discovered the vulnerability, Paul Watson from Milwaukee, plans to make a public presentation laying out the details on April 21. He says the details he will provide will allow hackers to understand how to begin launching attacks "within five minutes of walking out of that meeting." Others familiar with the attack technique say that it will be very hard to exploit and is not a major worry.
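The item above does not say what the TCP weakness is; the following is an added example, not part of the NewsBites text, that models the mechanism behind the reset attack and the "hard to exploit" disagreement. RFC 793 has a receiver accept a RST whose sequence number falls anywhere inside its receive window, so an attacker who already knows both addresses and both ports needs on the order of 2^32 / RCV.WND spoofed packets rather than 2^32. The stricter policy modelled beside it (accept a RST only at exactly RCV.NXT, answer other in-window RSTs with a challenge ACK) is the later RFC 5961 fix, which this page does not describe. All connection values are constructed.

```python
"""Added example, not part of the NewsBites item: why the TCP reset
problem announced here scales with the receive window.

RFC 793 accepts a RST anywhere in [RCV.NXT, RCV.NXT + RCV.WND).  The
exact-match policy modelled alongside it is the later RFC 5961 fix and
is not described on this page.  All connection values are constructed.
"""
import math
from typing import Callable, Optional

SEQ_SPACE = 2 ** 32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rfc793_rst(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Pre-fix behaviour: any in-window RST tears the connection down."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rfc5961_rst(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Exact-match behaviour: only seq == rcv_nxt resets; any other
    in-window RST draws a challenge ACK that a blind attacker never sees."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def guesses_to_cover(rcv_wnd: int) -> int:
    """Spoofed RSTs needed to land in every possible window position once,
    stepping through sequence space in window-sized strides."""
    return math.ceil(SEQ_SPACE / rcv_wnd)


def blind_reset(rcv_nxt: int, rcv_wnd: int,
                policy: Callable[[int, int, int], str]) -> Optional[int]:
    """Simulate a blind attacker who knows the four-tuple but not RCV.NXT.
    Returns the number of packets sent before the receiver reset, or None
    if the whole sweep of sequence space failed."""
    for i in range(guesses_to_cover(rcv_wnd)):
        seq = (i * rcv_wnd) % SEQ_SPACE
        if policy(seq, rcv_nxt, rcv_wnd) == "reset":
            return i + 1
    return None


if __name__ == "__main__":
    rcv_nxt = 0x12345678  # constructed: the receiver's next expected sequence number
    for wnd in (4096, 16384, 65535, 262144):
        print(f"window {wnd:>6}: sweep <= {guesses_to_cover(wnd):>8} packets; "
              f"RFC 793 reset after {blind_reset(rcv_nxt, wnd, rfc793_rst)}, "
              f"RFC 5961 after {blind_reset(rcv_nxt, wnd, rfc5961_rst)}")
```

The sweep cost is the reason the backbone operators cared: long-lived BGP sessions with large windows and predictable ports are cheap to hit, while a short-lived session with a small window and an unknown ephemeral port is not, which is the "very hard to exploit" side of the argument.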


Vendors Publish List of Security Mistakes They Have Made

The National Cyber Security Partnership, sponsored by the ITAA, BSA and TechNet, released a report of its Technical Standards Task Force that contains a list of twenty-two important improvements that software vendors must make to protect their customers.

[Editor's Note (Paller): The first step toward recovery from an addiction is admitting you have an illness. Though unsafe programming may not be a medical addiction, it certainly has been very hard for the vendors to correct. Let's hope this publication is the first step toward an active program to eliminate the mistakes. ]

Automated Copyright Notice System Thwarts Content Pirates (19 April 2004)

The Automated Copyright Notice System (ACNS) allows schools and Internet service providers to restrict or deny Internet access to computer users who have violated copyright on peer-to-peer networks. ACNS has been tested and is due to go live at the University of California at Los Angeles this week.

Earthlink Audit Service Finds Spyware Items on PCs (16 April 2004)

Data collected by Earthlink through its free SpyAudit service found an average of 28 spyware items on PCs scanned during a three month period.
[Editor's Note (Northcutt): Hooray for Earthlink! The individual is given a choice whether to scan their machine, and, from the posted results, every user needs to do the scan. Possibly the GUI and advertisement for this service is not quite what your mom and dad need, but it is close, and if you were to call and talk your mom or dad through it they would be fine. ]

Program Will Warn Users of Suspected Phishing Sites (15 April 2004)

Earthlink plans to release a program that will warn users if they click on an e-mail link that directs them to a website that has been reported as a phony. The ScamBlocker program will be available to everyone, not just Earthlink customers.

Sentencing Commission Guidelines for Can-Spam Act (14 April 2004)

The United States Sentencing Commission has sent Congress guidelines for sentencing those convicted under the Can-Spam Act. The guidelines add penalties for those convicted of sending spam through someone else's address without permission or who deliberately mask the origin of their messages. The draft guidelines also compare "spam offenses to theft, fraud and property destruction" and could pose unusually harsh sentences on convicted spammers.

Maryland Legislators Approve Strong Anti-Spam Bill (14 April 2004)

Maryland state legislators have passed a bill that, if signed by the governor, would cause convicted spammers to face sentences of up to 10 years, fines of as much as $25,000 (USD) and confiscation of their personal assets. It specifically outlaws several deceptive practices spammers use.




Linux Not Appropriate for Critical Security Applications (19 April 2004)

Linux is not an appropriate choice for certain critical security applications, such as tanks and missiles, according to Purdue University professor Eugene Spafford and Cynthia Irvine of the Naval Postgraduate School. Spafford, who is also executive director of the Center for Education and Research in Information Assurance and Security (CERIAS), remarked that Linux contains "many elements of unknown origin," and Irvine pointed out that just a few lines of subversive code could "cause a major malfunction." Spafford observed that Windows and Solaris would not be appropriate choices either.

[Editor's Note (Schultz): Avoiding using Windows, Linux and Solaris does not seem to leave many other practical choices. You can run special, "trusted" OSs, but they usually introduce their own set of problems (such as incompatibility with applications and performance liabilities).
(Tan): Any system that is not properly secured is not appropriate for critical applications like firewalls. This includes not only the reliability of the software but also proper configuration of the system.
(Guest Editor Gene Spafford Responds): Security is more than the apparent lack of obvious buffer overflows or the ease with which an experienced programmer can apply a patch. It includes fundamental issues of design, including (for instance) separation of privilege, user interfaces, minimalism of function, fail-safe defaults, and freedom from deadlock. Large, complex systems written for general environments are not designed to these principles. Furthermore, the majority of those systems have been developed and maintained by personnel whose skills, motives, and loyalties are not necessarily known. As such, these systems should not be used in mission-critical systems, sensitive embedded applications, or systems with high assurance needs. Those people arguing the dogma of "Linux is better" or "Windows is better" are missing the point -- both are inadequate for these needs. Unfortunately, we have too many people making decisions about security and high assurance who do not really understand the fundamentals

Defense Department Releases Wireless Policy (19 April 2004)

The Defense Department (DOD) has released its wireless policy, DOD 8100.2. The policy covers all wireless devices, services and technology that are integrated with or connected to DOD networks. It also requires data encryption to be implemented end to end.

[Editor's Note (Schneier): I suppose late is better than never, though if it goes into effect immediately, that certainly doesn't give much time to make any changes that implementation might require. ]

Spammers Sending Fake Stock Tips (19 April 2004)

The incidence of phony stock-tip spam grew threefold between December 2003 and March 2004.

Open Source Vulnerability Database Open for Public Use (16/15 April 2004)

The Open Source Vulnerability Database (OSVDB) is now available for public use. While there are a number of privately maintained databases, this project strives to make accurate information about vulnerabilities in all computer systems available to everyone.

Fleet Issues New Business Visa Cards After Merchant Security Breach (16 April 2004)

Fleet Credit Card Services is issuing new Visa business credit cards to a number of customers after learning of a security breach in computers of an as yet unnamed merchant.

Former Global Crossing Employee Sentenced (16 April 2004)

Stephen William Sutcliffe has been sentenced to almost 4 years in prison for posting the home addresses and Social Security numbers of 2,000 Global Crossing employees on the Internet. Sutcliffe, who was fired from the company in September 2001, also posted threats directed at specific employees.

Industry Coalition: We Need More Clearances Faster (15 April 2004)

A coalition of industry organizations will speak at a House Committee on Government Reform hearing next month regarding the process of obtaining security clearances for employees working on government contracts. The coalition recommends allowing companies to request 20% more clearances than they need for contract work, since people who already hold clearances are snapped up quickly; providing more funding for investigators; and creating better reciprocity between federal agencies, so employees do not have to reapply for clearance when they move from one agency to another.

FBI Investigating Supercomputing Center Server Compromises (15 April 2004)

The FBI is investigating cyber attacks that compromised the security of servers at supercomputing centers across the United States. Staff members say the attackers were after the power of the computers rather than causing damage.
[Editors' Note (Schneier, Tan): The attacks may have been made on a supercomputing center, but the means were the prosaic ones of unpatched vulnerabilities and common passwords. Basic security practices are needed on all systems. ]

Microsoft Update Web Site Swamped by Patch Demand (16/15/14 April 2004)

Microsoft's update service web site was overwhelmed by customers trying to download the company's latest patches; some users were unable to download the patches as a result. Microsoft deployed extra servers to handle the deluge. Users were also frustrated in general with the high number of security problems Microsoft has continued to have; they say it flies in the face of the company's assertion that it is committed to security.

[Editor's Note (Schultz): The fact that Microsoft now releases patches all at once on a certain date every month substantially contributes to this problem. Perhaps Microsoft should go back to distributing patches as they become available.
(Tan): Exploits were released within two days of Microsoft's announcement. Will there be a time when we see: here is the vulnerability; here is the patch; and here is the exploit? ]

Slowing Down Patch Releases Will Slow Down Attacks (8 April 2004)

Bill Addington writes that the rate of patch releases should be slowed down. While zero-day exploits do exist, it is more common for attackers to reverse engineer patches to create attacks for proven vulnerabilities.
[Editor's Note (Grefer): Bill Addington might be sending the wrong message here. Rather than cutting back on patch releases, it could be that more sensitivity to timely patching, and therefore education of the public, is required. Cumulative patches - the result of Addington's advice - are more likely to break something, while making it more difficult to diagnose which part of the patch cluster is incompatible. ]

NIAC Working Group Developing Vulnerability Grading Scale for Networks (13 April 2004)

A National Infrastructure Advisory Council working group is developing a grading scale that will be used to rate the vulnerability of public and private information networks to terrorist attacks. The grade will be calculated using a combination of three metrics: base metrics, which are constant; temporal metrics, which change with the emergence of new threats and/or countermeasures; and environmental metrics, which are based on factors relevant to specific networks.

Browser-Based Attacks on the Rise (13 April 2004)

The Computing Technology Industry Association's (CompTIA) second annual report on IT security and the work force found that of 900 organizations surveyed, nearly 37% said they had experienced at least one browser-based attack during the preceding six months, up from 25% in last year's survey. Worms and viruses topped the list of concerns.

[Editor's Note (Schneier): These are some of the nastiest attacks, because they're among the easiest to get caught by. It'd be nice if Earthlink's scamblocker tool worked on these as well. ]

Sprague Pleads Guilty to Copyright Infringement (13 April 2004)

Russell Sprague has pleaded guilty to one count of copyright infringement for illegally duplicating movie preview tapes sent to him by a friend who at the time was a member of the Academy of Motion Pictures Arts and Sciences. Sprague could face up to three years in prison.

Swift e-Mail Policy Change Helps Guard Against Bagle (13 April 2004)

The author of this article describes how his company changed its e-mail policy in the span of a few hours to defend its computers against Bagle and its variants.

Teen Allegedly Used Computer to Harass 9/11 Victim's Family (9 April 2004)

Police have tracked down a New York state teenager who has allegedly been using computers to torment the family of a NYPD officer who was killed on September 11. The teenager allegedly sent the family a virus which allowed him to take control of their computer. He also allegedly sent them scary messages and used a program that allowed him to send voice transmissions to the family's computer, telling them they were being watched.


Possible New Phatbot Variant Detected (19 April 2004)


Cisco Warns of Security Flaw in VPN3000 Concentrator (16 April 2004)


NetSky.V Spreads Via Known Internet Explorer Vulnerability (15 April 2004)


Cisco Releases Protocol for WLAN LEAP Vulnerability (15/14 April 2004)


Vulnerabilities in HP Internet Express on Tru64 Servers and OpenView Authentication System (14 April 2004)



Windows XP Service Pack 2 Overview

Windows XP Service Pack 2 (SP2) is designed as a first installment on Microsoft's promise of more security by default. There are a large number of changes, perhaps most notably the increased focus on patching. On the first reboot after installing SP2, the user is presented with a dialog asking whether to turn on Automatic Updates. The default is to turn it on and set updates to install automatically. This is obviously a step toward ensuring that all systems get the updates as soon as they are available. There is also a new Security Center to centralize the security-relevant control panel items. For home users, the Security Center will give an at-a-glance view of the security state of the system. Many more changes are made in SP2, and in this article we examine some of them.

Windows XP already includes a basic firewall, known as Internet Connection Firewall (ICF). In SP2 ICF is renamed to Windows Firewall (WF) and is significantly enhanced with a number of new capabilities.

The firewall is enabled by default. That means that all machines roaming onto an untrusted network are automatically protected by the firewall.

WF also includes significant manageability enhancements. First, the firewall configuration for all interfaces in the computer can now be configured centrally in a single applet. Second, the firewall can be configured using the netsh command from the command line. Lastly, most of the configuration options for both profiles are exposed in the new Group Policy editor interface in SP2 (these values will also be exposed in Windows Server 2003 SP1) to allow configuration of the firewall using Group Policy. This allows a domain administrator to centrally control firewall configuration and override local changes.

The Windows Firewall supports two policy profiles, each of which can be configured through group policy. The system uses Network Location Awareness (NLA) to determine whether it is on the organizational network or not. If it is, the domain profile is used. If it is not, the standard profile is invoked. This allows an administrator to control firewall behavior so that clients will automatically turn on the firewall when roaming, but turn it off when on the organizational network to facilitate remote management.

Prior to SP2, the firewall was not turned on until late in the boot process, which left the system unprotected for a short period during boot even if the firewall was enabled. Starting with SP2, if WF is enabled, it will by default block all traffic at boot time. Once the firewall service is started it will open up any defined exceptions, as long as it is not configured to disallow exceptions.

In some cases, connections should only be accepted from the local subnet. This control is provided by the Local Subnet Exceptions in WF. For example, if the "File and Printer Sharing" exception is enabled, the system will only accept file and print traffic from the local subnet. The same restriction applies to UPnP traffic, if UPnP is enabled. You can also define ports to be open to traffic from only a particular set of addresses.

Applications can be added to the exceptions list to enable them to listen on particular ports. This can be done administratively or dynamically when running the application. Once an application is on the exceptions list the port(s) associated with the application is opened while the application is running and closed once the application terminates.

In case of emergencies, it may be desirable to block all exceptions for a period of time. WF includes the "On with no exceptions" switch to do so. This allows an administrator to protect the machine against future attacks until the machine can be protected in other ways.
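The firewall features described in the preceding paragraphs (central configuration, netsh, the domain and standard profiles, local-subnet scoping, program exceptions and the "On with no exceptions" switch) are driven from the command line as follows. This is an added example, not code from the SP2 overview or from Microsoft; the `netsh firewall` context is the XP SP2 one (later Windows versions use `netsh advfirewall`). The program path, the port number and the 192.0.2.0/24 management subnet are placeholders.

```batch
@echo off
rem Added example, not from the SP2 overview: configuring the XP SP2
rem firewall with "netsh firewall" and checking the result.  Program path,
rem port 8443 and the 192.0.2.0/24 management subnet are placeholders.
rem Run from a cmd prompt with administrative rights.

rem 1. Inspect the current state and per-profile configuration first.
netsh firewall show state
netsh firewall show config

rem 2. Firewall on in both profiles, exceptions still honoured.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem 3. Standard (roaming) profile: file and print sharing only from the
rem    local subnet, matching the Local Subnet Exception in the article.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=STANDARD

rem 4. Domain profile: instead of switching the firewall off on the
rem    corporate network, allow remote administration (RPC/DCOM) only
rem    from the management subnet.
netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=CUSTOM addresses=192.0.2.0/24 profile=DOMAIN

rem 5. A program exception opens whatever ports the program listens on,
rem    and only while it runs; a port exception is static.
netsh firewall add allowedprogram program="C:\Program Files\Example\agent.exe" name="Example agent" mode=ENABLE scope=SUBNET profile=ALL
netsh firewall add portopening protocol=TCP port=8443 name="Example management console" mode=ENABLE scope=CUSTOM addresses=192.0.2.0/24 profile=DOMAIN

rem 6. Log dropped packets so a missing exception shows up in the log
rem    rather than as an unexplained failure.
netsh firewall set logging filelocation="%windir%\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE

rem 7. The emergency "On with no exceptions" switch, and how to undo it.
rem netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL
rem netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem 8. Verify: the exceptions above should be listed per profile.
netsh firewall show config
```

Step 4 is the practitioner's caveat to the "turn it off on the organizational network" pattern in the text: scoping the remote-administration exception to a management subnet keeps remote management working without exposing RPC to every host in the domain profile.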

Prior to SP2, RPC applications failed when the firewall was up. It was virtually impossible to open the correct ports for RPC since its port usage is dynamic. WF allows RPC applications to open ports dynamically, allowing them to work unhindered by the firewall. The ability to open RPC ports dynamically can be centrally controlled by profile.

Lastly, WF can now be preconfigured by an OEM to ensure that the firewall is enabled on newly purchased systems, making them "secure by default." By default it is on, but the installation program can be modified by the OEM to configure the firewall appropriately.

A number of other enhancements to WF were also made, such as enhanced multicast/broadcast support, IPv6 compatibility, etc. For more information on all these changes, please refer to the white paper "Changes to Functionality in Microsoft Windows XP Service Pack 2" and the Windows Firewall Deployment Guide.


RPC was used as the vector for the Blaster worm. Therefore, special attention was paid to restricting RPC traffic into and out of the system. The following new functionality was added:

RestrictRemoteClients - The RestrictRemoteClients registry value was added to allow an administrator to control remote access to all RPC interfaces (with a few exceptions) on the system. By default, anonymous remote RPC calls are now rejected unless the interface registers a security callback which explicitly allows anonymous connections. This equates to a RestrictRemoteClients value of 1. By setting the value to 2, RPC interface exceptions are no longer honored and all remote anonymous calls are rejected. Setting the value to 0 reverts to the pre-SP2 behavior where each interface needed to control remote access. Note here that interfaces registering named pipes end-points are exempted from the new restrictions due to severe compatibility issues.

EnableAuthEpResolution - This is a client-side setting which is designed to combat a problem caused by RestrictRemoteClients. The RPC End-point Mapper itself is an RPC interface. Hence, anonymous queries to the RPC End-point Mapper will fail. To enable a client to perform authenticated end-point mapper queries, this value, which is not set by default, must be configured.

Related to RPC is COM, since it uses RPC as the transport. Starting with SP2, COM provides computer-wide access control on objects instantiated through the RPC Sub-system. This prevents applications which should only be called locally from being called remotely. By default, to launch or activate a COM object remotely you have to be an administrator. These ACLs can be centrally controlled as well. An administrator can also further restrict the accessibility of a particular COM server by setting an ACL specific to that server. The distance (local v. remote) of the call is now available to the COM sub-system to be able to enforce different permissions depending on whether the call was initiated locally or from a remote system.

Prior to SP2, Windows XP would automatically attempt to authenticate using clear-text authentication to a WebDAV server. This is no longer the case. By default, the client will now request a challenge-response protocol, or fail the session if the server does not support one. This same protection mechanism can also be used in all HTTP clients on the system that use WININET, such as Internet Explorer. For example, if an administrator configures the DisableBasicOverClearChannel setting to a non-zero value, Internet Explorer will no longer send clear-text credentials to a web site unless the site is accessed via an encrypted connection. Note that this setting is turned off by default, however.

Wireless Provisioning Services (WPS) is a new feature in SP2 which allows a wireless hotspot provider to much more easily provide secure access to wireless hotspots. It works in conjunction with new functionality in Windows Server 2003 SP1 to allow a service provider to provision security parameters to the client, enabling secure wireless roaming, as opposed to the current use of clear-text roaming.

Internet Explorer (IE) includes several new security features in SP2. First, to block attacks that run code in the Local Machine Zone, that zone is now locked down to resemble the Internet Zone, giving the attack no more privileges than it would have had on an arbitrary web page. There are other changes as well though. For example, to improve stability, it includes a new add-on manager which allows configuration of add-ons and which also tracks crashes in add-ons and allows them to be disabled automatically if they appear to crash IE. IE also gets a new security switch to control binary behaviors - compiled components that control functionality for specific HTML components. Since these are executable code, they are now disabled in the Restricted Sites Zone. IE also includes more consistent and secure management of ActiveX controls by enforcing ActiveX control restrictions for all objects instantiated from a URL in the component that handles the instantiation. This does not provide a new setting, but rather more consistent enforcement of existing settings. IE includes a built-in popup blocker. This popup blocker generates notifications in the new "Information Bar" at the top of the IE window, allowing a user to easily control whether to allow a popup from a particular web page. The information bar is also used to notify users of blocked ActiveX controls and add-ons.
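The RPC, WinINet and Internet Explorer settings discussed above (RestrictRemoteClients, EnableAuthEpResolution, DisableBasicOverClearChannel and the Local Machine Zone lockdown) are all plain registry values. The following is an added example, not code from the SP2 overview or from Microsoft, that sets and reads them back with reg.exe. The registry paths and value names are the documented SP2 ones; the choice of RestrictRemoteClients=2 and the second process name opted into the lockdown are placeholders.

```batch
@echo off
rem Added example, not from the SP2 overview: applying and checking the
rem SP2 RPC, WinINet and IE Local Machine Zone settings with reg.exe.
rem The value RestrictRemoteClients=2 and "example-host.exe" are
rem placeholders chosen for this example.

set RPC=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc
set INET=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
set LMZ=HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN

rem RestrictRemoteClients: 0 = pre-SP2 behaviour, 1 = SP2 default
rem (anonymous remote calls rejected unless the interface opts in),
rem 2 = reject all anonymous remote calls, no interface exceptions.
rem Named-pipe endpoints stay exempt at every setting.  Expect 2 to
rem break tools that rely on anonymous RPC; test before deploying widely.
reg add "%RPC%" /v RestrictRemoteClients /t REG_DWORD /d 2 /f

rem EnableAuthEpResolution: client side; makes this host query the RPC
rem endpoint mapper with authentication, which is required to reach
rem servers running at setting 1 or 2.
reg add "%RPC%" /v EnableAuthEpResolution /t REG_DWORD /d 1 /f

rem DisableBasicOverClearChannel: off by default; non-zero stops WinINet
rem clients (IE, the WebDAV redirector) from sending Basic credentials
rem over an unencrypted connection.
reg add "%INET%" /v DisableBasicOverClearChannel /t REG_DWORD /d 1 /f

rem Local Machine Zone lockdown is keyed by process name: iexplore.exe is
rem on after SP2; another process that hosts the browser control must be
rem opted in explicitly or it keeps the old Local Machine Zone rights.
reg add "%LMZ%" /v iexplore.exe /t REG_DWORD /d 1 /f
reg add "%LMZ%" /v example-host.exe /t REG_DWORD /d 1 /f

rem Read everything back; "reg query" fails on a missing value, so this
rem is also the check to run on a machine that should already be set.
reg query "%RPC%"
reg query "%INET%" /v DisableBasicOverClearChannel
reg query "%LMZ%"
```

The RPC values live under a Policies key, so the same settings can be pushed by Group Policy; the read-back at the end is what to run on a sample of machines after the policy has applied.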

Execution protection (Data Execution Prevention, DEP) marks memory pages as non-executable. This feature is available in conjunction with select processors from AMD (the AMD64 family) and Intel (the Intel Itanium Processor Family). Used with a compatible processor, it can prevent certain types of buffer overflows from actually diverting code execution, instead generating an exception. Note that this setting may entail significant application compatibility problems.

Outlook Express (OE), the built-in e-mail and newsreader client, adds several new features. First, OE now blocks remote HTML content by default. This prevents spammers from confirming that an address is live by sending e-mail messages that link to pictures stored on servers which then record which clients request the pictures. In addition, OE prevents users from running certain types of attachments through a unified new API known as "Attachment Execution Service" (AES).

For almost four years, beginning with Outlook 2000 SP2, the functionality of the Outlook Email Security Update has blocked delivery of executable email attachments. Similar changes were introduced in Outlook Express 6 SP1. The AES is now used in Windows Messenger as well to provide dangerous file protection. Windows Messenger will block executable file types from being received from a user not on the receiver's contact list. If the sender is on the contact list, the receiver will be prompted with a "save file" warning dialog. In addition, Windows Messenger requires a user display name starting with SP2. Viruses have been known to harvest e-mail addresses from saved Windows Messenger conversations. By providing a display name, the display name, rather than the e-mail address, is stored preventing viruses from harvesting the information.

Finally, SP2 disables a couple of services that were enabled by default in prior versions of Windows XP. The Messenger and Alerter services are now disabled, both on upgrade and on a clean installation.
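Two of the changes above are things an administrator will want to set deliberately and then verify: the execution-protection mode SP2 reads from boot.ini, and the Messenger and Alerter services staying disabled on machines that were upgraded rather than cleanly installed. The following is an added example, not code from the SP2 overview or from Microsoft. The boot entry id 1 is a placeholder; confirm it with `bootcfg /query` first.

```batch
@echo off
rem Added example, not from the SP2 overview: (a) choosing the DEP policy
rem SP2 reads from boot.ini and (b) confirming Messenger and Alerter are
rem disabled.  The boot entry id 1 is a placeholder.

rem (a) DEP.  SP2 installs /noexecute=OptIn (Windows binaries only).
rem OptOut covers every process except those excluded in System
rem Properties; AlwaysOn ignores exclusions.  Expect compatibility
rem problems with OptOut/AlwaysOn on older software, as the article warns.
bootcfg /query
rem If the entry already carries a /noexecute option, edit boot.ini by
rem hand instead of appending a second one.
bootcfg /raw "/noexecute=OptOut" /a /id 1
rem Resulting boot.ini line after the change (example):
rem   multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP" /fastdetect /noexecute=OptOut

rem (b) Services.  Disable and stop both, then verify START_TYPE and STATE.
sc config Messenger start= disabled
sc stop Messenger
sc config Alerter start= disabled
sc stop Alerter
sc qc Messenger
sc qc Alerter
sc query Messenger
sc query Alerter
```

DEP only takes effect with a supporting processor, so on other hardware the boot.ini option is harmless but inert; the `sc qc` output (START_TYPE : 4 DISABLED) is the check to keep in a build-verification script.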

For more information on all the changes to Windows XP in Service Pack 2, please refer to the paper "Changes to Functionality in Microsoft Windows XP Service Pack 2".


NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Guest Editor: Eugene Spafford

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit