Register now for SANS Cyber Defense Initiative 2016 and save $400.

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VI - Issue #18

May 05, 2004

TOP OF THE NEWS

Sasser Variants Spreading
Sasser is Possible Culprit in Australian Train Outage
Legislators Want Answers on Cyber Security
Legislators Prepare to Address Spyware
FTC Brings First Charges Under Can-Spam Act

SECRITY AND ELECTRONIC VOTING

California Secretary of State Bans Touchscreen Voting Machines in Four Counties
Irish Commission Recommends Against Electronic Voting for Now
Voting Concerns Groups Want Legislation Requiring Paper Trail

THE REST OF THE WEEK'S NEWS

DHS Publishes Incident Response and Reporting Guidelines
DHS and NSF Fund Security Research Test Bed
Student Pleads Guilty to Computer Misuse Charges in Theft Case
Alleged Government Web Site Defacer Charged
Looming Sarbanes-Oxley Deadlines Have Firms Scrambling for Skilled Auditors
IRS Warns of Phishing Scam
Australian Tax Office Warns of Virus-Laden Phony eMail
Wireless Phones Vulnerable to Assortment of Attacks
UK's National Hi-Tech Crime Unit Arrests Alleged Phisher
Service Pack 2 for Windows XP Release Delayed Until Third Quarter
Barnesandnoble.com Reaches Agreement in Customer Data Exposure Case
Patch Causes Windows Slowdowns
Survey Says Cost of Breaches is Down in UK, But Volume is Up
Security Training and Certification are Wise Investments
Microsoft Rethinks External Patch Testing
SSL Flaw Being Used to Attack Bank Systems
Team of Mathematicians Gets to Root of RSA Encryption

VULNERABILITY UPDATES AND EFFECTS

Apple Issues Patch or QuickTime Flaw
Bagle.AA, NetSky.AB Emerge
Worm Exploits Windows SSL Vulnerability
Bagle Reaches the End of the Alphabet


******** Sponsored by LURHQ Managed Security Services *****************


LURHQ empowers security professionals by forming a true partnership with clients to achieve Threat Management. A true partnership requires transparent service delivery, real-time enterprise security visibility and no security product conflicts of interest. Download our "11 Elements of a Successful MSS Partnership" to see why we are the leader in MSS for security professionals.

http://www.lurhq.com/MSS-Partnership.html


*************************************************************************
Highlighted Training Programs Of The Week
1. SANS Security Bootcamp (May 9-16 in Baltimore) will be one of the best training opportunities of the year - smaller classes, plus evening bootcamps. You won't find a better opportunity for immersion training. http://www.sans.org/bootcamp04

2. SANSFIRE offers you 14 immersion training tracks in one of the most beautiful and romantic places in America -- Monterey California - in early July. Phenomenal training for auditors who want to master the challenges of security auditors, managers who want to build a great security program, beginners who want to get a fast start, and, of course, the only place to go for technologists who want to master the most current methods for protecting systems and networks. SANSFIRE also offers lots of evening programs, extra one-day classes ranging from Business Law to Cyberwarrior training, and vendor exhibits, too.

Register soon to get a seat at your choice of courses. http://www.sans.org/sansfire2004
*************************************************************************

TOP OF THE NEWS

Sasser Variants Spreading (3 May 2004)

At least three versions of the Sasser worm are circulating on the Internet. Sasser exploits a vulnerability in the Local Security Authority Subsystem Service (LSASS) of certain editions of Windows.
-http://www.eweek.com/print_article/0,1761,a=125859,00.asp
-http://www.computerworld.com/printthis/2004/0,4814,92851,00.html
-http://isc.sans.org/diary.php?date=2004-05-01
-http://isc.sans.org/diary.php?date=2004-05-02

Sasser is Possible Culprit in Australian Train Outage (3 May 2004)

The Sasser worm may be responsible for an outage that stranded as many as 300,000 Sydney train commuters on Sunday.
-http://www.news.com.au/common/printpage/0,6093,9454774,00.html
-http://australianit.news.com.au/common/print/0,7208,9455677%5E15318%5E%5Enbv%5E,
00.html

[Editor's Note (Ranum): Repeat after me: put mission critical systems on isolated networks. Put mission critical systems on isolated networks. Is this so hard to understand?
(Shpantzer): One of the earlier casualties of note for this worm is a UK Coast Guard facility where they switched to manual tracking via plotting ship movements on paper charts, instead of computerized mapping, for several hours. "But search and rescue operations have not been affected."
(Schneier): The computer systems we use on our desktops are not reliable enough for critical applications like controlling trains. Neither is the Internet. The more we rely on them in our critical infrastructure, the more vulnerable we become. The more our systems become interconnected, the more vulnerable we become. ]

Legislators Want Answers on Cyber Security (3 May 2004)

Legislators are growing increasingly frustrated with what they see as a lack of progress and strong leadership regarding the nation's cyber security. At a recent House subcommittee hearing, representative Adam Putnam (R-Fla.) grilled OMB administrator of e-government and information technology Karen Evans on the specifics of the effectiveness of OMB's budget guidance. Earlier this year, Senator Joseph Lieberman (D-Conn.) wrote a letter to DHS secretary Tom Ridge describing the National Strategy to Secure Cyber Space as "vague and weak." Just last week, members of the House Select Committee on Homeland Security also wrote to Secretary Ridge, asking him for a "detailed plan linking the department's program to the cyber space strategy." The letter also asked him to comment on the National Cyber Security Division's placement and effectiveness within the DHS. The letter requests a response by May 10.
-http://www.fcw.com/fcw/articles/2004/0503/pol-cyber-05-03-04.asp
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=25781

[Editor's Note (Ranum): DHS may be the scapegoat in this scenario. Since they have no enforcement authority and can't order government agencies to change their practices, they aren't likely to accomplish anything in their mission. ]

Legislators Plan to Address Spyware (28 April 2004)

Two anti-spyware bills are being prepared in the US House of Representatives. One bill, sponsored by Representative Jay Inslee (D-Wash.) would charge spyware authors with criminal penalties and allow state attorneys general to bring civil cases. The other, sponsored by Representative Mary Bono (R-Calif.), would ban spyware that does not obtain specific end-user consent and provide a warning before installing; it would also grant the Federal Trade Commission power to create regulations requiring companies to allow spywear and adware to be uninstalled. Both bills would preempt existing state laws.
-http://zdnet.com.com/2102-1104_2-5201819.html?tag=printthis
[Editor's Note (Schneier): I expect that legislation will work against spyware about as well as CAN-SPAM is working against spam. The solution is to build operating systems that aren't vulnerable to foreign executables.
(Grefer); As witnessed with the (I) CAN-SPAM Act, preemption of existing state laws is not always the smartest idea. In a lot of cases it would be more beneficial if Federal law provided for a minimum standard, but would leave the option for more restrictive/stringent state law(s). ]

FTC Brings First Charges Under Can-Spam Act (30/29/28 April 2004)

Federal authorities have charged four Detriot-area men under the Can-Spam Act; this is the first case in which the new law has been invoked. The four are accused of hiding their identities while sending huge quantities of unsolicited commercial email. The FTC has also filed charges against an Australian concern that is allegedly responsible for large quantities of spam in the US.
-http://www.usatoday.com/tech/news/2004-04-28-spam-charges-filed_x.htm
-http://www.computerworld.com/printthis/2004/0,4814,92756,00.html
-http://www.news.com.au/common/printpage/0,6093,9429772,00.html
-http://www.infoworld.com/article/04/04/29/HNcanspam%20_1.html


************************ SPONSORED LINKS ******************************
Privacy notice: These links may redirect to non-SANS web pages.


(1) FREE WHITE PAPER: Control spam, viruses, phishing. "Selecting an
Email Security Solution"
http://www.sans.org/click.php?id=426


(2) Security information management systems facilitate Sarbanes-Oxley
compliance.
Request white paper at http://www.sans.org/click.php?id=427


(3) Knowledge Improves Security.
Visit www.securitywhitepaper.com
for a complimentary white paper from Microsoft.
http://www.sans.org/click.php?id=428


***********************************************************************

SECRITY AND ELECTRONIC VOTING

California Secretary of State Bans Touchscreen Voting Machines in Four Counties (1 May 2004)

California secretary of State Kevin Shelley has decided to ban the use of touchscreen voting machines in four counties and may extend the ban to cover ten more counties if they fail to meet certain conditions.
-http://edition.cnn.com/2004/ALLPOLITICS/04/30/electronic.voting.ap/index.html
[Editor's Note (Schultz): Diebold didn't seem to take the security issues that had been raised very seriously until it became apparent that some of its voting systems were about to be banned. Then suddenly Diebold issued an apology, professing eagerness to fix the problems found in some of its systems, but this didn't stop California Secretary of State Shelley from banning the use of these systems in several counties. Sooner or later companies wake up to the fact that ignoring security doesn't pay. ]

Irish Commission Recommends Against Electronic Voting for Now (30 April 2004)

Ireland's Commission on Electronic Voting has published an interim report on electronic voting, recommending that the government "not implement the system" because it is constantly being updated and therefore cannot be accurately tested for reliability. In the report, the Commission said that before it could be in favor of electronic voting, there would need to be "a final definitive version of the software and all related software and hardware components, and a full independent review and testing of the final source code." The commission also wants the system to be tested in parallel with a paper ballot, preferably "in a live electoral context."
-http://www.theregister.co.uk/2004/04/30/ireland_evote/print.html
[Editor's Note (Schultz): Ireland is approaching the issue of electronic voting in a systematic, careful manner, providing an excellent role model for other countries that are considering using electronic voting. For better or for worse, electronic voting is inevitable in most nations around the world, but rushing into it (as certain nations have done) without the type of scrutiny that Ireland is performing is a huge mistake. ]

Voting Concerns Groups Want Legislation Requiring Paper Trail (28 April 2004)

Two voting concerns groups are encouraging congress to enact legislation that would require electronic voting machines to provide paper audit trails to allow recounts. VerifiedVoting.org and Common Cause want Congress to move ahead with the Voter Confidence and Accessibility Act to make electronic voting systems accountable; the bill would allow voters to view paper versions of their ballots before they leave polling places but would not allow them to take them home.
-http://www.computerworld.com/printthis/2004/0,4814,92731,00.html
-http://www.security-survey.gov.uk/
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39153186-39020330t-10000025c

THE REST OF THE WEEK'S NEWS

DHS Publishes Incident Response and Reporting Guidelines (30 April 2004)

The US Department of Homeland Security has issued "The Incident Response and Reporting Guidelines." The publication describes possible symptoms of a cyber intrusion or infection, and offers guidelines for reporting suspicious cyber events. FedCIRC, which is part of the DHS National Cyber Security Division, has both telephone and online alert hotlines. FedCIRC will use the information it collects from the hotlines to build a threat database to deepen their understanding of the "threats" and possibly issue warnings to other agencies.
-http://www.pcworld.com/resource/printable/article/0,aid,115955,00.asp
[Editor's Note (Schultz): NIST just came out with a superb set of guidelines on the same subjects not too many months ago. Isn't anyone in the US government looking for ways to avoid duplication of effort? ]

DHS and NSF Fund Security Research Test Bed (3 May 2004)

The Department of Homeland Security and the National Science Foundation have provided US$10.8 million to develop a national test bed for Internet security research. An array of 64 nodes is running at the University of Southern California's Information Sciences Institute in Los Angeles; ultimately, the goal is to have 1,000 nodes with additional sites in Berkeley, California and in Virginia.
-http://gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=2579
8

Student Pleads Guilty to Computer Misuse Charges in Theft Case (3 May 2004)

A Vietnamese student studying computer engineering in Singapore has pleaded guilty to charges of computer misuse for sending friends a keystroke logging program hidden in a game, and using the information he reaped from that program to steal money from another student. Nguyen Van Phi Hung faces a fine of up to SGD$50,000 and a ten-year jail sentence for three of the four charges; the fourth charge carries a maximum fine of SGD$10,000 and a three-year jail sentence.
-http://australianit.news.com.au/common/print/0,7208,9456274%5E15322%5E%5Enbv%5E,
00.html

Alleged Government Web Site Defacer Charged (3 May 2004)

Twenty-two-year-old Benjamin Stark of Florida has been charged in federal court for his part in a spate of US government web site defacements. Stark and a cohort, who called themselves "The Deceptive Duo," placed messages on the sites urging the government to address cyber security of the nation's critical infrastructure. The form of the charges indicates that Stark may have made a plea agreement with prosecutors. Stark has also been charged with selling credit card numbers in an IRC chat room in June 2001.
-http://www.securityfocus.com/printable/news/8559

Looming Sarbanes-Oxley Deadlines Have Firms Scrambling for Skilled Auditors (3 May 2004)

The approach of the first wave of Sarbanes-Oxley compliance deadlines has companies scrambling to find auditors with enough knowledge, experience and expertise to gather the documentation required by section 404 of the financial reporting law.
-http://www.computerworld.com/printthis/2004/0,4814,92819,00.html

IRS Warns of Phishing Scam (1 May 2004)

The US Internal Revenue Service has issued a warning about a phishing scam that tells people they are the subjects of tax investigation and encourages them to visit a web site and provide personal information such as credit card and Social Security numbers to dispute the alleged allegations.
-http://edition.cnn.com/2004/TECH/internet/04/30/identity.theft.ap/index.html

Australian Tax Office Warns of Virus-Laden Phony eMail (30 April 2004)

The Australian Tax Office (ATO) has issued a warning about forged emails that purport to be from the ATO and may contain a virus. In addition, the National Australia Bank has warned of forged emails that can trick people into downloading a keystroke logging program onto their machines.
-http://australianit.news.com.au/common/print/0,7208,9423066%5E15306%5E%5Enbv%5E,
00.html

Wireless Phones Vulnerable to Assortment of Attacks (30 April 2004)

A Times (UK) investigation found that numerous mobile phones used at some of Britain's largest companies were susceptible to a variety of attacks, including downloading text messages and phone lists as well as manipulating the phones to act as listening devices.
-http://business.timesonline.co.uk/article/0,,8209-1092789,00.html

UK's National Hi-Tech Crime Unit Arrests Alleged Phisher (29 April 2004)

The UK's National Hi-Tech Crime Unit (NHTCU) has arrested a man who allegedly targeted customers of an online banking service with a phishing scam. The NHTCU says it is also investigating organized criminal gangs suspected of being behind large scale phishing operations.
-http://news.bbc.co.uk/2/hi/uk_news/3668941.stm

Service Pack 2 for Windows XP Release Delayed Until Third Quarter (29 April 2004)

Service Pack 2 for Windows XP, which was due to be released in the first half of 2004, now will not be released until July, according to a company spokesman, because it does not yet meet company standards. In addition to the usual fixes and updates, XP2 will alter the operating system's software to improve its security.
-http://www.computerworld.com/printthis/2004/0,4814,92740,00.html
-http://www.crn.com/Components/printArticle.asp?ArticleID=49808

Barnesandnoble.com Reaches Agreement in Customer Data Exposure Case (29 April 2004)

Barnesandnoble.com has reached an agreement with New York State Attorney General Eliot Spitzer regarding a vulnerability on the site which exposed customers' names, billing addresses and account information. The problem stemmed from the site's "cookieless" shopping. Under the terms of the agreement, Barnesandnoble.com will pay $60,000 (USD) in costs and fines, establish an information security program, and hire an external auditor to ensure the company is complying with the agreement.
-http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=4990565&a
mp;section=news


-http://www.computerworld.com/printthis/2004/0,4814,92804,00.html

Patch Causes Windows Slowdowns (29 April 2004)

A recently released Microsoft patch for Windows apparently slows down some machines that are running Windows 2000.
-http://www.computerworld.com/printthis/2004/0,4814,92757,00.html
[Editor's Note (Tan): To patch or not to patch, that is the question. ]

Survey Says Cost of Breaches is Down in UK, But Volume is Up (28 April 2004)

According to the Department of Trade and Industry's 2004 Information Security Breaches Survey, the average cost of serious security incidents dropped from GBP 30,000 in 2002 to just GBP 10,000 in 2004. However, the number of incidents is on the rise. While information security spending has increased, most companies responding to the survey viewed it as a cost rather than as an investment.
-http://www.theregister.co.uk/2004/04/28/dti_security_survey/print.html

Security Training and Certification are Wise Investments (28 April 2004)

According to a Computing Technology Industry Association (CompTIA) study, companies that invest in security training and certification for their employees are less likely to suffer major security violations than those that don't. In addition, the companies surveyed said that vendor-neutral training and certification was better than that focused on a specific vendor.
-http://www.idg.com.hk/cw/printstory.asp?aid=20040428001

Microsoft Rethinks External Patch Testing (28 April 2004)

Though Microsoft announced last year that it might introduce an external patch testing system, a year later, Microsoft UK CSO Stuart Okin expressed concern that such an arrangement could allow less-than-honest people to obtain and reverse-engineer the patches, allowing them to create exploits for unpatched vulnerabilities.
-http://www.theregister.co.uk/2004/04/28/ms_testing_u-turn1/print.html

SSL Flaw Being Used to Attack Bank Systems (27 April 2004)

According to Internet Security Systems, attackers are attempting to exploit an SSL vulnerability in Microsoft Windows to break into banks and other financial institutions in Australia.
-http://www.smh.com.au/articles/2004/04/27/1082831541968.html

Team of Mathematicians Gets to Root of RSA Encryption (27 April 2004)

A team of eight European and North American mathematicians using 100 workstations took three months to crack RSA Security's most recent encryption puzzle. The team won a $10,000 (USD) prize for figuring out the two prime numbers used to generate eight other values in RSA's 576-bit encryption. Typical products use 1024 bit keys; the next challenge will involve a 640-bit key.
-http://news.com.com/2102-7355_3-5201037.html?tag=st.util.print

VULNERABILITY UPDATES AND EFFECTS

Apple Issues Patch for QuickTime Flaw (30 April 2004)


-http://zdnet.com.com/2102-1105_2-5203525.html?tag=printthis

Bagle.AA, NetSky.AB Emerge (28 April 2004)


-http://www.eweek.com/print_article/0,1761,a=125626,00.asp
[Editor's Note (Tan): And now the authors of Netsky claim to also have authored the Sasser worm,
-http://zdnet.com.com/2100-1105_2-5204930.html]

Worm Exploits Windows SSL Vulnerability (27 April 2004)


-http://www.eweek.com/print_article/0,1761,a=125527,00.asp

Bagle Reaches the End of the Alphabet (26 April 2004)


-http://zdnet.com.com/2102-1105_2-5200017.html?tag=printthis


===end===


NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan Guest Editor: Eugene Spafford

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/