SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VI - Issue #20

May 19, 2004

Two Quick Announcements

SANS is launching a new initiative to make it easy for you to find the right tool for each security challenge you face. We identify leading edge *users* to share with you the lessons they learned and the tools they found that actually get the job done cost effectively. Our new "What Works" series kicks off with a great (free) webcast on May 27 at 1 PM EDT (1700 UTC). It features Paul Simmons, CISO at chemical giant ICI in Britain, who tells exactly how his organization solved the vulnerability remediation problem and then answers questions from the audience. The webcast will help you launch a vulnerability remediation program confidently and correctly. Limit of 2,000 listeners, so please register right away if vulnerability remediation is one of your priorities.

Next Wednesday, May 26, is the last day to get the early registration discount for SANSFIRE in Monterey. This is one of SANS's biggest conferences, with 14 immersion training tracks, lots of bonus evening sessions, and a great exposition. And it is right on Monterey Bay, one of the most beautiful places in America. Registration info:


Cisco IOS Source Code Reported Stolen
Members of US House of Representatives Ask GAO To Investigate Electronic Voting
States Moving To Outlaw Spyware
US Federal Agencies To Combine Smart Card Procurements
Senator Proposes Bill To Improve Privacy of Offshore Work


Japanese Yahoo Users Sue For Damages Over Data Leak
NIST Publishes Certification and Accreditation Guide
Corporations Setting Up Board-Level IT Oversight Committees
Anti-Spammers Infiltrate Spammers' Web Sites; Gain Intelligence
News: Mac Trojan Set Loose - More to Come?
Five German Homes Raided by Police in Sasser Investigation
SpamCop Restraining Order Lifted
New Worm Uses Sasser Flaw To Spread
"Survivor" Web Site Has Malicious Code
Windows XP Service Pack 2 To Battle Spyware
Wallon Virus Destroys Windows Media Player
Cyber Crimes By Korean Teens Surge
Extortion Attackers Now Using DDoS


More Information

************************ Sponsored by NetIQ *****************************

Policy-Based Vulnerability Management White Paper from NetIQ

Are you relying on ineffective approaches as you battle a constant barrage of worms, viruses and attacks? Why not take a holistic policy-based approach to vulnerability management? Register now for NetIQ's free white paper, "From Project to Process: Policy-Based Vulnerability Management" to get the critical, step-by-step methods you need. You'll discover how to leverage policies and standards for vulnerability management and institute them as a routine business process instead of periodic projects.

Highlighted Training Program Of The Week

SANSFIRE (July 5-13) offers you 14 immersion training tracks in one of the most beautiful places in America -- Monterey, California. Phenomenal training for auditors who want to master the challenges of security auditors, managers who want to build a great security program, beginners who want to get a fast start, and, of course, the only place to go for technologists who want to master the most current methods for protecting systems and networks. SANSFIRE also offers lots of evening programs, extra one-day classes ranging from Business Law to Cyberwarrior training, and vendor exhibits, too.

Register soon to get a seat at your choice of courses.



Cisco IOS Source Code Reported Stolen (17 May 2004)

Cisco is investigating a report, published on Saturday by a Russian site, that approximately 800 megabytes of IOS Version 12.3 source code was stolen and released on the Internet. Some analysts say that this is not a big problem because attacks against network devices are uncommon. A Slashdot reporter said, "I guess Cisco forgot to implement [its] Self Protecting Network solutions."

Members of US House of Representatives Ask GAO To Investigate Electronic Voting (14 May 2004)

Writing that the topic concerns "a critical aspect of American democracy, the ability of Americans to have confidence that the votes they cast in an election will be counted accurately and fairly," thirteen members of the House of Representatives have asked the General Accounting Office to investigate electronic voting and the security and reliability of voting machines.

States Moving To Outlaw Spyware (13 May 2004)

Utah has already passed an anti-spyware bill and New York and California are both considering such laws. The US Congress is considering several different anti-spyware bills. If enough states pass bills, the case for a national law is strengthened.

US Federal Agencies To Combine Smart Card Procurements (12 May 2004)

Five US federal agencies, led by the Bureau of Land Management, plan to buy as many as 40 million smart cards over the next three years. They are combining their procurements to try to lower the costs of the cards, but they note that the card costs account for only 6% of the entire cost of setting up a smart card infrastructure. The joint procurement may also be used to lower the cost of other components of the needed infrastructure.
[Editor's Note (Schultz): Hurrah for these federal agencies. Hopefully, they will serve as an example for other agencies that rely on password-based authentication, something that has long outlived its utility.
(Pescatore): What they need to do is band together to combine smart card *reader* procurements. Everyone focuses on the cards which makes no sense. Smart cards have stayed on the sidelines because no standard PC contains a smart card reader. We are seeing resurgence in challenge response tokens and USB, as well as cell phone based approaches to two factor authentication - all because smart card readers are not standard on PCs. ]

Senator Proposes Bill To Improve Privacy of Offshore Work (7 May 2004)

Senator Hillary Clinton has proposed a new law that would limit disclosure of personal data about Americans to offshore contractors that are located in countries that have adequate privacy protection. The bill is called SAFE-ID (Safeguarding Americans From Exporting Identification Data Act) and is being strongly opposed by a consortium of industry groups.

************************ SPONSORED LINK ******************************
Privacy notice: This link redirects to non-SANS web pages.

FREE WHITE PAPER: Control spam, viruses, phishing.
"Selecting an Email Security Solution"



Japanese Yahoo Users Sue For Damages Over Data Leak (17 May 2004)

Three customers of Yahoo BB, run by Japan's Softbank, have sued for nearly $1,000 each for damages due to negligence by the Internet service provider in managing customer data. The suit claims data for 4.6 million people was leaked. The company's CEO has admitted there is a possibility data was leaked.

NIST Publishes Certification and Accreditation Guide (14 May 2004)

The US National Institute of Standards and Technology published the final version of its Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems." It also released two final publications on cryptography.
The documents are available here:

Corporations Setting Up Board-Level IT Oversight Committees (14 May 2004)

A few companies, including FedEx and Novell, have established committees of their boards of directors to oversee IT policy because, as one board-member said, "This is an area where boards of directors will be named in stockholder suits."
[Editor's Note (Pescatore): This will accelerate due to the hype around Sarbanes Oxley. Having board level attention paid to IT will increase visibility of IT security issues, which is good for security overall but a mixed blessing for organizations that depend on security through obscurity. As my boss's boss said to me years ago "We only micromanage you when you deserve it." ]

Anti-Spammers Infiltrate Spammers' Web Sites; Gain Intelligence (14 May 2004)

Anti-spam organizations such as Spamhaus have gained access to web sites run by spammers and have learned that virus writers are using MyDoom, Bagle and other viruses to gain control of computers to sell to spammers.

News: Mac Trojan Set Loose - More to Come? (13 May 2004)

The first malicious Trojan for Mac OS X has been found in the wild, leading some to claim the platform may be on the verge of increased attention from virus writers.
[Editor's Note (Schultz): I fear that for too long Mac OS users have assumed that their machines are invincible. It's true that Windows and Linux systems are targeted more than any others, but Mac OS systems, even Mac OS X systems, are still at risk. Neglecting their security can lead to dire consequences. ]

Five German Homes Raided by Police in Sasser Investigation (13 May 2004)

German investigators have raided five houses near the home of confessed Sasser author Sven Jaschan. They have reconsidered their original belief that Jaschan acted alone.

SpamCop Restraining Order Lifted (13 May 2004)

A Northern California court has rescinded its restraining order against SpamCop. The judge said she had not fully reviewed SpamCop's opposition papers.

New Worm Uses Sasser Flaw To Spread (13 May 2004)

Dabber is piggy-backing on Sasser by taking over computers that have already been exploited by Sasser. Dabber uses a flaw in Sasser to spread and attempts to block the behavior of other worms.

"Survivor" Web Site Has Malicious Code (13 May 2004)

A website designed to attract fans of the Survivor television series has been infected with malicious code. Users who visit the site without adequate virus detection may get infected by three viruses coded into scripts embedded in the site's content.

Windows XP Service Pack 2 To Battle Spyware (13 May 2004)

Microsoft has announced that SP2 for Windows XP will have five new security features designed to ward off the unauthorized installation of software via the Internet. The most noticeable will be a pop-up blocker.
[Editor's Note (Pescatore): The biggest security changes in SP2 are changing defaults to have more security protections on by default, and fixing a number of long term security weaknesses in the IE browser. That will cause more application breakage than usual for a service pack, but the applications that do break deserve to break - they were part of the problem. NX support in SP2 to fight buffer overflow attacks will also be a long term positive. Pop up blocking is usually not very successful, as many friendly applications use pop-ups, too. ]

Wallon Virus Destroys Windows Media Player (12 May 2004)

The Wallon virus destroys Windows Media Player and harvests email addresses from the victim's computer. It also creates new buttons on the Internet Explorer tool bar and changes the default web page for Internet Explorer. Wallon is distributed differently from other mass-mailing viruses. It spreads when the victim clicks on a URL in its mass-mailed email. That URL points directly to the virus, which is downloaded immediately.

Cyber Crimes By Korean Teens Surge (10 May 2004)

The number of teenagers in Korea cited for cyber crimes surged to more than 10,000 in 2003 from around 8,200 in 2002 and 2,200 in 2001. Seventy percent of the crimes were related to hacking multi-user online games.

Extortion Attackers Now Using DDoS (10 May 2004)

Multiple ecommerce sites, including online credit card processors Authorize-It and 2Checkout, were hit by sustained DDoS attacks as part of an extortion scheme.

[Editor's Note (Pescatore): This is an example of targeted attacks that are going on continually but never get the press of the big worm events that go after Windows vulnerabilities. We are seeing more ISPs starting to offer DoS protection services, but we aren't far away from enterprises saying to ISPs "Why am I paying you for 10Mbs of Internet bandwidth when 40% of the bits are either DoS, worms, viruses or spam?" ]


@RISK weekly summary

If you are looking for new vulnerabilities, please sign up for the (free) @RISK weekly summary. It provides the only authoritative list of new critical vulnerabilities along with analysis and remediation information. It also includes a complete list of all newly discovered vulnerabilities. Sample issues at


NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Guest Editor: Eugene Spafford

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit