Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VI - Issue #21

May 26, 2004


SANS is in need of updated information on NewsBites subscriber's use of commercial security solutions. Please help us by taking a few minutes to complete a brief, confidential survey and be entered to win a $250 credit at the SANS bookstore. This will help us target the What Works program designed to take the pain out of finding the most effective security products. Visit http://portal.sans.org/surveys/newsbites.php to enter.

TOP OF THE NEWS

Minimum Security Configuration Controls are Essential
Los Alamos National Laboratory Classified Storage Device Unaccounted For
California Sec. of State Says Counties Willing to Meet Touch Screen Voting Conditions
Deloitte Survey Shows Security Breaches Increased at Financial Institutions
Business Roundtable Encourages CEO and Board Member Attention to Security

THE REST OF THE WEEK'S NEWS

Apple Patches One Hole But Leaves Another Open
Singapore Mulls Anti Spam Legislation
ActiveX Flaw in Norton Antivirus 2004
Microsoft Criticized for Restricting Service Pack Coverage
US and Korean Police Investigating SPACECOM Computer Intrusions
Committee Hears Testimony on CAN-SPAM Efficacy
FBI Involved in Cisco Code Theft Investigation
OMB to Release Federal Enterprise Architecture Security Layer
Open Source Database Application Vulnerabilities
Keystroke-Logging Student Sentenced to Jail
eMail Authentication Standards Tested, Proposed
Half of Deceptive Duo Pleads Guilty, Admits to Various Computer Crimes
Cisco Applies for TCP Fix Patents
Phisher Gets 46-Month Prison Sentence
Police Investigating Sasser Informant
Opinion: Microsoft's Bounty Program is Working Like It's Supposed To
Kibuv Worm


********************** Sponsored by Symantec*****************************

Symantec Gateway Security 5400 Series provides fully integrated enterprise protection at the gateway. As the industry's most comprehensive firewall appliance, it integrates full inspection firewall technology, protocol anomaly-based intrusion prevention and intrusion detection, award-winning virus protection, URL-based content filtering, anti-spam, and virtual private networking technology.

To find out more, click here or call 1-800-745-6054.

http://www.sans.org/click.php?id=448

*************************************************************************

Highlighted Training Program Of The Week

****Today is the early registration deadline for SANSFIRE 2004**** SANSFIRE (July 5-13) offers you 14 immersion training tracks in one of the most beautiful places in America -- Monterey California. Phenomenal training for auditors who want to master the challenges of security auditors, managers who want to build a great security program, beginners who want to get a fast start, and, of course, the only place to go for technologists who want to master the most current methods for protecting systems and networks. SANSFIRE also offers lots of evening programs, extra one-day classes ranging from Business Law to Cyberwarrior training, and vendor exhibits, too.

http://www.sans.org/sansfire2004

*************************************************************************

TOP OF THE NEWS

Minimum Security Configuration Controls are Essential (21 May 2004)

Government agencies are failing to meet a critical FISMA provision requiring them to have minimum security configuration controls for employees' desktop and notebook computers. The Office of Management and Budget (OMB) has not provided adequate guidance on the matter; Rep. Adam Putnam (R-Fla.), chairman of the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, will send a letter to OMB administrator for IT and e-government Karen Evans, asking her to "place a greater emphasis on minimum security configuration controls."
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=26018

Los Alamos National Laboratory Classified Storage Device Unaccounted For (21 May 2004)

An inventory at the Los Alamos National Laboratory discovered that a hard disk drive containing classified information, known as a Classified Removable Electronic Media or CREM, is missing. This is not the first incident of its sort at LANL; CREMs have been reported missing in 2001, 2002 and 2003. Energy Secretary Spencer Abraham has called for LANL and other national nuclear laboratories to eliminate the use of removable drives and disks completely by 2009. A LANL press release maintains the incident "in no way constitutes a compromise of national security." The device in question was scheduled to be destroyed in March as part of a program to reduce CREMs; a LANL spokesman says it is their belief that the device was destroyed or retasked but without the necessary tracking paperwork.
-http://www.wired.com/news/print/0,1294,63553,00.html
-http://www.usatoday.com/tech/news/computersecurity/2004-05-21-los-alamos-data_x.
htm

[Editor's Note (Ranum): Useful lesson: for security practitioners: it doesn't matter how good your policies are if the implementation is too complex or the people implementing them are sloppy. ]

California Sec. of State Says Counties Willing to Meet Touch Screen Voting Conditions (20 May 2004)

California Secretary of State Kevin Shelley says that ten of his state's counties have agreed to meet an array of conditions so that they may use touch screen voting systems in the upcoming election. The conditions include precautions against tampering and providing paper ballots to voters who prefer them. Four counties remain banned from using touch screen system in the election because Diebold machines used there in the March election did not have federal approval.
-http://www.cnn.com/2004/TECH/05/19/electronic.voting.ap/index.html

Deloitte Survey Shows Security Breaches Increased at Financial Institutions (20 May 2004)

Deloitte's 2004 Global Security Survey shows that 83% of financial institutions surveyed experienced a security breach in the last year; in the 2002 survey, that figure was 39%. The two technologies receiving the most attention are identity and vulnerability management. 25% of respondents said their security budgets were "flat." Deloitte surveyed senior security officers at the top 100 global financial institutions.
-http://www.theregister.co.uk/2004/05/20/finance_security_survey/print.html
-http://www.deloitte.com/dtt/research/0,2310,sid%253D1013%2526cid%253D48978,00.ht
ml

-http://www.deloitte.com/dtt/cda/doc/content/dtt_financialservices_SecuritySurvey
2004_051704.pdf

Business Roundtable Encourages CEO and Board Member Attention to Security (20/19 May 2004)

The Business Roundtable (BRT) has released a publication entitled Securing Cyberspace: Business Roundtable's Framework for the Future. BRT is calling for CEOs and board members to be more attentive to and aware of cyber security issues within their organizations. BRT says that users, software companies and the government all need to take responsibility in improving security and threat information sharing. It also calls for the "solutions
[to ]
be market-based instead of government mandates."
-http://www.computerworld.com/printthis/2004/0,4814,93277,00.html
-http://www.washingtonpost.com/ac2/wp-dyn/A40411-2004May19?language=printer
-http://news.com.com/2102-7355_3-5216395.html?tag=st.util.print
[Editor's Note (Pescatore): Of all the myriad of committees that have put out reports on cyber security in the last few months, this one was the most sensible. The main point: software vendors have been selling shoddy software because enterprises have been buying shoddy software. We're starting to see leading enterprises put questions in RFPs on all software - including shrinkwrap commercial products - requesting proof of vulnerability testing. This simple step will drive security of commercial software much faster, and much more in the right direction, than any government regulation or mandate. ]


************************ SPONSORED LINK ******************************
Privacy notice: This link redirects to a non-SANS web page.


Event Log Strategies: Free white paper plus archiving, monitoring, and
analysis software!
http://www.sans.org/click.php?id=453


**********************************************************************

THE REST OF THE WEEK'S NEWS

Apple Patches One Hole But Leaves Another Open (24/21 May 2004)

Apple has issued a patch for one of two serious vulnerabilities in Mac OS X, but has left a second unfixed. This concerns researchers because exploits for the flaws are already available. Apple has been criticized for downplaying the seriousness of these vulnerabilities.
-http://www.techworld.com/security/news/index.cfm?newsid=1611
-http://informationweek.securitypipeline.com/showArticle.jhtml?articleId=20900516
&printableArticle=true

-http://www.securityfocus.com/news/8742

Singapore Mulls Anti Spam Legislation

New legislation being drafted by Singapore's Information Development Authority allows ISPs to use the court system to stop Singapore based spammers.
-http://asia.cnet.com/newstech/industry/0,39001143,39180714,00.htm
-http://www.channelnewsasia.com/stories/singaporelocalnews/view/86765/1/.html

ActiveX Flaw in Norton Antivirus 2004 (21 May 2004)

An ActiveX flaw in Symantec's Norton Antivirus 2004 could be exploited to run code, allow unauthorized pop-ups or create a denial-of-service on vulnerable systems. Symantec is encouraging NAV users to run LiveUpdate to address the flaw.
-http://informationweek.securitypipeline.com/news/20900285

Microsoft Criticized for Restricting Service Pack Coverage (21 May 2004)

Microsoft has been criticized for not providing Windows XP Service Pack 2 to users of pirated copies of the company's software; the fact that software is pirated makes it no less vulnerable to malware; because computer systems are so interconnected, all systems on the Internet are put at risk when anyone's is vulnerable. Microsoft has also been criticized for not providing Service Pack upgrades for versions of Windows that predate XP; more than half of corporate Windows desktops are running older versions.
-http://informationweek.securitypipeline.com/showArticle.jhtml?articleId=20900353
&printableArticle=true

[Editor's Note (Ranum): I think it's ridiculous to expect a vendor to fix goods that were stolen from them!!
(Schultz): I sympathize with Microsoft in this particular case. The Internet would be safer if pirated software were patched, true, but the software piracy problem is far more serious than those who are critical of Microsoft realize. The piracy problem and its consequences are, additionally, by no means Microsoft's fault.
(Tan): Microsoft should take this opportunity to get users of pirated software to convert to the legal version, that would provide a win-win. ]

US and Korean Police Investigating SPACECOM Computer Intrusions (21 May 2004)

US and Korean police are investigating a series of intrusions into computers at the US Air Force Space Command (SPACECOM). Apparently someone in an unnamed third country used two servers in Korea to break into the SPACECOM computers.
-http://english.chosun.com/w21data/html/news/200405/200405210043.html

Committee Hears Testimony on CAN-SPAM Efficacy (21/20 May 2004)

The US Senate Commerce, Science and Transportation Committee last week held a hearing regarding the effect of the CAN-SPAM Act. The amount of spam may be increasing despite the law. Committee chairman, Senator John McCain (R-Ariz.) wondered why the Federal Trade Commission (FTC) wasn't going after the companies whose products are advertised in spam instead of the people doing the spamming. Ronald Scelson, who changed the way he does business after CAN-SPAM became law in January of this year, said that despite the fact that he is abiding by the rules, some ISPs continue to block his email. No spammers have been charged under the act, though the FBI said 50 of the most notorious spammers have been identified for "possible prosecution" later this year.
-http://www.infoworld.com/article/04/05/20/HNcanspamimpact_1.html
-http://www.washingtonpost.com/ac2/wp-dyn/A43622-2004May20?language=printer
-http://zdnet.com.com/2102-1105_2-5217299.html?tag=printthis

FBI Involved in Cisco Code Theft Investigation (21/18 May 2004)

The FBI has joined the investigation of possible Cisco code theft. In a message posted on its web site, Cisco said on Friday, May 21 that the publication of its code on the Internet does not pose a security risk.
-http://news.bbc.co.uk/2/hi/business/3726983.stm
-http://www.computerworld.com/printthis/2004/0,4814,93237,00.html
-http://www.securityfocus.com/printable/news/8740

OMB to Release Federal Enterprise Architecture Security Layer (20 May 2004)

The Office of Management and Budget (OMB) says it plans to release a security layer for the Federal Enterprise Architecture by the end of this summer. The CIO Council's Architecture and Infrastructure Committee is reviewing comments on the plan, which will allow agencies to build security and privacy into their IT projects from the very start.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=25994

[Editors' Note (Schultz and Paller): The OMB is on the right track. Building in security right from the start is the most effective way to approach security by far. ]

Open Source Database Application Vulnerabilities (20 May 2004)

Security flaws in the Subversion and Concurrent Versions System (CVS) applications could allow attackers to access and corrupt open source databases.
-http://software.silicon.com/os/print.htm?TYPE=story&AT=39120821-39024651t-40
000022c

Keystroke-Logging Student Sentenced to Jail (20 May 2004)

National University of Singapore student Nguyen Van Phi Hung has been sentenced to 20 months in jail for using a Trojan horse program to install keystroke loggers on computers and using the information he gathered to steal fellow students' passwords and user IDs. The keylogger program was attached to a game that he posted on his website for download by victims. When they downloaded the game the keystroke logger was installed surreptitiously.
-http://www.channelnewsasia.com/stories/singaporelocalnews/print/85885/1/.html

eMail Authentication Standards Tested, Proposed (20/18 May 2004)

Microsoft plans to submit a proposed anti-spam standard, Caller-ID for Email, to the Internet Engineering Task Force (IETF). Microsoft's filing will follow close on the heels of Yahoo's proposal, called DomainKeys, which was submitted to the IETF last week. America Online is testing an email authentication technology called Sender Permitted Form.
-http://asia.cnet.com/newstech/security/printfriendly.htm?AT=39180096-39001150t-3
9000005c

-http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=5183726

Half of Deceptive Duo Pleads Guilty, Admits to Various Computer Crimes (19 May 2004)

In a plea agreement with prosecutors, Floridian Benjamin Stark has admitted to breaking into eleven US government and private commercial computer networks. Stark has admitted to being half of a cracking team known as the Deceptive Duo, which in spring 2002 defaced a number of US government web sites. Stark also admitted to two "solo missions," one of which involved selling a batch of stolen credit card numbers to an undercover FBI agent in a chat room. Stark's sentencing is scheduled for September 24; federal sentencing guidelines indicate a 24 to 36 month prison term.
-http://www.securityfocus.com/printable/news/8717
[Editor's Note (Shpantzer): "Patriotism is the last refuge of the scoundrel" fits like a glove to this case. Selling credit card numbers online and defacing government web sites under the pretense of saving the country does not a patriot make. The lawyer for the other half of this duo is stating that his client would use the defense of saving the country from cyber-terrorists. ]

Cisco Applies for TCP Fix Patents (19 May 2004)

Cisco has applied for patents on its TCP fixes. Cisco also has plans to standardize some technology in those fixes. A company spokeswoman said that if Cisco is granted the patents, it would not charge licensing fees for use of the technology.
-http://zdnet.com.com/2102-1105_2-5216494.html?tag=printthis

Phisher Gets 46-Month Prison Sentence (18 May 2004)

A Texas federal court judge has sentenced 20-year-old Zachary Hill to 46 months in prison for his role in a phishing scam. Hill stole 473 credit card numbers by sending out email messages pretending to be from AOL and PayPal informing people that their accounts had expired and requesting them to enter the card numbers into his phony web forms. Hill then used the card numbers to make $47,000 in fraudulent charges.
-http://www.washingtonpost.com/ac2/wp-dyn/A37406-2004May18?language=printer

Police Investigating Sasser Informant (18 May 2004)

German police are investigating a man who provided information leading to the arrest of Sasser author Sven Jaschan. If it becomes apparent the informant is in any way tied to the creation of Sasser, he will forfeit any claim to part of the $250,000 bounty offered by Microsoft's Anti-Virus Reward Program.
-http://www.theregister.co.uk/2004/05/18/sasser_informant_turns_suspect/print.htm
l

Opinion: Microsoft's Bounty Program is Working Like It's Supposed To (17 May 2004)

The author says that Microsoft's bounty program is working -- that it was not created to put a stop to faulty software, nor to catch seasoned criminals, but rather to catch any computer vandals, like the Sasser author, and discourage copycats.
-http://www.securityfocus.com/printable/columnists/242
[Editor's Note (Pescatore): Gee, there are several items in this issue about hackers who got caught where there were no rewards, but the Sasser writer getting caught validates vendor reward programs? The program is meeting its design goal - it shifts the attention from the Windows vulnerability to the person who wrote the exploit. ]

Kibuv Worm (18/17 May 2004)

Extremely heavy traffic on TCP port 5000 is thought to be the work of the Kibuv.b worm, which exploits a Windows Universal Plug and Play (UPnP) service vulnerability. A patch for the flaw has been available since late 2001. Kibuv spreads through a variety of methods and can use its own FTP server to distribute copies of itself. It also listens for commands on an IRC chat server.
-http://www.eweek.com/article2/0,1759,1594860,00.asp


===end===


NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan Guest Editor: Eugene Spafford

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/