Final Week to Get a MacBook Air or Surface Pro 7 with Online Training - Best Offers of the Year!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VI - Issue #22

June 02, 2004

Notes On Very Useful Free Tools and Opportunities

1. The Center for Internet Security (CIS) has completed a new software tool that compares the configuration of Oracle Database to the technical control recommendations in the CIS benchmark. It's FREE at That's also where you'll find tools to test security configurations of Windows and Solaris and several other systems. If you work for a federal agency or for a state or local government (or if your company is a member of CIS) you can distribute the tools to sysadmins and security auditors throughout your site. Otherwise every sysadmin must download the tools separately

2. Now that more than 40,000 people have attended SANS courses, our growing alumni community looks to us for new courses that can expand their security skills. If you have developed a course - perhaps at a university of inside a large company, and believe it could help a lot of other security people, please send a note describing the course and its audience. We pay more than a million dollars every year in royalties to course authors. so it can be very lucrative to get a course published and marketed by SANS.


Maryland Governor Signs Anti-Spam Law
California Senate Votes to Push Voting Machine Audit Trail
CSO Survey Places Cyber Attack Cost at USD$666 Million in 2003


Taiwanese Police Arrest Alleged Peep Trojan Author
Suspected Randex Author Charged
Audit Finds Computer Security Problems at FDIC
North Korea has Military Intelligence Hacking Unit
First 64-bit Virus Identified
Carmack, aka Buffalo Spammer, Gets 7-Year Sentence
Korgo Worms Exploit LSASS Vulnerability
Anti-Spam Efforts Come Together
Organization for Internet Safety Wants Comments on Vulnerability Reporting Guidelines
GAO: Outsourcing Raises Security Concerns about Weapon System Software
Opinion: Microsoft Should Release Two Versions of SP2 for Windows XP
System will Track and Document Linux Kernel Changes
Comcast Mulls Ways to Stop Spam Zombies

********************* Sponsored by Qualys, Inc. *************************

Free Web Seminar: Worm-Proof Your Network - June 10, 2004

Discover why anti-virus solutions and firewalls are not enough. Find out what proactive measures you can take to ensure your network is secure.

* Scan a global network - identify vulnerable systems and infected devices.
* Receive automatic, daily updates to vulnerabilities and worms within hours of a public announcement.
* Follow best practices to remediate problems and audit the remediation work.

Don't miss this opportunity to learn how to safeguard your organization's network from the next worm.

Thursday, June 10, 2004 10:00 a.m. 11:00 p.m. PDT Register Now!

Highlighted Training Program Of The Week

SANSFIRE (July 5-13) offers you 14 immersion training tracks in one of the most beautiful places in America -- Monterey California. Phenomenal training for auditors who want to master the challenges of security auditors, managers who want to build a great security program, beginners who want to get a fast start, and, of course, the only place to go for technologists who want to master the most current methods for protecting systems and networks. SANSFIRE also offers lots of evening programs, extra one-day classes ranging from Business Law to Cyberwarrior training, and vendor exhibits, too.



Maryland Governor Signs Anti-Spam Law (27 May 2004)

Maryland Governor Robert Ehrlich (R) has signed the Maryland Spam Deterrence Act, which provides for 10-year jail sentences and fines of up to USD$25,000 for those convicted of falsifying their identities, addresses or subject lines in spam. The law goes into effect on October 1.
[Editor's Note (Ranum): many states already have similar laws and have had them for a long time. I s.t.i.l.l. get sp8m!
(Grefer): It is interesting to see that Senator Burns, one of the co-authors of the CAN-SPAM Act now appears to endorse additional state legislation, whereas the Act explicitly superseded all stricter state spam legislation, such as California's. ]

California Senate Votes to Push Voting Machine Audit Trail (26 May 2004)

The California State Senate has unanimously approved legislation pushing up the deadline for requiring touchscreen voting machines to provide paper backups from July 1, 2005 to January 1, 2005. If the bill ultimately becomes law, counties will not be permitted to purchase machines that do not provide a voter-verifiable audit trail after that date.

[Editor's Note (Schultz): This is an extremely important development. The integrity of electronic voting systems ultimately depends more on verifiable audit trails than anything else. Hopefully, the US government will follow suit and pass similar legislation that applies to all states. ]

CSO Survey Places Cyber Attack Cost at USD$666 Million in 2003 (25 May 2004)

A survey conducted by CSO magazine with "cooperation" from the US Secret Service and CERT/CC found that cyber attacks cost businesses an estimated USD$666 million in 2003. The survey polled 500 executives and found that more than 40% said cyber security incidents had increased between 2002 and 2003. More than 40% also said hackers were their number one security concern; 28% placed insider threats as their number one concern. 36% of those responding say they monitor employees' web use and pertinent activities to guard against internal threats.


Taiwanese Police Arrest Alleged Peep Trojan Author (31/27 May 2004)

Taiwanese police have arrested Wang Ping-an, a 30-year-old computer engineer, for allegedly creating the Trojan horse program called "Peep" and posting it on the Internet. The program allowed those who used it to steal information from and control infected computers. If he is convicted, Wang faces a jail sentence of up to five years.

Suspected Randex Author Charged (28/27 May 2004)

Canadian police have charged a 16-year-old with creating and releasing the Randex worm. Lists of computers infected with the worm were reportedly being sold on the Internet black market. If convicted, the teenager could face fines and a jail sentence of up to 10 years.

Audit Finds Computer Security Problems at FDIC (28 May 2004)

According to a General Accounting Office (GAO) report, the US Federal Deposit Insurance Corporation (FDIC) still has significant computer security problems to address. A recent audit of FDIC systems found that anyone who could access the network could modify access control lists, known software vulnerabilities were not addressed, and intrusion detection systems were only partially implemented.
[Editor's Note (Ranum): My experience with federal agencies is that a tremendous amount of IT is outsourced. So when someone audits an agency, what they are measuring is often the delta between "what the taxpayer paid for" and "what the contractors got done in the time they worked on it." ]

North Korea has Military Intelligence Hacking Unit (28/27 May 2004)

A military official in Seoul said there is evidence that North Korea has a "computer hacking military unit" whose goal it is to attack and collect classified information from South Korean computer networks. The South Korean military has established a counter-cyber terrorism investigative team.

First 64-bit Virus Identified (27 May 2004)

Symantec has identified the W64.Rugrat.3344 virus, a proof-of-concept virus which is thought to be the first virus capable of infecting 64-bit Windows executables. The virus does not pose an immediate threat because 64-bit computers are not widely used and it has not been detected in the wild.

Carmack, aka Buffalo Spammer, Gets 7-Year Sentence (27 May 2004)

Howard Carmack, the New York state man known as the Buffalo Spammer, has been sentenced to 7 years in prison for forgery, identity theft and falsifying business records. EarthLink won a $16.4 million civil judgment against Carmack a year ago. Carmack received the maximum sentence under the law because he has a prior felony conviction for fraud.

[Editor's Note (Shpantzer): Perhaps more interesting than the people who send us spam are the people on whose behalf the spam is sent. After all, spammers send all those emails in order to make a profit. But where's the money going? This report from 2003 sheds some light on the topic.

Korgo Worms Exploit LSASS Vulnerability (27/26 May 2004)

The W32.Korgo.B worm, aka Padobot, exploits a flaw in Windows Local Security Authority Subsystem Service (LSASS) that was patched by Microsoft's MS04-011 fix released on April 13; the worm's spread indicates that people have not been applying the patch. Korgo does not spread by email, but instead scans for vulnerable machines; it can open TCP ports 113, 445, 2041, 3067 and 6667 to serve as a back door for communicating with certain Internet Relay Channel (IRC) servers to receive data and commands.

Anti-Spam Efforts Come Together (26 May 2004)

Microsoft has announced that it will merge its Caller-ID for email technology with the Sender Policy Framework (SPF), joining America Online, EarthLink and Google in supporting the specification.


Organization for Internet Safety Wants Comments on Vulnerability Reporting Guidelines (26/25 May 2004)

The Organization for Internet Safety (OIS) is asking for comments on the 2004 draft of its guidelines for security vulnerability reporting. A version of the guidelines was released in July 2003, but did not address certain issues, such as the government's role in vulnerability reporting. The new set of guidelines is expected to be published in July 2004; comments will be accepted through June 24 at


GAO: Outsourcing Raises Security Concerns about Weapon System Software (25 May 2004)

A General Accounting Office (GAO) report released last week expressed concern about outsourcing the development of weapon system software. In addition, policies designed to reduce security risks largely address external rather than internal threats. The report says "unless program officials provide specific guidance, contractors may favor business considerations over potential software development security risks associated with using foreign suppliers." Recently adopted DOD initiatives could help address the problem, but they have not been implemented throughout the Department yet.
In a related story, Lt. Jamie Gateau, director of technology innovation for the Navy's Network and Space Operations Command, says he plans to "beef up" security requirements in software outsourcing contracts. Gateau is also evaluating technology that could identify vulnerabilities in outsourced software.
[Editor's Note (Ranum): This is a crucial issue that has been swept under the rug for years. In truth, most of our weapons developments are "outsourced" already - but the software aspect is far harder to track and increasingly important. When you consider that there are indications that the US intelligence community has taken advantage of rival nations' technical acquisitions to "plant" technology or backdoors, I find it horrifying to see our deliberate, willful ignorance that the same might apply to us. Interesting references on this topic are:

Opinion: Microsoft Should Release Two Versions of SP2 for Windows XP (24 May 2004)

Columnist Mark Rasch weighs in on Microsoft's decision not to support Service Pack 2 for Windows XP for people using unlicensed copies of the software. Microsoft now apparently intends to make SP2 available to some people using unlicensed software, but Rasch points out that this still leaves some systems unpatched. He proposes that Microsoft release two versions of SP2 for XP; one for licensed users, which will contain security fixes as well as functional upgrades, and the other, for unlicensed versions, which contains just security fixes.
[Editor's Note (Schultz): Rasch's idea is an intriguing one. I predict, however, that Microsoft will not be willing to make concessions to those who run illegal copies of its software. Microsoft is, after all, engaged in a major effort to reduce the immense amount of pirating of its software that occurs.
(Ranum) People are not "using unlicensed pieces of software" they are running stolen software. And they've got the unmitigated gall to complain that it doesn't work right? They can get the support and moral high ground by paying Microsoft their tithe, or running a free O/S - or they can shut up. ]

System will Track and Document Linux Kernel Changes (24 May 2004)

Open Source Development Labs has devised a new system for tracking and documenting Linux kernel changes, which should help clarify the origin of code. A Developer's Certificate of Origin will help track changes and their authorship. The DCO applies to the Linux kernel only, not to the open source applications that run on it.

Comcast Mulls Ways to Stop Spam Zombies (24 May 2004)

Comcast network engineer Sean Lutner acknowledged that more than 85% of the 800 million email messages sent every day from Comcast networks is spam from zombie computers. One reason for the sheer volume of spam coming from Comcast is that Comcast has a large number of high-speed Internet customers whose connections are most desirable for spammers to hijack. Comcast's marketing department nixed a proposal to block traffic on port 25 because the cost of helping customers reconfigure their mail programs would be quite high. Instead, Comcast engineers are considering identifying zombie computers and sending a new configuration routine to their modems that will prohibit outbound connections on port 25.


NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit