Last Chance: MacBook Air, Dell XPS 13 or $600 off with SANS Online Training Ends December 7

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VI - Issue #25

June 23, 2004

TOP OF THE NEWS

Davis and Putnam Propose Cyber Security Amendment to Clinger-Cohen
House Subcommittee Approves Spyware Act
Audit Finds Nearly One-Third of PCs Scanned in April Has Spyware
California Secretary of State Establishes Electronic Voting Standards
Switches to Incorporate More Security Options

THE REST OF THE WEEK'S NEWS

South Korean Government Networks Infiltrated
Industry Groups Want DHS to Broaden FOIA Protection for Critical Infrastructure Information
Senator Lugar Encourages Ratifying Council of Europe's Cyber Crime Treaty
20 Legislators Co-Sponsor Bill to Overturn DMCA Copy Protection Circumvention Provision
Coalition Formed to Raise Public Awareness of Phishing
Trusted Electronic Communications Forum to Fight Phishing, Promote Standards
Computer Thieves Caught on Closed-Circuit TV
DDoS Attack was Directed Specifically at Akamai
Sasser Informant Under Investigation as Possible Accomplice
Taiwan's Democratic Progressive Party Databases Breached
Government IT Spending Increase Just 2% for 2005
League of Women Voters Drops Paperless Voting System Endorsement
Recount Problems with Florida's Touch-Screen Voting Machines
Gaming Machines More Stringently Regulated than Voting Machines

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

Spammers Bypass Outlook 2003 Security
Cabir is Proof-of-Concept Wireless Phone Virus
Zafi.B Virus
Linux Kernel Flaw


********************* Sponsored by Symantec *****************************

Symantec Gateway Security 5400 Series provides fully integrated enterprise protection at the gateway. As the industry's most comprehensive firewall appliance, it integrates full inspection firewall technology, protocol anomaly-based intrusion prevention and intrusion detection, award-winning virus protection, URL-based content filtering, anti-spam, and virtual private networking technology. To find out more, Click Here or call 1-800-745-6054.

http://www.sans.org/click.php?id=484

*************************************************************************

Highlighted Training Program Of The Week

SANSFIRE in Monterey, CA (July 5-13) offers you 14 immersion training tracks in one of the most beautiful places in America -- Monterey California. Phenomenal training for auditors who want to master the challenges of security auditors, managers who want to build a great security program, beginners who want to get a fast start, and, of course, the only place to go for technologists who want to master the most current methods for protecting systems and networks. SANSFIRE also offers lots of evening programs, extra one-day classes ranging from Business Law to Cyberwarrior training, and vendor exhibits, too.

http://www.sans.org/sansfire2004

*************************************************************************

TOP OF THE NEWS

Davis and Putnam Propose Cyber Security Amendment to Clinger-Cohen (21/15 June 2004)

Representatives Tom Davis (R-Va.) and Adam Putnam (R-Fla.) have proposed an amendment to the Clinger-Cohen Act that would impose cyber security requirements concerned with the planning for and acquisition of government information systems planning and acquisition. H.R. 4570 would also give the Office of Management and Budget (OMB) "authority for advising agencies on information security." The Clinger-Cohen Act of 1996 directs agencies on IT investments; the Act became law before internet security issues were widely understood, and it therefore needs to be updated. Representative Davis is chairman of the House Reform Committee; Representative Putnam is chairman of the Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee.
-http://www.fcw.com/fcw/articles/2004/0621/news-putnam-06-21-04.asp
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=26231

[Editor's Note (Pescatore): Forcing government programs to include security in systems planning and budgeting is a very good thing. It has had limited success in Clinger-Cohen 1996 - anything that can be done to give it more teeth now should be done. ]

House Subcommittee Approves Spyware Act (18/17 June 2004)

The US House Subcommittee on Commerce, Trade and Consumer Protection has approved the Securely Protect Yourself Against Cyber Trespass Act (or SPYACT), which would impose fines of up to USD$3 million for collecting information, "diverting browsers" and sending certain pop ups to people without express permission. The bill also requires that spyware purveyors inform and obtain consent from users before software is installed.
-http://www.securityfocus.com/printable/news/8941
-http://www.computerworld.com/printthis/2004/0,4814,93901,00.html
-http://zdnet.com.com/2102-1104_2-5238383.html?tag=printthis
[Editor's Note (Schultz): This is an intriguing piece of legislation. URL direction and pop-ups are currently a way of life for Internet users. The provisions of this bill thus at least superficially seem too austere. ]

Audit Finds Nearly One-Third of PCs Scanned in April Has Spyware (17 June 2004)

The monthly SpyAudit conducted by EarthLink and Webroot found that almost 134,000 of the more than 420,000 PCs scanned in April contained a Trojan Horse or system monitor, like a keystroke logger, that had been deposited by spyware. The April scans also found "26.9 spyware programs or components per machine."
-http://www.techweb.com/wire/story/TWB20040617S0008
[Editor's Note (Pescatore): It isn't clear what this survey considers to be a "trojan horse"or they had any real of way of knowing that the trojan horse was delivered by spyware, but we are clearly seeing a dramatic growth in malicious payloads being delivered by spyware. Help desk calls for performance problems due to spyware are skyrocketing.
(Ranum): Corporate IT's reaction to spyware has been surprising: it's been largely swept under the rug. The problem is that you can't hide an elephant by sweeping it under the rug. It leaves quite a bulge. ]

California Secretary of State Establishes Electronic Voting Standards (15 June 2004)

California Secretary of State Kevin Shelley has established standards for voter-verifiable paper audit trails for electronic voting machines. Six months ago, Shelley mandated that as of July 2005, all electronic voting machines used in California must provide paper trails. The standards require that touch screen voting machines allow voters to view printouts of their ballots after voting; the printouts would be behind a glass partition and the voters would not take them home. The electronic ballots would be considered the official record, with the paper ballots being used in California's mandatory 1% recount or in the event of a full manual recount. In the event of a discrepancy between electronic and paper ballots, the paper ballots would prevail. Shelley has also decertified all touch screen voting machines in the state until they improve their security or can produce verifiable paper trails.
-http://www.wired.com/news/print/0,1294,63869,00.html

-http://www.ss.ca.gov/elections/ks_dre_papers/avvpat_standards_6_15_04.pdf

Switches to Incorporate More Security Options (14 June 2004)

Companies are rising to the need for switch-based security options. Among the functions being incorporated into switches are virus quarantine, policy enforcement and the ability to detect and block denial-of-service attacks.
-http://www.nwfusion.com/news/2004/0614switchsecurity.html
[Editor's Note (Northcutt): On July 1 at 1 PM EDT SANS is pleased to offer a free technical webcast on how to implement internal network segregation using Cisco switches.
-http://www.sans.org/webcasts/show.php?webcastid=90512
(Pescatore): Given the level of worm and Kazaa trash on many enterprise networks, quality of service controls being built into switches is going to be used by the network operations types just to reclaim bandwidth. This will definitely be required as VoIP converged networks start showing up in more quantity. Security groups need to facilitate getting the operations side to take over such trash removal, so security can focus on new threats and new technologies that need securing. ]


************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.


(1) ALERT: How Hackers Use LDAP Injection to Steal Your Data and Bypass
Authentication
http://www.sans.org/click.php?id=488


(2) ALERT: Learn about the software tools spammers use. You'll be
amazed.
http://www.sans.org/click.php?id=489


*************************************************************************

THE REST OF THE WEEK'S NEWS

South Korean Government Networks Infiltrated (21 June 2004)

South Korea's National Cyber Security Center (NCSC) says that someone broke into a half dozen government agency and research institute computer systems. The computers were infected with the Peep Trojan horse program. Peep infects computers when users open infected attachments; it is designed to allow attackers to write, edit and delete files on infected computers. NCSC says it took measures as soon as it found out about the infection and there is no risk of "data outflow." The infected email appeared to come via China (PRC), but that alone does not prove the attack originated there.
-http://australianit.news.com.au/common/print/0,7208,9908128%5E15331%5E%5Enbv%5E1
5306%2D15318,00.html

-http://times.hankooki.com/lpage/200406/kt2004062017114010440.htm
-http://times.hankooki.com/lpage/tech/200406/kt2004062115272612350.htm

Industry Groups Want DHS to Broaden FOIA Protection for Critical Infrastructure Information (21 June 2004)

Financial services roundtable BITS wants the Department of Homeland Security (DHS) to expand its definition of critical infrastructure information to allow more items to be exempt from public disclosure under the Freedom of Information Act (FOIA). As presently defined, protected critical infrastructure information would not include information like the switch location of a bank's high speed Internet connection.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci970920,00
.html

Senator Lugar Encourages Ratifying Council of Europe's Cyber Crime Treaty (18 June 2004)

Senator Richard Lugar (R.-Indiana), chair of the Senate Foreign Relations Committee, encouraged swift ratification of the Council of Europe's Cyber Crime Treaty because it will allow the US to take "a leadership role in international law enforcement." Countries that ratify the treaty would be required to update their laws regarding computer crime; the treaty also provides for "mutual assistance and extradition among participating nations." The Senate is not considering ratifying an addition to the treaty that would require the imprisonment of those who use a computer system to publicly insult others based on characteristics like race or ethnic origin because it would violate First Amendment rights.
-http://zdnet.com.com/2102-1104_2-5238865.html?tag=printthis

[Editor's Note (Schmidt): The council of Europe Cyber Crime Treaty is a piece of legislation that helps provide harmonization of Cyber Crime and establishes a means to hold people accountable for their criminal activity. This is something that was called for in the National Strategy to Secure CyberSpace and something we should do ASAP. ]

20 Legislators Co-Sponsor Bill to Overturn DMCA Copy Protection Circumvention Provision (17 June 2004)

Representative Rick Boucher (D-Virginia), along with 19 other legislators, is sponsoring a bill that would overturn a provision of the Digital Millennium Copyright Act (DMCA) that prohibits people from circumventing copy protection on digital media products, even for making a personal use copy. Legislators now seem to be feeling that the DMCA gave copyright holders too much power in certain areas. The provision in question essentially takes the interpretation of fair use away from the courts.
-http://www.wired.com/news/print/0,1294,63876,00.html
[Editor's Note (Schultz): Hopefully this bill will eventually become law. DMCA is simply too lopsided in favor of copyright holders, something that many of us have pointed out before DMCA was passed. ]

Coalition Formed to Raise Public Awareness of Phishing (17 June 2004)

The Federal Trade Commission (FTC), the Better Business Bureau, Visa USA and other organizations have formed a coalition to inform the public about the threat of phishing. The coalition aims to help people understand how to avoid falling into the traps laid by phishers and how and where to report suspicious email messages.
-http://www.securityfocus.com/printable/news/8936

Trusted Electronic Communications Forum to Fight Phishing, Promote Standards (16/15 June 2004)

17 companies from a variety of industries have joined forces to form the Trusted Electronic Communications Forum (TECF) which will fight phishing, spoofing and other methods of identity fraud. The TECF wants to focus on standardizing technologies and best practices. It also wants to help prosecute scammers and establish a system to help the reporting of phishing scams. TECF chairman Shawn Eldridge says he sees his group as complementary to the Anti-Phishing Working Group.
-http://www.infoworld.com/article/04/06/16/HNphishing_1.html
-http://www.computerworld.com/printthis/2004/0,4814,93843,00.html
-http://www.techweb.com/wire/story/TWB20040616S0009
[Editor's Note (Pescatore): If you tie the last two stories together, there are already way too many anti-phishing coalitions - we don't need more. I expect we will see a similar plethora of anti-spyware coalitions shortly.
(Schmidt): It would be great to coordinate all of these groups, as much has already been done. We can move a lot quicker by pulling these groups of common interest together. ]

Computer Thieves Caught on Closed-Circuit TV (17/16 June 2004)

A closed-circuit television system captured footage of thieves stealing computers from the pathology department of the Royal Shrewsbury Hospital in Shropshire, England. The stolen machines contain eight years worth of confidential patient data. The thieves probably stole the equipment with the intention of selling it rather than harvesting the data, according to a National Health Service spokesman. Police are scrutinizing the tapes for clues.
-http://www.theregister.co.uk/2004/06/17/hospital_break_in/print.html
-http://www.shropshirestar.com/cgi-bin/artman/exec/view.cgi?archive=5&num=187
74#

DDoS Attack Was Directed Specifically at Akamai (16 June 2004)

Akamai Technologies Inc. admitted that a recent distributed denial-of-service (DDoS) attack targeted specific Akamai customers; the company had previously stated that the attack was global in nature and not directed at Akamai specifically. The attack, which was on Akamai's enhanced DNS service, caused performance degradation but did not result in a service outage. Johannes Ullrich of the SANS Internet Storm Center said their analysis showed the attack was directed solely at Akamai. Akamai chief scientist Tom Leighton discussed the attack with Computerworld.
-http://www.computerworld.com/printthis/2004/0,4814,93862,00.html
Leighton Q & A:
-http://www.computerworld.com/printthis/2004/0,4814,93875,00.html
-http://www.infoworld.com/article/04/06/16/HNakamai_1.html

Sasser Informant Under Investigation as Possible Accomplice (16 June 2004)

German prosecutors say that one of the five people under investigation as possible accomplices in the Sasser worm case is the person who provided the tip leading to the arrest of Sven Jaschan, who has admitted to authoring the worm. Jaschan has claimed that he did not want to cause damage with Sasser, but instead that he wanted to prove that he was better than other virus writers.
-http://www.eweek.com/print_article/0,1761,a=129753,00.asp

Taiwan's Democratic Progressive Party Databases Breached (16 June 2004)

China-based cyber attackers have broken into Taiwan's Democratic Progressive Party (DPP) databases and stolen classified information, according to a cabinet official. They allegedly accessed the personal itineraries of the president and other party officials.
-http://www.taipeitimes.com/News/front/archives/2004/06/16/2003175231/print

-http://www.securitypipeline.com/news/showArticle.jhtml;jsessionid=2URMRRLAV5OUIQ
SNDBCCKHY?articleId=22100244&printableArticle=true

Government IT Spending Increase Just 2% for 2005 (16/15 June 2004)

US government spending on IT will increase just 2% in fiscal 2005, according to a study from market research firm Input. Spending increased 15% in 2004, 50% in 2003 and 100% in 2002. One reason for the decline is the fact that many agencies have failed to heed federal security requirements and therefore cannot receive money for new initiatives from the Office of Management and Budget (OMB). Input expects that spending will rise again toward the end of the decade, but increases will remain in the single digits from now on.
-http://www.govexec.com/story_page.cfm?articleid=28750&printerfriendlyVers=1&
amp;

-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=21800461

League of Women Voters Drops Paperless Voting System Endorsement (14 June 2004)

Delegates at the League of Women Voters conference in Washington DC last week voted overwhelmingly in favor of a resolution supporting "voting systems and procedures that are secure, accurate, recountable and accessible." The resolution stands in contrast to the League's endorsement of paperless electronic voting machines last year.
-http://www.securityfocus.com/printable/news/8901

Recount Problems with Florida's Touch-Screen Voting Machines (14 June 2004)

Problems with the touch-screen voting machines used in Florida could make it impossible to conduct a manual recount. Though a spokesperson for Florida's secretary of state called it "minor technical hiccups," others are concerned that state officials certified equipment they knew to be problematic.
-http://www.wired.com/news/print/0,1294,63837,00.html

Gaming Machines More Stringently Regulated than Voting Machines (13 June 2004)

An editorial originally published in the New York Times observes that gambling machines in Las Vegas are subject to more stringent regulation, certification and testing than are electronic voting machines used across the country. For instance, the Nevada Gaming Control Board has copies of every gambling device software currently in use, and inspectors do unannounced spot checks at casinos to ensure the code on the machines is untainted. Voting machine software, on the other hand, is proprietary, and alterations would be hard to detect as the same sort of inspections are not required.
-http://www.verifiedvoting.org/article.asp?id=2400&print=yes

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

Spammers Bypass Outlook 2003 Security (21 June 2004)

Spammers have discovered how to bypass Outlook 2003's anti-spam security that scans incoming email for language that indicates it could be spam and which also allows users to prevent HTML email from downloading content from the Internet. The spammers attach an image file to the email and then use HTML code to display the image, which can contain words the filter would otherwise have caught.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39158241-39020369t-10000025c

Cabir is Proof-of-Concept Wireless Phone Virus (16/14 June 2004)

A proof-of-concept virus called Cabir affects wireless phones and other devices running the Symbian operating system. Cabir is the first virus that spreads through wireless phones. Once a phone is infected, it scans the area for other phones every time it is turned on, looking for other devices to infect. Copies of the virus were sent to anti-virus firms but it has not been spotted in the wild; it is possible, however, that others could use the worm as a jumping off point to create something more malicious and release it into the wild. Analysis of Cabir has shown that it would not spread easily because it would require users to approve downloads from unknown sources.
-http://news.bbc.co.uk/2/hi/technology/3809855.stm

-http://zdnet.com.com/2102-1105_2-5233517.html?tag=printthis
-http://asia.cnet.com/newstech/security/printfriendly.htm?AT=39183547-39001150t-3
9000005c

Zafi.B Virus (15 June 2004)

The Zafi.B virus spreads through email attachments and reportedly terminates any applications that contain the words "firewall" or "virus" in their filenames. It can also send itself in a variety of languages.
-http://zdnet.com.com/2102-1105_2-5236264.html?tag=printthis

Linux Kernel Flaw (15/14 June 2004)

Patches are available for a Linux kernel vulnerability that allows anyone with a normal user account on vulnerable systems to crash the server. The problem affects most distributions using 2.4 and 2.6 kernels running on x86 architectures.
-http://www.computerworld.com/printthis/2004/0,4814,93833,00.html
-http://www.eweek.com/print_article/0,1761,a=129564,00.asp


===end===


NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/