Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VI - Issue #33

August 18, 2004


Today is the deadline for early registration discounts for SANS Network Security 2004 in Las Vegas, but if you need an extra day or two, email registration@sans.org.

TOP OF THE NEWS

Unpatched PCs Infected In Minutes
FCC Will Require Wireless Telecoms to Report Outage Information
eMail Security Companies Say They Will Support Sender ID
AOL and Yahoo to Use Authentication Technology in Fight Against Spam and Phishing
DoJ Publishes Guidelines for Preserving Electronic Evidence
WINDOWS XP SP2 CHALLENGES
Microsoft Releases List of Products that Could Conflict with XP SP2
Windows Firewall Lacks Outbound Traffic Blocking
Group Will Stop Distributing XP SP2 on P2 Network

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Teenager Pleads Guilty to Creating and Spreading Blaster-B
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
FCC is Reviewing Emergency Alert System
DoE Inspector General Report Says Los Alamos National Laboratory Has Weak Inventory Controls
Philippine Government Plans National Cyber Security System
LEGISLATION
Zambia Cyber Crime Law Awaits Presidential Nod
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Yahoo Update Addresses PNG Vulnerability
MyDoom.S Spotted
UK Police Warn of Phishing Scam that Uses Key-Logger Trojan
Microsoft August Security Release is Small
Apple OS X Update Fixes PNG Vulnerability
Bagle.AQ Spreads
MISCELLANEOUS
MPAA Says Case Shows Copyright Infringement Will Not be Tolerated
One Year Later: What We Learned From Blaster
Copier Security
Trojan Turns Out to be Old Copy Protection Scheme
Biometrics Gradually Appearing in Consumer Applications
Illinois College Student Allegedly Downloaded Information from Student Database


************************** SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.


1) View Geographical Spam Statistics - Download CipherTrust's
Whitepaper: "Selecting an Email Security Solution" -
http://www.sans.org/info.php?id=555


2) ALERT: Top 14 Web Application Attack Techniques and Methods to
Combat Them
http://www.sans.org/info.php?id=556


*************************************************************************

TOP OF THE NEWS

Unpatched PCs Infected In Minutes

New, unpatched and unprotected computers survive only about 20 minutes before being exploited. Last year the survival time was nearer 40 minutes.
-http://www.gcn.com/vol1_no1/daily-updates/26967-1.html

FCC Will Require Wireless Telecoms to Report Outage Information (11 August 2004)

The Federal Communications Commission (FCC) has issued new rules requiring wireless telecommunications companies to provide information about serious service outages. The information will be sent over an encrypted reporting system and will be exempt from Freedom of Information Act (FOIA). Telecommunications providers, along with the Department of Homeland Security, convinced the FCC to make the exception because the information could be exploited by terrorists to conduct attacks on the nation's communications infrastructure. The FCC is requiring that the information be reported to ensure that communications systems used in emergency situations, including cellular and satellite phones, remain secure and protected from terrorist attacks.
-http://www.wired.com/news/print/0,1294,64528,00.html
[Editor's Note (Pescatore): There are a lot of bad decisions being made in the name of homeland security. Allowing wireless carriers to hide reliability and availability problems from consumers will reduce competitive pressure to have higher availability and will not harden the systems from attack - the net result is a less secure system. ]

eMail Security Companies Say They Will Support Sender ID (12 August 2004)

A number of email security companies voiced support for Microsoft's Sender ID sender authentication standard and said they would incorporate it into their products. The companies had gathered at a summit requested by the eMail Service Provider Coalition (ESPC) and hosted by Microsoft.
-http://www.techweb.com/wire/story/TWB20040812S0004
[Editor's Note (Tan): In addition to limiting spamming and phishing emails, this approach will also limit the spoofed emails often generated by viruses.
(Schmidt): The increasing industry support for two- factor/strong authentication will do much to cure many of the security problems we face today. Hacking, DDoS, phishing, fraud etc. will all be harder as we deploy strong authentication.]

AOL and Yahoo to Use Authentication Technology in Fight Against Spam and Phishing (12 August 2004)

America Online and Yahoo both plan to begin using email authentication technology to fight the worsening problem of spam and phishing scams. AOL plans to use Microsoft's Sender ID authentication architecture to verify that incoming email is legitimate; Yahoo will use DomainKeys technology to sign outgoing email.
-http://www.computerworld.com/printthis/2004/0,4814,95185,00.html

DoJ Publishes Guidelines for Preserving Electronic Evidence (16 August 2004)

The US Justice Department's National Institute of Justice has published Forensic Examination of Digital Evidence: A Guide for Law Enforcement. The guidelines are intended to help law enforcement agents preserve the integrity of digital evidence so it will be admissible in court. The publication recommends that digital evidence should be examined only by trained professionals and that examinations should be conducted on copies of digital evidence while the original remains intact. This publication is the second in a series; future guidelines will cover using technology in investigations, investigating IT crimes, creating a digital evidence forensic unit and presenting digital evidence in court.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=26961

WINDOWS XP SP2 CHALLENGES

Microsoft Releases List of Products that Could Conflict with XP sp2 (16 August 2004)

Microsoft has issued a document that lists about 50 applications and games that may have trouble with the recently released Windows XP Service Pack 2. Among the problems: the new firewall may limit the ability of some applications to receive information from outside networks. Other companies have been posting information about functionality problems encountered as a result of installing SP2.
-http://zdnet.com.com/2102-1104_2-5311280.html?tag=printthis

[Editor's Note (Pescatore): Most SP2 compatibility problems are from the Windows Firewall improvements and the changes in how RPCs are handled in Windows. Since the Windows Firewall still doesn't enforce many policy controls that enterprises require, and since the RPC fixes were badly needed, most applications that don't work with SP2 were badly broken from a security perspective anyway. ]

Windows Firewall Lacks Outbound Traffic Blocking (13/11 August 2004)

Though Windows Firewall, which arrived as part of Windows XP Service Pack 2, is a welcome addition to PC security, it doesn't provide certain functions expected from commercial firewalls. Windows Firewall does not block outbound traffic, a function which prevents computers from being used as spam or denial-of-service zombies. In addition, other applications could potentially turn Windows Firewall off.
-http://www.pcworld.com/resource/printable/article/0,aid,117380,00.asp
[Editor's Note (Tan): Security savvy users will either know how to get a better firewall or safeguard their system from being trojanized. The great improvement of this Windows Firewall is that it provides protection before network starts up.
Editor's Note (Schultz): No security solution is perfect, nor can a single control measure such as a host-based firewall do everything. Critics often overlook the fact that Microsoft by all appearances is making a very concerted effort to improve security in its products. Perhaps WXP SP3 will be able to block outbound connections. ]

Group Will Stop Distributing XP SP2 on P2 Network (13 August 2004)

Peer-to-peer advocacy group Downhill Battle said it will stop distributing Microsoft's Windows XP SP2 update over peer-to-peer networks after it received notices from the company citing possible Digital Millennium Copyright Act (DMCA) violations. In the past, Downhill Battle has stood up to DMCA threats, but backed off from their activity this time because they believe they've made their point that P2P networks can be an efficient method of distribution for software updates. In response to concerns that files downloaded from P2P networks could be tainted, Downhill Battle co-founder Holmes Wilson remarked that files from the networks can be authenticated using a secure hash.
-http://zdnet.com.com/2102-1104_2-5309197.html?tag=printthis

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Teenager Pleads Guilty to Creating and Spreading Blaster-B (12 August 2004)

19-year-old Jeffrey Lee Parson has pleaded guilty in federal court to creating and distributing the Blaster.B worm one year ago this month. Parson also admitted he added a Trojan horse program to Blaster.B that let him gain access to infected computers. He could face a prison term of up to just over three years when he is sentenced in November, and may also be required to pay millions of dollars in fines.
-http://www.computerworld.com/printthis/2004/0,4814,95199,00.html

-http://www.theregister.co.uk/2004/08/12/blaster_kiddie_pleads_guilty/print.html

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

FCC is Reviewing Emergency Alert System (12 August 2004)

The Federal Communications Commission (FCC) has launched a review of the US Emergency Alert System (EAS), which allows officials to interrupt television and radio broadcasts to deliver emergency information. EAS does not incorporate authentication measures; it also has flaws which make it vulnerable to denial-of-service attacks and which could allow attackers to broadcast phony emergency messages.
-http://www.securityfocus.com/printable/news/9324

DoE Inspector General Report Says Los Alamos National Laboratory Has Weak Inventory Controls (13/12 August 2004)

According to a report from the Energy Department's inspector general, Los Alamos National Laboratory (LANL) has weak internal controls over computers used for both classified and unclassified research, which means the computers and the data they contain are vulnerable to loss or theft. The report indicated that some of the laboratory's computers were never entered into an inventory database. Classified work at LANL was suspended last month in the wake of the apparent loss of two removable data storage units.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=26895

-http://www.computerworld.com/printthis/2004/0,4814,95262,00.html
[Editor's Note (Schultz): The problem is far greater than only weak inventory controls, and it is by no means peculiar to LANL. The bigger problem is setting up and maintaining a suitable overall control structure, something that is difficult and expensive to do, but that needs to be done if an organization wants to avoid being plagued with missing equipment, security incidents, outages, and other catastrophes that so often plague the IT arena. ]

Philippine Government Plans National Cyber Security System (10 August 2004)

The Philippine government has outlined its plan for a national cyber security system to protect government and business systems from cyber attacks. There are six priority initiatives designed to help get the program going. They include enacting a Computer Crime Law, reducing the risk of threat to the country's electronic critical infrastructure with the help of a risk and vulnerability assessment plan and the creation of an Incident Response Team Coordinating Center.
-http://security.itworld.com/4367/040810cyber1/pfindex.html

LEGISLATION

Zambia Cyber Crime Law Awaits Presidential Nod (11 August 2004)

Zambia's Computer Misuse and Crimes law sets jail sentences for convicted cyber criminals at up to 25 years. The legislation has passed Zambia's parliament and is awaiting presidential assent.
-http://www.theage.com.au/articles/2004/08/11/1092102488282.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

Yahoo Update Addresses PNG Vulnerability (16 August 2004)

Yahoo has issued a security update that fixes a vulnerability in the way its Yahoo Messenger software handles the portable network graphics (PNG) format.
-http://asia.cnet.com/newstech/personaltech/printfriendly.htm?AT=39190144-3900114
7t-39000004c

MyDoom.S Spotted (16 August 2004)

Yet another MyDoom Variant -- MyDoom.S, also known as MyDoom,Q and MyDoom.R -- has been spreading. This version arrives as an attachment pretending to be funny pictures. Once MyDoom.S has infected a machine, it sends itself out to addresses it finds on that computer as tries to download a Trojan horse program that could allow the compromised machine to be used remotely to send spam or launch attacks.
-http://www.theregister.co.uk/2004/08/16/mydoom_spam/print.html

UK Police Warn of Phishing Scam that Uses Key-Logger Trojan (13 August 2004)

The UK's National Hi-Tech Crime Unit (NHTCU) has issued a warning about a key-logging Trojan horse program that attempts to steal online banking account numbers and PINs. Phishers send out spam email that appears to be an invoice and provides a link for recipients to view more details about the order. The link in fact leads to a site that downloads a Trojan horse program onto vulnerable computers.
-http://www.vnunet.com/news/1157314
-http://www.theregister.co.uk/2004/08/13/trojan_phish/
[Editor's Note (Pescatore): The growth over the last 9 months of both phishing and spyware was cause keystroke logging trojans to be much more widespread. This is happening at the same time that many enterprises have begun to allow employees to use home PCs and other un-managed PCs to access corporate networks. Reusable passwords are back under attack - - one time passwords or two factor authentication are needed.
(Shpantzer): There should be more emphasis on tools that detect spyware, as most of the major antivirus tools are not designed to find keystroke loggers. The two types of tools are complementary, and both should be included in a minimum security package. ]

Microsoft August Security Release is Small (11/10 August 2004)

Microsoft's monthly security release for August contains just one patch. The vulnerability, which received a moderate rating, is a cross-site scripting and spoofing flaw in the Outlook Web Access feature of Exchange Server 5.5. Outlook Web Express for Exchange Server 2000 and 2003 do not contain the flaw.
-http://www.theregister.co.uk/2004/08/11/ms_august_patch_batch/print.html

-http://zdnet.com.com/2102-1105_2-5304284.html?tag=printthis

Apple OS X Update Fixes PNG Vulnerability (10 August 2004)

Apple recently released an update to OS X. OS X 10.3.5 includes a new libpng which fixes a vulnerability in the way the older OS handled PNG graphics. The PNG fix is also available as a patch for users who have not upgraded to Panther.
-http://www.computerworld.com/printthis/2004/0,4814,95146,00.html
-http://www.theregister.co.uk/2004/08/10/apple_osx_10-3-5/print.html

Bagle.AQ Spreads (9 August 2004)

Another Bagle variant, Bagle.AQ, spreads in an infected .zip file with a spoofed sender address. It has its own SMTP engine and collects email addresses from the infected computer to spread itself.
-http://www.eweek.com/print_article/0,1761,a=133137,00.asp
-http://www.computerworld.com/printthis/2004/0,4814,95148,00.html

MISCELLANEOUS

MPAA Says Case Shows Copyright Infringement Will Not be Tolerated (11/10 August 2004)

The Motion Picture Association of America has reached a settlement in a copyright violation case with 321 Studios over the company's DVD copying software. Citing the expense of fighting lawsuits, 321 Studios ceased operations after the settlement. MPAA views its victory in the suit as a clear message from the courts that copyright infringement will not be tolerated. A Taiwanese site, DVDXCopy2.com, was reportedly offering to sell the software once sold by 321 Studios, but the site was down as of August 12.
-http://news.com.com/2102-1025_3-5303946.html?tag=st.util.print
-http://www.extremetech.com/article2/0,1558,1634770,00.asp

One Year Later: What We Learned From Blaster (13 August 2004)

One year after Blaster's appearance, analysts offer their opinions about the worm's impact. Blaster made clear just how quickly and widely a worm can spread; it required no human interaction to spread and targeted both home and business users. Furthermore, Blaster didn't focus on one Microsoft product but instead on basic windows functions. One result is the development of "scan and block" technologies that check systems' security before they are allowed access to computer networks.
-http://informationweek.com/shared/printableArticle.jhtml?articleID=29100173

Copier Security (12 August 2004)

As copiers gain functions like the ability to scan, fax and store documents, they become increasingly vulnerable to cyber attacks. Embedded operating systems in copiers make them vulnerable to MSBlast and similar malware. Some copier manufacturers have begun offering security features like firewalls, secure network interface cards and the ability to electronically shred data after it has been stored on the copier's hard disk.
-http://www.pcworld.com/resource/printable/article/0,aid,117354,00.asp
[Editor's Note (Shpantzer): See this IEEE link for more information on how to mitigate these vulnerabilities.
-http://standards.ieee.org/announcements/pr_p2600.html
So far three vendors' (Canon, Xerox and Sharp) have security-related certifications for copiers/printers. Check out the Common Criteria site for details:
-http://niap.nist.gov/cc-scheme/vpl/vpl_type.html#dcemisc]


(Paller): Sadly, the printer security specifications used for the certifications often ignore several of the most dangerous vulnerabilities in printers. If the Common Criteria program continues to allow vendors to "spin" the program and deliver unsafe systems marketed as "safe" because of Common Criteria, the federal initiative will lose the respect of the community and may lose its funding. ]

Trojan Turns Out to be Old Copy Protection Scheme (12 August 2004)

What was believed to be a Trojan SMS dialer in pirated versions of the Mosquitos game on mobile phones is actually a function of the game's copy protection. The function was included to prevent people from buying less expensive versions of the game in other countries; it would send an SMS to a premium rate number and then unlock the game. Customers complained and the company removed the code, but pirated versions apparently contain the old code.
-http://software.silicon.com/malware/0,3800003100,39123118,00.htm

Biometrics Gradually Appearing in Consumer Applications (11 August 2004)

Public lockers at the Statue of Liberty now use fingerprint readers rather than keys. Biometric technologies, which have been used in military and corporate settings, are moving into the public arena. A Boston hotel uses an iris scanner to let guests into their luxury suite. And a southern grocery store chain has begun using a pay-by-fingerprint system. Biometrics will eventually be used to allow immigration officials to track travelers from foreign countries.
-http://www.securityfocus.com/printable/news/9309
[Editor's Note (Pescatore): Interesting to see biometrics making sense not for security but for cost reduction. Eliminating physical keys and cards from public lockers, hotel rooms, even public and academic libraries results in a cost reduction, since with biometrics the keys or cards are never lost or stolen. Low cost readers and higher false positive rates work for these applications and mass adoption here can lower product costs overall which benefits higher security applications. The remaining hurdles are the privacy issues and the long term reliability of sensors where physical contact is required. ]

Illinois College Student Allegedly Downloaded Information from Student Database (11 August 2004)

Three computers have been seized and three Southern Illinois University Evansville students questioned in connection with a database intrusion. A student allegedly downloaded the names and passport information of 500 foreign students, according to a search warrant filed by university police. The database was established by the university to comply with USA PATRIOT Act provisions. A university spokesman says he expects the university to seek criminal charges. The breach was discovered during a university Office of Information Technology daily log check. While the system does not allow the alteration of data, it was set up to allow database access without a password.
-http://www.stltoday.com/stltoday/emaf.nsf/Popup?ReadForm&db=stltoday%5Cnews%
5Cstories.nsf&docid=A3F75AB9CA0230BB86256EEE0012DF3B



===end===

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/