SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VI - Issue #41

October 13, 2004

One good story and one very bad story to open this issue:

The bad news first:
Microsoft's monthly security bulletin, released Tuesday, includes seven "critical" vulnerabilities and three "important" vulnerabilities. That translates directly into an overload of "critical" tasks for everyone responsible for trying to secure Microsoft software. And how long do we have (days, hours?) until Internet worms start exploiting these Microsoft programming errors? The bulletin is posted at http://www.microsoft.com/technet/security/bulletin/ms04-oct.mspx

Now for the better news:
Last week we told you about the first 2004 Computer Security Leadership Award which went to Congressman Putnam and the staff of his subcommittee. The second 2004 award was announced last Friday in London. It goes to the United Kingdom's National Infrastructure Security Co-Ordination Centre (NISCC) for succeeding at developing trust between industry and government to such a high level that information sharing is really happening. Both awards are described at http://www.sans.org/press/isla100804.php


Confusing Information from DHS on Cybersecurity's Importance
Congressional Oversight Revamped
Former Bush Advisor Named U.S. Computer Emergency Response Team Chair
Homeland Security Names New Acting Cyber Chief


Law Adds Additional Penalties For Spyware Fraud
In Cyberspace, A Dark Alliance
Government Backs IT Security Standard


Filipino Hacker A No-Show In Prelim Investigations
Netherlands Deports More 419ers
Chinese Authorities Apprehend Online Bank Robber
Copyright Bill Dies In Senate As Others Advance
FTC Pursues Former Spam King in Court
Music Industry Sues European Song-Swappers
China Awash With Viruses
ASP.Net Glitch Discovered
SANS Unveils Top 20 Security Vulnerabilities
VoIP To Proliferate In U.S. Households
Firms Failing On Security
Prosecutor Leaves Crime Files On Dumped PC

**Sponsored by Internet Security Systems(tm) A New Standard in Security**

Preemptive protection is a new standard in Internet security that stops attacks before they impact the network. Only Internet Security Systems (ISS) delivers solutions that keep your organization ahead of the threat. To learn more about ISS' intrusion prevention system, download the new whitepaper, Defining the Rules of Preemptive Protection. http://www.iss.net/proof/ipswp/sans/10134


Highlighted Cybersecurity Training Program: CDI South

Back to the Future: Find the Future of Information Security in New Orleans November 1 - 4 at SANS CDI South.

That's where SANS will introduce a program of one- and two-day intensive technology courses on topics ranging from Cutting Edge Hacking Techniques to Ethics, from Business Law and Computer Security to Auditing Wireless Security. If you cannot afford the time for a full week of training, or if you want to focus on two to four topics important to your security program, you won't find a better security conference anywhere. In particular, if you were thinking about attending one of the twenty or thirty old security conferences run by other organizations, compare the faculty they offer against SANS teachers, the timeliness and practicality of the information, and the value you will bring back to your employer (not to mention the weather), and we think it will be easy to choose SANS CDI South in New Orleans over any other security conference.




Confusing Information from DHS on Cybersecurity's Importance (12 October 2004)

All in one day: (1) Secretary Ridge says that the Department of Homeland Security will create an Assistant Secretary position for Cybersecurity raising it to the level of physical security. (2) A DHS spokesperson for the Secretary said no final decision has been made. (3) The current Assistant Secretary for both cyber and physical security told an industry conference that he did not believe creating another assistant secretary's job was appropriate or imminent.

Congressional Oversight Revamped (10 October 2004)

The U.S. Senate, in a vote of 79 to 6, has created a new Homeland Security Committee, made a new subcommittee under the existing Appropriations Committee and strengthened the Intelligence Committee, maintaining that these changes will improve the oversight system the Nine-Eleven Commission called dysfunctional. This follows the Senate's decision to adopt its own plan rather than implement the commission's recommendations for congressional oversight.

Former Bush Advisor Named U.S. Computer Emergency Response Team Chair (08 October 2004)

Former special advisor to U.S. President George W. Bush for cyber security, Howard Schmidt, will [not] be named chairman of the U.S. Computer Emergency Response Team, the operational arm of the National Cyber Security Division within the Department of Homeland Security. Schmidt, chief security officer for eBay Inc., is [not] expected to keep his position at eBay.
[Editor's Note (Paller): Howard will continue at least part time at eBay; he'll be working as a consultant at DHS on partner programs, not running the US-CERT, and my guess is that if he gets his initiatives blocked, as Amit felt his were blocked, Howard will make so much noise that the blockage will dissolve - at least once or twice. When making noise stops working, he'll leave. ]

Homeland Security Names New Acting Cyber Chief (08 October 2004)

Following the resignation of the Department of Homeland Security's cybersecurity chief Amit Yoran, Andy Purdy, Yoran's deputy, has been appointed as acting U.S. cybersecurity chief. Yoran, who resigned with one day's notice, is said to have been frustrated with his limited authority and funds for the division. Purdy will be the fourth person to hold this post in less than two years.
[Editor's Note (Schneier): One would think that if there have been four resignations from the same position in two years, the problem isn't just with the incumbents, but with the position itself.
(Ranum): This article ties nicely with the one above about Howard. Lack of authority is a consistent problem with the government's attempts to implement "security through window-dressing." This problem is not going to get better until real teeth are put into security mandates and heads roll if they aren't met. ]

************************** SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.

(1) Alert: Learn the Fundamentals of Email Security *FREE WHITE PAPER* http://www.sans.org/info.php?id=615

(2) ALERT: Pen Test for the Top Web Application Vulnerabilities - FREE Product Trial http://www.sans.org/info.php?id=616



Law Adds Additional Penalties For Spyware Fraud (08 October 2004)

The U.S. House of Representatives has passed its second anti-spyware bill this month. The first bill, the Internet Spyware Prevention Act (HR 4661), would criminalize the use of spyware to commit fraud or other crimes and add two years to existing federal sentences. The Spy Act (HR 2929), the current bill, would provide civil penalties for distributing spyware or phishing tools.

In Cyberspace, A Dark Alliance (09 October 2004)

According to security consultant John Pironti, spammers and virus writers, who once worked separately, have begun to form an alliance that is straining current spam and virus defenses. Currently, 63 percent of e-mail is spam, but even more threatening is the fact that one in twelve e-mails contains a virus. If this news weren't bad enough, Stefan Savage, a computer science professor at the University of California at San Diego, asserts that while the "bad guys" have become more sophisticated, methods to defend against their skillful and malicious attacks are basically the same as they were five years ago.
[Editor's Note (Schultz): It is certainly true that worm and virus writers often create mail engines that spew spam in systems that become infected. And it is difficult to disagree with the assertion that today's defenses against these threats have not progressed all that far.
(Tan): A virus or Trojan, no matter how sophisticated, still needs a human to make it work. Relying only on virus scanners for protection is a catch-up game that doesn't work. Companies may spend tons of money on gadgets to secure their systems and networks, but people are usually the weakest link, and all the protection can be easily circumvented through human error encouraged by social engineering. Companies should pay more attention to providing awareness and education. ]

Government Backs IT Security Standard (07 October 2004)

The UK Cabinet Office's Central Sponsor for Information Assurance (CSIA) group will begin testing the "Claims Test Mark" scheme as part of an accreditation scheme to provide the public and private sectors with assurance that products do what the vendors claim they do. Although acknowledging that the idea is a good one, Beatrice Rogers, head of private sector at IT industry body Intellect, asserts, "The government needs to make clear what accreditation means for both the public sector authorities and the vendor adopting it."



Filipino Hacker A No-Show In Prelim Investigations (09 October 2004)

A Filipino who allegedly attempted to hack, among others, the official website of the Philippine government, both before and after the May 10 elections, has failed to show for the preliminary investigations conducted by the Department of Justice. It is likely the government prosecutor will soon file a warrant for his arrest.

Netherlands Deports More 419ers (08 October 2004)

Twenty-one scammers from Nigeria and Sierra Leone will be deported. The Dutch government believes it is easier to send them home than to try to prosecute them, in light of the defeat of the Dutch Department of Justice in a court case against 13 West African men who allegedly had been sending thousands of scam e-mails.
Related Article: 419ers Enjoy A Five-Finger Shuffle

Chinese Authorities Apprehend Online Bank Robber (08 October 2004)

After an eight-month hunt, Chinese authorities have arrested a twenty-three-year-old college student who allegedly broke into the Industrial and Commercial Bank of China (ICBC). Authorities charge that Song Chenglin breached the bank's computer system, gaining access to 158 accounts and stealing USD 93,000.


Copyright Bill Dies In Senate As Others Advance (08 October 2004)

A bill backed by the entertainment industry, the Induce Act, which targeted online file-trading networks, has been put aside by the Senate Judiciary Committee. However, another measure sought by the industry was approved. This measure would allow U.S. copyright investigators to file civil suits against peer-to-peer users sharing more than 1,000 songs or other copyrighted works.

Related Article: Entertainment Industry Looks For Supreme Relief
Related Article: Hollywood Files P2P Appeal


FTC Pursues Former Spam King in Court (08 October 2004)

The Federal Trade Commission (FTC) has filed charges in the U.S. District Court for the District of New Hampshire against Sanford Wallace. The FTC also filed charges against the two companies he owns, SmartBot.net and Seismic Entertainment Productions. It is alleged that Wallace, once known as the undisputed king of spam, has been secretly installing advertising and other software programs on users' computers which, among other things, generate pop-up ads. The companies then use these ads to sell software to remove the spyware they themselves have installed on the user's computer. The FTC is seeking a temporary restraining order to halt these practices while the civil action is pursued.


Music Industry Sues European Song-Swappers (07 October 2004)

The trade group International Federation of the Phonographic Industry (IFPI) has filed 459 criminal and civil lawsuits against Internet file-sharing network users in the UK, France and Austria and expects to expand to other countries by January 2005. The lawsuits specifically target users of file-sharing networks such as Kazaa, eDonkey and Gnutella who upload music collections to share with others.

Related Article: Sony to take on iTunes in Europe


China Awash With Viruses (11 October 2004)

According to Chinese state media, there is a low level of awareness regarding virus prevention, and many of China's 78 million online users fail to comply with the nation's security regulations. Officials say these factors are responsible for enabling virus attacks affecting 60 percent of computer networks in Chinese offices in 2004, including those of the national defense department and other government offices.

ASP.Net Glitch Discovered (11 October 2004)

Microsoft has released a software module, the "Microsoft ASP.NET ValidatePath" module (VPModule.msi), which, when applied to Internet Information Server 5.0, 5.1 or 6.0 web servers, will prevent exploitation of the ASP.NET vulnerability discovered a week ago. The vulnerability allows an attacker to bypass security features on a web server and view sensitive material. The vulnerability affects all versions of ASP.NET, which is the latest incarnation of Microsoft's Active Server Page technology.


SANS Unveils Top 20 Security Vulnerabilities (08 October 2004)

A Top-20 list of Internet security vulnerabilities has been released by the SANS Institute, an IT security and research organization, giving organizations a starting point for addressing the critical security vulnerabilities they are facing. The list, which actually consists of two lists of ten, covers the ten most commonly exploited vulnerabilities in Windows, and the ten most commonly exploited in Unix and Linux. According to Ross Patel, director of the Top-20 list, the hot topic this year was web browsers for Windows, as a number of vulnerabilities in Microsoft's Internet Explorer browser made the news. The Top-20 includes instructions on how to deal with flaws on various software platforms.

The Top20 document may be found at


VoIP To Proliferate In U.S. Households (07 October 2004)

A study released by research firm Jupiter Research estimates that about 17 percent of U.S. households, an estimated 12 million, will be using Net phone technology by 2009. However, companies offering Voice over Internet Protocol (VoIP) services will face two major hurdles: landline companies with strong brand recognition among customers, and the increasing popularity of wireless telephony among the younger population.

Related Article: Yes, But Can Your VoIP Service Do This?

[Editor's Note (Shpantzer): VoIP will bring a whole new meaning to SPAM as 'lonely housewife' and black market Viagra pitches will cross from annoying email-based messages to voice messages.
(Ranum): There's a third hurdle: VoIP spam. As usual, a major new technology that serves as a spam-enabler is being rolled out with no effective mechanism to protect it. ]

Firms Failing On Security (07 October 2004)

According to the Global Information Security Survey conducted by Ernst and Young, which polled more than 1,233 organizations in 70 countries, organizations are not acting on their increased awareness of internal security risks. The report also found that although corporations are increasingly outsourcing business abroad to third-party vendors, 80 percent of the organizations surveyed failed to regularly assess the vendor's compliance with the organization's security regulatory requirements.


Prosecutor Leaves Crime Files On Dumped PC (08 October 2004)

A taxi driver in Amsterdam contacted a crime reporter when he discovered the old computer he found in the trash of a Dutch public prosecutor, Joost Tonino, contained files of a highly sensitive nature. The computer contained files on the murder of a real estate owner and an investigation of a tax fraud case against a soccer team, as well as Tonino's credit card number, social security number and personal tax files. The computer, which had not been used in two years, was discarded by Tonino because he thought it had a virus; the operating system would not start.
[Editor's Note (Shpantzer): Full-disk encryption with pre-boot authentication is the only way to protect against these careless acts. It's cheap and it works because it requires no active participation by the user after shutting off the laptop. The real question is why this technology is not more widely deployed, especially among governmental bodies such as prosecution offices.
(Grefer): In a day and age where a gigabyte of disk space can be bought for less than a dollar, anybody discarding a computer system should take care to destroy the disk drive prior to disposing of or donating the system. Depending on the sensitivity of the data, a sledgehammer might be sufficient. ]

NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/