Interactive Courses + Cyber Defense NetWars Available During SANS Scottsdale: Virtual Edition 2021. Save $300 thru 1/27.

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VI - Issue #48

December 01, 2004

The Wall Street Journal ran the first installment of the biggest cyber security story of 2005 on the front page of yesterday's (November 30, 2004) newspaper. It provides a case study and other evidence of the shift of cyber attacks from recreation to a massive crime wave.
Business executives who read the story are gaining a new appreciation for the importance of cyber security. In the coming weeks and months you will read more such stories -- stories that tell about law enforcement agencies handling hundreds of cases of companies paying extortion to keep their retail web sites up and operating. You'll hear how nearly every type of hacking is now being turned to financial advantage of organized crime groups and lone criminals.

Most troubling of all, you'll hear about evidence proving that terrorist groups have used cyber crime to raise money when buying and building their bombs, and evidence that they are training hackers to undermine the financial strength of the US and its allies.

To read yesterday's the Wall Street Journal story, go to and search for "Hackers attack web sites" in the Article Search box.


Patching Tops List of Concerns for Federal CISOs
Spammers Exploit Anti-Spam Technology - DomainKeys
Lycos Screensaver Lashes Back at Spammers
Microsoft Will Try Amnesty Program for Pre-Installed Pirated Versions of XP in UK


Universities Get Minimum Security Benchmarks And Free Testing Tools
Congressional Appropriations Bill Cuts NSF Funding
Security Expert Sues Japanese Government for Alleged Censorship
Anti-Phishing Working Group Sees Sharp Increase in Phishing
Unprotected PCs Hijacked In Minutes
Finnish Citizens Urged to Use Alternative to IE Until IFRAME Flaw is Fixed
Workaround Available for WINS Flaw
Winamp Vulnerability
Tasin Worm Has Malicious Payload
Banner Ads Used as Vector of Attack
Phony Linux Security Bulletin
IBM Offers Interim Fix for DoS Holes
Muscovites' Personal Data Stolen, Sold on CD
UK Man Adds Second Factor of Identification to His Credit File
Phone Phreakers Target County Government System

***Sponsored by Internet Security Systems -- A New Standard in Security**

All intrusion prevention systems (IPS) are not created equal. Find out the difference between reactive and preemptive IPS appliances. Preemptive IPS solutions shield vulnerabilities AND block threats. Reactive IPS solutions only block attacks.

Download the FREE whitepaper, "Defining the Rules of Preemptive Protection: The ISS Intrusion Prevention System," to learn more visit

Highlighted SANS Cybersecurity Training: December 6, 7 and 9
FREE Programs to Help You Find WhatWorks Among Security Tools
WhatWorks in Intrusion Prevention and
WhatWorks in Stopping Spam and Email Viruses Sign up for these user case studies at
Immersion Training Courses
**Washington DC, December 7 - 14 [14 Hands-On Immersion tracks]
**Orlando FL, February 3 - 9 [15 Hands-On Immersion Tracks]
**Houston TX, March 10 - 16 [12 Hands-On Immersion Tracks]
**Sydney Australia, February 21-26 [6 Hands-On Immersion Tracks]


Patching Tops List of Concerns for Federal CISOs (22 November 2004)

A survey of 25 federal agency chief information security officers (CISOs) found that patching is their number one concern. Nearly half of those surveyed said that the private sector should make it a priority to improve the quality assurance of their products. The CISOs also placed network compromises and compliance with the requirements mandated by the Federal Information Security Management Act (FISMA) near the top of their list. FISMA compliance appears to be especially difficult for security managers with IT budgets under US$500,000 who spend 45% of their time on compliance issues; managers with budgets over US$10 million spend 27% of their time on compliance issues. In addition, more than 85% of the managers surveyed said that commercial software for compliance reporting would be very helpful.
[Editor's Note (Paller): The only sensible solution we've seen to the patching problem is the US Air Force's innovative contract that they estimate will save $100 million in unnecessary patching costs (and another $100 million in software costs). The contract also gives the Air Force a head start on compliance with FISMA's minimum security configuration requirements. The CIO of the Air Force has set a very high and impressive standard in using procurement to improve security. ]

Spammers Exploit Anti-Spam Technology - DomainKeys (29 November 2004)

Spammers have begun using DomainKeys to make their fake messages appear legitimate. DomainKeys was one of the more promising technologies designed to eliminate forging, but spammers appear to have co-opted it.

Lycos Screensaver Lashes Back at Spammers (29/26 November 2004)

In a new twist in the fight against spam, Lycos has released a screensaver that requests data from the web sites that advertise the products touted in the unsolicited commercial email. The goal is to increase spammers' bandwidth costs to the point where it is no longer effective for them to continue sending spam. The goal is not, however, to bring the sites down with a distributed denial-of-service attack; the screensaver is carefully calibrated to make sure the traffic does not overwhelm the sites.
[Editor's Note (Schneier): I don't like spam, but this is not how to go about defeating it. Vigilante justice may feel good, but it's morally and ethically wrong.
(Schultz): Nobody likes spam, but the approach Lycos is taking is at best borderline from an ethical standpoint. Not only is Lycos "striking back," but in doing so it is generating a substantial increase in network traffic, the consequences of which will affect many others besides the spammers. Furthermore, malicious users can now readily slow down non-spam-related web sites by simply sending email messages that contain URLs for these sites. Lycos has in effect opened Pandora's Box. ]

Microsoft Will Try Amnesty Program for Pre-Installed Pirated Versions of XP in UK (25 November 2004)

Microsoft says it will provide free, legitimate copies of its Windows XP operating system software to UK users who suspect their pre-installed versions of the software are pirated. Microsoft will check the suspect versions and offer users new ones if theirs turn out to be pirated. Users with pirated pre-installed software will not face legal repercussions, but the suppliers could face reprisal.


[Editor's Note (Schneier): What this policy says to me is that Microsoft is finally realizing that all of those insecure pirated copies of Windows out there are a security vulnerability to their entire user base. If this move allows all copies of Windows -- legal and illegal - -- to be patched, then it's a good thing.
(Paller): A nice thought Bruce, but I think it is simply a program to force OEMs (it applies only to preinstalled versions) to pay Microsoft for the copies of Windows they preinstall. It is compiling evidence and giving free software to get the evidence. Each person submitting a copy has to send in a "witness statement." ]

************************** SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.

(1) ALERT - Spam is rising exponentially: Stop the Flood - Free Whitepaper

(2) ALERT! Hackers Gain Access to Backend Data Via Web Applications- FREE WHITE PAPER




Universities Get Minimum Security Benchmarks And Free Testing Tools (29 November 2004)

EDUCAUSE has contracted with the Center for Internet Security (CIS) to allow all 4,000 universities that are EDUCAUSE institutional members to get free licenses to use and redistribute CIS minimum security benchmarks and security testing tools on college- and university-owned systems and on students, faculty, and employee-owned systems. The partnership also allows security specialists in EDUCAUSE member institutions to become involved in the CIS consensus projects and CIS work-for-hire projects if they have Java programming skills and experience in working with XML files and tools. (Email if you have the skills and interest.)


Congressional Appropriations Bill Cuts NSF Funding (23 November 2004)

Despite the President's IT Advisory Committee recommendation to increase funding for National Science Foundation cyber security research, Congress passed an appropriations bill that actually cut the NSF's budget to $5.47 billion, $60 million less than it received for fiscal 2004, and $227 million less than the president's request.

Security Expert Sues Japanese Government for Alleged Censorship (22 November 2004)

Ejovi Nuwere, CTO of SecurityLab Technologies, Inc., has filed a lawsuit against the Japanese government, alleging that it violated his right to freedom of speech when he was asked to omit certain information in a talk he gave at a recent security conference. Nuwere was supposed to give a talk about security issues concerning Juki Net, Japan's on line citizen registry network. A security audit in which Nuwere participated last year revealed serious security concerns -- the penetration testers were able to compromise servers in one of the country's prefectures. Nuwere was allegedly asked by Japan's Ministry of Internal Affairs and Communications not to show certain slides and not to talk about the conclusions he drew from the audit. The lawsuit asks for JY 30 million (approximately US$291,000) in punitive damages.


Anti-Phishing Working Group Sees Sharp Increase in Phishing (24 November 2004)

The Anti-Phishing Working Group says that the number of phishing web sites has increased dramatically over the past few months; between September and October of this year alone, the number of phishing sites increased more than 100%. Phishers are also using increasingly large numbers of automated tools and bot networks to help them with their scams.



Unprotected PCs Hijacked In Minutes (30 November 2004)

Six PCs connected to the net via DSL broadband were barraged with more than 300,000 automated in 15 days. The Windows XP (SP1) computer was compromised nine times in those 15 days.

Finnish Citizens Urged to Use Alternative to IE Until IFRAME Flaw is Fixed (29 November 2004)

The Finnish Communications Regulatory Authority is urging citizens to refrain from using Internet Explorer until Microsoft issues a patch for the IFRAME vulnerability. An exploit for the vulnerability has already been spotted on the Internet. The vulnerability affects Windows 2000 and Windows XP with Service Pack 1.

Workaround Available for WINS Flaw (29 November 2004)

Microsoft has made a workaround available for a vulnerability in WINS (Windows Internet Name Service) that could be exploited to gain remote control of a vulnerable server and possibly execute malicious code. The flaw affects Windows NT 4.0 Server, Windows NT 4.0 Server Terminal Server Edition, Windows 2000 Server and Windows Server 2003. Microsoft recommends blocking TCP port 42 and UDP port 42 at the firewall level; it also encourages organizations that don't need WINS to remove it from their systems. Microsoft says it plans to address the problem in a future monthly security bulletin.

Winamp Vulnerability (25 November 2004)

A buffer overflow flaw in a library file used by the Winamp media player could allow attackers to take control of machines running Winamp. In order for the exploit to work, users have to be tricked into running specially crafted files. The vulnerability is known to affect Winamp versions 5.05 and 5.06; earlier versions may be vulnerable as well. Proof-of-concept code has already been released.

Tasin Worm Has Malicious Payload (23 November 2004)

The Tasin worm, which presently has three known variants (A, B and C) arrives as an attachment to a Spanish-language email. Tasin.A displays windows that imply it is a game, but this is merely a distraction while it executes its payload -- placing several files, including copies of itself, on the infected computer and deleting system files. It also makes an entry in the Windows registry to ensure that it is run every time the system is started up.

Banner Ads Used as Vector of Attack (23/21 November 2004)

The Register, an often-edgy publication that frequently covers information security stories, suspended ad serving from Falk AG after it became apparent that banner ads it was serving were infected with the Bofra virus, which exploits the IFrame vulnerability in Internet Explorer 6.0 in all versions of Windows except for Windows XP SP2.

Phony Linux Security Bulletin (20 November 2004)

A phony security bulletin warning of a vulnerability in fileutils in certain Linux distributions has been circulating on the Internet. The email provides a link to what it says is a patch, but which actually downloads a backdoor Trojan onto the user's computer.

IBM Offers Interim Fix for DoS Holes (19 November 2004)

IBM has made available an interim fix for 2 denial-of-service vulnerabilities in its HTTP Server 2.0.

Muscovites' Personal Data Stolen, Sold on CD (25 November 2004)

Russian cyber thieves stole information from the Russian Tax Authority's database and are selling it for approximately US$30 on a CD. The stolen data includes the incomes, addresses and financial histories of most people in the Moscow area. Officials from the Interior Ministry had no comment; Federal Tax Service officials said it was important to find out how the information could have been compromised.
[Editor's Note (Ranum): This kind of thing will only become more pervasive, as insiders continue to have overly high amounts of access. In virtually every organization, access to data is more pervasive than it needs to be. ]

UK Man Adds Second Factor of Identification to His Credit File (24 November 2004)

A UK man has requested that a "Notice of Correction" be placed on his credit file stating that a thumbprint must accompany any credit applications made in his name. He has also submitted his fingerprint to each of the three main credit agencies. If credit is extended in his name without a fingerprint, he will not be liable for any incurred losses. Lenders would not be required to match fingerprints; if a phony fingerprint were submitted, police would have another mode of identification when trying to catch the thief.

[Editor's Note (Schneier): This is creative, but I wonder how practical it would be if it became more popular. If someone applying for a fraudulent credit card uses someone else's fingerprint, how will this help trace the actual culprit? And if Citibank's experiments with photos on the back of credit cards is any indication, merchants will simply ignore it.
|(Grefer): More importantly, the burden of proof that it was not him is going to be minimal. ]

Phone Phreakers Target County Government System (23 November 2004)

Phone phreakers managed to break into the Linn County (New York) telephone system and alter the outgoing message on several voice mailboxes to sound as if they were accepting third-party charges for long distance collect phone calls. Part of the problem was that some employees used their extension numbers as their voice mailbox passwords. The system has been changed not to accept third-party collect calls.


NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit