
Volume VI - Issue #6

February 11, 2004

Late Breaking News:
Microsoft released three new security bulletins yesterday. One of them affects the Abstract Syntax Notation (ASN) library, which is used by many of the security and authentication services on Windows OSes.

This is a CRITICAL update which needs to be addressed as soon as possible. The ASN library is used in essentially every network daemon, including VPN clients, HTTPS, and NTLM authentication. If you remember, ASN.1 issues were behind the spree of OpenSSL bugs last year. Run Windows Update now. Don't delay.
Microsoft's Security Bulletin:

You'll notice in this issue an increase in stories about information security in Asia. For the expanded coverage we can thank Koon Yaw Tan of the Infocomm Development Authority of Singapore, who has graciously agreed to join the NewsBites editorial board.



DHS Creates Three New IT Security Organizations
OMB: Security Must Come First
Study Shows Most Web Applications Have Vulnerabilities
Tracking Legal Liability For Security Breaches


Pentagon Won't Use SERVE Internet Voting System
Michigan Goes Ahead with Internet Voting


South Korea Spammers Fined
Music Industry Investigators Raid KaZaA Offices
DHS's Amit Yoran Interviewed
Man Pleads Guilty in PayPal Phishing Case
Senator Calls for Mandatory Alerts
Bill Would Increase Penalties for Cyber Criminals Who Falsify Web Registration Information
Treasury Department Warns of Fraudulent Fee Notices and Phishing Scheme
Microsoft Releases Hidden Data Removal Tool
Chinese Government to Crack Down on Spam
Mobile Phone Spam a Growing Problem in Asia


New Mydoom Variant
Microsoft Releases XML Update for IE Patch
Denial-of-Service Attack Vulnerability in OpenBSD Implementation of IPv6
Check Point Firewall Vulnerabilities
RealNetworks Update for Media Player Vulnerabilities
Cisco Offers Upgrades for Flaw in Catalyst 6000/6500 Switches and Cisco 7600 Routers


Matt Bishop Clarifies the eVoting Vulnerability Study




DHS Creates Three New IT Security Organizations (9 February 2004)

The Homeland Security Department (DHS) has created three organizations to bolster IT defenses and coordinate system threat responses. The new organizations are the Government Forum of Incident Response Teams (G-FIRST), the Chief Information Security Officers Forum and the Cyber Interagency Incident Management Group.
[Editor's Note (Schultz): Why three organizations when there are already too many incident response teams and capabilities within the US government? ]

OMB: Security Must Come First (5 February 2004)

The Office of Management and Budget (OMB) Administrator for E-Government and IT Karen Evans wants agencies to spend money getting their IT security up to snuff before they "develop, modernize or enhance" any systems. Agencies that have demonstrated good security (practices) are exempt from this requirement.

[Editor's Note (Schneier): Doesn't upgrading security count as "developing, modernizing, or enhancing" systems? Seems like a false dichotomy, even if it's a good priority. ]

Study Shows Most Web Applications Have Vulnerabilities (5 February 2004)

A four-year test of more than 250 Web applications found that at least 92% of them were vulnerable to attacks including cross-site scripting, SQL injection and parameter tampering. WebCohort's Application Defense Center conducted the test, which looked at applications on "e-commerce, online banking, enterprise collaboration and supply chain management web sites."

Tracking Legal Liability For Security Breaches (4 February 2004)

Scott Berinato of CIO Magazine provides a summary of recent litigation in which user organizations are paying for their security mistakes. A new case filed against Microsoft claims that the company's dominance may give it an affirmative responsibility for foreseeable losses -- including identity theft.
[Editor's Note (Schultz): The fact that software vendors have for so long successfully evaded responsibility for the problems bugs in their software have caused is troubling. Hopefully, a change in which vendors are increasingly held responsible for faulty software is imminent.
(Ranum): I've seen discussions of this article in which people with a greater understanding of the law have pointed out that the conclusions drawn from this article are much more far-reaching than they should be, given the significance of the litigation. ]




Pentagon Won't Use SERVE Internet Voting System (5 February 2004)

Citing concerns about the security of the Secure Electronic Registration and Voting Experiment (SERVE), the US Defense Department has decided against using it in the forthcoming elections. The decision came just over a week after a report was released questioning the system's integrity. The system may be used if, after further study, it appears that voting integrity can be assured. SERVE was developed to allow Americans living abroad, including those in the armed forces, to use the Internet to vote. Seven states had hoped to use the system in upcoming elections.
Text of the Panel's Report:
[Editor's Note (Schneier): I suspect that this is more a nod to publicity and realpolitik than to any perceived need on the Pentagon's part to fix security, but it's nevertheless the right choice at this point. Of course, the correct choice would have been to build a system that didn't fall over at the first push. ]

Michigan Goes Ahead with Internet Voting (6 February 2004)

Despite the Pentagon's decision, Michigan decided to go ahead with its Internet voting system. Michigan Democratic Party spokesman Jason Moon said their system is different from the Pentagon's but scientists who found flaws in the Pentagon system said the Michigan system has many of the same problems.


South Korea Spammers Fined (9 February 2004)

South Korea's Fair Trade Commission has fined 25 spammers between 1 million and 7 million KRW ($860-$6020 USD) for violations of the E-Commerce Consumer Protection Law.
[Editor's Note (Shpantzer): Unless the fines and subsequent penalties for re-offending get heavier, this is a low cost of doing business for spammers. ]

Music Industry Investigators Raid KaZaA Offices (6 February 2004)

Music Industry Piracy Investigations, an industry-owned group, raided the offices of peer-to-peer network KaZaA to gather evidence in a copyright infringement/music piracy case. They also raided the offices of Sharman Networks, KaZaA's parent company, as well as the homes of two company executives, several universities and service providers.

DHS's Amit Yoran Interviewed (6 February 2004)

The first story is an interview with Amit Yoran, head of the Homeland Security Department's (DHS) National Cyber Security Division. In the second story, Yoran says DHS is exploring alternatives to the Patch Authentication and Dissemination Capability (PADC).

Man Pleads Guilty in PayPal Phishing Case (5 February 2004)

Alec Scott Papierniak of Minnesota has pleaded guilty in federal court to wire fraud; he admitted to using a phishing scheme to steal funds from PayPal customers and to sending keystroke-logging software to some of his victims. Papierniak has agreed to pay restitution; he will be sentenced in May.

Senator Calls for Mandatory Alerts (4 February 2004)

Senator Charles Schumer (D-NY) would like the Homeland Security Department's (DHS) National Cyber Security Division (NCSD) to "become the functional equivalent of the Centers for Disease Control," sending mandatory alerts to critical infrastructure and service providers through secure channels when cyber attacks reach a prescribed threshold. Schumer spoke critically of the NCSD's newly launched plan, which sends virus alerts via e-mail; he fears that format could be exploited to spread viruses.

Bill Would Increase Penalties for Cyber Criminals Who Falsify Web Registration Information (4/7 February 2004)

Representatives Howard Berman (D-Calif.) and Lamar Smith (R-Texas) last week introduced the Fraudulent Online Identity Sanctions Act, a bill that calls for increased penalties for cyber criminals who falsify information in their web site registrations. While one of the bill's sponsors initially wanted to criminalize all false web site registrations, he changed his mind after it was pointed out to him that some people have a legitimate need to protect their identities on line. Berman also wants the bill expanded to hold registrars accountable for ensuring the registration information is accurate.
[Editor's Note (Pescatore): This is a touchy issue, and legislation should be the last resort. The first resort should be ICANN forcing registrars to enforce existing guidelines on the accuracy of registration information. ]

Treasury Department Warns of Fraudulent Fee Notices and Phishing Scheme (4 February 2004)

The US Treasury Department has issued an alert, warning of two "fraudulent schemes." The first is a phishing scam, which has already generated some press; in the second, bank customers receive phony "ANTI-TERRORIST STOP ORDER letters" telling them they must pay a $25,000 fee for a certificate in order to conduct further transactions.

Microsoft Releases Hidden Data Removal Tool (2 February 2004)

Microsoft has released Remove Hidden Data Add-In Tool, which will remove data such as change tracking and comments from documents. The tool works with Microsoft Word, Excel and PowerPoint files for Office XP/2003.

[Editor's Note (Shpantzer): Unfortunately the vast majority of users still haven't switched to the latest versions of Office, so this will continue to be a problem for quite a while. One does not need to be a sophisticated hacker to get the metadata; it is retrievable with a hex editor, or even at the end of the data stream if you open a Word doc with the Notepad application. Go to and search 'metadata' for tips on how to remove this from your documents.
(Schneier): About bloody time. Hidden data has been a problem with Office files since before Word, Excel, et al. were clumped into Office. Of course, it would have made more sense to build the applications without the hidden data problems in the first place. It'll be interesting to see if there's any fallout from data missed or unintended consequences, of course. ]

Chinese Government to Crack Down on Spam (2 February 2004)

Chinese government ministries are working together to fight spam; the government hopes that by June, 90% of the country's e-mail servers will have measures in place to prevent spam. The government is especially concerned with spam's potential for distributing pornography and subversive political material.

Mobile Phone Spam a Growing Problem in Asia (2 February 2004)

Spammers are increasingly targeting mobile phone users in Asia. DoCoMo is taking measures like blocking messages that don't have specified recipients; it has also cut off more than 2,000 lines for spam abuse and in some instances has sought damages.
[Editor's Note (Ranum): This is inevitable. As statistical anti-spam filters and heuristic methods improve, most end-point software will be increasingly able to react to spam. It's the captive devices, in which a user will be unable to update the firmware, that will be unable to react. Pagers, cell phones, PDAs, bluetooth devices, etc., will all be targeted by spammers. ]


New Mydoom Variant (9 February 2004)

The Mydoom.C virus, also known as SyncZ or Doomjuice, uses computers infected with the original Mydoom virus to launch a denial of service attack on Microsoft's web site. It does not spread through e-mail; it does, however, leave a copy of the original Mydoom source code on the hard drive of each infected computer, possibly as an attempt to obscure the code's origin.

Microsoft Releases XML Update for IE Patch (6 February 2004)

The update is part of recently released Service Packs.

Denial-of-Service Attack Vulnerability in OpenBSD Implementation of IPv6 (6 February 2004)


Check Point Firewall Vulnerabilities (4/6 February 2004)

Attackers are already aware of and exploiting one of the flaws to install backdoors on vulnerable systems, according to Internet Security Systems (ISS). Check Point has released a patch for one of the flaws but not the other, because it no longer supports the software in which that flaw exists.


RealNetworks Update for Media Player Vulnerabilities (5/6 February 2004)



Cisco Offers Upgrades for Flaw in Catalyst 6000/6500 Switches and Cisco 7600 Routers (4 February 2004)



Matt Bishop Clarifies the eVoting Vulnerability Study

Matt Bishop, America's leading security academic and the author of the definitive college text on Information Security, wrote to us about an item in last week's NewsBites regarding a study of the security of Diebold electronic voting machines. Obviously he played a role in the study.

Our summary of the news read:
--Study Finds Vulnerabilities in e-Voting Hardware (29 January/1 February 2004)
A study conducted by RABA Technologies of the Diebold electronic voting system slated to be used in Maryland's March presidential primary elections found that while the system tabulated votes accurately, it remained vulnerable to tampering that could affect the authenticity of each vote. The study, which was commissioned by Maryland's legislative services department, focused on the system's hardware.
RABA's Report:

Matt commented:
The study did not "focus(ed) on the system hardware", nor did the study find problems in the hardware only; it also found problems in the software. The hardware problems arose in four places: first, in the ability to pick the locks on the machines; second, in the ability to disconnect the wires connecting the monitor; third, in the ability to put the machine into an internal loop by repeatedly shoving the voter card in as it tried to eject; and fourth, to use a bogus smart card. The rest of the problems were in software, and I'd argue that the smart card problem was a software problem as well, since once the passwords that protected the smart cards were discovered (and they were very easy to find; the report explains that they were first guessed, then found in another way), bogus cards could be made.

Further, all the attacks on the GEMS server were software-based; the only hardware components were the lack of protection of the USB port and a potential attack on the phone switch (which wasn't necessary; a bit of social engineering would have worked just as well).

The NewsBites item made it sound like the study targeted only the hardware, and that the only flaws the study found were in the hardware, so if you protected the hardware of the systems, you were fine. All of this is completely false; the study targeted the systems as they would be used in an election, flaws were found in the software, and protecting the hardware is not enough; changes had to be made to the software too (see for example recommendations 1, 3, 4, 5, 6, 7, 8, and 9 on p. 22; the general recommendations go even further).


NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit