Register now for SANS Cyber Defense Initiative 2016 and save $400.

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #1

January 05, 2005

TOP OF THE NEWS

Corporate Executives Engaging in CyberCrime
S. Korean Law Would Hold Banks Liable for Cyber Attacks
eBay Discontinues Use of Microsoft's Passport

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Iowa Man Pleads Guilty in Piracy Case
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DHS IAIP Undersecretary Frank Libutti Resigns
SPAM & PHISHING
Microsoft Wins US$7.4 Million Civil Suit Against Spammer
Dutch Regulator Slaps Fines on Spammers
AOL Reports Significant Drop in Spam Volume
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Overflow Flaw in Mozilla 1.7.3 and Below
Phel Trojan Exploits Known IE 6.0 Hole
Cabir Source Code Posted; New Versions Spreading
Symantec Releases New Firmware Builds for Flaws in Several Appliances
Santy Variants Spreading
Anti-Santy Worm Detected
Microsoft Investigating Reported Vulnerabilities
MISCELLANEOUS
2004 Cyber Threat Wrap-Up and Trends
The Future of The Consumer Cyber Security Market


**************** Sponsored by SANS Orlando 2005 *************************
The largest security training conference in Orlando starts in just 30 days. Practical, timely, exciting training programs for every security professional. Fourteen immersion tracks for security practitioners, managers and auditors. Those seeking ISC2 CISSP certification will find the nation's top rated prep course at SANS Orlando, too. Plus seven one and two day short courses. And Orlando is comfortable in February!

Details: http://www.sans.org/orlando05/
PS. The early registration discount ends this week.

*************************************************************************

TOP OF THE NEWS

Corporate Executives Engaging in CyberCrime (December 2004)

Corporate America faces a new kind of cracker. Information-technology managers and chief technology officers-the people charged with safeguarding corporate networks-are engaging in acts of digital espionage. In the past two years, a half-dozen cases have hit the courts, charging that technology executives have broken into the computer systems of a rival. Keep the fingers of your competitors off secrets you now store on hard drives and servers.
-http://www.baselinemag.com/article2/0,1397,1744061,00.asp

S. Korean Law Would Hold Banks Liable for Cyber Attacks (30 December 2004)

Pending legislation in South Korea would hold financial institutions and e-banking providers liable for damages incurred by customers in the event of cyber attacks or computer malfunctions. The institutions would not be held liable in the event the customers cause the problems, whether deliberately or inadvertently, however.
-http://english.chosun.com/w21data/html/news/200412/200412300030.html
[Editor's Note (Schneier): I believe this is the best way to generate improvement: to make the institution that can take action be the one that's responsible. ]

eBay Discontinues Use of Microsoft's Passport (3 January 2005/31/30 December 2004)

eBay has informed its customers that it will no longer allow them to sign on using Microsoft's Passport web identity service, which allows users to store information like passwords and credit card data to be used on the Internet. An eBay spokesman said very few customers used Passport to sign on regularly. Passport has met with resistance, as evidenced by the formation of the Liberty Alliance, which hoped to develop standards for identity authentication on the Internet and promote alternatives to Passport. Microsoft has announced that it will no longer market Passport to third parties, but will continue to stand behind Passport, using it for MSN and their partners and providing support to third party sites that continue to use the service.
-http://www.computerworld.com/printthis/2005/0,4814,98677,00.html
-http://seattletimes.nwsource.com/cgi-bin/PrintStory.pl?document_id=2002136272&am
p;zsection_id=2002119995&slug=passport31&date=20041231

-http://www.eweek.com/print_article2/0,2533,a=141849,00.asp
-http://www.eweek.com/print_article2/0,2533,a=141816,00.asp
[Editor's Note (Schultz): Any kind of "one credential fits all" scheme is poor from a security perspective because it is so subject to widespread abuse by anyone who steals a credential. Electronic transactions require stronger authentication schemes than many financial and other organizations currently use. ]


************************** SPONSORED LINKS ******************************
Privacy notice: Sponsored links redirect to non-SANS web pages.

(1) Free Internal Security Information Kit from Check Point: Protect your network now.
http://www.sans.org/info.php?id=700

(2) Secure your network! FREE Configuration Management eBook - expert Tips, Tricks & Strategies.
http://www.sans.org/info.php?id=701

*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Iowa Man Pleads Guilty in Piracy Case (28 December 2004)

Jathan Desir, a 26-year-old Iowa man, has pleaded guilty to copyright infringement and conspiracy to commit copyright infringement for his part in a piracy operation that distributed music, games, software and movies over the Internet. Desir will be sentenced on March 18, 2005, and will face up to 15 years in prison. Desir was caught through Operation Fastlink, which aims to curb digital piracy on an international level.
-http://news.zdnet.com/2102-3513_22-5505610.html?tag=printthis

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

DHS IAIP Undersecretary Frank Libutti Resigns (27/23 December 2004)

DHS Secretary Tom Ridge announced that Frank Libutti has resigned from his position as undersecretary for information assurance and infrastructure protection (IAIP); Ridge himself plans to leave DHS in February. Libutti did not say when he will officially step down, nor did DHS name anyone to fill the role as interim chief. Recently enacted legislation removed authority over counterterrorism investigations and information sharing from the IAIP directorate. Libutti has worked to retain control of national cyber security, but his efforts have met with resistance from legislators.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=31418

-http://www.fcw.com/fcw/articles/2004/1227/web-libutti-12-27-04.asp

SPAM & PHISHING

Microsoft Wins US$7.4 Million Civil Suit Against Spammer (1 January 2005)

Microsoft has filed notice in Pima County (AZ) Superior Court that is has won a US$7.4 million civil judgment in King County, Washington, against Glenn Hannifin. Microsoft says that Hannifin has sent millions of spam emails. The lawsuit claims that Hannifin violated both federal and Washington state anti-spam laws.
-http://www.dailystar.com/dailystar/dailystar/55002.php

Dutch Regulator Slaps Fines on Spammers (30/29 December 2004)

Dutch telecommunications regulator OPTA has imposed large fines on three spammers; the Netherlands banned unsolicited email to consumers in May, 2004. The fines ranged from 20,000 Euros to 42,500 Euros (approximately US$27,000 to US$57,000). One of the scams used SMS (short messaging service) to send mail to mobile phones. People who opened the mail were automatically charged 1.1 Euros (US$1.49). OPTA is coordinating an information sharing effort within the EU to help cut down the volume of spam; eight of 25 EU member nations have signed up for the program.
-http://www.computerworld.com/printthis/2004/0,4814,98634,00.html
-http://business.newsfactor.com/story.xhtml?story_id=193.5674200
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39182754-39020375t-10000025c

AOL Reports Significant Drop in Spam Volume (28 December 2004)

America Online said that it has seen spam drop significantly to its customers. The average number of spam emails blocked daily dropped from 2.4 billion in 2003 to 1.2 billion in late 2004. AOL received 2.2 million spam complaints in November 2004, compared with 11 million in November 2003. AOL users report spam by clicking a "report spam" button. AOL says that anti-spam legislation along with its spam filtering tools are responsible for the decline in volume. Other Internet providers say they have not seen a decrease in the amount of spam on their networks over the past year; this may be attributable to AOL's aggressive stance regarding legal action against spammers.
-http://www.washingtonpost.com/ac2/wp-dyn/A30433-2004Dec27?language=printer
(this site requires free registration)
[Editor's Note (Schultz): Reports that spam is decreasing are exceedingly rare. I only partially agree with AOL. This ISP is doing a really good job in combating spam and malware, but I'm not convinced that anti-spam legislation has made much of a difference so far. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

Overflow Flaw in Mozilla 1.7.3 and Below (30 December 2004)

A heap-based buffer overflow flaw in Mozilla versions 1.7.3 and earlier could allow attackers to execute malicious code on vulnerable machines. The vulnerability lies in a boundary error in the "MSG_UnEscapeSearchUrl()" function in "nsNNTPProtocol.ccp" when processing NNTP URIs. Users are encouraged to update to Mozilla version 1.7.5.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1037799,0
0.html

Phel Trojan Exploits Known IE 6.0 Hole (30/29 December 2004)

The Phel Trojan horse program exploits the "Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass" vulnerability in Internet Explorer 6.0; this vulnerability is in the way Internet Explorer handles help files called from web pages. The flaw affects Windows XP, even with Service Pack 2 installed. Maliciously constructed web pages infect vulnerable machines with the Trojan horse program which allows attackers remote access to the infected computer.
-http://news.zdnet.com/2102-1009_22-5506709.html?tag=printthis
-http://www.computerworld.com/printthis/2004/0,4814,98636,00.html
-http://www.theregister.co.uk/2004/12/30/ms_phel_vuln/print.html
-http://www.techweb.com/article/printableArticle.jhtml?articleID=56200634&sit
e_section=700028

[Editor's Note (Grefer): Given the regularity with which IE vulnerabilities are exposed, and also considering its tight integration with the Windows operating systems, users might want to consider switching to alternate browsers, such as Mozilla/Firefox (www.mozilla.org) or Opera (www.opera.com), for regular activities. ]

Cabir Source Code Posted; New Versions Spreading (29/28 December 2004)

The source code for the Cabir worm has apparently been made available on the Internet. Cabir uses Bluetooth to infect mobile phones that are running the Symbian operating system. The worm disguises itself as a utility and is not particularly malicious, but it can be used to spread other malicious code, like the Skulls Trojan horse program. Newer variants (Cabir.H, Cabir.I and Cabir.J) of the worm have the potential to drain the batteries of infected phones because a bug which slowed down the worm's spread in older versions has been repaired.
-http://www.techweb.com/article/printableArticle.jhtml?articleID=56700137&sit
e_section=700026

-http://www.eweek.com/print_article2/0,2533,a=141669,00.asp
-http://www.computerworld.com/printthis/2004/0,4814,98578,00.html
-http://news.zdnet.com/2102-1009_22-5505854.html?tag=printthis

Symantec Releases New Firmware Builds for Flaws in Several Appliances (31/28 December 2004)

Symantec has fixed 3 "high risk" remotely exploitable vulnerabilities in its Symantec Firewall/VPN, Symantec Gateway Security and legacy Nexland Firewall Appliances. The vulnerabilities could allow a denial-of-service attack against the firewall appliance, identify active services in the WAN interface and exploit the services to gain information about and alter the firewall's configuration. Symantec has released firmware builds 1.63 for the Symantec Firewall/VPN Appliance models 100, 200 and 200R, 622 for Symantec Gateway Security Appliance models 320, 360 and 360R, and 16U for Nexland Firewall Appliances. The denial-of-service vulnerability does not affect the Gateway Security Appliances.
-http://securityresponse.symantec.com/avcenter/security/Content/2004.09.22.html
-http://www.eweek.com/print_article2/0,2533,a=141841,00.asp

Santy Variants Spreading (28/27 December 2004)

New variants of the Santy worm are spreading with the help of information gathered through Google as well as through Yahoo and AOL. Santy uses the search engines to find web pages running vulnerable versions of phpBB (PHP Bulletin Board) software and proceeds to deface those pages. Perl.Santy.B affects web pages running versions phpBB 2.x prior to 2.0.11. Other variants attack a range of programming errors in PHP web pages. Protecting the vulnerable pages may require recoding them because the new variants exploit the unsecure use of include() and require() functions.
-http://news.zdnet.com/2102-1009_22-5504769.html?tag=printthis
-http://www.computerworld.com/printthis/2004/0,4814,98553,00.html

Anti-Santy Worm Detected (31 December 2004)

There have been a handful of reports of a worm that seeks out pages with the phpBB vulnerability and tries to install a patch to make the site more secure. It also reportedly defaces the sites with a warning such as: "viewtopic.php secured by Anti-Santy-Worm V.4. Your site is a bit safer, but upgrade to >=2.0.11." The defacement pages lead to IP addresses that indicate that Anti-Santy may have originated in Argentina. Though it may seem to be doing a good deed, Anti-Santy causes an increase in traffic and the safety of the patch it installs is unknown.
-http://news.com.com/2102-7349_3-5508607.html?tag=st.util.print
-http://www.eweek.com/print_article2/0,2533,a=141843,00.asp

Microsoft Investigating Reported Vulnerabilities (27 December 2004)

Microsoft is investigating reports of several vulnerabilities in its products. The company has said it is "disappointed" that standard disclosure procedures were not followed. Normally vendors are informed of flaws discovered before the information is released to the public. The flaws are in the Windows LoadImage API Function, the Help system and the Windows ANI format authentication.
-http://www.eweek.com/print_article2/0,2533,a=141645,00.asp

MISCELLANEOUS

2004 Cyber Threat Wrap-Up and Trends (2 January 2005/29 December 2004)

Security threats of all kinds have increased significantly over the past year. Phishing attacks grew 30% a month according to the Anti-Phishing Working Group, and the number of botnets, that has fed the spam problem, increased. What has dwindled, however, is the number of worms written simply for the glory of seeing how quickly and widely it can spread. Instead, malware writers are turning an eye to financial gain. Also new in 2004 was Cabir, the first mobile phone worm that uses wireless protocol to spread itself. On the bright side, 2004 was a good year for apprehending and prosecuting cyber criminals: eight virus writers were arrested and two sites used to trade stolen credit card numbers were shut down.
-http://news.bbc.co.uk/1/hi/technology/4105007.stm
-http://www.computer-security-news.com/artman/publish/printer_plague-4998.shtml

The Future of The Consumer Cyber Security Market (26 December 2004)

The ubiquity of spyware has raised the question of what direction providing Internet security to consumers will take. If consumers are not comfortable with the level of security in the Internet, ISPs, commerce and banking sites could lose customers, and vendors would also lose business. As ISPs have increased anti-virus and anti-spyware protection for their subscribers, anti-virus specialists will try to stay in the market, perhaps providing anonymous bulk rate service through ISPs.
-http://www.usatoday.com/money/industries/technology/2004-12-26-protect-cover_x.h
tm

[Editor's Note (Schneier): Yes, the Internet is insecure. But it's the only game in town, and people aren't going to stop using it anymore than they're going to stop driving because they might have a traffic accident.
(Ranum): Oh, please. If customers were going to stop using the Internet because of security concerns, it would have already happened by now.
(Tan): There is no free lunch. Every client computer needs to be configured correctly, too.
(Grefer): While anti-virus and anti-spyware utilized at the ISP level as a perimeter defense is helpful, it does not protect from threats introduced via venues other than the ISP's connections. As a result, readers would be well advised to adhere to a defense-in-depth paradigm, utilizing locally installed anti-virus, anti-spyware and personal firewall products. ]


===end===

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/