
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #23

June 08, 2005

The Internet's early warning system (Internet Storm Center) has room for more individual reporters. Storm Center (http://isc.sans.org/) provides daily monitoring of attacks on the Internet. It is fed by volunteers at more than 6,000 companies, and by individuals, and is monitored by defenders and law enforcement around the world. Volunteers get daily feedback reports showing the sources and types of attacks on their systems. Storm Center needs more home and small business users to feed data (it's painless and safe) because of the increasing number of attacks targeting those sites. Participating in Storm Center is one of the few ways end users can fight back against cybercrime, because it informs ISPs when their clients' machines are attacking. If you are willing to help, go to http://www.dshield.org/howto.php for a list of firewalls and other supported feeders and to learn how to contribute.


Appeals Court Rules Presence of Encryption Program on Computer Relevant in Man's Conviction
Coordinated Malware Attack Uses a Triumvirate of Trojans
Timing Attack Could Allow Extraction of AES Keys


Sasser Worm Trial Set to Begin on July 5
Phishers Target Smaller Financial Institutions
Anti-Phishing Working Group Creates Phishing Scam Database for Members
Nortel Offers Patch for Denial-of-Service Flaw in VPN Routers
New Mytob Variant
Texas HS Student Arrested for Unauthorized Computer Access
Microsoft Removes Malicious Code from MSN Korea Web Site
Cyber Extortion Victim Describes Experience
CitiFinancial Blames UPS for Tape Loss
Stolen Laptop Holds Dept. of Justice Workers' Credit Card Data
Japanese Court Says National ID System Violates Privacy Rights
UBS Investigating Missing Disk

************************* Sponsored by Shavlik: *************************

Now Available! Introducing Shavlik HFNetChkPro(tm) 5, the next generation of security patch management. With over 50 awesome new features including detailed reporting, advanced reboot options, email notification, and distribution servers, staying up to date on patches has never been easier and your network has never been more secure. Keep your world in Chk with Shavlik. Download the trial version today at www.sans.org/info/797

Why Do Security Professionals Get More Value From SANS Than from Any Other Source?

"Years of experience downloaded into your brain in 6 days."
- Chris Koutras, Titan, Inc.

"The perfect balance of theory and hands on experience."
- James D. Perry II, University of Tennessee

"SANS courses bring the best of the best to one place to learn cutting-edge information."
- Jeremy Baca, Sandia National Labs

"SANS has opened my eyes to things I never would have considered based on my own research."
- Doug Wells, Media General, Inc.

Current Training Schedule: http://www.sans.org


Appeals Court Rules Presence of Encryption Program on Computer Relevant in Man's Conviction (25 May 2005)

A Minnesota man sought to have his conviction for child abuse overturned, arguing that the "district court erred in admitting evidence of appellant's Internet use and the encryption capability of his computer." A forensic examination of the man's computer had found PGP installed. The Minnesota State Court of Appeals rejected the appeal. The case could set a precedent that the presence of an encryption program on a computer is admissible as evidence of criminal intent.

[Editor's Note (Schultz): This ruling seems very reasonable and, as stated in the news item itself, is likely to set an important precedent in future cases of this nature.
(Ranum) It's important to note that in this case the conviction was achieved because of first-person testimony from one of the victims who was abused by the defendant. The judge allowed the fact that the defendant had PGP on his computer to be introduced as circumstantial evidence. ]

Coordinated Malware Attack Uses a Triumvirate of Trojans (3 June 2005)

The most recent Bagle variants are actually part of a three-stage process to create botnets, or networks of zombie computers. The first stage is Glieder, a mass mailer which relies on people opening attachments; as many as eight variants were released last Wednesday alone. The second stage is Fantibag, which is downloaded by Glieder. Fantibag blocks antivirus software updates as well as access to Microsoft's update site. The final stage is Mitglieder, which, after disabling firewalls and antivirus programs, forcibly recruits the PCs for use as part of a botnet.

[Editor's Note (Grefer): "Glieder" is German for limbs or (chain) links. "Mitglieder" is German for members. "Fantibag" appears to be a concatenation of F(irewall)_anti(.exe) bag(le) variant, christened by Computer Associates in recognition of the firewall_anti.exe executable. ]

Timing Attack Could Allow Extraction of AES Keys (23 May 2005)

University of Illinois at Chicago professor Daniel Bernstein has published a paper describing how a timing attack against the Advanced Encryption Standard algorithm could be used to recover a complete AES key from a remote server. The paper describes an attack on a server running the OpenSSL AES implementation; Bernstein argues that the problem lies with the AES design, whose table lookups are hard to implement in constant time, and not with the particular library the server uses.
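To make the statistical core of the attack concrete, the following simulation is added here as an illustration; it is not Bernstein's code and it does not touch OpenSSL or any real server. The timing model is an assumption chosen for clarity: each first-round table index (plaintext byte XOR key byte) is given its own fixed extra latency plus Gaussian noise, standing in for cache effects. The attacker profiles a reference machine with a known key, profiles the target, and recovers the secret key purely from per-byte timing averages.

```python
"""Simulation of the profile-correlation step of a first-round AES timing
attack. Added illustration only: not Bernstein's code, no real server.
Timing model (assumed): each of the 256 possible first-round table
indices p[i] ^ k[i] has its own fixed extra latency, plus noise."""

import random

BLOCK = 16  # AES-128 block and key length in bytes


def make_delay_profile(rng):
    """Hypothetical extra latency for each of the 256 table indices."""
    return [rng.uniform(0.0, 3.0) for _ in range(256)]


def timed_encrypt(key, pt, delay, rng, noise=2.0):
    """Simulated encryption time: constant + latency of the 16 first-round
    lookups (index = plaintext byte XOR key byte) + measurement noise."""
    t = 100.0
    for i in range(BLOCK):
        t += delay[pt[i] ^ key[i]]
    return t + rng.gauss(0.0, noise)


def timing_profile(key, delay, rng, samples):
    """profile[i][v] = mean time over samples whose plaintext byte i == v.
    This is all an attacker collects: random blocks and response times."""
    sums = [[0.0] * 256 for _ in range(BLOCK)]
    counts = [[0] * 256 for _ in range(BLOCK)]
    for _ in range(samples):
        pt = bytes(rng.getrandbits(8) for _ in range(BLOCK))
        t = timed_encrypt(key, pt, delay, rng)
        for i in range(BLOCK):
            sums[i][pt[i]] += t
            counts[i][pt[i]] += 1
    return [[sums[i][v] / counts[i][v] if counts[i][v] else 0.0
             for v in range(256)] for i in range(BLOCK)]


def _centred(row):
    m = sum(row) / len(row)
    return [x - m for x in row]


def recover_key(known_key, ref_profile, target_profile):
    """Time depends on p[i] ^ k[i], so the target profile is the reference
    profile (known key k') permuted by XOR with d = k[i] ^ k'[i]. The d
    with the highest correlation wins; XOR with k' gives the secret byte."""
    recovered = bytearray()
    for i in range(BLOCK):
        u = _centred(target_profile[i])
        r = _centred(ref_profile[i])
        best_d = max(range(256),
                     key=lambda d: sum(u[v] * r[v ^ d] for v in range(256)))
        recovered.append(best_d ^ known_key[i])
    return bytes(recovered)


def demo(seed=7, samples=20000):
    """Profile a reference machine (known key) and a target (secret key)
    on the same simulated hardware, then recover the secret key."""
    rng = random.Random(seed)
    delay = make_delay_profile(rng)
    known_key = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    secret_key = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    ref = timing_profile(known_key, delay, rng, samples)
    tgt = timing_profile(secret_key, delay, rng, samples)
    return secret_key, recover_key(known_key, ref, tgt)


if __name__ == "__main__":
    secret, guess = demo()
    print("secret key   :", secret.hex())
    print("recovered key:", guess.hex())
    print("match        :", secret == guess)
```

Two caveats for practitioners: real leakage is far coarser (typically only cache-line granularity, so a single profile reveals only some bits of each key byte and many more samples are needed), and the reference machine must match the target's hardware and software closely. The defence is not a different library but an implementation whose memory accesses and timing do not depend on the key, such as a table-free, constant-time AES.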

************************ SPONSORED LINKS ********************************
Note: These links take you outside SANS:

1) Hacking Web Applications- FREE White Paper From SPI Dynamics

2) PCI Compliance Deadline - June 30 - Log Management can help, find out how -
FREE Webcast. http://www.sans.org/info.php?id=799




Sasser Worm Trial Set to Begin on July 5 (1 June/31 May 2005)

The trial of Sven Jaschan, who has been accused of creating the Sasser worm, is scheduled to begin July 5 in Germany. Jaschan has reportedly confessed to authoring both Sasser and NetSky. He faces charges of computer sabotage and disruption of business. Jaschan will be tried in juvenile court because he was a minor when the alleged offenses took place.


Phishers Target Smaller Financial Institutions (6 June 2005)

A report from the Anti-Phishing Working Group indicates that phishers are broadening their base of attack targets to include small financial institutions such as credit unions. The Anti-Phishing Working Group also said that the number of phishing attempts reported in April rose to 14,411, although the number of unique phishing messages dropped from 4,100 in March to 3,930 in April.


Anti-Phishing Working Group Creates Phishing Scam Database for Members (2 June 2005)

In hopes of becoming a clearinghouse for phishing data, the Anti-Phishing Working Group has created a database of phishing scams that can be used to share information with other Anti-Phishing Working Group members; there is also an XML form that can be used to submit attack data.


Nortel Offers Patch for Denial-of-Service Flaw in VPN Routers (1 June 2005)

Nortel has issued a patch for a denial-of-service vulnerability in several models of its VPN router line. An Internet Key Exchange packet with a malformed Internet Security Association and Key Management Protocol (ISAKMP) header could be used to crash or reboot vulnerable routers. All products in the VPN Router 600, 1000, 2000, 4000 and 5000 lines are affected. Nortel recommends upgrading to software version 5.05.200 or installing patched software versions 4.76, 4.85, 4.90 or 5.00, which will be made available later this month.
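The advisory does not say which field of the header the routers mishandled. As an added example (not Nortel's code, and not a description of the actual bug), here is a defensive parser for the fixed 28-byte ISAKMP header of RFC 2408 that refuses the usual classes of malformed input, a truncated datagram, a Length field that contradicts the datagram size, an unknown major version and reserved flag bits, instead of trusting the header and reading past the buffer. The sample datagrams are constructed for the example.

```python
"""Added example: defensive ISAKMP (RFC 2408) fixed-header parser.
Not Nortel's code; the sample datagrams below are constructed."""

import struct

# Initiator cookie, responder cookie, next payload, MjVer/MnVer,
# exchange type, flags, message ID, length (network byte order).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
HDR_LEN = ISAKMP_HDR.size                  # 28 bytes
FLAG_MASK = 0x07                           # encryption | commit | auth-only


class MalformedHeader(ValueError):
    """Raised for any header that must not be processed further."""


def parse_isakmp_header(datagram):
    """Return the header fields as a dict, or raise MalformedHeader."""
    if len(datagram) < HDR_LEN:
        raise MalformedHeader(f"datagram too short: {len(datagram)} < {HDR_LEN}")
    (icookie, rcookie, next_payload, version, exch,
     flags, msg_id, length) = ISAKMP_HDR.unpack_from(datagram)
    major, minor = version >> 4, version & 0x0F
    if major != 1:
        raise MalformedHeader(f"unsupported ISAKMP major version {major}")
    # The Length field must cover at least the header and must never claim
    # more bytes than the datagram actually carries.
    if length < HDR_LEN:
        raise MalformedHeader(f"length field {length} smaller than header")
    if length > len(datagram):
        raise MalformedHeader(f"length field {length} exceeds datagram {len(datagram)}")
    if flags & ~FLAG_MASK:
        raise MalformedHeader(f"reserved flag bits set: {flags:#04x}")
    return {
        "initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
        "next_payload": next_payload, "version": (major, minor),
        "exchange_type": exch, "flags": flags, "message_id": msg_id,
        "length": length, "payload": datagram[HDR_LEN:length],
    }


def is_well_formed(datagram):
    """Boolean wrapper: True if the header passes every check."""
    try:
        parse_isakmp_header(datagram)
        return True
    except MalformedHeader:
        return False


def build_datagram(length, flags=0, version=0x10, exch=2, payload=b""):
    """Constructed test datagram: exchange type 2 = Identity Protection."""
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, version, exch,
                          flags, 0, length)
    return hdr + payload


PAYLOAD = b"\xde\xad\xbe\xef"                       # constructed, opaque
VALID = build_datagram(HDR_LEN + len(PAYLOAD), payload=PAYLOAD)
TRUNCATED = VALID[:10]                              # cut mid-cookie
OVERSIZED_LENGTH = build_datagram(0xFFFFFFFF, payload=PAYLOAD)
RESERVED_FLAGS = build_datagram(HDR_LEN, flags=0x80)
BAD_VERSION = build_datagram(HDR_LEN, version=0x20)

if __name__ == "__main__":
    print(parse_isakmp_header(VALID))
    for name, d in [("truncated", TRUNCATED), ("oversized", OVERSIZED_LENGTH),
                    ("reserved flags", RESERVED_FLAGS), ("version", BAD_VERSION)]:
        print(name, "->", "accepted" if is_well_formed(d) else "rejected")
```

Every payload that follows the header carries its own length field and needs the same discipline: check it against the bytes remaining before using it, and never let a length from the wire decide how much memory to touch.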

New Mytob Variant (1 June 2005)

A new Mytob variant pretends to be an error message from an IT administrator warning users that their accounts are about to be suspended and asking them for validation. Infected machines could be vulnerable to remote access and command execution. The worm also sends itself out to addresses it finds in the Windows Address Book and tries to prevent infected machines from accessing certain anti-virus and security web sites by redirecting them to other machines.
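Both this Mytob variant and the Fantibag stage of the Bagle chain described above keep victims away from anti-virus and Microsoft update sites. The page does not name the mechanism; one common way malware of this kind achieves it (assumed here) is by adding entries to the Windows hosts file so that vendor names resolve to 127.0.0.1 or to an attacker-chosen host. The following checker is an added example, not code from any vendor's tool; the watch list of domains and the tampered hosts file are constructed for the example.

```python
"""Added example: flag hosts-file entries that block or redirect
security-vendor and update domains. The watch list and sample file are
constructed for this illustration."""

import ipaddress

# Constructed watch list: domains whose presence in a hosts file almost
# always means tampering. Adjust to the vendors you actually use.
WATCHED_SUFFIXES = (
    "windowsupdate.com", "microsoft.com", "symantec.com", "mcafee.com",
    "sophos.com", "trendmicro.com", "kaspersky.com", "f-secure.com", "sans.org",
)


def parse_hosts(text):
    """Yield (lineno, ip_address, hostname) for every mapping in the file,
    tolerating comments, tabs and several names on one line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # unparsable address; a full tool would report it
        for host in parts[1:]:
            yield lineno, ip, host.lower().rstrip(".")


def is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Return findings for watched names. Loopback / unspecified targets
    mean the site is blocked; anything else means it is redirected."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if not is_watched(host):
            continue
        kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append({"line": lineno, "host": host, "ip": str(ip), "kind": kind})
    return findings


# Constructed sample of a tampered hosts file.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
192.168.1.20    intranet.example.local   # legitimate override
127.0.0.1       windowsupdate.microsoft.com
0.0.0.0         liveupdate.symantec.com
10.13.37.5      www.mcafee.com  download.sophos.com
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} {f['kind']} -> {f['ip']}")
```

On a live system the file to read is %SystemRoot%\System32\drivers\etc\hosts; a clean machine should normally yield no findings at all, so any hit is worth a look. A hosts entry is only one of several ways to achieve this redirection, so an empty result is not proof the machine is clean.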


Texas HS Student Arrested for Unauthorized Computer Access (4 June 2005)

A South Houston (Texas) High School student has been arrested on charges of breaching computer security for allegedly using software he obtained from the Internet to gain unauthorized access to the school district's computer network. The student's actions hastened the district's security implementation activities.

Microsoft Removes Malicious Code from MSN Korea Web Site (3 June 2005)

Microsoft has removed malicious code from its MSN web site in Korea, www.msn.co.kr. The company that hosts the site had neglected to apply necessary patches; a vulnerability allowed the placement of the Trojan horse code.
[Editor's Note (Shpantzer): "[The Korean MSN site], unlike the one in the U.S. and most other international MSN sites, was not hosted by Microsoft but by a partner. That partner likely did not completely secure the servers, Microsoft has said." This week's edition alone includes the cautionary tales of Citibank/UPS, DoJ's travel agency, and the Microsoft hosting provider. Your data is only as secure as the weakest partner in the chain of custody for your data.]

Cyber Extortion Victim Describes Experience (27 May 2005)

Asif Malik, founder of online payment system NoChex, found his site under attack from extortionists after he ignored an initial email asking for payment in exchange for leaving the site alone. He then asked the extortionists for a day to gather the money during which time he convinced his ISP to deploy a solution to reroute traffic and weed out the malicious traffic. The extortionists sent threatening email when they did not receive the money and attacked again but it had no effect on Malik's site. Malik now uses a number of penetration testing companies to ensure that his site is well protected.


CitiFinancial Blames UPS for Tape Loss (7/6 June 2005)

Citigroup Inc. subsidiary CitiFinancial says a box of computer tapes being transported by United Parcel Service has been lost. The missing tapes hold unencrypted data, including names and Social Security numbers, for approximately 3.9 million customers. The company has sent letters to all affected customers, warning them to watch their accounts for suspicious activity. CitiFinancial video footage shows the UPS driver failing to observe the agreed-upon "special security procedures." The tapes were sent in early May; there have been no reports of unauthorized account activity. CitiFinancial had already planned to switch, in July of this year, to sending the data electronically in encrypted form. The Secret Service is investigating.


[Editor's Note (Schultz): The "blame game" for loss of personal and financial data may help companies such as CitiFinancial save face in situations such as this one, but these companies are ultimately responsible for the care and protection of customer, employee and other data. As I have said before, the US desperately needs federal legislation that mandates suitable levels of protection of such data. ]

Stolen Laptop Holds Dept. of Justice Workers' Credit Card Data (31 May 2005)

A laptop computer stolen from Fairfax, Virginia-based Omega World Travel contains names and credit card numbers of approximately 80,000 US Department of Justice employees. The data were password-protected. The FBI and local police are investigating the theft.
[Editor's Note (Ranum): Inevitably, the consequence of having data distributed all over the place is having it compromised in unexpected places. Transitive trust and control of distributed data are two of the hardest problems in computer security - and we've largely been ignoring them because the current state of affairs (hackers being able to walk in through host/application vulnerabilities) is more compelling of attention. Remember: even if we had perfectly invulnerable apps and hosts, transitive trust and distribution of data will be huge problems waiting in the wings. ]

Japanese Court Says National ID System Violates Privacy Rights (31 May 2005)

A prefectural government in western Japan has been ordered to remove personal data belonging to 28 people from its computerized ID system after a court said that Juki Net violates constitutionally protected privacy rights. Juki Net holds the names, birth dates, addresses and genders of all 126 million Japanese citizens.

UBS Investigating Missing Disk (31/30 May 2005)

The Tokyo branch of UBS is investigating the disappearance of a computer disk that may contain sensitive data about the investment bank's clients. The missing disk holds data from the equities division. The disk was scheduled to be destroyed. The metal case that held the disk has been found, but no one is certain what has become of the disk itself.


NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit