SANS NewsBites Vol. 5 Num. 17
From: The SANS Institute (NewsBites@sans.org)
Date: Wed Apr 30 2003 - 12:39:01 CDT
***********************************************************************
SANS NewsBites April 30, 2003 Vol. 5, Num. 17
***********************************************************************
TOP OF THE NEWS
Virginia's Anti-Spam Law Toughest In Nation
Judge Rules Peer-to-Peer Software Companies Not Liable for Copyright Infringement
Microsoft Warns of Vulnerabilities in Internet Explorer and Outlook Express
Penn. State Students Lose Internet Access for Filesharing
THE REST OF THE WEEK'S NEWS
"Fluffi Bunni" Hacker Arrested in London
Columbia University Finds Home Page Hacker
Privacy and Security Regulations Open Companies Up to Potential Litigation
Spammers Using Trojan Horse Programs
Addressing Insider Security Threats
Microsoft Windows Server 2003 Security Guide
Cisco ACS Vulnerability
Vulnerability in Cisco Switches
Web Authentication Security
Web Hosting Company Hacked
W32/Coronex-A "SARS" Worm Not Spreading
Patch for Windows XP Slows Some Computers; Microsoft Developing New Version
LaBrea Creator Pulls Application from Website
Proposed Law Allows CD and DVD Copying
Opinion: Good Worms Could Patch Internet
AT&T Voice Mail Security Measures
Former Employee Pleads Guilty to Breaking Into Company Computers
UPCOMING SECURITY TRAINING OPPORTUNITIES
Mark your calendar:
Four security training tracks in Portland, OR (May 5-10)
Six security training tracks in Monterey, CA (June 11-16)
Five security training tracks in London, UK (June 23-28)
Our largest summer conference: SANS Fire in Washington DC (July 14-19)
And the largest conference for senior security managers, the National
Information Assurance Leadership Conference (NIAL-V) in Washington
(July 21-22)
Plus smaller programs in Chicago, Raleigh, Atlanta, Melbourne (AU),
San Francisco, Virginia Beach, Ottawa (CA) and Madrid (SP).
If you cannot travel, we have local mentor and evening programs
in forty cities, or ask to schedule an on-site course at your
location. Details on all programs at http://www.sans.org
SANS IS HOSTING A DRY T-SHIRT (DESIGN) CONTEST
(details are at the end of NewsBites)
************ Sponsored by Information Security Magazine ***************
With costly and destructive breaches and security incidents being
reported in increasing numbers, now more than ever it's critical to
stay informed and up-to-date.
INFORMATION SECURITY is the magazine that no security conscious IT
professional can risk being without. Today - for a limited time only
- you can be part of the growing community of information security
professionals with this FREE subscription opportunity. INFORMATION
SECURITY is your most reliable source in staying one step ahead of
issues and concerns critical to the security of your organization's
information.
To subscribe, simply point your browser to:
http://www.submag.com/sub/IS?PK=0304SN
***********************************************************************
TOP OF THE NEWS
--Virginia's Anti-Spam Law Toughest In Nation
(29 April 2003)
Under a new law that goes into effect on July 1, anyone who uses forged
addresses for high volume spam and others who send pornographic spam
to computers in Virginia are subject to penalties of up to five years
in jail and forfeiture of assets. The spammers do not need to be in
Virginia to be subject to the law.
http://seattlepi.nwsource.com/business/aptech_story.asp?category=1700&slug=Fighting%20Spam
--Judge Rules Peer-to-Peer Software Companies Not Liable for Copyright
Infringement
(25 April 2003)
Federal court judge Stephen Wilson ruled that StreamCast and Grokster
are not liable for copyright infringements that occur when customers
use their software. Judge Wilson compared the companies to those
that sell video recorders and copy machines, which can be used to
violate copyrights. Unlike Napster, the two companies have no control
over what users do with their software.
http://news.com.com/2100-1027-998363.html
--Microsoft Warns of Vulnerabilities in Internet Explorer and
Outlook Express
(23 April 2003)
Microsoft has issued security updates warning of vulnerabilities in
Internet Explorer (IE) and Outlook Express. Four flaws in IE 5.01,
5.5 and 6.0 include a buffer overflow vulnerability and a problem with
how IE handles third-party files. The flaw in Outlook Express could
allow attackers to run programs on victims' computers due to the way in
which OE handles HTML encapsulation in e-mail. Patches are available.
http://news.com.com/2100-1002-998101.html
http://www.eweek.com/article2/0,3959,1040373,00.asp
http://www.microsoft.com/technet/security/bulletin/ms03-014.asp
http://www.microsoft.com/technet/security/bulletin/ms03-015.asp
--Penn. State Students Lose Internet Access for Filesharing
(21 April 2003)
More than 200 Pennsylvania State University students found their
high-speed dormitory Internet connections cut off after the university
administration became aware they were sharing copyrighted material.
The connections will be re-established once the offending material
is removed from their computers.
http://www.washingtonpost.com/wp-dyn/articles/A4823-2003Apr21.html
************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
1) BE OFFENSIVE. Don't react to network intrusions. Actively prevent
them. FREE White Paper.
http://www.sans.org/cgi-bin/sanspromo/NB163
2) ALERT! "Outsmart Web Application Hackers" - FREE Product Trial
http://www.sans.org/cgi-bin/sanspromo/NB164
***********************************************************************
THE REST OF THE WEEK'S NEWS
--"Fluffi Bunni" Hacker Arrested in London
(29 April 2003)
Lynn Htun, the 24-year-old hacker who allegedly led the Fluffi Bunni
hacker ring, was arrested in London today. Fluffi Bunni is credited
with attacking many high profile sites such as McDonalds, Exodus,
and SANS. He is wanted in the United States for hacking and was
arrested while attending a computer security conference.
http://seattlepi.nwsource.com/business/aptech_story.asp?category=1700&slug=Fluffi%20Bunni
--Columbia University Finds Home Page Hacker
(28 April 2003)
A hacker who allegedly defaced Columbia University's home web page
and redirected visitors to a lewd site has been caught, according
to the assistant director of Academic Information Systems. He will
not say if the perpetrator is a student. The hacker likely obtained
access to the server through a privileged account.
http://www.columbiaspectator.com/vnews/display.v/ART/2003/04/28/3eacc57a1cf94
--Privacy and Security Regulations Open Companies Up to Potential
Litigation
(28 April 2003)
Although regulations like the Health Insurance Portability and
Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and the
Sarbanes-Oxley Act require that companies take steps to protect
personal data, there are no standards or guidelines against which
the companies can measure compliance. Because the regulations
put the companies in the position of being legally liable for the
privacy and security of the personal data they hold, companies should
put security-audit logging in place. They should also be able to
explain who has access to their data, how access is controlled and
how infractions are dealt with.
http://www.computerworld.com/securitytopics/security/story/0,10801,80744,00.html
[Editor's Note (Grefer): Guidelines and guidance regarding HIPAA can
be found at the U.S. Department of Health & Human Services' Office
for Civil Rights - HIPAA
http://www.hhs.gov/ocr/hipaa/
http://www.hhs.gov/ocr/hipaa/privacy.html
http://www.hhs.gov/ocr/hipaa/guidelines/guidanceallsections.pdf]
--Spammers Using Trojan Horse Programs
(25/26 April 2003)
As authorities begin cracking down on unsolicited e-mail, spammers
are turning to methods used by hackers to launch distributed denial
of service attacks. They are using Trojan horses that include their
own SMTP engines to route their unsolicited messages through unwitting
users' computers.
http://www.securityfocus.com/news/4217
http://www.theregister.co.uk/content/6/30412.html
http://news.findlaw.com/hdocs/docs/mgm/mgmgrokster42503ord.pdf
--Addressing Insider Security Threats
(25 April 2003)
Two companies share steps they have taken to guard against insider
security threats. British Telecom employees have access to company web
applications on a need-to-know basis; the company has also deployed
intrusion detection systems and firewalls. In addition, software
that controls employee access and activity is linked to the human
resources department; when employees leave the company, their access
is revoked. Palm uses intrusion detection systems and penetration
scanner utilities among other security tools. Palm's Director of
Global IT Services Matt Archibald recommends conducting unannounced
penetration studies and checking for configuration changes.
http://www.infoworld.com/article/03/04/25/17FEinjob.sb1_1.html?security
[Editor's Note (Shpantzer): IDS, Firewalls and policy enforcement tools
are great for access control and detecting breaches. The insider
threat, however, can often be mitigated or prevented by other, less
technological means. Some insider threats arise, for example, when
an insider has financial or substance abuse problems, among others.
Awareness of these factors can help a company maintain a productive
employee through assistance plans that specialize in helping employees
get back on track with their lives.
See http://www.dss.mil/search-dir/training/csg/security/Eap/Intro.htm]
--Microsoft Windows Server 2003 Security Guide
(25 April 2003)
Microsoft has published a security guide for its newly released Windows
Server 2003. The guide includes "guidance, tools and templates"
for securing Windows Server 2003 in a variety of environments.
http://news.com.com/2100-1012-998390.html
http://microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en
--Cisco ACS Vulnerability
(24/25 April 2003)
A buffer overflow vulnerability in Cisco's Secure Access Control
Server (ACS) for Windows could allow an attacker to take control of
the service. The vulnerability affects ACS versions 2.6.4, 3.0.3
and 3.1.1. Cisco recommends that users install patches; administrators
are encouraged to block TCP port 2002 until patches are applied.
http://news.com.com/2100-1002-998160.html
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,80702,00.html
http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-acs-win
--Vulnerability in Cisco Switches
(24/25 April 2003)
A vulnerability in Cisco's Catalyst OS software version 7.5(1)
running in Catalyst 4000, 6000 and 6500 series switches could allow
attackers to circumvent password authentication and gain control
over the vulnerable switch. A new version of Catalyst OS software
[version 7.6(1)] that fixes the problem is available.
http://www.eweek.com/article2/0,3959,1041766,00.asp
http://www.theregister.co.uk/content/55/30402.html
http://www.cisco.com/warp/public/707/cisco-sa-20030424-catos.shtml
--Web Authentication Security
(24 April 2003)
The first half of a two-part article describes an audit procedure for
evaluating the security of web authentication procedures, covering
questions about usernames and passwords.
http://www.securityfocus.com/infocus/1688
[Editor's Note (Northcutt): Everyone associated with information
security needs to stay current with security of web applications.
In addition to the article referenced above, the SCORE project has
a checklist for auditing the security of web applications. We urge
you to review it and welcome your comments.
http://www.sans.org/score/webappschecklist.php]
--Web Hosting Company Hacked
(24 April 2003)
A hacker broke into a server belonging to Bargainhost, a web hosting
company, stole passwords and defaced websites. Customers are being
advised to change their passwords, though at least one customer has
already reported losing valuable data. Website backups have also
been corrupted.
http://news.bbc.co.uk/2/hi/technology/2967749.stm
--W32/Coronex-A "SARS" Worm Not Spreading
(23/24 April 2003)
The W32/Coronex-A worm purports to offer information about the SARS
(Severe Acute Respiratory Syndrome) virus, but instead uses its own
SMTP engine to mass mail itself to everyone in the infected machine's
address book. Computer users are apparently becoming more savvy about
attachments as the worm has failed to spread in any significant way.
http://news.zdnet.co.uk/story/0,,t269-s2133789,00.html
http://www.zdnet.com.au/newstech/security/story/0,2000048600,20273926,00.htm
http://www.infoworld.com/article/03/04/23/HNsarsworm_1.html
--Patch for Windows XP Slows Some Computers; Microsoft Developing
New Version
(23/24 April 2003)
A recently released patch for a vulnerability in the Windows kernel
causes some computers running Windows XP to slow down, taking up
to ten seconds before launching applications. Removing the patch
reverses the problem. Microsoft is investigating. The patch was
released with Microsoft Security Bulletin MS03-013 on April 16.
http://www.computerworld.com/securitytopics/security/story/0,10801,80605,00.html
Microsoft is developing a revised version of the patch, but recommends
that XP users still install the first version until the new one
is ready.
http://www.nwfusion.com/news/2003/0424micropulls.html
[Editor's Note (Schultz): There is another side to this story.
Critics have been quick to point out that Microsoft did not adequately
test this patch, something they say is "business as usual" with
this vendor. Microsoft says it wants to expand testing to include
testing by customers.]
--LaBrea Creator Pulls Application from Website
(23 April 2003)
Tom Liston has pulled his LaBrea "digital tar pit" from his website for
fear that he could be prosecuted under a four-month-old "super-DMCA"
law in Illinois.
http://www.informationweek.com/story/showArticle.jhtml?articleID=8800603
[Editor's Note (Grefer): This is neither the first, nor will it be
the last of such cases of self-imposed censoring in reaction to the
"Super-DMCA" legislation passed in various U.S. states. For further
reading on this subject, go to
http://www.freedom-to-tinker.com/superdmca.html
http://www.freedom-to-tinker.com/archives/cat_superdmca.html
See a description of one of the irritating side-effects of such
legislation under the heading, "Use a Firewall, Go To Jail" at
http://www.freedom-to-tinker.com/archives/000336.html]
--Proposed Law Allows CD and DVD Copying
Representative Dick Boucher (D-Virginia) has authored the Digital
Media Consumer Rights Act (HR 107) which would allow people to make
archival copies of the CDs and DVDs they purchase.
http://www.wired.com/wired/archive/11.05/view.html?pg=3
--Opinion: Good Worms Could Patch Internet
(21 April 2003)
The author of this article opines that a trusted security entity,
like CERT or SANS, should create good worms to address unpatched
vulnerabilities in computers connected to the Internet. He reasons
that though such worms would be intruding on people's systems, they
have "abdicated responsibility" for the systems' security by virtue
of neglecting to apply available fixes.
http://www.eweek.com/article2/0,3959,1037127,00.asp
[Editor's Note (Schultz): There is nothing new here. The issue of
"good worms" has been debated for years. It's difficult to claim
that code that runs without authorization is "good."]
--AT&T Voice Mail Security Measures
(21 April 2003)
AT&T has implemented security measures to protect customers from
phone phreaking; recently, hackers have been manipulating people's
voice mail systems to accept unauthorized long-distance calls.
AT&T customers will be required to use random codes rather than saying
"yes" to accept collect calls. Customers are also encouraged to use
complex voice-mail passwords, to change them frequently and to check
their announcements to see if they have been changed.
http://www.computerworld.com/securitytopics/security/story/0,10801,80554,00.html
--Former Employee Pleads Guilty to Breaking Into Company Computers
(17 April 2003)
Alan Giang Tran, a former Airline Coach Service and Sky Limousine
Company employee, has pleaded guilty to breaking into the company's
computers, deleting critical data and changing passwords, locking
employees out of their accounts. Tran could face up to ten years in
federal prison; sentencing is scheduled for July 28.
http://www.fbi.gov/fieldnews/april/la041703.htm
SANS HOSTING A DRY T-SHIRT (DESIGN) CONTEST
Call for T-shirt Designs
Have you ever wondered where all those unique SANS conference t-shirts
come from? We thought it might be fun to get some fresh ideas,
so SANS is having a T-shirt Design Contest. We will announce the
winning designer at SANS Monterey, June 11-16, 2003. The design will
debut on the t-shirt for SANSFIRE 2003 in Washington, DC this July.
SANS will award a winner and a runner-up. Put your creative cap on and
have some fun.
The winning T-shirt will state "designed by <winner's name>" and the
winner will receive their choice of any five SANS Step-by-Step books.
The runner-up will receive a SANS polo shirt.
Go to http://www.sans.org and look at the SANSFIRE Conference
information. While you are there, register for the conference!
Submit as many designs as you want. Send to knorthc@aol.com
The logo will be printed in either 2 or 3 colors. The winner's name
will also appear on the shirt. The shirt will print on an ash grey
or natural background most easily; keep the background color in mind
as you are designing.
If we are using a photo in the design it should be a minimum of 300
dpi in resolution. Artwork provided should be done in a graphics
format such as Adobe Illustrator (Mac) or Corel Draw (Windows).
If you do not have access to this type of program, we can take
your design and convert it for you. Obviously, no offensive
language/vulgar/racial art or language will be considered. Refrain
from political propaganda. Respect others' intellectual property; use
original designs. No brand names, logos, etc. other than SANS. All
designs submitted become the property of SANS. The final design may
have to be formatted or changed slightly, to fit printing requirements.
This contest is open only to those who are 18 years of age or older
at time of entry.
Employees of SANS Institute, their affiliates, subsidiaries,
advertising and promotion agencies and their immediate family members
and/or those living in the same household of each are not eligible.
Void in Puerto Rico and where prohibited by law.
SANS will decide on the top designs, which will then be posted to
the web. Anyone logging onto the site will be able to vote for
the design they like best. The top two will be chosen, based on
those votes. Winners will be notified by surface mail and their
names will be posted on the SANS web site after June 16th, 2003.
In the event that no winner is chosen, SANS will design in house.
---end---
NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt,
Alan Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) or to update a current subscription, visit
http://portal.sans.org/