SANS NewsBites Vol. 5 Num. 20

From: The SANS Institute (NewsBites@sans.org)
Date: Wed May 21 2003 - 11:57:46 CDT


***********************************************************************
SANS NewsBites May 21, 2003 Vol. 5, Num. 20
***********************************************************************

TOP OF THE NEWS
  Baiting the Trap for Cyber Criminals
  Operation E-Con Nets 135 Arrests, Millions in Assets
  Open Relay Warnings Sent To ISPs In Several Countries
  SEC Files Charges Against Alleged Spammer

THE REST OF THE WEEK'S NEWS
  W32/Palyh Worm Pretends to be From Microsoft
  NIST Releases Draft of New Federal Information Processing Standard
  Malware Myths Debunked
  Taking the Fizz Out of Fizzer
  Australian ISP Hacker Convicted on Appeal
  South Korean Official Says North Korea is Training Hackers
  UK Small Business Security is Lagging
  DHS to Establish Cybersecurity R & D Office
  Bank of America Customers Targeted by Fraud Artist
  Fending off DoS Attacks
  Targeted Attacks on the Rise
  DMCA Researcher Exemption Hearings
  RIAA Withdraws Errant Copyright Violation Notices
  Survey Says External Threats More Prevalent than Internal Threats

TUTORIAL
  Secure Installation and Configuration of Apache 1.3.x Web Server

NEW SECURITY TRAINING PROGRAMS ANNOUNCED
SANS has added several cities to its schedule of immersion security
training programs:
  Chicago, IL, May 18-23 (2 tracks)
  Atlanta, GA, June 2-7 (The auditing track still has seats)
  Monterey, CA, June 11-26 (6 tracks)
  San Francisco, June 18-23 (The new management track still has seats)
  London, UK, June 23-28 (5 tracks)
  Washington, DC, July 14-19 (9 tracks -including new management track)
  Washington, DC, July 21-22 (Nat'l. Info. Assurance Leadership Conf.)
  Melbourne, AU, July 28 - Aug 2 (2 tracks)
  Ottawa, ON, Aug. 11-16 (3 tracks)
  Denver, CO, Aug. 14-19 (6 tracks)
  Plus online courses and local mentor programs in 45 cities.
     See www.sans.org

********************* Sponsored by Qualys, Inc. ***********************

Discover Rogue Devices on Your Network for FREE

Qualys FreeMap is a Web-based technology that lets you discover systems
on your network including routers, VPN servers and wireless access
points and rogue devices. Take advantage of this service before someone
takes advantage of your network.

Get your FreeMap now! https://freemap.qualys.com/?lsid=599

***********************************************************************

TOP OF THE NEWS

 --Baiting the Trap for Cyber Criminals
(18/19 May 2003)
A fascinating three-part series of articles detailing how two Russian
men turned to cyber security extortion, how they were ultimately
captured in an FBI sting (when they came to the US for a purported job
interview), and how the threat continues to build because of differences
in legal approaches between the US and Russia.
http://www.washingtonpost.com/ac2/wp-dyn/A2619-2003May17?language=printer
http://www.washingtonpost.com/ac2/wp-dyn/A7774-2003May18?language=printer
http://www.washingtonpost.com/ac2/wp-dyn/A12984-2003May19?language=printer

 --Operation E-Con Nets 135 Arrests, Millions in Assets
(16 May 2003)
Federal officials have arrested 135 cyber criminals and have seized over
$17 million in assets as a part of "Operation E-Con." Alleged crimes
include setting up phony bank web sites to steal account information
from unsuspecting customers and taping and selling unreleased movies.
Among the agencies participating are the FBI, the US Postal Inspection
Service and the Federal Trade Commission.
http://www.washingtonpost.com/wp-dyn/articles/A60804-2003May15.html
http://www.cnn.com/2003/TECH/internet/05/16/cybercrime.feds.ap/index.html
http://www.informationweek.com/story/showArticle.jhtml?articleID=10000129

 --Open Relay Warnings Sent To ISPs In Several Countries
(15 May 2003)
US federal and state law enforcement agencies will work with their
counterparts in Australia, Canada and Japan in a concerted effort to
combat spam. Letters have been sent to operators of more than 1,000
e-mail servers around the world, warning them that open relays could be
used to send unsolicited e-mail. The letters explained that spam
appears to be coming from their systems. The spam can cause network
traffic to increase significantly and their ISPs could cut off their
service. The letters concluded by advising the operators to close their
relays.
http://news.com.com/2100-1028_3-1001868.html

 --SEC Files Charges Against Alleged Spammer
(13 May 2003)
The US Securities and Exchange Commission (SEC) has filed fraud charges
against K.C. Smith who allegedly stole more than $100,000 from unwitting
on-line investors by setting up two phony web sites, including one for
the nonexistent US Deposit Insurance Corp. (USDIC) that had the SEC's
official seal on it. Smith allegedly sent 9 million spam messages
promoting his scheme and used other fraudulent means to hide his
identity while conducting business. Smith agreed to repay the allegedly
stolen funds plus interest, but has neither admitted nor denied the
allegations against him.
http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,81188,00.html

************************ SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.

(1) Alert! Securing healthcare organizations with firewalls and VPNs -
FREE HIPAA COMPLIANCE REPORT!
http://www.sans.org/cgi-bin/sanspromo/NB171

(2) ALERT: Top 8 SPAM BLOCKING methods. ***FREE White paper***
http://www.sans.org/cgi-bin/sanspromo/NB172

(3) Instantly stop DDoS attacks. Prevent worm propagation. Hands-on,
online demo--launch and mitigate live attacks.
http://www.sans.org/cgi-bin/sanspromo/NB173
***********************************************************************

THE REST OF THE WEEK'S NEWS

 --W32/Palyh Worm Pretends to be From Microsoft
(19 May 2003)
A worm called Palyh travels as a .pif attachment to e-mail designed to
look like it comes from support@microsoft.com. The worm copies itself
to the Windows folder and sends itself to e-mail addresses found on the
infected computer.
http://news.bbc.co.uk/1/hi/technology/3040247.stm
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,81344,00.html
http://www.msnbc.com/news/915499.asp?0dm=C217T
http://news.com.com/2100-1002_3-1007603.html

 --NIST Releases Draft of New Federal Information Processing Standard (FIPS)
(15 May 2003)
The National Institute of Standards and Technology's (NIST's) Computer
Security Division has released a draft of the new Federal Information
Processing Standard (FIPS) which tells agencies how to categorize their
computer systems based on security risks. There is a 90-day comment
period.
http://www.fcw.com/fcw/articles/2003/0512/web-nist-05-16-03.asp
http://csrc.nist.gov/publications/drafts/FIPS-PUB-199-ipd.pdf
[Editor's Note (Paller): Although this NIST document is just the first
step in a series that will lead to useful new standards, it is still
extremely important. Its unique value arises because it is the first
federal document that explains to federal agencies (and any other
readers) why they must bring all systems up to a minimum standard of
due care for security before they conduct in-depth risk assessments to
target additional security controls on the greatest risks.]

 --Malware Myths Debunked
(19 May 2003)
The first of a series of three articles about malware and misinformation
debunks the belief that not using Microsoft products offers immunity to
malware.
http://www.securityfocus.com/infocus/1695

 --Taking the Fizz Out of Fizzer
(14/16/19 May 2003)
The chat network security group IRC/Unity has figured out the algorithm
that determines the user nickname that is able to send commands to
machines infected with the Fizzer worm. Once someone knows the
nickname, which is dependent on the current date, that person can send
controls to the infected machine. The worm has overwhelmed some IRC
networks, and some administrators say there are ways to address the
problem, but they involve executing code on victim's computers, a
possible violation of the US Computer Fraud and Abuse Act.
http://news.com.com/2100-1009_3-1007743.html
http://news.com.com/2100-1002_3-1003894.html
http://news.com.com/2100-1002_3-1001601.html

 --Australian ISP Hacker Convicted on Appeal
(16 May 2003)
Stephen Craig Dendtler, who initially received a suspended sentence for
illegally accessing account information belonging to more than 400,000
customers of Australia's Optus network, was convicted on appeal.
Dendtler will pay a fine of AU$4,000 and is on a two-year "good
behaviour" bond. Authorities had been concerned that the absence of a
conviction would send the wrong message to other would-be
cyber-criminals.
http://www.zdnet.com.au/newstech/security/story/0,2000048600,20274570,00.htm
http://www.theregister.co.uk/content/55/30744.html

 --South Korean Official Says North Korea is Training Hackers
(16 May 2003)
A South Korean military official says that North Korea is training
approximately 100 hackers each year to boost its cyber warfare
capability. Because of its reliance on computers, South Korea would be
particularly vulnerable to a cyber attack. Song Young-keun, commanding
general of Seoul's Defense Security Command, says the South Korean
military is working on bolstering cyber security, and needs help from
research institutions and private sector businesses.
http://www.cnn.com/2003/TECH/internet/05/16/korea.hackers.reut/index.html

 --UK Small Business Security is Lagging
(15 May 2003)
A Symantec survey found that while 97% of small businesses in the UK
use anti-virus software, 30% do not use firewalls and 63% do not monitor
their networks. In addition, only 26% of the businesses install
software patches as soon as they are available.
http://news.bbc.co.uk/2/hi/technology/3029955.stm
[Editor's Note (Grefer): Businesses may be well advised to delay
installing patches on production systems immediately upon availability.
Patches should be tested on systems that are not business-critical prior
to their deployment.]

 --DHS to Establish Cybersecurity R & D Office
(14 May 2003)
The Department of Homeland Security plans to establish a cybersecurity
office; no one has yet been named to run that office. Responsibilities
of the new office will include the development of a cybersecurity
disaster recovery plan. It will also coordinate cybersecurity efforts
in both the public and private sectors. The creation of the office is
seen by some as evidence that the administration is committed to
protecting the Internet from security threats. It is still uncertain
how many employees will be assigned to the new office and how much
funding it will receive. The office will have partnerships with the
National Science Foundation and the National Institute of Standards and
Technology (NIST).
http://www.washingtonpost.com/wp-dyn/articles/A56254-2003May14.html
http://www.fcw.com/fcw/articles/2003/0512/web-cyber-05-14-03.asp

 --Bank of America Customers Targeted by Fraud Artist
(13/14 May 2003)
Bank of America customers have been targeted by a con artist who tries
to get them to visit a phony website and provide their personal account
data. They received spoofed e-mails directing them to the phony site.
Bank of America has warned its customers about the scam and encourages
them to be proactive about their on-line habits.
http://www.eweek.com/article2/0,3959,1085451,00.asp
http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,81211,00.html
[Editor's Note (Ranum): Similar scams are being launched against eBay
users. This is going to be a major problem because, unfortunately,
authenticated e-mail is still an unsolved problem.]

 --Fending off DoS Attacks
(13/14 May 2003)
Carnegie Mellon graduate students presented two papers at the recent
IEEE (Institute of Electrical and Electronic Engineers) Symposium on
Security and Privacy describing methods of countering denial-of-service
attacks. One involves requiring a computer to solve a puzzle before
being granted access to a website; the more requests sent by one
computer, the more difficult the puzzles become. The other involves
modifying data in request headers.
http://news.com.com/2100-1009_3-1001200.html
http://www.newscientist.com/news/news.jsp?id=ns99993729
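The adaptive client-puzzle idea summarized above, as an added illustration that is not code from the Carnegie Mellon papers (whose exact puzzle construction is not given here): the server hands out a hash-preimage puzzle whose required number of leading zero bits rises with every request from the same client identifier, so a flooding client pays exponentially more CPU per request than a normal one. The difficulty ladder (8 bits, +2 per request, capped at 24) and the SHA-256 puzzle form are assumptions for this example.

```python
import hashlib
import os
from collections import defaultdict

# Assumed difficulty ladder: each extra request from the same client within
# the accounting window raises the number of leading zero bits required.
BASE_BITS = 8
STEP_BITS = 2
MAX_BITS = 24


def leading_zero_bits(digest):
    """Count leading zero bits of a 32-byte SHA-256 digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


class PuzzleServer:
    """Issues hash puzzles whose difficulty grows with a client's request count."""

    def __init__(self):
        self.requests = defaultdict(int)  # client id -> requests seen so far
        self.outstanding = {}             # challenge -> (client id, bits)

    def difficulty_for(self, client):
        return min(BASE_BITS + STEP_BITS * self.requests[client], MAX_BITS)

    def issue(self, client):
        """Return (challenge, bits); the client must find a matching nonce."""
        bits = self.difficulty_for(client)
        self.requests[client] += 1
        challenge = os.urandom(16)        # fresh per request, so a solution cannot be reused
        self.outstanding[challenge] = (client, bits)
        return challenge, bits

    def verify(self, challenge, nonce):
        """Accept a solution once; unknown or replayed challenges are rejected."""
        entry = self.outstanding.pop(challenge, None)
        if entry is None:
            return False
        _client, bits = entry
        return leading_zero_bits(hashlib.sha256(challenge + nonce).digest()) >= bits


def solve(challenge, bits):
    """Client side: brute-force an 8-byte nonce; expected work doubles per extra bit."""
    nonce = 0
    while True:
        candidate = nonce.to_bytes(8, "big")
        if leading_zero_bits(hashlib.sha256(challenge + candidate).digest()) >= bits:
            return candidate
        nonce += 1
```

Verification costs the server one hash per request regardless of difficulty, which is what makes the asymmetry useful against a flood.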

 --Targeted Attacks on the Rise
(13 May 2003)
Hackers are increasingly launching "targeted attacks" in which specific
tools are used against specific cyber targets, instead of releasing
worms and viruses that spread indiscriminately across the Internet.
Statistics from security services provider Riptech show that 40% of
attacks suffered by their client base were targeted, significantly above
the expected 15%.
http://news.com.com/2010-1071-1001016.html

 --DMCA Researcher Exemption Hearings
(13 May 2003)
The US Copyright Office is holding hearings to decide if it should
broaden the exemptions to the Digital Millennium Copyright Act (DMCA)
to include researchers looking for vulnerabilities. There are two
exemptions now in place, both of which expire in October of this year.
The first allows researchers to crack censoring software to see which
sites are blocked; the second covers old programs and databases with
defective or obsolete access control mechanisms.
http://www.securityfocus.com/news/4729
[Editor's Note (Schultz): I've said it before and I'll say it again--the
DMCA is bad news for information security. Let's hope that those who
are considering the exemptions are more rational than those who
originally wrote and passed this act.]

 --RIAA Withdraws Errant Copyright Violation Notices
(13 May 2003)
The Recording Industry Association of America (RIAA) has sent 24
withdrawal notices to entities which had erroneously received
cease-and-desist notices. The notices alleged the recipients were in
violation of the Digital Millennium Copyright Act (DMCA) for offering
copyrighted files for downloading.
http://news.com.com/2100-1025_3-1001319.html

 --Survey Says External Threats More Prevalent than Internal Threats
(12/15 May 2003)
A Deloitte Touche Tohmatsu (DTT) survey found that 39% of banks and
financial services companies reported computer security breaches last
year. 16% of those came from external sources, 10% from internal
sources and 13% from both. 175 senior IT executives were surveyed.
DTT's Simon Owen said the figures show that the biggest threat to
companies is not from employees; cyber attacks are becoming increasingly
sophisticated.
http://news.zdnet.co.uk/story/0,,t269-s2134573,00.html
http://www.theregister.co.uk/content/55/30722.html
http://www.vnunet.com/News/1140907
[Editor's Note (Schultz): The old (and, unfortunately, still often
quoted) adage, "More attacks come from the inside than outside," has
been untrue for years.]

TUTORIAL
 --Secure Installation and Configuration of Apache 1.3.x Web Server
(14 May 2003)
This article provides step-by-step instructions for installing and
configuring the Apache 1.3.x Web server. Advice includes enabling only
necessary modules, chrooting the server and configuring the software so
that its version number is hidden.
http://www.securityfocus.com/infocus/1694

==end==

NewsBites Editorial Board:
Kathy Bradford, Dorothy Denning, Roland Grefer, Stephen Northcutt, Alan
Paller, Marcus Ranum, Eugene Schultz, Gal Shpantzer
Guest Editor: Bruce Schneier

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
