SANS NewsBites Vol. 6 Num. 18

From: The SANS Institute (NewsBites@sans.org)
Date: Wed May 05 2004 - 13:22:19 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*************************************************************************
SANS NewsBites May 5, 2004 Vol. 6, Num. 18
*************************************************************************

TOP OF THE NEWS
  Sasser Variants Spreading
  Sasser is Possible Culprit in Australian Train Outage
  Legislators Want Answers on Cyber Security
  Legislators Plan to Address Spyware
  FTC Brings First Charges Under Can-Spam Act

SECURITY AND ELECTRONIC VOTING
  California Secretary of State Bans Touchscreen Voting Machines in Four Counties
  Irish Commission Recommends Against Electronic Voting for Now
  Voting Concerns Groups Want Legislation Requiring Paper Trail

THE REST OF THE WEEK'S NEWS
  DHS Publishes Incident Response and Reporting Guidelines
  DHS and NSF Fund Security Research Test Bed
  Student Pleads Guilty to Computer Misuse Charges in Theft Case
  Alleged Government Web Site Defacer Charged
  Looming Sarbanes-Oxley Deadlines Have Firms Scrambling for Skilled Auditors
  IRS Warns of Phishing Scam
  Australian Tax Office Warns of Virus-Laden Phony eMail
  Wireless Phones Vulnerable to Assortment of Attacks
  UK's National Hi-Tech Crime Unit Arrests Alleged Phisher
  Service Pack 2 for Windows XP Release Delayed Until Third Quarter
  Barnesandnoble.com Reaches Agreement in Customer Data Exposure Case
  Patch Causes Windows Slowdowns
  Survey Says Cost of Breaches is Down in UK, But Volume is Up
  Security Training and Certification are Wise Investments
  Microsoft Rethinks External Patch Testing
  SSL Flaw Being Used to Attack Bank Systems
  Team of Mathematicians Gets to Root of RSA Encryption

VULNERABILITY UPDATES AND EFFECTS
  Apple Issues Patch for QuickTime Flaw
  Bagle.AA, NetSky.AB Emerge
  Worm Exploits Windows SSL Vulnerability
  Bagle Reaches the End of the Alphabet

******** Sponsored by LURHQ Managed Security Services *****************

LURHQ empowers security professionals by forming a true partnership with
clients to achieve Threat Management. A true partnership requires
transparent service delivery, real-time enterprise security visibility
and no security product conflicts of interest. Download our "11
Elements of a Successful MSS Partnership" to see why we are the leader
in MSS for security professionals.
 
http://www.lurhq.com/MSS-Partnership.html

*************************************************************************
Highlighted Training Programs Of The Week
1. SANS Security Bootcamp (May 9-16 in Baltimore) will be one of the
best training opportunities of the year - smaller classes, plus evening
bootcamps. You won't find a better opportunity for immersion training.
http://www.sans.org/bootcamp04

2. SANSFIRE offers you 14 immersion training tracks in one of the most
beautiful and romantic places in America -- Monterey California - in
early July. Phenomenal training for auditors who want to master the
challenges of security auditors, managers who want to build a great
security program, beginners who want to get a fast start, and, of
course, the only place to go for technologists who want to master the
most current methods for protecting systems and networks. SANSFIRE also
offers lots of evening programs, extra one-day classes ranging from
Business Law to Cyberwarrior training, and vendor exhibits, too.

Register soon to get a seat at your choice of courses.
http://www.sans.org/sansfire2004
*************************************************************************

TOP OF THE NEWS
 --Sasser Variants Spreading
(3 May 2004)
At least three versions of the Sasser worm are circulating on the
Internet. Sasser exploits a vulnerability in the Local Security
Authority Subsystem Service (LSASS) of certain editions of Windows.
http://www.eweek.com/print_article/0,1761,a=125859,00.asp
http://www.computerworld.com/printthis/2004/0,4814,92851,00.html
http://isc.sans.org/diary.php?date=2004-05-01
http://isc.sans.org/diary.php?date=2004-05-02

 --Sasser is Possible Culprit in Australian Train Outage
(3 May 2004)
The Sasser worm may be responsible for an outage that stranded as many
as 300,000 Sydney train commuters on Sunday.
http://www.news.com.au/common/printpage/0,6093,9454774,00.html
http://australianit.news.com.au/common/print/0,7208,9455677%5E15318%5E%5Enbv%5E,00.html
[Editor's Note (Ranum): Repeat after me: put mission critical systems
on isolated networks. Put mission critical systems on isolated networks.
Is this so hard to understand?
(Shpantzer): One of the earlier casualties of note for this worm is a
UK Coast Guard facility where they switched to manual tracking via
plotting ship movements on paper charts, instead of computerized
mapping, for several hours. "But search and rescue operations have not
been affected."
(Schneier): The computer systems we use on our desktops are not reliable
enough for critical applications like controlling trains. Neither is
the Internet. The more we rely on them in our critical infrastructure,
the more vulnerable we become. The more our systems become
interconnected, the more vulnerable we become.]

 --Legislators Want Answers on Cyber Security
(3 May 2004)
Legislators are growing increasingly frustrated with what they see as
a lack of progress and strong leadership regarding the nation's cyber
security. At a recent House subcommittee hearing, representative Adam
Putnam (R-Fla.) grilled OMB administrator of e-government and
information technology Karen Evans on the specifics of the effectiveness
of OMB's budget guidance. Earlier this year, Senator Joseph Lieberman
(D-Conn.) wrote a letter to DHS secretary Tom Ridge describing the
National Strategy to Secure Cyber Space as "vague and weak." Just last
week, members of the House Select Committee on Homeland Security also
wrote to Secretary Ridge, asking him for a "detailed plan linking the
department's program to the cyber space strategy." The letter also
asked him to comment on the National Cyber Security Division's placement
and effectiveness within the DHS. The letter requests a response by
May 10.
http://www.fcw.com/fcw/articles/2004/0503/pol-cyber-05-03-04.asp
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=25781
[Editor's Note (Ranum): DHS may be the scapegoat in this scenario. Since
they have no enforcement authority and can't order government agencies
to change their practices, they aren't likely to accomplish anything in
their mission.]

 --Legislators Plan to Address Spyware
(28 April 2004)
Two anti-spyware bills are being prepared in the US House of
Representatives. One bill, sponsored by Representative Jay Inslee
(D-Wash.) would charge spyware authors with criminal penalties and allow
state attorneys general to bring civil cases. The other, sponsored by
Representative Mary Bono (R-Calif.), would ban spyware that does not
obtain specific end-user consent and provide a warning before
installing; it would also grant the Federal Trade Commission power to
create regulations requiring companies to allow spyware and adware to
be uninstalled. Both bills would preempt existing state laws.
http://zdnet.com.com/2102-1104_2-5201819.html?tag=printthis
[Editor's Note (Schneier): I expect that legislation will work against
spyware about as well as CAN-SPAM is working against spam. The solution
is to build operating systems that aren't vulnerable to foreign
executables.
(Grefer): As witnessed with the (I) CAN-SPAM Act, preemption of existing
state laws is not always the smartest idea. In a lot of cases it would
be more beneficial if Federal law provided for a minimum standard, but
would leave the option for more restrictive/stringent state law(s).]

 --FTC Brings First Charges Under Can-Spam Act
(30/29/28 April 2004)
Federal authorities have charged four Detroit-area men under the
Can-Spam Act; this is the first case in which the new law has been
invoked. The four are accused of hiding their identities while sending
huge quantities of unsolicited commercial email. The FTC has also filed
charges against an Australian concern that is allegedly responsible for
large quantities of spam in the US.
http://www.usatoday.com/tech/news/2004-04-28-spam-charges-filed_x.htm
http://www.computerworld.com/printthis/2004/0,4814,92756,00.html
http://www.news.com.au/common/printpage/0,6093,9429772,00.html
http://www.infoworld.com/article/04/04/29/HNcanspam%20_1.html

************************ SPONSORED LINKS ******************************
Privacy notice: These links may redirect to non-SANS web pages.

(1) FREE WHITE PAPER: Control spam, viruses, phishing. "Selecting an
     Email Security Solution"
http://www.sans.org/click.php?id=426

(2) Security information management systems facilitate Sarbanes-Oxley
     compliance.
Request white paper at http://www.sans.org/click.php?id=427

(3) Knowledge Improves Security.
     Visit www.securitywhitepaper.com
     for a complimentary white paper from Microsoft.
http://www.sans.org/click.php?id=428

***********************************************************************

SECURITY AND ELECTRONIC VOTING

 --California Secretary of State Bans Touchscreen Voting Machines in
    Four Counties
(1 May 2004)
California Secretary of State Kevin Shelley has decided to ban the use
of touchscreen voting machines in four counties and may extend the ban
to cover ten more counties if they fail to meet certain conditions.
http://edition.cnn.com/2004/ALLPOLITICS/04/30/electronic.voting.ap/index.html
[Editor's Note (Schultz): Diebold didn't seem to take the security
issues that had been raised very seriously until it became apparent that
some of its voting systems were about to be banned. Then suddenly
Diebold issued an apology, professing eagerness to fix the problems
found in some of its systems, but this didn't stop California Secretary
of State Shelley from banning the use of these systems in several
counties. Sooner or later companies wake up to the fact that ignoring
security doesn't pay.]

 --Irish Commission Recommends Against Electronic Voting for Now
(30 April 2004)
Ireland's Commission on Electronic Voting has published an interim
report on electronic voting, recommending that the government "not
implement the system" because it is constantly being updated and
therefore cannot be accurately tested for reliability. In the report,
the Commission said that before it could be in favor of electronic
voting, there would need to be "a final definitive version of the
software and all related software and hardware components, and a full
independent review and testing of the final source code." The
commission also wants the system to be tested in parallel with a paper
ballot, preferably "in a live electoral context."
http://www.theregister.co.uk/2004/04/30/ireland_evote/print.html
[Editor's Note (Schultz): Ireland is approaching the issue of electronic
voting in a systematic, careful manner, providing an excellent role
model for other countries that are considering using electronic voting.
For better or for worse, electronic voting is inevitable in most nations
around the world, but rushing into it (as certain nations have done)
without the type of scrutiny that Ireland is performing is a huge
mistake.]

 --Voting Concerns Groups Want Legislation Requiring Paper Trail
(28 April 2004)
Two voting concerns groups are encouraging Congress to enact legislation
that would require electronic voting machines to provide paper audit
trails to allow recounts. VerifiedVoting.org and Common Cause want
Congress to move ahead with the Voter Confidence and Accessibility Act
to make electronic voting systems accountable; the bill would allow
voters to view paper versions of their ballots before they leave polling
places but would not allow them to take them home.
http://www.computerworld.com/printthis/2004/0,4814,92731,00.html
http://www.security-survey.gov.uk/
http://www.zdnet.co.uk/print/?TYPE=story&AT=39153186-39020330t-10000025c

THE REST OF THE WEEK'S NEWS
 --DHS Publishes Incident Response and Reporting Guidelines
(30 April 2004)
The US Department of Homeland Security has issued "The Incident Response
and Reporting Guidelines." The publication describes possible symptoms
of a cyber intrusion or infection, and offers guidelines for reporting
suspicious cyber events. FedCIRC, which is part of the DHS National
Cyber Security Division, has both telephone and online alert hotlines.
FedCIRC will use the information it collects from the hotlines to build
a threat database to deepen their understanding of the "threats" and
possibly issue warnings to other agencies.
http://www.pcworld.com/resource/printable/article/0,aid,115955,00.asp
[Editor's Note (Schultz): NIST just came out with a superb set of
guidelines on the same subjects not too many months ago. Isn't anyone
in the US government looking for ways to avoid duplication of effort?]

 --DHS and NSF Fund Security Research Test Bed
(3 May 2004)
The Department of Homeland Security and the National Science Foundation
have provided US$10.8 million to develop a national test bed for
Internet security research. An array of 64 nodes is running at the
University of Southern California's Information Sciences Institute in
Los Angeles; ultimately, the goal is to have 1,000 nodes with additional
sites in Berkeley, California and in Virginia.
http://gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=25798

 --Student Pleads Guilty to Computer Misuse Charges in Theft Case
(3 May 2004)
A Vietnamese student studying computer engineering in Singapore has
pleaded guilty to charges of computer misuse for sending friends a
keystroke logging program hidden in a game, and using the information
he reaped from that program to steal money from another student. Nguyen
Van Phi Hung faces a fine of up to SGD$50,000 and a ten-year jail
sentence for three of the four charges; the fourth charge carries a
maximum fine of SGD$10,000 and a three-year jail sentence.
http://australianit.news.com.au/common/print/0,7208,9456274%5E15322%5E%5Enbv%5E,00.html

 --Alleged Government Web Site Defacer Charged
(3 May 2004)
Twenty-two-year-old Benjamin Stark of Florida has been charged in
federal court for his part in a spate of US government web site
defacements. Stark and a cohort, who called themselves "The Deceptive
Duo," placed messages on the sites urging the government to address
cyber security of the nation's critical infrastructure. The form of
the charges indicates that Stark may have made a plea agreement with
prosecutors. Stark has also been charged with selling credit card
numbers in an IRC chat room in June 2001.
http://www.securityfocus.com/printable/news/8559

 --Looming Sarbanes-Oxley Deadlines Have Firms Scrambling for Skilled Auditors
(3 May 2004)
The approach of the first wave of Sarbanes-Oxley compliance deadlines
has companies scrambling to find auditors with enough knowledge,
experience and expertise to gather the documentation required by section
404 of the financial reporting law.
http://www.computerworld.com/printthis/2004/0,4814,92819,00.html

 --IRS Warns of Phishing Scam
(1 May 2004)
The US Internal Revenue Service has issued a warning about a phishing
scam that tells people they are the subjects of tax investigation and
encourages them to visit a web site and provide personal information
such as credit card and Social Security numbers to dispute the
allegations.
http://edition.cnn.com/2004/TECH/internet/04/30/identity.theft.ap/index.html

 --Australian Tax Office Warns of Virus-Laden Phony eMail
(30 April 2004)
The Australian Tax Office (ATO) has issued a warning about forged emails
that purport to be from the ATO and may contain a virus. In addition,
the National Australia Bank has warned of forged emails that can trick
people into downloading a keystroke logging program onto their machines.
http://australianit.news.com.au/common/print/0,7208,9423066%5E15306%5E%5Enbv%5E,00.html

 --Wireless Phones Vulnerable to Assortment of Attacks
(30 April 2004)
A Times (UK) investigation found that numerous mobile phones used at
some of Britain's largest companies were susceptible to a variety of
attacks, including downloading text messages and phone lists as well as
manipulating the phones to act as listening devices.
http://business.timesonline.co.uk/article/0,,8209-1092789,00.html

 --UK's National Hi-Tech Crime Unit Arrests Alleged Phisher
(29 April 2004)
The UK's National Hi-Tech Crime Unit (NHTCU) has arrested a man who
allegedly targeted customers of an online banking service with a
phishing scam. The NHTCU says it is also investigating organized
criminal gangs suspected of being behind large scale phishing
operations.
http://news.bbc.co.uk/2/hi/uk_news/3668941.stm

 --Service Pack 2 for Windows XP Release Delayed Until Third Quarter
(29 April 2004)
Service Pack 2 for Windows XP, which was due to be released in the first
half of 2004, now will not be released until July, according to a
company spokesman, because it does not yet meet company standards. In
addition to the usual fixes and updates, SP2 will alter the operating
system's software to improve its security.
http://www.computerworld.com/printthis/2004/0,4814,92740,00.html
http://www.crn.com/Components/printArticle.asp?ArticleID=49808

 --Barnesandnoble.com Reaches Agreement in Customer Data Exposure Case
(29 April 2004)
Barnesandnoble.com has reached an agreement with New York State Attorney
General Eliot Spitzer regarding a vulnerability on the site which
exposed customers' names, billing addresses and account information.
The problem stemmed from the site's "cookieless" shopping. Under the
terms of the agreement, Barnesandnoble.com will pay $60,000 (USD) in
costs and fines, establish an information security program, and hire an
external auditor to ensure the company is complying with the agreement.
http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=4990565&section=news
http://www.computerworld.com/printthis/2004/0,4814,92804,00.html

 --Patch Causes Windows Slowdowns
(29 April 2004)
A recently released Microsoft patch for Windows apparently slows down
some machines that are running Windows 2000.
http://www.computerworld.com/printthis/2004/0,4814,92757,00.html
[Editor's Note (Tan): To patch or not to patch, that is the question.]

 --Survey Says Cost of Breaches is Down in UK, But Volume is Up
(28 April 2004)
According to the Department of Trade and Industry's 2004 Information
Security Breaches Survey, the average cost of serious security incidents
dropped from GBP 30,000 in 2002 to just GBP 10,000 in 2004. However,
the number of incidents is on the rise. While information security
spending has increased, most companies responding to the survey viewed
it as a cost rather than as an investment.
http://www.theregister.co.uk/2004/04/28/dti_security_survey/print.html

 --Security Training and Certification are Wise Investments
(28 April 2004)
According to a Computing Technology Industry Association (CompTIA)
study, companies that invest in security training and certification for
their employees are less likely to suffer major security violations than
those that don't. In addition, the companies surveyed said that
vendor-neutral training and certification was better than that focused
on a specific vendor.
http://www.idg.com.hk/cw/printstory.asp?aid=20040428001

 --Microsoft Rethinks External Patch Testing
(28 April 2004)
Though Microsoft announced last year that it might introduce an external
patch testing system, a year later, Microsoft UK CSO Stuart Okin
expressed concern that such an arrangement could allow less-than-honest
people to obtain and reverse-engineer the patches, allowing them to
create exploits for unpatched vulnerabilities.
http://www.theregister.co.uk/2004/04/28/ms_testing_u-turn1/print.html

 --SSL Flaw Being Used to Attack Bank Systems
(27 April 2004)
According to Internet Security Systems, attackers are attempting to
exploit an SSL vulnerability in Microsoft Windows to break into banks
and other financial institutions in Australia.
http://www.smh.com.au/articles/2004/04/27/1082831541968.html

 --Team of Mathematicians Gets to Root of RSA Encryption
(27 April 2004)
A team of eight European and North American mathematicians using 100
workstations took three months to crack RSA Security's most recent
encryption puzzle. The team won a $10,000 (USD) prize for figuring out
the two prime numbers used to generate eight other values in RSA's
576-bit encryption. Typical products use 1024-bit keys; the next
challenge will involve a 640-bit key.
http://news.com.com/2102-7355_3-5201037.html?tag=st.util.print

VULNERABILITY UPDATES AND EFFECTS

 --Apple Issues Patch for QuickTime Flaw
(30 April 2004)
http://zdnet.com.com/2102-1105_2-5203525.html?tag=printthis

 --Bagle.AA, NetSky.AB Emerge
(28 April 2004)
http://www.eweek.com/print_article/0,1761,a=125626,00.asp
[Editor's Note (Tan): And now the authors of Netsky claim to also have
authored the Sasser worm,
http://zdnet.com.com/2100-1105_2-5204930.html]

 --Worm Exploits Windows SSL Vulnerability
(27 April 2004)
http://www.eweek.com/print_article/0,1761,a=125527,00.asp

 --Bagle Reaches the End of the Alphabet
(26 April 2004)
http://zdnet.com.com/2102-1105_2-5200017.html?tag=printthis

===end===

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz,
Gal Shpantzer, Koon Yaw Tan
Guest Editor: Eugene Spafford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQFAmMh2+LUG5KFpTkYRAjeMAJ9OKwjkZUjQ3cNjPw75IImYJoFuAQCfbV6l
MRKDtYHwS8ds/gIgpt9Eyt8=
=yjK/
-----END PGP SIGNATURE-----