SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #3
January 09, 2007
TOP OF THE NEWS
Revised Civil Procedure Rules Mean Companies Need to Retain More Digital Data
Cisco to Provide CVSS Scores in Advisories
AIB Corporate and Business Customers Get Security Devices
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Two Charged with Accessing Traffic Center Computers, Disabling Signals
Teen Faces Fine, Jail Time for Allegedly Running File Sharing Site
Singapore Man Faces Charges for Unauthorized Wireless Access and Making Threat
POLICY & LEGISLATION
VA Legislators to Introduce Data Breach Bill
SPYWARE, SPAM & PHISHING
Phishers Target UK Taxpayers
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
File Sharing Program Blamed for Data Leaks
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Cisco Fixes Clean Access Flaws
Microsoft Halves Number of Bulletins for January's Patch Tuesday
Acrobat Reader Flaw Allows Access to Hard Drive; Adobe to Release Patches This Week
Fix Available for OpenOffice Flaw
********************** Sponsored By Symark Software *********************
Security and compliance go hand-in-hand. How can you meet compliance requirements and guard against unauthorized access or theft of data? Learn how PowerBroker, the most widely used solution for systems administration and controlling Unix/Linux root privileges, helps you meet data privacy and compliance requirements. Download the FREE White Paper "PowerBroker vs. sudo."
http://www.sans.org/info/2786
*************************************************************************
SECURITY TRAINING UPDATE: Several of the hands-on immersion security training courses at SANS 2007 (San Diego, March 29 - April 4) are starting to fill up. If you want a place, register early. You'll also save hundreds of dollars if you do it in the next few weeks. Full Schedule (53 courses):
http://www.sans.org/sans2007/event.php
*************************************************************************
TOP OF THE NEWS
Revised Civil Procedure Rules Mean Companies Need to Retain More Digital Data (4 January 2007)
The revised Federal Rules of Civil Procedure, which took effect on December 1, 2006, broaden the types of electronic information that organizations may be asked to produce in court during the discovery phase of a trial. The new types of digital information include voice mail systems, flash drives and IM archives. This will place a burden on organizations to retain the data in the event it is needed in a legal case. Section V, Depositions and Discovery, Rule 34 of the Federal Rules of Civil Procedure reads, in part, "Any party may serve on any other party a request to produce and permit the party making the request, or someone acting on the requestor's behalf, to inspect, copy, test or sample any designated documents or electronically stored information - including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations stored in any medium from which information can be obtained ..."
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9007162&taxonomyId=17&intsrc=kc_top
-http://www.law.cornell.edu/rules/frcp/Rule34.htm
[Editor's Note (Honan): As the legal profession has become more aware of the wealth of information available to them in electronic format, e-discovery is becoming a major issue for organisations and in particular those who manage that information. As with all policies, processes and procedures it is best that you develop one now while you (arguably) have the time rather than make it up in response to an e-discovery request. Make sure to include how to deal with personal electronic devices such as PDAs and pen drives - hint: best to prohibit their use in a corporate environment in the first place. ]
Cisco to Provide CVSS Scores in Advisories (4 January 2007)
The Cisco Product Security Incident Response Team (PSIRT) plans to start including severity scores along with their security advisories. Cisco hopes the system will help users prioritize their patch management based on their particular environments. The severity score will be calculated according to the Common Vulnerability Scoring System (CVSS). Cisco will provide the base and temporal CVSS scores for vulnerabilities in all future advisories.
-http://www.vnunet.com/vnunet/news/2171804/cisco-signs-security-reporting
-http://www.huliq.com/4622/cisco-adds-severity-scores-to-psirt-security-advisories
[Editor's Note (Schultz): PSIRT has done the right thing. The severity scores that it produces will serve as metrics that will greatly help in determining the proper responses as well as the urgency in responding to security advisories. ]
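Base and temporal scores are only useful for prioritisation if you can compute and compare them yourself, for example to re-rank a batch of advisories once an exploit appears or a fix ships. The following is an added example, not part of the NewsBites text and not Cisco PSIRT tooling: a Python calculator for CVSS base and temporal scores that ranks a constructed list of advisories. It assumes the CVSS version 2 equations and metric weights (the item does not say which CVSS version Cisco will use); the advisory identifiers and vectors in the demo are made up for illustration.

```python
# Added example (not from the SANS NewsBites text or Cisco PSIRT): a CVSS v2 base and
# temporal score calculator, so advisories carrying CVSS vectors can be ranked locally.
# The equations and weights below are those of the CVSS v2 specification (assumed
# version); vectors and advisory IDs used in the demo are constructed for illustration.
import math

# CVSS v2 base metric weights
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# CVSS v2 temporal metric weights ("ND" = not defined, i.e. no adjustment)
EXPLOITABILITY = {"U": 0.85, "POC": 0.90, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}


def _round1(x):
    """CVSS rounds half up to one decimal; Python's round() is banker's rounding."""
    return math.floor(x * 10 + 0.5) / 10


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C' into a dict metric -> value."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if not name or not value:
            raise ValueError("malformed metric: %r" % part)
        metrics[name] = value
    return metrics


def base_score(metrics):
    """CVSS v2 base equation: 0.6*Impact + 0.4*Exploitability - 1.5, scaled by f(Impact)."""
    impact = 10.41 * (1 - (1 - IMPACT[metrics["C"]])
                        * (1 - IMPACT[metrics["I"]])
                        * (1 - IMPACT[metrics["A"]]))
    exploitability = 20 * (ACCESS_VECTOR[metrics["AV"]]
                           * ACCESS_COMPLEXITY[metrics["AC"]]
                           * AUTHENTICATION[metrics["Au"]])
    f_impact = 0 if impact == 0 else 1.176   # no impact at all scores 0.0
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def temporal_score(metrics):
    """CVSS v2 temporal equation; metrics absent from the vector count as ND."""
    t = (EXPLOITABILITY[metrics.get("E", "ND")]
         * REMEDIATION_LEVEL[metrics.get("RL", "ND")]
         * REPORT_CONFIDENCE[metrics.get("RC", "ND")])
    return _round1(base_score(metrics) * t)


def score(vector):
    """Return (base, temporal) for a vector string."""
    m = parse_vector(vector)
    return base_score(m), temporal_score(m)


def rank_advisories(advisories):
    """Order (advisory_id, vector) pairs by temporal score, highest first.

    Returns a list of (advisory_id, base, temporal) tuples.
    """
    scored = [(aid, *score(vec)) for aid, vec in advisories]
    return sorted(scored, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    # Constructed sample advisories with hypothetical IDs, not real PSIRT data.
    sample = [
        ("ADV-A", "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C"),   # remote root, fix out, no exploit
        ("ADV-B", "AV:N/AC:M/Au:N/C:P/I:P/A:P/E:F/RL:U/RC:C"),   # client-side bug, exploited, no fix
        ("ADV-C", "AV:L/AC:L/Au:S/C:N/I:N/A:P"),                 # local, authenticated DoS
    ]
    for aid, base, temporal in rank_advisories(sample):
        print("%s base=%.1f temporal=%.1f" % (aid, base, temporal))
```

The temporal metrics are where the prioritisation value lies: ADV-A has the highest base score, but an official fix and no known exploit pull its temporal score down, while ADV-B's functional exploit with no fix keeps its temporal score close to its base. Re-running the ranking when those temporal fields change is the "based on their particular environments" part of the news item.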
AIB Corporate and Business Customers Get Security Devices (5 January 2007)
AIB (the leading Irish banking and insurance company) has begun providing business and corporate online banking customers in Ireland and the UK with alphanumeric Digipass 550 transaction signature devices to help guard against fraudulent transactions. AIB is the first bank in the world to use these particular devices. The devices provide customers with one-time passcodes, e-signatures and host authentication to help ensure banking transaction security.-http://www.siliconrepublic.com/news/news.nv?storyid=single7574
************************** Sponsored Links: ***************************
1) Visit Utimaco and Lenovo at RSA Booth 531 to learn about our layered security solution.
http://www.sans.org/info/2791
2) AmbironTrustWave is a leading provider of information security and compliance management solutions, serving businesses worldwide.
http://www.sans.org/info/2796
3) Guard against security leaks! Detect rogue modems and network backdoors with our multi-line wardialer, PhoneSweep.
http://www.sans.org/info/2801
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Two Charged with Accessing Traffic Center Computers, Disabling Signals (8 & 6 January 2007)
Two Los Angeles transportation engineers have entered not guilty pleas to criminal charges for allegedly gaining unauthorized access to Los Angeles' traffic center computers. The two allegedly disconnected traffic signals at four busy intersections shortly before a labor union strike on August 21, 2006. The men have been released on their own recognizance on the conditions that they not access city computers or enter Department of Transportation facilities unless accompanied by their lawyers. One of the men is accused of one count of unauthorized access of a computer and identity theft; the other is accused of one count of unauthorized access of a computer and four counts of unauthorized disruption or denial of computer services. The actions did not cause any accidents, but it took the city days to get the traffic control system back to normal.
-http://cbs2.com/local/local_story_008145026.html
-http://www.latimes.com/news/local/politics/cal/la-me-trafficlights6jan06,1,1776756.story?coll=la-news-politics-california
[Editor's Note (Skoudis): Sometimes, people think of computer security as a glorified video game, downplaying its importance. But, at the interstitial points of computer networks and the Real World illustrated by this story, we can see how serious computer security can be. This is a good story to use for illustrating to management personnel how vital it is for us all to protect our computer networks from intruders.
(Schmidt): This is an instance where "penalty enhancements" if convicted should be applied. The danger imposed on the public based on these acts was significant even IF there were no accidents as a result of this action. ]
Teen Faces Fine, Jail Time for Allegedly Running File Sharing Site (5 January 2007)
A 16-year-old Norwegian boy who allegedly ran a file-sharing hub could face up to 60 days in jail and a fine of NOK4,000 (US$630). The teen allegedly used the Direct Connect P2P file sharing program to help make more than 150,000 songs, 7,000 movies and 20,000 video clips available for free downloading. His parents could also face a substantial fine to compensate those in the music and film industries for lost revenue.-http://www.theregister.co.uk/2007/01/05/norwegian_filesharer_charged/print.html
[Guest Editor Note (Giannoulis): An article discussing the management of P2P traffic using off the shelf network hardware has been posted on the Leadership Laboratory:
-http://www.sans.edu/resources/leadershiplab/controllingp2p.php
(Grefer): To put things in perspective, the average income in Norway is approx. US$45,000. ]
Singapore Man Faces Charges for Unauthorized Wireless Access and Making Threat (5 January 2007)
A Singapore man has been charged with accessing a wireless network and using that connection to post a bomb threat online. Lin Zhenghuang is facing 60 charges of illegal wireless network access; each count carries a maximum jail sentence of three years and a fine of as much as S$10,000 (US$6,510). Lin could also face additional penalties of up to seven years in prison and a fine of as much as S$50,000 (US$32,540) if he is convicted on the bomb threat charges.
-http://www.theage.com.au/news/Technology/Singaporean-faces-jail-for-tapping-wireless-network-to-make-bombthreat/2007/01/05/1167777273625.html
POLICY & LEGISLATION
VA Legislators to Introduce Data Breach Bill (7 January 2007)
Virginia state legislators plan to introduce a data security breach bill when the State Assembly convenes on Wednesday, January 10. The proposed legislation would require government and private agencies to notify individuals whenever their personal information has been accessed without authorization or stolen. The law would give state agencies one year to implement tightened database security.-http://www.wtopnews.com/index.php?nid=600&sid=1025457
[Editor's Note (Schmidt): I am sure the legislators are well meaning and looking to protect the public but trying to comply with 50 plus state data breach laws is a nightmare. If there is not consistency and harmonization of these laws we will be swamped in notifications until we are numb to them. One of the few times where federal preemption might be in order. While not a popular concept it would be much easier to comply with IF crafted properly. ]
SPYWARE, SPAM & PHISHING
Phishers Target UK Taxpayers (8, 4 & 3 January 2007)
Phishers have targeted UK taxpayers, sending phony email messages that appear to come from HM Revenue and Customs claiming the recipients are entitled to a GBP70 (US$136) refund. The email includes a link to what is supposed to be a form to fill out to get the refund. In a separate story, the US Computer Emergency Readiness Team (US-CERT) has warned that phishers are targeting US taxpayers.
-http://www.theregister.co.uk/2007/01/08/hm_revenue_phish/print.html
-http://www.vnunet.com/vnunet/news/2171829/phishers-look-happy-tax-season
-http://www.us-cert.gov/current/#irspham
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
File Sharing Program Blamed for Data Leaks (9 January 2007)
Between fiscal 2002 and the end of October 2006, there were 27 incidents in which members of Japan's Ground Self-Defense Force inadvertently exposed information through the Winny file-sharing program. Four additional incidents have been reported in FY 2006. In some cases, sensitive information was exposed.-http://www.yomiuri.co.jp/dy/national/20070109TDY01004.htm
[Editor's Note (Honan): According to the article the 27 leaks were from the personal computers belonging to members of the Japanese Ground Self-Defense Force. It strikes me that the bigger issue here is not the leaks via the Winny software but more so what was the leaked information doing on personal computers in the first place and what controls are in place to prevent this happening again? ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Cisco Fixes Clean Access Flaws (8 January 2007)
Cisco has fixed two vulnerabilities in its Clean Access networking software that could be exploited to access database files without authorization. Users can protect their systems by upgrading their Clean Access software to versions 3.4.6.2, 4.0.4 and 4.1.0 and later; Cisco has also made a patch available for those who choose not to upgrade at this time. Internet Storm Center Notes:
-http://isc.sans.org/diary.html?storyid=2000
-http://www.cisco.com/warp/public/707/cisco-sa-20070103-CleanAccess.shtml
-http://www.vnunet.com/vnunet/news/2172005/cisco-patches-flaws-clean
Microsoft Halves Number of Bulletins for January's Patch Tuesday (8 & 6 January 2007)
Microsoft has cut in half the number of security bulletins it plans to release on Tuesday, January 9. Last week, the software company announced it would release eight bulletins to address flaws in a variety of products; the notice on the Microsoft web site has been amended to say they will release four bulletins, three for Microsoft Office and one for Windows, at least two of which have severity ratings of critical. The bulletins that have been postponed were for Windows, Office and Visual Studio; three had severity ratings of important and one a severity rating of critical. A critical rating indicates a flaw could be exploited to run malicious code on vulnerable systems without any user interaction. Internet Storm Center Notes:
-https://isc.sans.org/diary.html?storyid=2003
-http://blogs.technet.com/msrc/archive/2007/01/04/january-2007-advance-notification.aspx
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9007438
-http://www.zdnet.co.uk/misc/print/0,1000000169,39285366-39001093c,00.htm
[Editor's Note (Skoudis): Last week, I lamented that these numbers were not going down. And, now they've been cut in half! However, holding back patches for flaws wasn't what I had in mind as a method of lowering these numbers. Seriously, though, if the patches need further testing and widespread exploitation is not yet occurring, it is a reasonable policy to hold a patch for longer. ]
Acrobat Reader Flaw Allows Access to Hard Drive; Adobe to Release Patches This Week (8 & 5 January 2007)
The recently disclosed flaw in Adobe Acrobat Reader presents a greater risk than previously believed. At first, it was thought that the flaw, which can be exploited with malicious JavaScript, could expose users to phishing attacks and allow attackers to access web-related information. Now it appears that the flaw could be exploited to gain access to all files on users' hard drives. Adobe plans to issue patches for the vulnerability this week.
-http://www.usatoday.com/tech/products/cnet/2007-01-05-pdf-risk_x.htm
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=278323&source=rss_topic17
[Editor's Note (Grefer): Apparently this flaw only affects Adobe Reader and Acrobat Versions 7.0.8 and older running in Firefox, and Adobe 6.x and older versions running in Internet Explorer. According to Pam Deziel, director of Adobe's platform business unit, users can "address the issue immediately" by upgrading to Adobe Reader 8 and Acrobat 8. ]
Fix Available for OpenOffice Flaw (5 & 4 January 2007)
OpenOffice.org has issued a patch for a buffer overflow flaw in the way the application suite handles .wmf files. The vulnerability could be exploited to execute malicious code on vulnerable systems. Users have the option of installing a patch by replacing the problematic file with a new one available on the OpenOffice web site, or by upgrading to OpenOffice 2.1.
-http://www.zdnet.co.uk/misc/print/0,1000000169,39285348-39001093c,00.htm
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9007101
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/