SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #43
October 27, 2004
Attention readers who have recently earned CISSP certification from (ISC)2, or CISA certification from ISACA, or Security+ certification from CompTIA. If you attended an outstanding test preparation course (in any language), please introduce your instructor to us (email info@sans.org with subject Instructors). SANS is developing a huge new global initiative to expand access to effective courses for the three certification programs. The opportunity for wonderful teachers is very substantial.
Alan
TOP OF THE NEWS
Average Home User's PC Rife with Spyware, Weak on Security, Too
User Education Is A Flawed Strategy For Protecting Computer Users From Internet Scams
UC Berkeley and FBI Investigating Intrusion, Possible Data Compromise
Seoul Government Bans Internet [Instant] Messenger services
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCING
53 Arrested in Brazilian Phishing Case
Man sentenced to 2 1/2 Years in Prison for Accessing Computer Systems without Authorization
12 Arrests Made in Hong Kong Phishing Scheme
LEGISLATION
Singapore Likely to Increase Penalties for Piracy
SPAM & PHISHING
Judge Issues Restraining Order Against Alleged Spammer
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Malware Targets Mac OS X
Red Hat Warns of Phony Patch Messages
Google Script Injection Vulnerabilities
IE Flaws Can Bypass SP2 security
.Zip Archive Header Parsing Flaw in Multiple AV Products
STATISTICS, STUDIES AND SURVEYS
Just 5 Botnets Responsible for All Phishing Attacks, According to Research
MISCELLANEOUS
Microsoft Revises SenderID, AOL Back On Board
Officials Investigating Purdue University Computer Intrusion
Avoiding Log Analysis Mistakes
Talking to CEOs About Security
McAfee Awarded Patent for Malware Detection
******************* Sponsored by Check Point ****************************
Your internal network is vulnerable. Worms, spyware, Trojan horses, and other security threats require proactive solutions built specifically for internal protection.
Download this free Internal Security Information Kit which includes fact-filled white papers from META Group and Check Point, a special Flash demo, and much more.
Get a wealth of valuable information, free! Download now. http://www.sans.org/info.php?id=625
*************************************************************************
Highlighted Cybersecurity Training: Washington, DC, Dec. 7-13, 2004
SANS best instructors will be in DC teaching great courses for
**Auditors who want the technical skills so critical to successful audits.
**Security Managers interested in best practices and SANS exclusive "security make-over"
**Security professionals seeking CISSP (a trademark of (ISC)2) certification who want a more effective course.
**Technical security professionals with hands-on responsibility: Hacker Exploits; Intrusion Detection In-Depth; Introduction to Information Security; SANS Security Essentials; Firewalls, VPNs, and Perimeter Protection; Securing Windows; Securing Unix/Linux; System Forensics, Investigation & Response; .Net Security.
Early registration deadline is this Friday: Details: http://www.sans.org/cdieast04
*************************************************************************
TOP OF THE NEWS
Average Home User's PC Rife with Spyware, Weak on Security, Too (25 October 2004)
A survey from America Online and the National Cyber Security Alliance found that the average home user's PC is not as secure as its owner may think. The survey included an inspection of the computers belonging to 329 respondents. Although 77% of the participants said they believed they were protected from security threats, two-thirds lacked the combination of current antivirus software and a firewall, though 85% had antivirus software installed. 72% used their computers to conduct sensitive personal business, such as banking or the transmission of medical information. The inspections found that 80% of the computers contained multiple spyware programs, and 20% were infected with a virus.
-http://www.usatoday.com/tech/news/2004-10-25-internet-security_x.htm
-http://www.pcworld.com/resource/printable/article/0,aid,118311,00.asp
-http://www.washingtonpost.com/ac2/wp-dyn/A60199-2004Oct25?language=printer
(site requires free registration)
[Editor's Note (Schultz): This survey shows that the recommendations for critical infrastructure protection concerning security among home users could not have been more correct. ]
User Education Is A Flawed Strategy For Protecting Computer Users From Internet Scams (25 October 2004)
Jakob Nielsen, one of the "Internet's foremost experts in Web usability" (according to Business Week) and number six on ZDNet's "The Web's Ten Most Influential People," calls for a change in policy to thwart Internet scams, saying, "User education is not the answer to security problems." A strategy that relies on user education, Nielsen argues, puts the burden on the wrong shoulders; the only real solution is to make security a built-in feature of all computing elements.
-http://www.useit.com/alertbox/20041025.html
[Editor's Note (Paller): Walt Mossberg of the Wall Street Journal said nearly the same thing a few months ago, calling on vendors like Microsoft to "stop blaming the users." A columnist in another national newspaper called on users to get angry. The solution to this problem is entirely in the hands of governments and large users throughout the world. When they demand built-in security as a minimum qualification for bidding, vendors will fall all over each other to deliver safer systems to them. That will lead to smaller buyers finding safer systems for sale. ]
UC Berkeley and FBI Investigating Intrusion, Possible Data Compromise (22/21/20 October 2004)
University of California, Berkeley officials, along with the FBI, are investigating a computer intrusion that may have exposed personal details of as many as 1.4 million California residents. The compromised data was collected by a student researching the impact of wages on in-home care and includes names, social security numbers, addresses and dates of birth. The state of California had authorized the use of the data in the study, but the individuals involved had not given their consent. The California Department of Social Services has warned residents that their information may have been compromised. The attackers exploited a known vulnerability in an unnamed, commercially available database product.
-http://www.berkeleydaily.org/text/article.cfm?issue=10-22-04&storyID=19930
-http://www.securityfocus.com/printable/news/9758
-http://www.computerworld.com/printthis/2004/0,4814,96816,00.html
-http://www.computerworld.com/printthis/2004/0,4814,96793,00.html
-http://www.nwfusion.com/news/2004/1020califdisc.html
-http://www.eweek.com/print_article/0,1761,a=137660,00.asp
[Editor's Note (Ranum): This illustrates one of the big problems inherent in controlling the security of crucial data: knowing where it has been migrated or snapshotted. With today's lightweight databases, it's very easy for a researcher to have a "local" copy of something that should be well-protected and isn't. ]
Seoul Government Bans Internet [Instant] Messenger services (22 October 2004)
The Seoul (South Korea) Metropolitan Government has prohibited its employees from using Internet instant messaging and chat services and from connecting to "harmful Internet sites," in order to protect internal information from leaking.
-http://english.chosun.com/w21data/html/news/200410/200410220031.html
[Editor's Note (Schultz): Like it or not, this is going to be increasingly commonplace in the future. The risks of allowing Internet messaging services generally outweigh the job-related advantages, and the risks are likely to keep growing. ]
************************** SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) ALERT: ARE YOU VULNERABLE TO A 'SQL INJECTION' ATTACK? FREE Product Trial http://www.sans.org/info.php?id=629
(2) Register to hear Simple Nomad discuss "Internal Security: Threat Identification and Remediation" http://www.sans.org/info.php?id=630
(3) Participating in the SANS Earn and Learn Program is an excellent way to obtain a SANS Education at discount. Learn more at http://www.sans.org/info.php?id=631
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCING
53 Arrested in Brazilian Phishing Case (21 October 2004)
Brazilian police have arrested 53 people in four northern Brazilian states on phishing charges. In all, they allegedly stole US$30 million; one third of those arrested had previously been arrested for similar offenses.
-http://www.vnunet.com/news/1158910
[Editor's Note (Shpantzer): This and other hacking-for-profit stories in today's NewsBites illustrate how cyberspace is affecting criminal behavior via expanded opportunity for mischief. Two years ago a law professor wrote a fascinating paper describing how the internet would affect the evolution of organized crime as it discovers and exploits the internet. Terrific blend of history and criminology, as well as a sneak peek at possible future models for organized cybercrime.
-http://www.jolt.unc.edu/Vol4_I1/Web/Brenner-V4I1.htm ]
Man sentenced to 2 1/2 Years in Prison for Accessing Computer Systems without Authorization (19 October 2004)
Daniel Baas has been sentenced to 2 1/2 years in prison for breaking into business and law firm computer systems to access legal documents, financial data and other material, which he copied for himself. Baas pleaded guilty to unauthorized computer access. He is also awaiting sentencing for his role in breaking into Acxiom Corp.'s computer system.
-http://www.cincypost.com/2004/10/19/baas101904.html
12 Arrests Made in Hong Kong Phishing Scheme (18 October 2004)
Law enforcement officials have arrested 12 people in connection with a phishing scheme in Hong Kong that allegedly resulted in the loss of HK$600,000 (approximately US$77,000). Six of the suspects have been charged with theft and face sentences of up to 10 years in jail if they are convicted.
-http://www.theregister.co.uk/2004/10/18/hk_phishing/print.html
LEGISLATION
Singapore Likely to Increase Penalties for Piracy (20 October 2004)
Singapore's parliament is considering amendments to the country's Copyright Act which would impose a maximum sentence of 6 months in jail and a fine of S$20,000 (US$12,000) on people convicted of Internet piracy for the first time. Repeat offenders would face three years in jail and fines of S$50,000 (US$30,000). The amendments are likely to pass in mid-November and become law on January 1, 2005.
-http://australianit.news.com.au/common/print/0,7208,11127694%5E26199%5E%5Enbv%5E15306%2D15319,00.html
[Editor's Note (Paller, Tan): Singapore is one of the countries that seriously enforces laws against piracy. The larger fines will make people think twice before sharing copyrighted music and other files.
(Grefer): To put these numbers into perspective, the average household income in 2000 was around S$60,000 (US$36,000). ]
SPAM & PHISHING
Judge Issues Restraining Order Against Alleged Spammer (24 October 2004)
US District Judge Joseph DiClerico has issued a restraining order against Sanford Wallace, known as the "Spam King," and his companies, ordering them to disable their spyware programs. A hearing is scheduled for November 9, 2004.
-http://australianit.news.com.au/common/print/0,7208,11172502%5E15331%5E%5Enbv%5E15306%2D15318,00.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Malware Targets Mac OS X (25 October 2004)
The malware known as Opener or Renepo-A is a Mac OS X rootkit that includes a keystroke logger and backdoors. Opener is a shell script that requires superuser privileges for installation, and it is not spreading.
-http://www.theregister.co.uk/2004/10/25/mac_rootkit_opener/
Red Hat Warns of Phony Patch Messages (25/23 October 2004)
Red Hat has published a warning about phony security alerts circulating on the Internet; the messages purport to be a Red Hat patch for a critical vulnerability but in fact contain malicious code. Red Hat says all of its updates are digitally signed and that the signature should be verified before anything is installed.
-http://www.computerworld.com/printthis/2004/0,4814,96916,00.html
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39164067-2000061744t-10000005c
-http://www.redhat.com/security/
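Red Hat's advice is the whole defence here: install nothing that did not verify. The Python below is an added example (this editor's, not Red Hat's tooling) of a gate that reads `rpm --checksig` output and refuses anything that is merely digest-checked, unsigned, or signed by a key that has not been imported. The sample lines are constructed to resemble the rpm output format of that period; the format itself is an assumption to confirm against your own rpm version.

```python
import re

# Constructed sample lines in the shape of `rpm --checksig` (rpm -K) output on
# Red Hat systems of that period. The format is assumed from that era's rpm;
# check the rpm manual on your own system before relying on it.
SAMPLE_CHECKSIG = [
    "kernel-2.4.21-20.EL.i686.rpm: (sha1) dsa sha1 md5 gpg OK",
    "openssl-0.9.7a-33.12.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#db42a60e)",
    "hotfix-critical-1.0-1.i386.rpm: sha1 md5 OK",
    "hotfix-urgent-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 gpg NOT OK",
]

LINE_RE = re.compile(r"^(?P<pkg>[^:]+): (?P<checks>.*?)\s*(?P<verdict>NOT OK|OK)(?P<note>.*)$")
SIGNATURE_TOKENS = ("gpg", "pgp", "dsa", "rsa")


def classify(line):
    """Decide install/reject for one line of rpm --checksig output.
    'install' requires a verified signature, not merely matching digests."""
    m = LINE_RE.match(line.strip())
    if not m:
        return (line.strip(), "reject", "unparseable rpm --checksig output")
    pkg, checks, note = m["pkg"], m["checks"].lower(), m["note"].lower()
    if m["verdict"] != "OK":
        if "missing keys" in note:
            return (pkg, "reject", "signed with a key not in the rpm keyring; "
                                   "import it only after checking its fingerprint")
        return (pkg, "reject", "signature or digest verification failed")
    if not any(tok in checks for tok in SIGNATURE_TOKENS):
        # md5/sha1 alone show the file is what the sender built, not who built it.
        return (pkg, "reject", "unsigned: digests only")
    return (pkg, "install", "signature verified against an imported key")


def gate(lines):
    """Apply classify() to every line; returns a list of (package, decision, reason)."""
    return [classify(l) for l in lines]


if __name__ == "__main__":
    for pkg, decision, reason in gate(SAMPLE_CHECKSIG):
        print("%-8s %-40s %s" % (decision, pkg, reason))
```

The caveat it encodes: rpm can print "OK" for an unsigned package whose md5/sha1 digests are intact, so grepping for "OK" is not a signature check. Import the vendor key from a trusted source and compare its fingerprint before any package signed with it is allowed through.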
Google Script Injection Vulnerabilities (21 October 2004)
Google has patched one script injection vulnerability in its search engine, and planned to have a second one patched by Thursday, October 21. The vulnerabilities could be exploited to modify the appearance of the Google search results page, steal search data and trick people into believing they were viewing trusted content.
-http://news.zdnet.com/2102-1009_22-5420211.html?tag=printthis
-http://www.nwfusion.com/news/2004/1021googlpatch.html
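The articles above do not spell out Google's injection points, so as an added illustration (this editor's example, not code from Google or from the articles) the Python below contrasts a reflected search term passed through a tag blacklist with the same term passed through contextual output encoding. The results-page template, the queries and the detector are all constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample queries (the payloads used against Google were not
# published in the articles; these are generic illustrations).
QUERIES = [
    "sans newsbites",
    "<scr<script>ipt>alert(1)</scr</script>ipt>",   # defeats a one-pass tag filter
    '" onmouseover="alert(document.cookie)',         # attribute injection, no angle brackets
]

# Hypothetical results-page fragment: the query lands in an attribute and in a text node.
TEMPLATE = '<input name="q" value="%s">\n<p>Results for %s</p>'


def render_naive(query):
    """Vulnerable: a blacklist that strips literal <script> tags once, then
    reflects the result into both contexts unchanged."""
    cleaned = query.replace("<script>", "").replace("</script>", "")
    return TEMPLATE % (cleaned, cleaned)


def render_escaped(query):
    """Hardened: encode on output for the context the value lands in.
    html.escape(quote=True) neutralises <, >, &, " and ', which covers both
    the double-quoted attribute and the text node used by this template."""
    safe = html.escape(query, quote=True)
    return TEMPLATE % (safe, safe)


class TagCollector(HTMLParser):
    """Records every start tag and its attribute names, as a browser would see them."""
    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, tuple(sorted(name for name, _ in attrs))))


EXPECTED = [("input", ("name", "value")), ("p", ())]   # what TEMPLATE itself produces


def foreign_markup(page):
    """Parse the rendered page and return any element/attribute set the template
    does not produce; a non-empty list means the query injected markup."""
    collector = TagCollector()
    collector.feed(page)
    return [t for t in collector.seen if t not in EXPECTED]


if __name__ == "__main__":
    for q in QUERIES:
        print("naive  :", foreign_markup(render_naive(q)))
        print("escaped:", foreign_markup(render_escaped(q)))
```

The second query shows why stripping known-bad tags fails (removing the inner `<script>` reassembles the outer one); the third shows an attribute-context payload with no angle brackets at all, which no tag filter would notice but escaping of the quote character defeats.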
IE Flaws Can Bypass SP2 security (21/20 October 2004)
Danish security company Secunia says it has found two critical flaws in Internet Explorer 6.0 that could be exploited to circumvent the Windows XP SP2 Local Computer zone security lockdown feature. The flaws are in IE's "drag and drop" and security zone restriction features. Secunia recommends that users either disable Active Scripting in IE 6.0 or switch to another browser.
-http://security.itworld.com/4345/041021iehole/pfindex.html
-http://www.securitypipeline.com/showArticle.jhtml;jsessionid=EY03U3NM1BEKUQSNDBCCKH0CJUMEKJVN?articleId=50900278&printableArticle=true
.Zip Archive Header Parsing Flaw in Multiple AV Products (18 October 2004)
A vulnerability in the way multiple antivirus products parse .zip archive headers could allow attackers to evade detection: malicious code inside a crafted archive could slip past the scanner. No exploits have been found in the wild.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1017026,00.html
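The article does not describe the exact header manipulation, so the Python below is an added, generic example (this editor's, not code from any of the affected products) of what a scanner should do instead of trusting a single header: reconcile each local file header with the central directory and with the bytes actually stored. It builds a constructed archive, forges one local-header field (an assumed manipulation chosen to show the principle, not the reported flaw), and shows that the standard library archiver still extracts the file while the cross-check flags it.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"


def parse_central_directory(data):
    """Locate the central directory through the end-of-central-directory record
    (the way real unpackers do) and return one dict per entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, n_entries, _, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    entries, pos = [], cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        (_, _, _, method, _, _, crc, csize, usize, fn_len, extra_len,
         cmt_len, _, _, _, lh_offset) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        entries.append(dict(name=data[pos + 46:pos + 46 + fn_len], method=method, crc=crc,
                            csize=csize, usize=usize, lh_offset=lh_offset))
        pos += 46 + fn_len + extra_len + cmt_len
    return entries


def check_entry(data, entry):
    """Cross-check one entry's local file header against the central directory and
    against the bytes actually stored. Returns a list of findings (empty means consistent)."""
    off = entry["lh_offset"]
    if data[off:off + 4] != LOCAL_SIG:
        return ["local file header signature missing"]
    _, _, _, _, _, crc, csize, usize, fn_len, extra_len = struct.unpack_from("<HHHHHIIIHH", data, off + 4)
    findings = []
    if data[off + 30:off + 30 + fn_len] != entry["name"]:
        findings.append("name differs between local header and central directory")
    if (crc, csize, usize) != (entry["crc"], entry["csize"], entry["usize"]):
        findings.append("crc/size fields differ between local header and central directory")
    # Trust neither header for the scan itself: inflate what is stored and measure it.
    body_start = off + 30 + fn_len + extra_len
    body = data[body_start:body_start + entry["csize"]]
    try:
        if entry["method"] == 0:          # stored
            raw = body
        elif entry["method"] == 8:        # raw deflate stream (no zlib wrapper)
            raw = zlib.decompress(body, -15)
        else:
            return findings + ["unsupported compression method %d" % entry["method"]]
    except zlib.error as exc:
        return findings + ["stored data does not inflate: %s" % exc]
    if len(raw) != entry["usize"] or (zlib.crc32(raw) & 0xFFFFFFFF) != entry["crc"]:
        findings.append("inflated data does not match declared size/crc")
    return findings


def scan(data):
    """Map each entry name to its findings for the whole archive."""
    return {e["name"].decode("cp437"): check_entry(data, e) for e in parse_central_directory(data)}


def build_sample_zip():
    """Constructed sample archive; 'payload.exe' is inert filler, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.exe", b"MZ" + b"stand-in for an executable " * 8)
        zf.writestr("readme.txt", b"nothing to see here\n")
    return buf.getvalue()


def forge_local_size(data, entry_name, new_size=0):
    """Return a copy whose local header for entry_name declares new_size as the
    uncompressed size; the central directory is untouched. (Assumed attacker move:
    a header field a naive scanner believes but an archiver ignores.)"""
    for e in parse_central_directory(data):
        if e["name"] == entry_name.encode("cp437"):
            field = e["lh_offset"] + 22   # uncompressed-size field of the local header
            return data[:field] + struct.pack("<I", new_size) + data[field + 4:]
    raise KeyError(entry_name)


def extract_with_stdlib(data, name):
    """What a normal archiver does: Python's zipfile takes sizes from the central directory."""
    return zipfile.ZipFile(io.BytesIO(data)).read(name)


if __name__ == "__main__":
    clean = build_sample_zip()
    forged = forge_local_size(clean, "payload.exe")
    print("clean :", scan(clean))
    print("forged:", scan(forged))
    print("archiver still extracts:", extract_with_stdlib(forged, "payload.exe")[:2])
```

The general lesson for any container format: a scanner must see the same bytes the consumer will execute, so parse the structure the consumer parses and verify the content against it, rather than short-circuiting on a field an attacker can set freely.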
STATISTICS, STUDIES AND SURVEYS
Just 5 Botnets Responsible for All Phishing Attacks, According to Research (20 October 2004)
CipherTrust recently published research claiming that all phishing attacks on the Internet are conducted using one of five zombie networks, or botnets, each comprising roughly 1,000 PCs. The research also found that 70% of zombie PCs are used to send spam as well.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39170848-39020375t-10000025c
-http://www.theregister.co.uk/2004/10/20/phishing_botnet/print.html
MISCELLANEOUS
Microsoft Revises SenderID, AOL Back On Board (26 October 2004)
Microsoft has modified Sender ID, its proposed e-mail authentication scheme, to make it work better with existing SPF records. It also narrowed its patent applications for the underlying technology in an effort to appease open-source critics. AOL, which had earlier withdrawn its support, promptly rejoined the initiative.
-http://www.informationweek.com/story/showArticle.jhtml?articleID=51200627
[Editor's Note (Paller): Sender ID is one of the vendor initiatives that may lead to a huge reduction in spam and phishing. If all the vendors work together on a single authentication scheme, their efforts can significantly reduce spam and phishing attacks. ]
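For readers who have not looked at what an SPF record actually does, the Python below is an added example (this editor's, not Microsoft's Sender ID or any SPF library) that evaluates the ip4/ip6/all mechanisms of a record against the IP address that delivered a message. Records and addresses are constructed on reserved example names and ranges; Sender ID's header-based PRA check and the a/mx/include/redirect mechanisms are deliberately left out.

```python
import ipaddress

# Constructed records on reserved example names; not real DNS data.
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "example.net": "v=spf1 ip6:2001:db8::/32 ~all",
    "example.org": "v=spf1 +all",      # authorises the whole Internet: useless against spoofing
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(domain, client_ip, records=RECORDS):
    """Evaluate the ip4/ip6/all mechanisms of a domain's record against the IP that
    delivered the message. Returns pass, fail, softfail, neutral, none or permerror."""
    record = records.get(domain)
    if not record or record.split()[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]      # "all" always matches, so it belongs last
        mech, _, arg = term.partition(":")
        if mech not in ("ip4", "ip6"):
            return "permerror"                # a, mx, include, exists, redirect: not handled here
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                          # ran off the end without a match


def receiver_policy(result):
    """A receiver's mapping of results to actions (local policy, not part of SPF)."""
    return {"fail": "reject", "softfail": "mark as suspicious"}.get(result, "accept")


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.77"), ("example.com", "203.0.113.5"),
                    ("example.net", "2001:db8:1::9"), ("example.org", "203.0.113.5")]:
        res = check_sender(dom, ip)
        print(dom, ip, res, "->", receiver_policy(res))
```

The example.org record is the one to watch for in practice: a domain that publishes "+all" passes every forged message, so a pass result only means as much as the publishing domain's record does.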
Officials Investigating Purdue University Computer Intrusion (22/21 October 2004)
Purdue University officials are urging students, faculty and staff to change their passwords after a breach of the school's computer network was detected. The school has not determined whether or not the intruder(s) accessed any personal information.
-http://www.cnn.com/2004/TECH/internet/10/22/us.purduehack.ap/index.html
-http://www.indystar.com/articles/7/188156-5277-102.html
Avoiding Log Analysis Mistakes (21 October 2004)
Some organizations may not be reaping the full benefit of a log collection and analysis infrastructure because of five mistakes: not looking at the logs at all, storing them for too short a period, failing to normalize them, failing to prioritize log records, and looking only for the bad things in the logs.
-http://www.computerworld.com/printthis/2004/0,4814,96587,00.html
[Editor's Note (Schneier): Log analysis systems are only as good as the people doing the actual log analysis. You have two choices: hire those people to sit in front of the machines 24/7 yourself, or hire a Managed Security Monitoring company to do it for you. I think that eventually everyone will be doing the latter. ]
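Three of the five mistakes listed above (not normalizing, not prioritizing, looking only for bad things) have a concrete shape. The Python below is an added example (this editor's, not from the article) that normalizes two different log formats into one record type and then scores every record, successful logins included: a successful root login that follows failures from the same address ranks above the failures themselves. The sample lines are constructed, the year attached to the syslog timestamps is assumed, and the scoring rules are illustrative.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from any real host): OpenSSH auth messages in
# syslog form next to Apache access-log lines, deliberately two different formats.
SAMPLE_LOGS = [
    "Oct 21 03:12:40 web1 sshd[2230]: Failed password for root from 203.0.113.7 port 52210 ssh2",
    "Oct 21 03:12:41 web1 sshd[2230]: Failed password for root from 203.0.113.7 port 52210 ssh2",
    "Oct 21 03:12:44 web1 sshd[2231]: Accepted password for root from 203.0.113.7 port 52211 ssh2",
    "Oct 21 09:00:02 web1 sshd[2407]: Accepted publickey for deploy from 10.0.0.5 port 40122 ssh2",
    '203.0.113.7 - - [21/Oct/2004:03:13:02 +0000] "GET /admin/ HTTP/1.0" 200 4123',
    '198.51.100.9 - - [21/Oct/2004:09:02:11 +0000] "GET /missing.html HTTP/1.0" 404 512',
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<verb>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) \d+")
SYSLOG_YEAR = 2004   # syslog timestamps carry no year; assumed for the constructed sample


def normalize(line):
    """Map a raw line from either source onto one common record, or None if unknown."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime("%d %s" % (SYSLOG_YEAR, m["ts"]), "%Y %b %d %H:%M:%S")
        return dict(ts=ts, source="sshd", host=m["host"], src_ip=m["ip"], user=m["user"],
                    action="login", outcome="success" if m["outcome"] == "Accepted" else "failure",
                    detail=m["method"])
    m = APACHE_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        return dict(ts=ts, source="httpd", host="-", src_ip=m["ip"], user=m["user"],
                    action="http_" + m["verb"].lower(),
                    outcome="success" if m["status"].startswith("2") else "failure",
                    detail=m["path"])
    return None


def prioritize(records, window=timedelta(minutes=5)):
    """Score every record, 'good' ones included. Rules (illustrative, not a standard):
    1 routine; 3 failed login or admin-path request; 4 successful root login;
    5 success shortly after failures from the same source. Later activity from a
    source that earned a 5 is raised to 4."""
    records = sorted(records, key=lambda r: r["ts"])
    failures, hot_sources = {}, set()
    for r in records:
        score, reasons = 1, []
        if r["action"] == "login" and r["outcome"] == "failure":
            score, reasons = 3, ["failed login"]
            failures.setdefault(r["src_ip"], []).append(r["ts"])
        elif r["action"] == "login":
            if r["user"] == "root":
                score, reasons = 4, ["successful root login"]
            recent = [t for t in failures.get(r["src_ip"], []) if r["ts"] - t <= window]
            if recent:
                score = 5
                reasons.append("success after %d failures from same source" % len(recent))
                hot_sources.add(r["src_ip"])
        elif r["action"].startswith("http_") and r["detail"].startswith("/admin"):
            score, reasons = 3, ["admin path requested"]
        if score < 4 and r["src_ip"] in hot_sources:
            score, reasons = 4, reasons + ["source previously brute-forced a login"]
        r["priority"], r["reasons"] = score, reasons
    return sorted(records, key=lambda r: (-r["priority"], r["ts"]))


def triage(lines):
    """Normalize, drop what cannot be parsed, and return records best-first."""
    return prioritize([r for r in map(normalize, lines) if r])


if __name__ == "__main__":
    for r in triage(SAMPLE_LOGS):
        print(r["priority"], r["ts"], r["source"], r["src_ip"], r["user"],
              r["action"], r["outcome"], r["reasons"])
```

Note what a "bad things only" filter would have produced from the same input: two failed passwords and a 404, with the one record that matters, the accepted root login, never shown. Normalizing first is what makes the cross-source correlation (sshd failures, then an httpd request from the same address) a one-line rule rather than two separate parsers each keeping its own state.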
Talking to CEOs About Security (20 October 2004)
Larry Ponemon serves as a board member of the Security Leadership Institute, a think tank which recently talked with CEOs about their perception of the value of security to their enterprise. Ponemon offers some issues IT professionals can raise in meetings with CEOs that will engage their attention.
-http://www.computerworld.com/printthis/2004/0,4814,96803,00.html
McAfee Awarded Patent for Malware Detection (20 October 2004)
McAfee has announced that it has been awarded US patent 6,775,780, "Detecting Malicious Software by Analyzing Patterns of System Calls Generated During Emulation." McAfee's director of intellectual property, Chris Hamaty, acknowledged that the patent is broad and said it is intended to protect the company's intellectual property and give it a competitive edge in the security software market.
-http://www.internetnews.com/security/print.php/3424581
[Editor's Note (Grefer): Not again! I had hoped we were past the stage of such attempts of overly broad patent applications. ]
===end===
NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/