SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #51
December 23, 2004
To win one of four Apple iPods, register for the big SANS Orlando Training Program by December 31. It is in early February and has 14 immersion tracks. The drawing for iPods will be on January 1.
Conference and registration details: http://www.sans.org/orlando05
TOP OF THE NEWS
Microsoft Releases Update for SP2 Firewall FlawAustralian Law Allows Police to Use Spyware to Gather Evidence
Judge Awards Iowa ISP Damages in Spam Cases
Phishing Attacks Increase in November
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCESTeen Receives Suspended Sentence for Randex Trojan
NASA Cyber Intruder Sentenced
Lowe's Wardrivers Sentenced
SPAM & PHISHING
FDIC Report Offers Suggestions for Protecting Customers from Identity Theft
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Cisco Issues Security Advisories
Google Fixes Desktop Search Utility Vulnerability
IE ActiveX Vulnerability Allows Site Content Spoofing
Updates Released for PHP Vulnerabilities
Zafi.D Worm Spreading
Microsoft's December Security Advisories Address WINS Vulnerability
MISCELLANEOUS
Diebold Will Pay US$2.6 Million to California for Fraudulent Security Claims
Students Find Unix Application Bugs; Researchers Find Linux Code Less Flawed than Proprietary Code
Microsoft Recruits More NAP Supporters
Healthcare Security Workgroup to Release HIPAA Compliance Guidelines
*********************** Sponsored by BindView ***************************
How do you eliminate internal security threats? What are traditional attack vectors and their potential threats? How do you protect non-controlled assets from attack? These and other questions are answered in the BindView white paper "Internal Security Threats: Identification & Mitigation" written by Mark "Simple Nomad" Loveless.
Download the paper at: http://www.sans.org/info.php?id=688
*************************************************************************
TOP OF THE NEWS
Microsoft Releases Update for SP2 Firewall Flaw (17/16 December 2004)
Microsoft has released a Windows XP SP2 update that fixes a firewall configuration flaw. Users with file and printer sharing turned on could be sharing their files and printers with the entire Internet instead of just the local network because of a problem with how broadly local network was defined. The update narrows the definition. Even so, users are being advised to place an additional firewall in front of the network.-http://www.computerworld.com/printthis/2004/0,4814,98347,00.html
-http://www.eweek.com/print_article2/0,2533,a=141102,00.asp
-http://www.theregister.co.uk/2004/12/17/windows_bug_roundup/print.html
[Editor's Note (Paller): This vulnerability and patch was a stealth announcement from Microsoft. It was not included with the monthly patch announcement (even though it was ready the day before that announcement); it was not posted at the standard location. And on top of that, it is one of the worst vulnerabilities we've seen because it made dial-up users' files available for reading by huge numbers of people. No hacking necessary - any curious person could read your files. It's equivalent to the Post Office putting your private mail in the public library and pointing people to it if they are curious. ]
Australian Law Allows Police to Use Spyware to Gather Evidence (16 December 2004)
Australian legislators recently passed The Surveillance Devices Act, allowing law enforcement to use backdoor and keystroke-logging programs to gather evidence against suspected criminals. The warrants to use the technology would be granted in cases where the offense being investigated carries a sentence of three or more years. Some critics of the act are concerned that it gives law enforcement too much power; others are concerned that it conflicts with parts of the country's Telecommunications Interception Act. Still others fear that evidence gathered under the act would not be admissible in court, as the computer in question has already been compromised in order to install the spyware.-http://www.theregister.co.uk/2004/12/16/oz_police_surveillance/print.html
[Editor's Note (Schultz): Although this Act is controversial, there is a consolation; the conditions under which law enforcement can use backdoors and keystroke-logging programs appear to be well-defined. ]
Judge Awards Iowa ISP Damages in Spam Cases (20 December 2004)
A judge in Iowa has awarded a small ISP more than US$1 billion in damages in a default judgment against three alleged spammers. The enormous sum was determined under an Iowa law that levies a $10 fine for each spam email sent. It is unlikely the plaintiff will recover any of the awarded damages.-http://www.theregister.co.uk/2004/12/20/isp_wins_1bn_damages_from_spammers/print
.html
Phishing Attacks Increase in November (16 December 2004)
A newly released report from the Anti-Phishing Working group says that phishing attacks were up 29% in November, nearly a third higher than the figure for October. EarthLink and MSN were both highly targeted in November. The US accounted for 27% of phishing sites; China accounted for 21%.-http://asia.cnet.com/news/security/printfriendly.htm?AT=39209629-39037064t-39000
005c
*********************** Sponsored by BindView ***************************
How do you eliminate internal security threats? What are traditional attack vectors and their potential threats? How do you protect non-controlled assets from attack? These and other questions are answered in the BindView white paper "Internal Security Threats: Identification & Mitigation" written by Mark "Simple Nomad" Loveless.
Download the paper at: http://www.sans.org/info.php?id=688
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Teen Receives Suspended Sentence for Randex Trojan (20 December 2004)
A British teenager has been given a six-month suspended sentence for releasing the Randex Trojan horse program, which allegedly launched distributed denial of service attacks against several e-commerce sites.-http://www.theregister.co.uk/2004/12/20/uk_randex_worm_teenager_escapes_jail/pri
nt.html
NASA Cyber Intruder Sentenced (18 December 2004)
Gregory Aaron Herns has been sentenced to 6 months in federal prison for breaking into a NASA computer system at the Goddard Space Flight Center in 2001, causing US$200,000 in damage. Herns told federal agents he was searching for space to store downloaded movies. Herns has also been ordered to pay restitution and to have his computer use restricted for the next three years.-http://www.eweek.com/print_article2/0,2533,a=141274,00.asp
[Editor's Note (Schneier): Note to future hackers looking for places to store their downloaded movies: (theoretically) secure government sites are probably not your best option. ]
Lowe's Wardrivers Sentenced (17/16 December 2004)
Two men who broke into Lowe's wireless computer network and tried to steal customer credit card numbers have received prison sentences for their crimes. Though Brian Salcedo could have received a sentence of up to 15 years under federal guidelines, his sentence was reduced to 9 years because he helped Lowe's address the security problems he had exploited. Adam Botbyl, an accomplice, received a 26-month sentence to be followed by 2 years of court supervised release. By compromising a Lowe's store wireless network in Southfield, Michigan, the men were able to access to the company's central computer system and other systems around the country. Salcedo's sentence is the harshest ever handed down for a cyber crime in the United States.-http://www.computerworld.com/printthis/2004/0,4814,98355,00.html
-http://www.contractoruk.com/news/001872.html
-http://www.securityfocus.com/printable/news/10138
SPAM & PHISHING
FDIC Report Offers Suggestions for Protecting Customers from Identity Theft (14 December 2004)
The Federal Deposit Insurance Corporation is accepting comments on its recently published report "Putting an End to Account-Hijacking Identity Theft." To help combat the growing incidence of identity theft through phishing and other cyber crimes, the FDIC recommends that financial institutions upgrade from password authentication to two-factor authentication, use scanning software to detect and guard against phishing attacks, strengthen education for its customers to help them be savvy consumers, and share information with other financial institutions, the government and technology providers. Comments on the report will be accepted through February 11, 2005.-http://www.fdic.gov/consumers/consumer/idtheftstudy/index.html
-http://www.fdic.gov/consumers/consumer/idtheftstudy/identity_theft.pdf
[Editor's Note (Tan): The recommendation to mitigate the risks is nothing new or rocket science. Yet saying is easier than getting it done. Users, vendors, service providers and government will need to act together to achieve the result.
(Paller): I agree with Koon Yaw, but I believe it will take leadership by government using its billion-dollar FTS procurement to provide the incentive that will persuade the service providers to take substantial responsibility. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Cisco Issues Security Advisories (20 December 2004)
Cisco has issued an advisory warning of vulnerabilities in Cisco Unity unified messaging server versions 2, 3 and 4 and in Cisco Guard and Traffic Anomaly Detector products, appliances designed to protect companies from denial-of-service attacks. The simple fixes involve changing default passwords and usernames.-http://asia.cnet.com/news/security/printfriendly.htm?AT=39210036-39037064t-39000
005c
-http://www.cisco.com/warp/public/707/cisco-sa-20041215-unity.shtml
-http://www.cisco.com/en/US/products/products_security_advisory09186a008037d0c5.s
html
Google Fixes Desktop Search Utility Vulnerability (20/15 December 2004)
Google has fixed a recently discovered vulnerability in its desktop search utility. Attackers could embed a Java applet on a web page that would trick users' computers into revealing their desktop searches to the attacker. Some in the security field are concerned that the emergence of desktop search tools could be exploited by cyber criminals to steal email addresses and other personal data.-http://www.eweek.com/print_article2/0,2533,a=141305,00.asp
-http://www.internetnews.com/security/print.php/3450251
-http://news.com.com/2102-1002_3-5497885.html?tag=st.util.print
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39209364-39037064t-39000
005c
IE ActiveX Vulnerability Allows Site Content Spoofing (17 December 2004)
A vulnerability in a default ActiveX control in Internet Explorer could be exploited by phishers It could allow people to display phony web sites with all the appearances of legitimate ones. The flaw affects all versions of IE including fully patched versions of Windows XP with IE 6.0 and SP2 installed. No patch has been released; users are encouraged to turn off ActiveX or switch the Internet zone security setting to high.-http://www.eweek.com/print_article2/0,2533,a=141173,00.asp
-http://news.zdnet.com/2102-1009_22-5495719.html?tag=printthis
Updates Released for PHP Vulnerabilities (17 December 2004)
Two security updates are now available for vulnerabilities in versions of PHP 4 and 5. Versions 4.3.10 and 5.0.3 address critical flaws, including one that could be exploited to take control of vulnerable web servers.-http://news.zdnet.com/2102-1009_22-5496086.html?tag=printthis
-http://www.hardened-php.net/advisories/012004.txt
Zafi.D Worm Spreading (17 December 2004)
The Zafi.D worm spreads in the guise of a Christmas greeting and sends itself out to email addresses found on infected machines. Zafi is capable of terminating applications with the words "firewall" or "virus" in them and reportedly disables certain Windows tools.-http://www.pcadvisor.co.uk/index.cfm?go=news.view&news=4397
-http://www.datafuse.net/page.php?news=398
-http://www.contractoruk.com/news/001871.html
-http://www.eweek.com/print_article2/0,2533,a=141027,00.asp
Microsoft's December Security Advisories Address WINS Vulnerability (14 December 2004)
Microsoft's monthly security release for December includes fixes for a known name validation vulnerability in the WINS name server, two code execution vulnerabilities in WordPad, a buffer overflow flaw in Windows HyperTerminal utility, two flaws in DHCP and privilege elevation vulnerabilities in Windows Kernel and LSASS. Microsoft also re-released an advisory for a JPEG parsing flaw.-http://www.eweek.com/print_article2/0,2533,a=140928,00.asp
-http://news.zdnet.com/2102-1009_22-5491114.html?tag=printthis
-http://www.microsoft.com/technet/security/bulletin/ms04-dec.mspx
MISCELLANEOUS
Diebold Will Pay US$2.6 Million to California for Fraudulent Security Claims (17 December 2004)
Diebold has reached a settlement with the State of California and Alameda County, both of which had sued the voting machine manufacturer for fraudulent claims about the security of its products. The State of California will receive US$2.6 million and the county US$100,000; the court that approved the settlement has ordered that US$500,000 of the money be spent on a voter education and poll worker training program.-http://www.internetnews.com/bus-news/print.php/3449691
[Editor's Note (Schultz): It's good to see this controversial voting machine manufacturer taken to task. It is very possible that this settlement will pave the way for legal actions against Diebold by others, something that may in the long run be beneficial to the integrity of electronic voting. ]
Students Find Unix Application Bugs; Researchers Find Linux Code Less Flawed than Proprietary Code (15 December 2004)
Students in a graduate level computer science course at the University of Illinois at Chicago were required, as part of their coursework, to find 10 security flaws in various Unix applications. A total of 44 different flaws were found by the 25 students. In a related story, a four-year Linux source code analysis project found just 985 bugs in 5.7 million lines of code. The average for commercial software is 20-30 bugs for every 1,000 lines of code; the findings of the study suggest that the Linux kernel code is more secure than most commercial software.-http://news.com.com/2102-1002_3-5492969.html?tag=st.util.print
-http://www.wired.com/news/print/0,1294,66022,00.html
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39209224-39037064t-39000
005c
[Editor's Note (Schneier): More eyes, shallower bugs? This doesn't necessarily mean it's more secure, though. One killer security hole can trump any number of minor bugs.
Microsoft Recruits More NAP Supporters (14 December 2004)
18 more security and networking suppliers have agreed to support Microsoft's Network Access Protection scheme which will ship with Longhorn in 2007. NAP provides policy enforcement that allows administrators to restrict network access for machines that do not have current operating system and anti-virus updates. The technology is aimed at stopping the spread of malware like Nimda and Blaster.-http://www.theregister.co.uk/2004/12/14/ms_adds_nap_partners/print.html
[Editor's Note: Sygate and other companies are already providing effective network access protection. They stop vulnerable systems from gaining full network access and they automatically fix the problems so the users can quickly reconnect. SANS WhatWorks project has found more than a dozen security products that actually meet their promises today and has posted live interviews with users who provided the proof. Visit www.sans.org/whatworks for the user interviews and for the list of security tools that have actually been proven to be effective. ]
Healthcare Security Workgroup to Release HIPAA Compliance Guidelines (13 December 2004)
The Healthcare Security Workgroup says it will release guidelines to help health care organizations comply with the data security requirements established by the Health Insurance Portability and Accountability Act (HIPAA). The security provisions of the Act take effect in April 2005.-http://www.computerworld.com/printthis/2004/0,4814,98232,00.html
-http://www.urac.org/committees_sworkgroup.asp
===end===
NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
