SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VI - Issue #52

December 29, 2004

Happy Hew Year!

---

TOP OF THE NEWS

Blood Bank Informs Donors of Possible Personal Data Compromise
News Team Investigation Raises Concerns About New Voting Technologies
Exploit Code for Unpatched Windows Flaws Released

THE REST OF THE WEEK'S NEWS

GOVERNMENT SYSTEMS SECURITY
OMB Reminds Officials to Stick With Approved Digital Signature Services Vendors
70% of Federal Systems are Secure, According to e-Gov Report
SPAM & PHISHING
Judge Refuses Guilty Plea in eMail Address Theft Case
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
IBM and Oracle Issue Fixes
Santy Worm Uses Google to Find Vulnerable Sites
MetalGear.A Trojan
STATISTICS, STUDIES AND SURVEYS
Federal Regulations Increase Workload, Improve Security, According to Survey
Survey: IT Spending to Increase 3.9% in 2005
MISCELLANEOUS
Vnunet.com Looks Ahead to 2005
Unpatched Linux Systems' Life Expectancy Increases

---

********************** Sponsored by NetIQ *******************************
Win the Spam Battle! Get a handle on your information security issues with the FREE eBook, "Content Security in the Enterprise-Spam and Beyond." Industry veteran Daniel Chenault provides the battleplan on how you can reduce or eliminate spam, protect corporate information assets and ensure that your vital resources are secure and available for authorized business purposes.

Download this free eBook now. http://www.netiq.com/f/form/form.asp?id=2395&origin=NS_SANS_122704

*************************************************************************
Highlighter Security Training Program ---

Fourteen immersion training tracks for managers, auditors, sysadmins, security professionals and for those seeking to pass the ISC2 CISSP exam.
The best teachers in security, in Florida, when it is cold in the north and Europe. Plan to bring the family along for a weekend at Disney World. Conference and registration details: http://www.sans.org/orlando05
*************************************************************************

---

TOP OF THE NEWS

Blood Bank Informs Donors of Possible Personal Data Compromise (21 December 2004)

A California blood bank has sent letters to donors whose personal information may have been compromised after one of the bank's laptop computers was stolen. The information is protected by a password and a series of steps necessary to open the database. A California law requires organizations to notify customers whose data may have been compromised in the event of a security breach. The company has said it will no longer collect social security numbers from donors and that it will revise the way it "handles computer hardware and other sensitive equipment."
-http://news.com.com/2102-1029_3-5500114.html?tag=st.util.print

News Team Investigation Raises Concerns About New Voting Technologies

An Indianapolis (Indiana) news team investigation into modern voting technology raised a number of concerns. While individual optical-scan machines counted ballots correctly, when the votes were consolidated, the tabulation was inaccurate. The team also discovered that there is no state-level testing in Indiana for certification.
-http://www.wishtv.com/global/story.asp?s=1647886&ClientType=Printable
-http://www.wishtv.com/global/story.asp?s=1649813&ClientType=Printable
[Editor's Note (Schultz): How many demonstrations of the deficiencies of electronic voting machines such as the one in this news item will it take to wake people up to the fact that these machines as currently deployed constitute very serious and genuine threat to the integrity of voting? ]

Exploit Code for Unpatched Windows Flaws Released (24 December 2004)

Exploit code for two unpatched Windows vulnerabilities has been released. The flaws are in the LoadImage function and the Windows Help program. The overflow vulnerabilities could be used for phishing, spyware and spreading mass mailing worms.
-http://www.computerworld.com/printthis/2004/0,4814,98532,00.html
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39210839-39037064t-39000
005c
[Editor's Note (Grefer): Reports to the Internet Storm Center indicate that such use of the vulnerabilities has already happened:
-http://isc.sans.org/diary.php?date=2004-12-25
-http://isc.sans.org/diary.php?date=2004-12-26
-http://isc.sans.org/diary.php?date=2004-12-27]

---

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

OMB Reminds Officials to Stick With Approved Digital Signature Services Vendors (20 December 2004)

The Office of Management and Budget has sent a memo to federal officials reminding them that choosing digital signature services from vendors who are not on the approved list could pose a security risk. The three vendors on the list "have been certified as complying with the government's certificate authority policies and security laws."
-http://www.fcw.com/fcw/articles/2004/1220/web-pki-12-21-04.asp

70% of Federal Systems are Secure, According to e-Gov Report (20 December 2004)

A recently released report from the White House Office of E-Government and IT maintains that 70% of federal IT systems are considered secure. Among the Office's goals for the coming year is getting 90% of federal systems certified and accredited as secure.
-http://www.informationweek.com/showArticle.jhtml?articleID=55801072
-http://www.whitehouse.gov/omb/egov/press/downloads/expanding_egov12-2004.pdf
[Editor's Note (Ranum): Certification and accreditation as "secure" doesn't mean a system is secure - merely that it is certified. ]

SPAM & PHISHING

Judge Refuses Guilty Plea in eMail Address Theft Case (21 December 2004)

US District Judge Alvin Hellerstein refused to accept a guilty plea from Jason Smathers, a former AOL employee who allegedly stole and sold 92 million email addresses to spammers. Despite the fact that Smathers had reached a plea agreement with federal prosecutors, the judge said he was not convinced that Smathers had deceived anyone by his actions. He cannot be prosecuted under the CAN-SPAM Act if he did not intend to deceive anyone.
-http://www.messagingpipeline.com/55801389
-http://news.com.com/2102-1030_3-5499701.html?tag=st.util.print

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

IBM and Oracle Issue Fixes (23 December 2004)

IBM and Oracle have issued security fixes for a handful of vulnerabilities. Flaws in Oracle's Application Server and Database Server (versions 10g or 9i) could grant unauthorized access to intruders. IBM's fixes address buffer overflow flaws in its DB2 Universal Database.
-http://asia.internet.com/news/print.php/3451651
-http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html

Santy Worm Uses Google to Find Vulnerable Sites (23/22 December 2004)

The Santy worm exploits a flaw in phpBB and searches Google for vulnerable sites. Google has blocked certain queries to help stop the worm's spread. However, the worm's source code has been made public, raising concerns that it could be modified to use other search engines.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39210431-39037064t-39000
005c

-http://www.eweek.com/print_article2/0,2533,a=141518,00.asp
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39210616-39037064t-39000
005c
[Editor's Note (Pescatore): This type of concern is reminiscent of when SATAN came out. If a relatively simple Google search allowed Santy to find its targets, sys admins should learn that using simple vulnerability analysis tools can keep them ahead of the attackers by making sure their systems are patched.
(Schultz): This is the second instance of which I am aware in which worms have used search engines to locate victims. The use of search engines in this manner is disconcerting because it makes finding potential victims so much easier than ever. ]

MetalGear.A Trojan (22 December 2004)

The MetalGear.A Trojan infects mobile phones, disables antivirus programs and spreads the Cabir virus, which uses the Bluetooth short-range wireless protocol to spread to other vulnerable phones in the area.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39181939-39020375t-10000015c
-http://www.techweb.com/article/printableArticle.jhtml;jsessionid=2ZHIULZRZ11U4QS
NDBCCKHSCJUMEKJVN?articleID=56200144&site_section=700028
-http://www.theregister.co.uk/2004/12/22/metal_gear_virus/print.html

STATISTICS, STUDIES AND SURVEYS

Federal Regulations Increase Workload, Improve Security, According to Survey (22 December 2004)

A RedSiren survey of more than 300 IT professionals found that 66% believe government information management regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act, have improved their overall network security. 62% of those surveyed said they spend more time complying with the regulations than they do on other security issues and more than 38% said that compliance requirements have caused them to "scale back" other security projects. However, 19% of respondents said they would be comfortable spending less time actively monitoring their systems due to the increased automation of patch management and incident response systems.
-http://news.com.com/2102-7348_3-5500894.html?tag=st.util.print
-http://www.redsiren.com/pressreleases_redsiren_survey_122204.htm

Survey: IT Spending to Increase 3.9% in 2005 (20 December 2004)

A survey from Forrester Research indicates that in organizations with more than 1,000 employees, IT spending will increase by an average of 3.9% in 2005. Forrester still rates security high on the list of priorities for IT spending, but has dropped it from first to fourth since last year's survey.
-http://www.informationweek.com/story/showArticle.jhtml?articleID=55801280
[Editor's Note (Pescatore): I've always said viruses have a 6 week enterprise security attention span (ESAS) and worms have a 6 month ESAS. We didn't have a serious worm in 2003 after Sasser and the lack of damage causes bad habits to come back. One reason why the worms of 2003 hit so hard is that there weren't any worms in 2002 to sustain ESAS. Since there were three worms in 18 months from early 2003 to early 2004, ESAS was sustained for a long time, leading some enterprises to operationalize some good security practices, but many others will get lax again. ]

MISCELLANEOUS

Vnunet.com Looks Ahead to 2005 (22 December 2004)

Vnunet.com predictions for 2005 security trends include moving away from signature-based anti-virus software toward signatures combined with heuristics, spam accounting for 90% of Internet email, and the advent of new automated tools limiting or denying network access to machines with inadequate security.
-http://www.vnunet.com/news/1160190

[Editor's Note (Pescatore): This is a lot of rear view mirror predicting. Host IPS has been growing in use for two years (which is why Cisco, McAfee, Microsoft and Symantec all acquired HIPS technology), spam control is actually starting to be effective and blocking infected machines from connecting to the network (Network Access Control) has been growing since early 2003 due to increased ESAS (Enterprise Security Attention Span). ]

Unpatched Linux Systems' Life Expectancy Increases (21 December 2004)

A report from the Honeynet Project has found that unpatched Linux systems are sitting an average of three months on the Internet before becoming compromised; in 2001, the amount of time before an unpatched Linux system is compromised was around three days. Honeynet president Lance Spitzner attributes the lengthening lifespan of the systems to two things: newer default installations are more secure than older ones, and attackers are focusing on the more ubiquitous Windows systems.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39210602-39037064t-39000
005c
-http://www.techweb.com/article/printableArticle.jhtml;jsessionid=GTAR0EED2ZP4MQS
NDBCCKHSCJUMEKJVN?articleID=56200327&site_section=700028

---

===end===

NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/