SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #10

March 09, 2005

TOP OF THE NEWS

Shareholders Sue ChoicePoint
SEC Looking Into ChoicePoint Data Theft; Legislators Call for DHS, GAO Investigation
Canadian Military, US Agencies Launch Blackberry Security Project
NIST Releases Final Recommended Security Controls for Federal Systems

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Identity Theft Investigation Nets Scottish Police 28 Arrests
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Government Executives Focus on Security
SPAM & PHISHING
MCI Evicts Send-safe.com
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
New Bagle Variants
Microsoft Has No Patches for Monthly Release
Computer Associates Releases Buffer Overflow Flaw Patches
WMP Updates Don't Completely Address DRM Exploit Problem
Windows Media Player 9 Users Still Vulnerable
ATTACKS AND INTRUSIONS
Keystroke Logger Surreptitiously Installed at New Zealand Internet Cafe
Possible DNS Cache Poisoning Attack
Instructions for Accessing Business School Admissions Info Posted On Line
Terrorists Target Offshore Call Centers
STATISTICS, STUDIES AND SURVEYS
Postini: Directory Harvesting Attacks Up in February
MISCELLANEOUS
Researcher Says Individual PCs Can Be Tracked
Nuclear Power Industry Suppliers Fight Security Rule


************** Sponsored by LURHQ Managed Security Services *************
Increase operational efficiency, improve compliance and enhance your security posture with LURHQ's Managed Security Services. LURHQ's Services are designed to integrate scanning, intelligence, management and monitoring processes into a seamless threat and vulnerability management lifecycle that delivers these benefits, while keeping you in control. Learn more by downloading "11 Elements of a Successful MSS Partnership."

http://www.lurhq.com/MSS-Partnership.html
*************************************************************************
SANS 2005, in San Diego in early April (on the ocean) is SANS' largest security and audit training conference and expo. Extraordinary teachers present the most current tools and techniques. Late registration deadline is March 16, one week from today. Details at
http://www.sans.org/sans2005
*************************************************************************

TOP OF THE NEWS

Shareholders Sue ChoicePoint (7 March 2005)

After the share price dropped more than 20%, stockholders filed a class action lawsuit in California on behalf of the people who bought shares over the past 10 months. The suit alleges that ChoicePoint knew it had inadequate protection measures and that it was selling data to illegal enterprises, and that security breaches had occurred twice before.
-http://www.computerworld.com/governmenttopics/government/legalissues/story/0,10801,100239,00.html

[Editor's Note (Schultz): This is a landmark event. Nothing wakes up boards of directors to information security faster than lawsuits, especially shareholder-initiated lawsuits. Information security professionals will be able to use this development in their struggle to achieve adequate levels of security within their organizations. ]

SEC Looking Into ChoicePoint Data Theft; Legislators Call for DHS, GAO Investigation (3 March 2005)

US legislators are calling for a Homeland Security Department and General Accounting Office investigation into how the information stored in databases could be exploited by terrorists. The call comes in the wake of the revelation that ChoicePoint unwittingly sold personal records belonging to 145,000 people to identity thieves. ChoicePoint said the Securities and Exchange Commission has already begun an informal inquiry into the circumstances surrounding the data theft. ChoicePoint also said it plans to severely limit the sale of sensitive personal data.
-http://www.computerworld.com/printthis/2005/0,4814,100161,00.html
-http://www.techweb.com/wire/ebiz/60405814
-http://www.msnbc.msn.com/id/7087572/
[Editor's Note: Interesting to watch the ChoicePoint hysteria reach a crescendo. The over-hype is good in that it should put pressure on the boards of directors of similar companies to ask their CEO if they are at risk of similar meltdowns. However, it is really a reach to try to drag in DHS and terrorists obtaining identities. Forecast is for showers of well intentioned, but misguided, draft legislation, followed by flurries of unintended consequences. ]

Canadian Military, US Agencies Launch Blackberry Security Project (4 March 2005)

The two nations have launched a joint effort to make Blackberry portable communications devices more secure, hoping to one day use them to exchange top secret information. The research will focus on protecting information in the face of terrorist threats. They plan to test the secure communications in a simulation of a US spy plane crash on Canadian territory.
-http://www.canada.com/technology/story.html?id=cbea0d6b-d96c-4db6-8fde-619b933d3423

[Editor's Note (Shpantzer): This is an important story; there are way too many people using these things without any protection. (Schneier): This is a good idea, but even better would be routine and seamless encryption of all e-mail, not just BlackBerry communications. ]

NIST Releases Final Recommended Security Controls for Federal Systems (28 February 2005)

On Monday, February 28, the National Institute of Standards and Technology released the final version of SP 800-53: Recommended Security Controls for Federal Information Systems. The publication is designed to serve as a guideline for federal agencies to meet Federal Information Security Management Act (FISMA) mandates.
-http://news.zdnet.com/2102-1009_22-5593256.html?tag=printthis
-http://csrc.nist.gov/publications/nistpubs/index.html#sp800-53


************************ SPONSORED LINKS ********************************
These links point to non-SANS sites
(1) ALERT: Hackers New Trick-Web Application Worms- Run FREE Test
http://www.sans.org/info.php?id=733

(2) Free Threat Management Software for Home Lab Use: IDP, File Integrity, Service Monitoring and More
http://www.sans.org/info.php?id=734

*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Identity Theft Investigation Nets Scottish Police 28 Arrests (4 March 2005)

After a months-long investigation, Scottish police have arrested 28 people on charges of identity theft. Among the schemes used by the alleged identity thieves are going through trash, shoulder surfing and phishing to obtain PINs. Nearly 2 million GBP (US$3.83 million) was stolen as a result.
-http://software.silicon.com/security/print.htm?TYPE=story&AT=39128382-39024655t-40000024c

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

Government Executives Focus on Security (3 March 2005)

Two thirds of federal IT managers rate security as one of their top three concerns. However, the same federal executives expressed doubt that the government will make significant cyber security progress in the coming year, at least as measured by the grades given by the House Committee on Government Reform.
-http://www.public-cio.com/newsStory.php?id=2005.03.03-93251

SPAM & PHISHING

MCI Evicts Send-safe.com (1 March 2005)

Bowing to outside pressure, MCI has removed Send-safe.com from its network. Send-safe.com offers a product that sends spam courtesy of broadband-connected, malware-infected PCs. Send-safe.com tried two other ISPs, but was soon evicted from those as well.
-http://www.theregister.co.uk/2005/03/01/send-safe_evicted/print.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

New Bagle Variants (7 March 2005)

A series of Bagle variants were detected last week, some of which try to install Trojan horse programs on the machines they infect. The Trojans attempt to stop anti-virus software and connect to remote web servers to search for more malicious code.
-http://www.eweek.com/print_article2/0,2533,a=147064,00.asp
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39190498-39024165t-30000027c

Microsoft Has No Patches for Monthly Release (4 March 2005)

Microsoft says it will not be releasing any security bulletins or patches this month; normally Microsoft releases a security bulletin on the second Tuesday of each month that describes security problems and offers patches to fix them. Microsoft still plans on conducting its monthly technical webcast on Wednesday, 9 March.
-http://www.computerworld.com/printthis/2005/0,4814,100202,00.html
[Editor's Note (Schultz and Paller): The absence of Microsoft security patches this month seems very strange. Either there are no new vulnerabilities or Microsoft is not yet through with patches that it has had "in the mill." We suspect that the latter is true. ]

Computer Associates Releases Buffer Overflow Flaw Patches (2 March 2005)

Patches are available for buffer overflow flaws in Computer Associates' licensing software. The flaws could allow attackers to run unauthorized code on vulnerable machines.
-http://news.com.com/2102-1002_3-5595233.html?tag=st.util.print
-http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp

WMP Updates Don't Completely Address DRM Exploit Problem (1 March 2005)

Despite a pair of Windows Media Player updates released on February 15, a spyware infection threat remains in WMP9 in Windows XP SP2. Back in January, Microsoft said the digital rights management vulnerability was not a software flaw. A week after that, the company said they would release "tweaked" versions that would allow users more control over pop-up displays in the license acquisition process. Of the two WMP updates rolled out in mid-February, the updated WMP 9 on Windows XP SP2 appears to be still vulnerable. Microsoft recommends upgrading to WMP 10.
-http://www.eweek.com/print_article2/0,2533,a=146798,00.asp

Windows Media Player 9 Users Still Vulnerable (1 March 2005)

Nearly two months after promising to update its media player software to block the threat of malware infection, Microsoft Corp. admitted that users of its Windows Media Player 9 Series remain at risk.
-http://www.eweek.com/article2/0,1759,1771220,00.asp

ATTACKS AND INTRUSIONS

Keystroke Logger Surreptitiously Installed at New Zealand Internet Cafe (7 March 2005)

A cyber thief in Wellington, New Zealand apparently installed keystroke-logging software at an Internet cafe that allowed him to harvest user names and passwords belonging to people who conducted online banking there. Consumers are being warned to use caution while banking on line.
-http://www.nzherald.co.nz/index.cfm?c_id=5&ObjectID=10113938
[Editor's Note (Schultz): I'd also encourage people to be very careful about the use of Internet cafes in general. All kinds of people use systems in Internet cafes; you never know what anyone has done to them. Additionally, some Internet cafes are operated by less than scrupulous people.
(Schneier): I predict this is going to be an increasing problem for rather a while. At this point, I wouldn't enter sensitive data on any computer that I don't have reasonable control over. ]

Possible DNS Cache Poisoning Attack (4 March 2005)

The Internet Storm Center is investigating a potential DNS cache poisoning attack. The center has received reports of traffic being redirected from sites like google.com and ebay.com to other sites. Users are redirected to specially crafted sites that contain malicious URLs that allow adware and spyware to be installed on the computers. DNS cache poisoning attacks involve planting phony information in a name server's cache. DNS hijacking, which is similar, changes the domain server to reroute traffic.
-http://www.techweb.com/wire/security/60405913
-http://isc.sans.org/diary.php?date=2005-03-04
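The way a cache gets poisoned in an attack like this is by a resolver accepting records it had no reason to trust: an attacker's name server answers a query for the attacker's own domain and tacks an A record for google.com or ebay.com onto the additional section, and a resolver without a bailiwick check caches it. The Python below is an added example (not from the newsletter or the ISC diary) of that bailiwick check; the record tuples, names and addresses are constructed for illustration, and CNAME chains are deliberately not modelled.

```python
# Added example: bailiwick filtering of DNS response records.
# All names, addresses and the response itself are constructed; they are
# not taken from any real capture.

def in_bailiwick(name, zone):
    """True if `name` is `zone` or a name beneath it. The comparison is done
    label by label, so "evilattacker.example" is NOT inside "attacker.example"
    even though the string happens to end with it."""
    n = name.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(n) >= len(z) and n[-len(z):] == z


def filter_response(query_name, server_zone, records):
    """Split a response into records the resolver may cache and records it
    must ignore. `server_zone` is the zone the queried server was delegated
    for, so only owner names inside it are trusted. Each record is a tuple
    (section, owner_name, rtype, rdata)."""
    wanted = query_name.rstrip(".").lower()
    kept, dropped = [], []
    for rec in records:
        section, owner, rtype, rdata = rec
        if not in_bailiwick(owner, server_zone):
            dropped.append(rec)          # out-of-bailiwick data: the poison
        elif section == "answer" and owner.rstrip(".").lower() != wanted:
            dropped.append(rec)          # an answer for a name we never asked about
        else:
            kept.append(rec)
    return kept, dropped


# Constructed response from ns1.attacker.example to a query for
# www.attacker.example. The last two additional records are the attack.
POISONED_RESPONSE = [
    ("answer",     "www.attacker.example", "A",  "198.51.100.7"),
    ("authority",  "attacker.example",     "NS", "ns1.attacker.example"),
    ("additional", "ns1.attacker.example", "A",  "203.0.113.5"),   # legitimate glue
    ("additional", "www.google.com",       "A",  "198.51.100.7"),  # poison
    ("additional", "ebay.com",             "A",  "198.51.100.7"),  # poison
]

if __name__ == "__main__":
    kept, dropped = filter_response("www.attacker.example", "attacker.example",
                                    POISONED_RESPONSE)
    for rec in dropped:
        print("refused to cache:", rec)
```

The label-wise comparison in `in_bailiwick` matters: a naive `endswith` check would let a server for `attacker.example` inject records for `evilattacker.example` as well.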

Instructions for Accessing Business School Admissions Info Posted On Line (3 and 4 March 2005)

Several business school applicants took advantage of directions posted on line for logging onto web sites and gaining access to internal admission records at Harvard, Stanford, MIT, Dartmouth and other business schools to check their admission status. Though few people actually succeeded in gathering the information they were after, once the schools find out who tried to break into the servers, those people are likely to be rejected, as the action runs counter to the ethics the schools seek in their students. The schools affected were using an online application and notification system called ApplyYourself; apparently the students were able to access only their own records.
-http://www.computerworld.com/printthis/2005/0,4814,100206,00.html
-http://www.siliconvalley.com/mld/siliconvalley/11044063.htm?template=contentModules/printstory.jsp
-http://www.thecrimson.com/printerfriendly.aspx?ref=506140

Terrorists Target Offshore Call Centers (7 March 2005)

A terrorist cell that was planning attacks on an offshore call center was broken up by police in India. Three of the men were killed in the raid.
-http://www.theregister.co.uk/2005/03/07/offshore_goes_bang/

STATISTICS, STUDIES AND SURVEYS

Postini: Directory Harvesting Attacks Up in February (4 March 2005)

According to statistics from message filtering company Postini, directory harvesting attacks climbed to new heights in February. Directory harvesting attacks are brute force attacks used to gather legitimate email addresses to be used by spammers. In February, Postini customers suffered an average of 224 attacks daily; each attack comprised an average of 166 "invalid message delivery attempts."
-http://www.techweb.com/wire/security/60405705
[Editor's Note (Northcutt): If you run Exchange, there is a nice blog on how to prevent harvesting:
-http://blogs.msdn.com/evand/archive/2005/01/21/358155.aspx
(Shpantzer): Microsoft came out with a small download to help address this issue:
-http://support.microsoft.com/default.aspx?scid=kb;en-us;842851
(Guest Editor: Johannes Ullrich of Internet Storm Center): If you see a number of entries in your log file with similar names:
  66708: msg 947652 to local jullrich-mcwilliams@euclidian.com
  66709: msg 947652 to local jullrich-mead@euclidian.com
then your mail server is probably undergoing a directory harvest attack. Also, you will see delivery failure notes:
  Mar 8 01:49:35 server2 qmail: 1110246575.271041 delivery 17: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
qmail, like Exchange, first accepts the message, and later checks whether the mailbox exists or how the message has to be routed. ]
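As an added illustration (not part of the newsletter or of any editor's note), the Python below turns Ullrich's observation into a detector over constructed qmail-style log lines: it joins each delivery's "starting delivery" line to its outcome line via the delivery number, and flags any single message that bounced off several nonexistent local mailboxes with a 5.1.1 error, which is what one harvester walking a dictionary of guessed names looks like once the server has accepted the message. The line format follows qmail-send's logging; the syslog prefix, host name, addresses and the threshold of three unknown recipients are assumptions to be tuned per site.

```python
# Added example: spotting a directory harvest in qmail-send logs.
# The log lines are constructed for this example (host, addresses and
# timestamps are made up); the "starting delivery N: msg M to local ADDR"
# and "delivery N: failure: ..." shapes are qmail-send's own.
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar  8 01:49:30 server2 qmail: 1110246570.100000 starting delivery 66708: msg 947652 to local jullrich-mcwilliams@euclidian.com
Mar  8 01:49:30 server2 qmail: 1110246570.200000 starting delivery 66709: msg 947652 to local jullrich-mead@euclidian.com
Mar  8 01:49:31 server2 qmail: 1110246571.100000 starting delivery 66710: msg 947652 to local jullrich-meadows@euclidian.com
Mar  8 01:49:31 server2 qmail: 1110246571.300000 starting delivery 66711: msg 947653 to local alice@euclidian.com
Mar  8 01:49:35 server2 qmail: 1110246575.271041 delivery 66708: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
Mar  8 01:49:35 server2 qmail: 1110246575.300000 delivery 66709: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
Mar  8 01:49:36 server2 qmail: 1110246576.100000 delivery 66710: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
Mar  8 01:49:36 server2 qmail: 1110246576.200000 delivery 66711: success: did_0+0+1/
"""

START_RE = re.compile(r"starting delivery (\d+): msg (\d+) to (?:local|remote) (\S+)")
FAIL_RE = re.compile(r"delivery (\d+): failure: (\S+)")


def parse_failures(log_text):
    """Return (msg_id, recipient, reason) for every delivery that failed.
    qmail logs the recipient only on the start line, so the delivery number
    is the key that links a bounce back to the address it was for."""
    pending = {}     # delivery number -> (msg id, recipient)
    failures = []
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            dn, msg, rcpt = m.groups()
            pending[dn] = (msg, rcpt)
            continue
        m = FAIL_RE.search(line)
        if m:
            dn, reason = m.groups()
            if dn in pending:
                msg, rcpt = pending.pop(dn)
                failures.append((msg, rcpt, reason))
    return failures


def find_harvest_candidates(log_text, min_unknown=3):
    """Flag message IDs whose deliveries hit at least `min_unknown` distinct
    nonexistent mailboxes (#5.1.1). A legitimate message rarely has more
    than one bad recipient; a harvester probing guessed names has many.
    Returns {msg_id: sorted list of unknown recipients}."""
    unknown = defaultdict(set)
    for msg, rcpt, reason in parse_failures(log_text):
        if "#5.1.1" in reason:
            unknown[msg].add(rcpt)
    return {msg: sorted(rcpts) for msg, rcpts in unknown.items()
            if len(rcpts) >= min_unknown}


if __name__ == "__main__":
    for msg, rcpts in find_harvest_candidates(SAMPLE_LOG).items():
        print(f"possible directory harvest: msg {msg} probed {len(rcpts)} unknown mailboxes")
        for r in rcpts:
            print("   ", r)
```

Because the server accepted the message before checking the mailbox, the bounces are the only trace of the probe; rejecting unknown recipients at RCPT TO time (what the Exchange recipient filtering update linked above does) turns the same signal into an SMTP 550 that can be rate-limited per client instead.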

MISCELLANEOUS

Researcher Says Individual PCs Can Be Tracked (4 March 2005)

A University of California doctoral student has found techniques for fingerprinting individual computers wherever they connect to the Internet. The research says the techniques could be used to track laptops as they are carried to different locations.
-http://news.com.com/Tracking+PCs+anywhere+on+the+Net/2100-1029_3-5600055.html?tag=cd.top

[Editor's Note (Schneier): This is fascinating research. As the article points out, it's just another step in the arms race between snooping and anonymity. My prediction is that anonymity will lose in the end, but it'll be interesting to see what the next volley brings.
(Northcutt): It appears this can be disabled on Server 2003, see the knowledgebase section, better RTT Estimation:
-http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_TCPIP_ovr_newfeatures.asp ]
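The research referred to here (Kohno, Broido and Claffy, "Remote physical device fingerprinting", 2005) identifies a machine by its clock skew: every host's clock drifts by a characteristic few parts per million, and the TCP timestamp option leaks that drift in every segment, which is why the Windows timestamp setting Northcutt points to is relevant. The Python below is an added example, not code from the paper or the newsletter: it recovers the skew from (receive time, TSval) pairs with a least-squares fit, a simplification of the paper's linear-programming fit, and shows two constructed hosts with different skews being told apart. The sample observations, tick rate and jitter are synthetic.

```python
# Added example: estimating a remote host's clock skew from TCP timestamps.
# The observations below are synthesised; nothing here is captured traffic.
import random


def _slope(xs, ys):
    """Ordinary least-squares slope of ys against xs."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den


def estimate_frequency(samples):
    """Tick rate (Hz) of the remote TCP timestamp clock: the slope of TSval
    against our receive time, rounded, since real stacks use round numbers
    such as 100, 250 or 1000 Hz."""
    t0, v0 = samples[0]
    xs = [t - t0 for t, _ in samples]
    ys = [v - v0 for _, v in samples]
    return round(_slope(xs, ys))


def estimate_skew_ppm(samples, hz=None):
    """Clock skew in parts per million relative to our own clock. For each
    packet the observed offset is (TSval_i - TSval_0)/hz - (t_i - t_0); a
    remote clock that runs fast makes the offset grow linearly with elapsed
    time, and the slope of that line is the skew. Delay jitter only adds
    noise around the line, it does not change the slope."""
    if hz is None:
        hz = estimate_frequency(samples)
    t0, v0 = samples[0]
    xs = [t - t0 for t, _ in samples]
    offsets = [(v - v0) / hz - x for (_, v), x in zip(samples, xs)]
    return _slope(xs, offsets) * 1e6


def synth_samples(skew_ppm, hz=100, n=600, interval=10.0, seed=1):
    """Constructed observations of one host whose clock runs skew_ppm fast
    (slow if negative): one packet every `interval` seconds, each delayed by
    up to 20 ms of jitter. Returns (receive_time_seconds, TSval) pairs."""
    rng = random.Random(seed)
    samples = []
    for i in range(n):
        elapsed = i * interval
        tsval = 12345 + int(round(hz * elapsed * (1 + skew_ppm * 1e-6)))
        recv = 1_110_000_000.0 + elapsed + rng.uniform(0.0, 0.02)
        samples.append((recv, tsval))
    return samples


if __name__ == "__main__":
    # Two hosts behind the same address are distinguishable by skew alone.
    for label, s in (("host A", synth_samples(50)),
                     ("host B", synth_samples(-120, seed=2))):
        print(label, estimate_frequency(s), "Hz,",
              round(estimate_skew_ppm(s), 1), "ppm")
```

With timestamps quantised to 10 ms ticks, 600 packets spread over 100 minutes are enough to pin the skew to well under one part per million; a host that stops sending the timestamp option (or a NAT that rewrites it) removes the signal entirely.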

Nuclear Power Industry Suppliers Fight Security Rule (4 March 2005)

Companies that make control systems for the nuclear power industry are urging the Nuclear Regulatory Commission to delay or water down rules intended to improve the security of those systems. The proposed rule builds security standards into every stage of a system's lifecycle. The suppliers claim the rules could deter plant operators from installing new digital control systems.
-http://www.securityfocus.com/news/10618
[Editor's Note (Schultz): Nobody should be very shocked by what has happened here. Even though security works best and is very often most cost-effective when it is built into systems throughout system life cycles, there will always be short-sighted people who view security as an unnecessary obstruction. ]


===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/