SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #11
March 16, 2005
Are They Really Doing That?
A new, infrequent feature of NewsBites debuts this week (at the end of this issue). The feature exposes common practices of large companies that are likely to compromise the confidentiality of consumer information. We welcome your submissions. Our hope is that this feature will help encourage the companies to eliminate the problem and better protect their customers.
Alan
TOP OF THE NEWS
Government In Deal To Procure More Secure Versions Of Common Microsoft Operating Systems
Proposed Anti-Phishing Legislation
MIT, Harvard and Carnegie Mellon Business Schools Will Not Admit "Hackers"
DHS Employees to Begin Using RFID Smart Cards with Biometric Data this Spring
OMB Reports Show Improvement in e-Government and Agency Cyber Security
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
ISP Employee Arrested for Stealing Credit Card Info
French Researcher Receives Suspended Fine for Posting Proof-of-Concept Code
Three Plead Guilty in Net Piracy Case
Student Pleads Guilty to Piracy
Man Charged with Breaking into Sony Ericsson Site
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
GSA Will Review SmartPay Contractors' Security Policies
LEGISLATION
UK Legislator Wants Computer Misuse Act Amended to Include More Prison Time for Convicted Hackers
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
SMB Protocol Flaw Patch Not Readily Available for NT 4.0
Worms Spreading Through MSN Messenger
LAND Attack Details Posted on Internet
Commwarrior Mobile Phone Virus
ATTACKS AND INTRUSIONS
Customer Data Stolen from DSW Shoe Warehouse Stores
Consumer Data Stolen from Seisint Databases
MISCELLANEOUS
Judge Says Apple Bloggers Must Reveal Confidential Sources
Alleged Bogus Anti-Spyware Company Shut Down
ChoicePoint SEC Filing Hints There May be More Data Theft Victims
Two Factor Authentication: Too Little, Too Late
ARE THEY REALLY DOING THAT
Can Crooks Who Steal Mobile Phones Get Victims' Passwords From Sprint?
********************* Sponsored by SANS 2005 ***************************
SANS 2005, in San Diego in early April (on the ocean), is SANS' largest security and audit training conference and expo. Wonderful teachers teach material you can put to work immediately upon returning to the office, and present the most current tools and techniques. The late registration deadline is today, March 16.
Details at http://www.sans.org/sans2005
What attendees say:
"SANS is the gold standard in network security training, in terms of relevance of material, knowledgeable instructors, and sheer usefulness."
- Steve Keifling, SGI
*************************************************************************
TOP OF THE NEWS
Government In Deal To Procure More Secure Versions Of Common Microsoft Operating Systems (14 March 2005)
In a government-wide effort spearheaded by the US Air Force and expanded by the US Office of Management and Budget and the US Department of Homeland Security, agencies will be able to order Microsoft software preconfigured for improved security. Based on a consensus effort led by the not-for-profit Center for Internet Security and the US National Security Agency, Microsoft and the government have agreed on improved minimum security configuration standards that will be delivered by resellers such as Dell.
-http://www.fcw.com/article88250
Proposed Anti-Phishing Legislation (7 March 2005)
The Anti-Phishing Act of 2005, introduced by Senator Patrick Leahy (D-Vermont), would make it a crime to create phony web sites with the intent to defraud or commit identity theft. Parody sites would be exempt from the law. Those convicted could face prison sentences of up to 5 years and fines of up to US$250,000. The same penalties would apply to those convicted of pharming.
-http://www.computerworld.com/printthis/2005/0,4814,100244,00.html
[Editor's Note (Schultz): This bill would be a nice addition to the growing body of anti-crime legislation in the U.S. Anti-identity theft legislation is sorely needed given the magnitude of the identity theft problem. Hopefully, this bill will pass without significant hurdles. ]
MIT, Harvard and Carnegie Mellon Business Schools Will Not Admit "Hackers" (9 March 2005)
MIT's Sloan School of Management will join Carnegie Mellon University's Tepper School of Business and Harvard Business School in rejecting applicants who took advantage of directions posted on the Internet to access a web site that manages online school admissions. Sloan dean Richard L. Schmalensee said rejected applicants may reapply in later years; in addition, Sloan may consider appeals from individuals with extenuating circumstances. Mr. Schmalensee said that the posted instructions involved effort on the part of the information seekers; they had to know they were doing something unethical.
-http://www.boston.com/business/articles/2005/03/09/mit_says_it_wont_admit_hackers/
DHS Employees to Begin Using RFID Smart Cards with Biometric Data this Spring (7 March 2005)
In May 2005, Department of Homeland Security employees will begin using the Department of Homeland Security Access Card (DAC), which can be used for physical, wired and wireless authentication. The cards contain a high-resolution photo image of the employee, a difficult-to-reproduce holographic image and a digital copy of the employee's fingerprint, and use RFID and Bluetooth to communicate with reader devices. Some are concerned that the RFID chip and Bluetooth will make the cards vulnerable to compromise of confidentiality.
-http://www.wired.com/news/print/0,1294,66801,00.html
[Editor's Note (Schultz): It's funny (or perhaps better said, tragic) how critics are so quick to point out limitations in authentication solutions that are much stronger than passwords.
(Ranum): Why does DHS have to "do its own thing"? The DOD's Common Access Card (CAC) is a widely-deployed (though flawed) standard. ]
OMB Reports Show Improvement in e-Government and Agency Cyber Security (7 March 2005)
The Office of Management and Budget recently released a pair of reports indicating that government agencies have made progress in both cyber security and e-government. The 2004 Federal Information Security Management Act (FISMA) report shows "outstanding progress" in risk assessment and security control testing at a number of agencies. The 2004 e-gov report counts among its successes expanding public access to agency information and services and the development of five lines of business to avoid duplication of processes.
-http://govexec.com/story_page.cfm?articleid=30691&printerfriendlyVers=1&
-http://www.whitehouse.gov/omb/inforeg/2004_egov_report.pdf
-http://www.whitehouse.gov/omb/inforeg/2004_fisma_report.pdf
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
ISP Employee Arrested for Stealing Credit Card Info (10 March 2005)
On March 8, UK police arrested an employee of Zen Internet for allegedly stealing customer credit card details. The suspect then allegedly used the information to establish gaming accounts that he sold over the Internet.
-http://www.theregister.co.uk/2005/03/10/zen_police/print.html
French Researcher Receives Suspended Fine for Posting Proof-of-Concept Code (10/9 March 2005)
French security researcher Guillaume Tena has been given a suspended fine of 5,000 euros (US$6,677) for posting proof-of-concept exploit code for vulnerabilities in a Tegam International anti-virus product. Tena will have to pay the fine if he commits another offense within the next five years. Prosecutors had asked for a 4-month jail term and fines. Tegam International is also pursuing a 9 million euro (US$12 million) civil case against Tena.
-http://www.theregister.co.uk/2005/03/10/tegam_verdict/print.html
-http://www.eweek.com/print_article2/0,2533,a=147351,00.asp
-http://news.zdnet.com/2102-1009_22-5606306.html?tag=printthis
[Editor's Note (Schneier): This is a chilling precedent, and is a setback for "full disclosure" advocates.
(Ranum): I think this kind of litigation is going to show hackers and "security researchers" that this is not a game anymore. ]
Three Plead Guilty in Net Piracy Case (8 March 2005)
Three men have pleaded guilty to being members of organized groups that distribute pirated video and computer games. The men were caught as a result of "Operation Higher Education," a Net piracy sweep carried out in 12 countries.
-http://news.com.com/2102-1030_3-5604937.html?tag=st.util.print
Student Pleads Guilty to Piracy (8 March 2005)
Parvin Dhaliwal, a student at the University of Arizona, has pleaded guilty to possession of unauthorized copies of intellectual property, a Class 6 Felony under the state's new piracy law. Mr. Dhaliwal had uploaded digital copies of recently released films and music believed to be valued at $50 million; some movies, such as Matrix Revolutions, were still playing in theaters. Mr. Dhaliwal received a sentence of 3 months in jail, 3 years' probation, 200 hours of community service and a US$5,400 fine. He is also required to take a university class on copyright issues.
-http://www.msnbc.msn.com/id/7122133/
Man Charged with Breaking into Sony Ericsson Site (8 March 2005)
Csaba Richter of Hungary has been charged with industrial espionage for allegedly breaking into the Sony Ericsson AB and Ericsson AB Intranets. He told officials that he hoped the companies would be impressed with his skills and hire him. Mr. Richter has admitted to stealing documents concerning telecommunications.
-http://www.infoworld.com/article/05/03/08/HNsonyhack_1.html
[Editor's Note (Shpantzer): Hacking in order to get a job might have worked for some people in the 80's and even the 90's, but the only people who are hiring like that these days are mobsters with a need for technical skills. ]
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
GSA Will Review SmartPay Contractors' Security Policies (8 March 2005)
In the wake of Bank of America's loss of backup tapes containing personal information belonging to 1.2 million federal employees, the General Services Administration says it will be reviewing security policies at four other SmartPay contractors. A GSA spokesperson said the agency "is taking all appropriate steps to ensure that SmartPay contractors maintain security policies consistent with current industry standards." In addition, GSA and the Defense Department plan to work jointly on a risk assessment reviewing Bank of America's security procedures; BofA says it has changed its SmartPay backup procedures but declined to provide specifics as a matter of security.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=35251
LEGISLATION
UK Legislator Wants Computer Misuse Act Amended to Include More Prison Time for Convicted Hackers (11/10 March 2005)
Derek Wyatt MP, chairman of the UK's All Party Parliamentary Internet Group (APIG), plans to argue for amendments to the country's Computer Misuse Act. Specifically, Wyatt would like to see the creation of a separate denial-of-service offense as well as an increase in the maximum jail sentence for hacking from 6 months to 2 years.
-http://www.theregister.co.uk/2005/03/10/mp_pitches_denial_of_service_law_to_parliament/print.html
-http://www.vnunet.com/news/1161864
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
SMB Protocol Flaw Patch Not Readily Available for NT 4.0 (11 March 2005)
On February 8, 2005, Microsoft released an advisory for a vulnerability in the server message block (SMB) protocol in Windows that could allow an attacker to take control of vulnerable servers. However, Microsoft released patches only for more recent versions of Windows; there was no patch for Windows NT 4.0, as the company stopped officially supporting it on December 31, 2004. Microsoft does have a patch for NT 4.0 customers who have paid for extended support. Users could enable SMB signing as some form of protection; Microsoft is encouraging users to upgrade to Server 2003 for security reasons.
-http://www.theage.com.au/news/Breaking/Windows-NT4-servers-open-to-hackers/2005/03/11/1110417668599.html#
Worms Spreading Through MSN Messenger (9/7 March 2005)
Researchers have detected a variety of worms that are spreading through MSN Messenger. Some are Bropia variants; two others, Kelvir and Sumom, are capable of installing the Backdoor.Rbot Trojan. The number of worms using IM to spread is increasing. In the first six weeks of 2005 alone there have been 10 IM worms, three times the number for the same period last year.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39220754-39037064t-39000005c
-http://www.eweek.com/print_article2/0,2533,a=147185,00.asp
-http://www.computerworld.com/securitytopics/security/virus/story/0,10801,100264,00.html
[Editor's Note (Northcutt): This is a classic security awareness problem. We need to remind our users not to click on the link for the URL sent in these IMs. ]
LAND Attack Details Posted on Internet (9 March 2005)
Details of a denial-of-service attack on Windows computers were published on an Internet forum. The attack, known as a LAND attack, consumes CPU resources by sending the target computer a data packet with the same source-host and destination-host information. The attack does not allow malicious code to run on machines, but does consume resources.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39220751-39037064t-39000005c
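Because a LAND packet is defined entirely by its header (source host equal to destination host, classically with the same port as well), it is easy to spot in firewall or IDS logs. The detector below is an added example, not code from the article or from any vendor; the log line format it parses is constructed for the example and would need adapting to a real export.

```python
"""Flag LAND-pattern packets (source host == destination host) in a log.

The log format below is constructed for this example:
  <timestamp> proto=<PROTO> src=<host>:<port> dst=<host>:<port> [flags=<flags>]
IPv6 hosts are written in brackets, e.g. src=[2001:db8::5]:135.
"""
import ipaddress
import re
from typing import Iterable, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>\[[^\]]+\]|[^:\s]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>\[[^\]]+\]|[^:\s]+):(?P<dport>\d+)"
    r"(?:\s+flags=(?P<flags>\S+))?"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the packet fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = rec["src"].strip("[]")   # drop IPv6 brackets
    rec["dst"] = rec["dst"].strip("[]")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = rec["flags"] or ""
    return rec


def is_land_packet(rec: dict, require_same_port: bool = False) -> bool:
    """True when source and destination host are the same address.

    Addresses are compared as ipaddress objects so that different textual
    spellings of one IPv6 address (e.g. ::1 and 0:0:0:0:0:0:0:1) still match.
    A packet arriving from the network with the host's own address as source
    is spoofed either way; require_same_port=True narrows the match to the
    classic LAND signature, where the port is reused too.
    """
    try:
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return False                      # not an IP literal: cannot judge
    if src != dst:
        return False
    return rec["sport"] == rec["dport"] if require_same_port else True


def find_land_packets(lines: Iterable[str], require_same_port: bool = False) -> List[str]:
    """Return one alert string per LAND-pattern packet; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_land_packet(rec, require_same_port):
            alerts.append(f"{rec['ts']} LAND pattern: {rec['src']}:{rec['sport']} "
                          f"-> {rec['dst']}:{rec['dport']} flags={rec['flags']}")
    return alerts


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2005-03-09T10:01:00Z proto=TCP src=192.0.2.10:1234 dst=192.0.2.50:445 flags=S",
    "2005-03-09T10:01:02Z proto=TCP src=192.0.2.50:445 dst=192.0.2.50:445 flags=S",
    "2005-03-09T10:01:03Z proto=TCP src=192.0.2.50:139 dst=192.0.2.50:445 flags=S",
    "2005-03-09T10:01:04Z proto=TCP src=[2001:db8::5]:135 dst=[2001:db8::5]:135 flags=S",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for alert in find_land_packets(SAMPLE_LOG):
        print(alert)
```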
Commwarrior Mobile Phone Virus (9/8 March 2005)
The Commwarrior virus targets mobile phones based on Nokia's Series 60 platform, which is based on the Symbian operating system. Commwarrior spreads through multimedia messaging service (MMS) and through Bluetooth.
-http://informationweek.com/story/showArticle.jhtml?articleID=159400120
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39220702-39037064t-39000005c
ATTACKS AND INTRUSIONS
Customer Data Stolen from DSW Shoe Warehouse Stores (10 March 2005)
Credit card and other customer data from at least 103 DSW Shoe Warehouse stores has been stolen. The thefts took place over the last three months. Julie Davis, general counsel for parent company Retail Ventures, says credit card companies have reported fraudulent activity. Data provided at the DSW web site was not affected. Ms. Davis also said that an independent computer security company will conclude an investigation within the next week or two, and that the Secret Service is investigating as well.
-http://news.zdnet.com/2102-1009_22-5608311.html?tag=printthis
Consumer Data Stolen from Seisint Databases (9 March 2005)
Data broker LexisNexis said that Social Security numbers and other personal data belonging to as many as 32,000 US consumers were stolen from databases at Seisint, a company recently purchased by LexisNexis parent company Reed Elsevier. The FBI is investigating the case. The company says it will notify all those whose data was compromised and will help them monitor their credit reports and other accounts for problems.
-http://www.reed-elsevier.com/index.cfm?articleid=1258&articleaction=print&type=recent
-http://www.usatoday.com/money/industries/2005-03-09-lexinexis_x.htm
-http://www.usatoday.com/news/world/2005-03-09-data-breach_x.htm
-http://www.computerworld.com/printthis/2005/0,4814,100287,00.html
-http://news.com.com/2102-1029_3-5606911.html?tag=st.util.print
[Editor's Note (Schultz): How many more incidents of this nature must occur before national legislation that specifies penalties for failure to adequately protect personal and consumer information is passed?
(Shpantzer): It's time to make some version of California's SB 1386 a federal law.]
MISCELLANEOUS
Judge Says Apple Bloggers Must Reveal Confidential Sources (13/11 March 2005)
A judge has ordered three online reporters, also known as bloggers, to reveal their confidential sources to Apple Computer, Inc. Lawyers for the defendants had argued that the web sites deserved the same First Amendment protection granted to journalists working for printed publications, who are protected from having to disclose their sources. In his ruling, Santa Clara (California) County Superior Court Judge James Kleinberg wrote "what underlies this decision is publishing information that at this early stage of the litigation fits squarely within the definition of a trade secret." Judge Kleinberg said Apple may subpoena records of the web sites that published information about an unreleased product.
-http://www.computerworld.com/printthis/2005/0,4814,100365,00.html
-http://news.zdnet.com/2102-1040_22-5611285.html?tag=printthis
-http://www.zdnet.com.au/news/business/print.htm?TYPE=story&AT=39183790-39023166t-10000004c
[Editor's Note (Shpantzer): Trade secrets are SECRETS and should not be published by ethical journalists or bloggers. As the judge said: "The journalist's privilege is not absolute... journalists cannot refuse to disclose information when it relates to a crime." See
-http://www.eff.org/Censorship/Apple_v_Does/
for legal analysis and especially the ruling found here:
-http://www.eff.org/Censorship/Apple_v_Does/20050311_apple_decision.pdf ]
Alleged Bogus Anti-Spyware Company Shut Down (11 March 2005)
The Federal Trade Commission said that a company which has allegedly been advertising and selling phony anti-spyware software has been temporarily shut down. MaxTheater Inc.'s Spyware Assassin used pop-ups and email warnings that users' computers were infected with spyware in order to sell the bogus product. Free scans offered by the company returned results reporting spyware even when machines were clean, and the product did not remove spyware from infested machines. A US court has ordered the company and its owner to "suspend activity" until a hearing scheduled for Tuesday, March 15.
-http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=7881764
ChoicePoint SEC Filing Hints There May be More Data Theft Victims (10 March 2005)
According to ChoicePoint's recent Securities and Exchange Commission filing, the company notified people whose information was compromised on or after July 1, 2003, the effective date of the California Security Breach Information Act, which requires notification in the event of a security breach. The company searched only for records that had been sold during that period. This could imply that more people were affected, but that their information was compromised before July 1, 2003.
-http://news.com.com/2102-1029_3-5609253.html?tag=st.util.print
Two Factor Authentication: Too Little, Too Late (April 2005)
Bruce Schneier describes why two-factor authentication will not prove effective against Internet fraud and identity theft in the long run. While older attacks involved shoulder surfing and guesswork to obtain passwords, more recent attacks, like man-in-the-middle attacks and Trojans, take advantage of what users know to access their online bank accounts.
-http://www.schneier.com/essay-083.html
[Editor's Note (Schneier): Two-factor authentication is not useless. It just won't prevent fraud and identity theft. There are applications where it works great. If I am an organization trying to control employee access to servers and applications, two-factor authentication is a great security addition. It makes sense in that kind of scenario.
(Ranum): This is nothing new; the computer security greybeards were pointing this out back in the 1980s - authentication is useless unless there is a trustworthy path.
(Shpantzer): I fear that this essay will be misused by some in the management suites as an excuse for not providing strong authentication where it does make a difference. The subtleties of MITM and Trojan attacks versus other types of attacks that are foiled by strong authentication will elude decision-makers, and make authentication a more difficult sale for responsible security advocates. Strong authentication won't save the world, but it sure beats password-only schemes for many applications. ]
ARE THEY REALLY DOING THAT
Can Crooks Who Steal Mobile Phones Get Victims' Passwords From Sprint?
Hobbit writes: Since your NewsBites issues occasionally deal with lame and vulnerable schemes that service providers hang out there (a la T-mobile), would you also be interested in distributing more of that dreary picture for the benefit of your readers?
Specifically, Sprint PCS's "password recovery" website interface takes a mobile number and sends the (plaintext) account PIN to the phone as a text message. Meaning that anyone who finds or steals a phone has full access to the account it is under. I cannot convince Sprint customer support that such a scheme is idiotic, and presents too great a risk for the sake of "convenience".
[Editor's Note (Paller): We hope through this new feature in NewsBites to persuade consumer product and service companies to work a little harder to protect the private information (or security of the computers) of their customers. If you have evidence of vulnerable schemes in use by large service or product providers, please let us know. Write the SANS Research Office (sansro@sans.org). ]
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit
http://portal.sans.org/