SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #13
March 30, 2005
TOP OF THE NEWS
OMB Interagency Task Force Will Examine Ways to Share Security FunctionsLegislators Introduce Spy Block Act
Service Providers for Fingerprint Alliance for Profiling Attacks
Financial Institutions Must Notify Consumers of Data Theft
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCESAcxiom Data Thief Sentenced to Nearly Four Years in Prison
FBI Arrests Two in Denial-of-Service for Hire Case
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
GAO: SEC Information Security Controls are Lacking
PITAC Recommends Increased Cyber Security R&D Spending
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
Apple Settles Suit Against Developer Who Shared Mac OS Beta
Korean Bank Under Investigation for Allegedly Using Pirated Microsoft Software
Apple in Cat and Mouse Game Around iTunes Copy Protection
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Unbounded Buffer Vulnerability in Trillian 3.1
Yahoo Messenger Targeted by Phishers
Sybase Threatens Lawsuit Over Vulnerability Disclosures
Mozilla Fixes Firefox Buffer Overflow Flaw
Apple OS X Update Fixes Nine Flaws
Drever-C Trojan
ATTACKS AND INTRUSIONS
University of Nevada-Las Vegas Server Breached
STANDARDS AND BEST PRACTICES
Ten Worst Security Practices
MISCELLANEOUS
Secret Service Distributed Computing Program Cracks Crypto Key Passwords
NIST Releases Guide to HIPAA Security Rule Implementation
Law Enforcement Officials Urge Companies to Report Security Breaches
Advancing Mobile Phone Technology and Consumers' Lack of Awareness Present Security Risks
Identity Theft Unavoidable Until Data Privacy is Addressed
Security Managers Take Proactive Measures
********************** Sponsored by Shavlik *****************************
Now Available! Shavlik HFNetChkProT version 5 is here! Introducing Shavlik HFNetChkProT 5, the next generation of security patch management. With over 50 awesome new features including detailed reporting, advanced reboot options, and distribution servers staying up to date on patches has never been easier and your network has never been more secure. Keep your world in Chk with Shavlik. Download the trial version today at http://www.sans.org/info.php?id=740
*************************************************************************
Highlighted Training Program of the Week
Rocky Mountain SANS 2005, in Denver in May offers nine immersion tracks plus short programs on Cutting Edge Hacker Techniques, Security Policy Development, Security Awareness Training, and more. Wonderful teachers give you material you can put to work immediately upon returning to the office and present the most current tools and techniques. Details at
http://www.sans.org/rockymnt2005
What attendees say:
"SANS is the gold standard in network security training, in terms of relevance of material, knowledgeable instructors, and sheer usefulness."
- Steve Keifling, SGI
*************************************************************************
TOP OF THE NEWS
OMB Interagency Task Force Will Examine Ways to Share Security Functions (21 March 2005)
The Office of Management and Budget (OMB) has created an interagency task force to examine how agencies can share cyber security functions. The group will conduct a six-month study after which time it will "develop a business case for IT security functions that can be provided centrally by agencies or vendors."-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=
35313
Legislators Introduce Spy Block Act (21 March 2005)
The Spy Block Act, introduced last week by US Senators Conrad Burns (R-Mont.) and Ron Wyden (D-Ore.), is based on the premise that people have the right to know and control what software is installed on their machines. "The bill bans the surreptitious installation of software" in cases when the user did not request installation and it also takes aim at software that prevents efforts to uninstall or disable it. Also banned under the bill are the collection and transmission of information about computer users without their consent.-http://www.internetnews.com/security/print.php/3491731
[Editor's Note (Schultz): I would really like to see a bill of this nature signed into law soon. Spyware is not only becoming increasingly malicious, but it constitutes an intolerable invasion of privacy.
(Ranum): This is just political posturing. So spyware authors will have to add a few extra lines to their "clickwrap" license so that users "agree to" having their personal information shared. It's going to work about as well as CAN-SPAM did for the same reasons. The politicians know it. ]
Service Providers for Fingerprint Alliance for Profiling Attacks (28 March 2005)
The Fingerprint Alliance, which counts among its members Cisco Systems Inc. and EarthLink Inc., has established "an automated process for sharing attack profiles across service-provider network." The software the service providers are using lets them establish baselines for their networks and alerts them when anomalies are detected. If an attack is identified, the fingerprint is shared automatically.-http://www.techweb.com/wire/security/159907277
More info at
-http://www.arbor.net/fingerprint-sharing-alliance.php
Financial Institutions Must Notify Consumers of Data Theft (24/18 March 2005)
Four government banking agencies, including the Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve, have issued rules that require banks and other financial institutions to inform customers as soon as possible when their information has been stolen or its security has been breached and there is reason to believe it will be misused. Notice could be delayed if a law enforcement agency determines that it would interfere with a criminal investigation. Financial institutions are also required to inform their primary federal regulators whether or not customers are being informed.-http://www.pcworld.com/news/article/0,aid,120168,00.asp
-http://news.zdnet.com/2102-1009_22-5635399.html?tag=printthis
-http://www.reuters.com/newsArticle.jhtml?storyID=7948563
[Editor Note (Schultz): This is a major step forward in fighting identity theft, but the emphasis needs to shift from requiring notification to requiring responsibility in protecting personal and financial information in the first place. ]
**************************** SPONSORED LINKS ****************************
Privacy notice: These links redirect to non-SANS web pages.
1) Upcoming webinar - "Plugging the Biggest Holes in your Network Security: Testing Firewalls and IDS/IPS".
http://www.sans.org/info.php?id=741
2) 21st Century Cyber Forensics-is your system obsolete? Find out at our webinar on March 30th.
http://www.sans.org/info.php?id=742
3) Earn your Master's degree in Information Security from an NSA-recognized online program.
http://www.sans.org/info.php?id=743
************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Acxiom Data Thief Sentenced to Nearly Four Years in Prison (24 March 2005)
Daniel J. Baas has been sentenced to 45 months in prison for breaking into Acxiom Corp.'s computer systems and downloading encrypted password files. He was able to access the files of other Acxiom clients. Although Baas stored the files on computer disks at his home, he apparently never used or shared the information he took. At the time, Baas was working as a systems administrator for a company that was doing data analysis for Acxiom.-http://www.siliconvalley.com/mld/siliconvalley/news/editorial/11220069.htm?templ
ate=contentModules/printstory.jsp
-http://arkansasbusiness.com/news/headline_article.asp?aid=40247
FBI Arrests Two in Denial-of-Service for Hire Case (22/18 March 2005)
The FBI has arrested two people in connection with a denial-of-service-for-hire case. Jason Arabo allegedly hired a 17-year-old to launch an attack on the web site of Jersey-joe.com, a business competitor. The 17-year-old allegedly used a botnet to conduct the attack. Arabo could face up to five years in prison and a fine of as much as twice the amount of loss incurred by the victims.-http://www.theregister.co.uk/2005/03/22/ddos_for_hire_plot_arrests/print.html
-http://www.freep.com/news/statewire/sw113188_20050318.htm
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
GAO: SEC Information Security Controls are Lacking (25 March 2005)
A General Accounting Office report says that the Securities and Exchange Commission needs to improve controls over user accounts and passwords, access rights and permissions, network security and audit, and monitoring of events to detect and prevent intrusions. The weaknesses put sensitive data at risk of being stolen or modified. SEC passwords were easily guessed, and former employees were not blocked from using SEC computers. In one case, someone who had not worked for the SEC for eight months still had access to the system. The SEC will incorporate the recommendations made by the GAO by June 2006.-http://www.govexec.com/story_page.cfm?articleid=30858&printerfriendlyVers=1&
amp;
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=35358
PITAC Recommends Increased Cyber Security R&D Spending (21/18 March 2005)
In a report entitled Cyber Security: A Crisis of Prioritization, the Presidential IT Advisory Committee (PITAC) has recommended significant increases in cyber security R&D spending as well as a shift in focus from short term to long term security solutions. Among PITACs recommendations: increase funding for the National Science Foundations Cyber Trust program by at least $90 million annually; the current budget is just $30 million. The report also recommends increasing funding for DHS (Department of Homeland Security) and DARPA (Defense Advanced Research Projects Agency) cyber security research budgets. The report also identifies key areas for future research, including authentication methodologies, end-to-end system security and secure networking protocols.-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.
id=35311
-http://www.fcw.com/article88363-03-21-05-Web
-http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf
[Editors Note (Northcutt): I was deeply troubled by a quote from page 42: "U.S. academic institutions employ fewer than 250 active cyber security or cyber assurance specialists, many of whom lack either formal training or extensive professional experience in the field." ]
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
Apple Settles Suit Against Developer Who Shared Mac OS Beta (24/23 March 2005)
Apple Computer Inc. has settled a lawsuit it brought against Doug Steigerwald, one of three men sued for distributing test copies of Mac OS X 10.4, code-named "Tiger," on a file sharing site. Steigerwald was a member of the Apple Developer Connection, which entitled him to early test copies of the new version of the operating system. Steigerwald will pay "an undisclosed sum" to Apple, and acknowledged that his actions were wrong. Steigerwald is also being investigated by the US Attorney's office.-http://www.usatoday.com/tech/news/2005-03-24-apple-tiger_x.htm
-http://www.computerworld.com/printthis/2005/0,4814,100590,00.html
Korean Bank Under Investigation for Allegedly Using Pirated Microsoft Software (23 March 2005)
Police in Seoul, Korea are investigating a complaint lodged by Microsoft Korea against a local bank for using pirated software; 61% of the bank's 11,400 computers are allegedly running pirated software. Microsoft is also charging that the bank has not renewed its contract for the 4,500 computers for which the software was initially purchased. The bank maintains that under the terms of its contract with Microsoft, it can make as many copies of the software as it pleases.-http://english.chosun.com/w21data/html/news/200503/200503230040.html
Apple in Cat and Mouse Game Around iTunes Copy Protection (23/22/21 March 2005)
In response to the appearance of the PyMusique utility, which allows Windows and Linux users to buy music from the iTunes store without the iTunes software, Apple has announced that all iTunes Music Store customers need to upgrade to version 4.7 of the company's iTunes jukebox software. PyMusique, which allows the purchase of songs without DRM restrictions, was developed by a trio of programmers including Jon Johansen, whose DeCSS DVD decryption code earned him the nickname DVD Jon. Following Apple's announcement, the programmers posted code that once again allows PyMusique to work.-http://www.theregister.co.uk/2005/03/22/apple_blocks_pymusique/print.html
-http://news.com.com/2102-1027_3-5630703.html?tag=st.util.print
-http://www.pcworld.com/resource/printable/article/0,aid,120146,00.asp
-http://www.vnunet.com/news/1162112
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39185368-20000
61744t-10000005c
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Unbounded Buffer Vulnerability in Trillian 3.1 (28 March 2005)
An unbounded buffer vulnerability in Trillian 3.1, an IM client from Cerulean Studios, could allow attackers to shut down programs on vulnerable computers or even take control of machines' operating systems. There have been no reports of exploits for the flaw. Cerulean co-founder and CEO Scott Werndorfer said the vulnerability is "extremely low risk" and that it would be fixed in the next Trillian release.-http://asia.cnet.com/news/security/printfriendly.htm?AT=39223424-39037064t-39000
005c
Yahoo Messenger Targeted by Phishers (28/25/24 March 2005)
Phishers are taking aim at Yahoo Messenger users. The attackers are sending messages that appear to come from friends and that contain a link to a phony web site. The web site looks authentic and asks for Yahoo usernames and passwords. Once in possession of this information, attackers would have access to the user's Messenger profile and contact list. A recent report from SurfControl found that while 90% of the more than 7,5000 US businesses surveyed have established policies for email use, just over half have policies that address IM and peer-to-peer technology use.-http://asia.cnet.com/news/security/printfriendly.htm?AT=39223426-39037064t-39000
005c
-http://www.informationweek.com/story/showArticle.jhtml?articleID=159906218
-http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=109&STORY=/www/story/03-23
-2005/0003243010&EDATE=
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39223034-39037064t-39000
005c
Sybase Threatens Lawsuit Over Vulnerability Disclosures (25/22 March 2005)
Sybase Inc. has sent a letter to Next Generation Security Software, LTD., informing them that they will take legal action if NGS releases information about eight buffer overflow and denial-of-service vulnerabilities it claims to have discovered in Sybase's Adaptive Server Enterprise software v.12.5.3. NGS had initially informed only Sybase of the vulnerabilities; Sybase in turn released a patched version of the affected software in February, 2005. NGS had planned to release the information about the flaws on March 28, 2005, but has decided against doing so.-http://www.computerworld.com/printthis/2005/0,4814,100637,00.html
-http://www.eweek.com/print_article2/0,2533,a=148276,00.asp
[Editors Note (Pescatore): There have been a number of formal proposal for "responsible vulnerability reporting" but the basics are pretty well understood. Notify the vendor of the product, allow 30 days to respond. If they say additional time is required to product/test a patch (which in today's software world is pretty much the norm), wait. Never give out exploit code. This doesn't mean go back to the days where vendors never admitted security bugs and only patched as part of normal product upgrades - that was a different, but equally dangerous, form of irresponsibility.
(Ranum): Having been on the sharp end of extortionate demands from "grey hat security researchers" I can only applaud Sybase's choice to hold vulnerability researchers responsible for the consequences of their actions. ]
Mozilla Fixes Firefox Buffer Overflow Flaw (25/24 March 2005)
Mozilla has released a patch for a buffer overflow flaw in its Firefox browser. The problem lies in Netscape legacy code in the browser used for animating GIF images. Mozilla released Firefox v.1.0.2 on March 23; the new version fixes the vulnerability. Mozilla is encouraging all users to upgrade to this version.-http://www.desktoplinux.com/news/NS2694483383.html
-http://www.internetweek.com/allStories/showArticle.jhtml?articleID=159905656
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39223031-39037064t-39000
005c
-http://www.mozilla.org/products/firefox/releases/1.0.2.html
-http://www.mozilla.org/projects/security/known-vulnerabilities.html
Apple OS X Update Fixes Nine Flaws (24/21 March 2005)
Apple Computer has released Security Update 2005-003 for Mac OS X. The update addresses nine vulnerabilities, including one for a flaw in Safari that could be exploited by phishers. That same flaw affects all browsers that support Internationalized Domain Names and involves the indiscernible substitution of international characters for others.-http://news.zdnet.com/2102-1009_22-5629084.html?tag=printthis
-http://www.infoworld.com/article/05/03/24/HNapplepatchesflaws_1.html
Drever-C Trojan (24/23 March 2005)
The Drever-C Trojan attacks a variety of anti-virus packages for Symbian smart phones. Drever-C pretends to be a security update. It attacks files from the boot sector and tries to overwrite certain anti-virus files. It also tries to replace binary components of other antivirus programs with corrupt ones.-http://www.theregister.co.uk/2005/03/23/mobile_trojan_targets_av/print.html
-http://news.softpedia.com/news/Trojans-pick-on-the-security-companies-822.shtml
ATTACKS AND INTRUSIONS
University of Nevada-Las Vegas Server Breached (19 March 2005)
The records of as many as 5,000 current and former international students at the University of Nevada-Las Vegas may have been exposed when an attacker gained access to the school's Student and Exchange Visitor Information System server. The breach was discovered during a routine network activity security check; analysts caught the attack as it was happening and took the server off line. UNLV has emailed all affected students and alerted them to the situation. The FBI is investigating.-http://www.lasvegassun.com/sunbin/stories/nevada/2005/mar/19/031910382.html
-http://www.reviewjournal.com/lvrj_home/2005/Mar-19-Sat-2005/news/26110200.html
STANDARDS AND BEST PRACTICES
Ten Worst Security Practices (24 March 2005)
A list of the ten worst security practices includes buying products to fix security holes as they arise, neglecting to create a security policy, treating all data as equal and backing up all data every night. The list includes tips on what to do instead.-http://www.nwc.securitypipeline.com/159900223
[Editors Note (Schultz): A ten worst security practices list is an extremely innovative idea, but I seriously wonder if the individuals who need to see this list the most will ever be motivated to look at it. As they say, ignorance is bliss. ]
MISCELLANEOUS
Secret Service Distributed Computing Program Cracks Crypto Key Passwords (28 March 2005)
Cases involving data stored on computers depend on investigators being able to decrypt encrypted data. The US Secret Service has linked 4,000 of its employees' computers into the Distributed Networking Attack program which works to crack criminal's encryption key passwords. DNA uses plaintext data from the computers to help create word lists for cracking passwords; frequently visited web sites can offer clues to criminals' interests and help generate the list. The process grows more complicated when the criminals communicate in a melange of languages and combinations of Roman and non-Roman alphabets. (Note: This site requires free registration)-http://www.washingtonpost.com/ac2/wp-dyn/A6098-2005Mar28?language=printer
[Editors Note (Pescatore): Back in the Prohibition (making alcohol illegal) days in the US, moonshiners would soup up their car engines to outrun law enforcement. Of course, this lead law enforcement to buy their own souped up patrol cars. Always good to see the good guys learn from the bad guys - distributed key cracking for fun, profit and investigation.
(Shpantzer): The Scarfo case is an interesting study in bypassing strong encryption in the days when computing power wasn't what it is today. Way back in 1999, the FBI got a 'snoop and poop' warrant to surreptitiously install a keystroke logger on the suspected mafioso's computer, looking for the passphrase to his encrypted folders. For more information, including the original search warrants, see
-http://www.epic.org/crypto/scarfo.html
for general case info. Scroll down and look for the applications for surreptitious entry and delay of notification.]
NIST Releases Guide to HIPAA Security Rule Implementation (28 March 2005)
The National Institute of Standards and Technology (NIST) has released Special Publication 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule. It includes recommendations for types of systems needed to meet HIPAA mandates, which go into effect on April 20, 2005, and describes the similarities between the HIPAA security and the Federal Information Security Management Act.-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=35364
Law Enforcement Officials Urge Companies to Report Security Breaches (24 March 2005)
State and federal law enforcement officials speaking on an information security panel urged companies to report network security breaches. While companies are often reluctant to reveal such information for fear it will tarnish their reputation, law enforcement officials said every bit of information helps and what is withheld could be an important missing piece in another investigation.-http://www.computerworld.com/printthis/2005/0,4814,100598,00.html
Advancing Mobile Phone Technology and Consumers' Lack of Awareness Present Security Risks (24 March 2005)
Scott Granneman's column addresses the ever-expanding capabilities of mobile phones and how the added convenience of new features and the capability to store more information creates additional security concerns and attack vectors. People are not always making good security choices when it comes to the new technology; after the much-publicized cracking of Paris Hilton's Sidekick II, sales of the phone reportedly soared.-http://www.securityfocus.com/printable/columnists/310
Identity Theft Unavoidable Until Data Privacy is Addressed (23 March 2005)
March alone has seen at least 10 incidents in which people's personal data were compromised or stolen. However, none of the attacks listed involved online transactions. Merchants are allowed to sell customers' personal information to whomever they choose and to put it in a database with unknown security precautions. US legislation has focused largely on increasing penalties for identity theft rather than addressing the way in which merchants and data brokers use people's information. Identity theft and credit card fraud will remain impossible to prevent until this problem is addressed.-http://www.theregister.co.uk/2005/03/23/id_theft_cannot_be_escaped/print.html
Security Managers Take Proactive Measures (21 March 2005)
Security managers are increasingly taking a proactive stance toward network security. This shift is driven by several factors, including Sarbanes-Oxley compliance requirements, increasing use of wireless technology, remote workers and web services and the ever-shrinking lag time between the disclosure of a vulnerability and the appearance of malware to exploit it. General Motors Corp. denies network access to anyone the company has not vetted. Texas Tech University deployed network behavior modeling tools to establish baseline network behavior and quickly detect and identify anomalies. Companies are also looking to build security into application software and to encourage the software industry to incorporate security into the development process.-http://www.computerworld.com/printthis/2005/0,4814,100450,00.html
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/