SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #15

April 13, 2005


More than 3,000 CISOs and other security managers have discovered that
they can get the inside story on which security tools actually work.
Their secret: the WhatWorks interviews. The one this Thursday (1 PM
EST) is with a large paper company that has found a tool that eliminates
all false positives from vulnerability testing, resulting in much better
cooperation between sysadmins and security staff, and much faster
vulnerability remediation. To listen in on the interview go to
https://www.sans.org/webcasts/show.php?webcastid=90578

Alan

TOP OF THE NEWS

Agency Funding May Eventually be Tied to FISMA Compliance
Spammer Receives Nine Year Sentence
Stolen Computers Contain 185,000 People's Medical Records
Hard Drive Bought on eBay Contains Sensitive Police Information

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Ericsson Network Intruder Charged with Espionage
Outsourced Call Center Employees Arrested for Credit Card Fraud
Man Arrested for Alleged Dating Web Site Intrusion
Israeli Court Sentences Man to 16 Months in Prison for Cyber Bank Robbery
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DHS CIO Cooper Resigns
FISMA Compliance Reporting Standards Would Be Helpful
US Dept. of Education Wants to Create Student Tracking Database
SPAM & PHISHING
Hard Drives Seized in Australian Spam Raid
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
Microsoft Lawsuits Allege Pirated Software Distribution
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Microsoft's April Security Update Will Contain Eight Patches
Cisco Patches Two IOS Vulnerabilities
Computer Associates Releases Workaround for Buffer Overflow Flaw
Two More Smart Phone Trojans Target Symbian-Based Series 60 Handsets
Windows XP SP2 Blocking Grace Period Ends
Microsoft Looking Into Reports of IE and Outlook Flaws
MISCELLANEOUS
Sybase Withdraws Threat of Legal Action Against NGS
CIO Council Honors Luigart, Paller with Azimuth Awards


********************** Sponsored by Shavlik *****************************

Now Available! Introducing Shavlik HFNetChkPro(tm) 5, the next generation of security patch management. With over 50 awesome new features including detailed reporting, advanced reboot options, email notification, and distribution servers, staying up to date on patches has never been easier and your network has never been more secure. Keep your world in Chk with Shavlik. Download the trial version today at
http://www.sans.org/info.php?id=754

*************************************************************************
Highlighted Training Program of the Week
Rocky Mountain SANS 2005, in Denver in May offers nine immersion tracks plus short programs on Cutting Edge Hacker Techniques, Security Policy Development, Security Awareness Training, and more. Wonderful teachers give you material you can put to work immediately upon returning to the office and present the most current tools and techniques. Details at
http://www.sans.org/rockymnt2005

What attendees say:
"SANS is the gold standard in network security training, in terms of relevance of material, knowledgeable instructors, and sheer usefulness."
- Steve Keifling, SGI
*************************************************************************

TOP OF THE NEWS

Agency Funding May Eventually be Tied to FISMA Compliance (7 April 2005)

House Government Reform Committee Chairman Tom Davis (R-Va.) said that if agencies do not continue to improve their grades on the Federal Information Security Management Act (FISMA) mandated cyber security report cards, they will eventually lose their funding. Davis allowed that FISMA is just a few years old and that government agencies are working to improve their IT security and report card grades. The Department of Homeland Security (DHS), which received a failing grade on its most recent report card, faces the challenge of certifying and accrediting 3,600 systems; other agencies have significantly fewer systems.
-http://www.govexec.com/story_page.cfm?articleid=30927&printerfriendlyVers=1&

Spammer Receives Nine Year Sentence (9 April 2005)

Jeremy Jaynes, who in November was convicted of violating Virginia's anti-spam statute for sending thousands of spam messages to AOL accounts, was sentenced to nine years in prison. The Loudoun County judge who sentenced Jaynes has allowed him to remain free on bond while his appeal is pending. Jaynes's sister was also convicted in November, but the charges were dropped; a third defendant was acquitted. Note: this site requires free registration
-http://www.washingtonpost.com/ac2/wp-dyn/A38788-2005Apr8?language=printer

Stolen Computers Contain 185,000 People's Medical Records (8 April 2005)

Two computers containing the financial and medical records of nearly 185,000 current and former patients were stolen from the offices of the San Jose Medical group late last month. The group's vice president for information technology says he believes the thieves were interested in the computers and not the information they contained. Nonetheless, the affected patients are being notified pursuant to California's Security Breach Information Act. The company had been transferring patient data from secured servers to the PCs; some of the data were encrypted.
-http://news.zdnet.com/2102-1009_22-5660514.html?tag=printthis

Hard Drive Bought on eBay Contains Sensitive Police Information (7 April 2005)

Jörg Schönbohm, Minister of the Interior of the State of Brandenburg, Germany, has launched an investigation into how a 20GB hard drive containing sensitive intelligence information came to be sold on eBay. A student bought the hard drive for 20 euros. Pointsec, a company which last year purchased hard drives on the Internet to see just how prevalent this sort of problem is, recommends that if the data on old drives is not encrypted, the drives should be reformatted at least eight times or special disk-wiping software be used before they are sold. Pointsec found that data on seven of the ten used drives it purchased was still readable.
-http://www.channelregister.co.uk/2005/04/07/hard_drive_with_police_info_sold_on_ebay/
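The Pointsec finding above is what a residual-data check on a decommissioned drive is meant to catch. The following is an added example, not code from the newsletter or from Pointsec: it builds a constructed in-memory disk image with a hypothetical layout (a small metadata region followed by data blocks), shows that a quick format, which rewrites only filesystem metadata, leaves file contents recoverable, and that an overwrite pass does not. The block size, metadata region and signature patterns are assumptions for the demonstration.

```python
"""Residual-data check for a disk image: why a format is not a wipe.

Added example. The image is a constructed byte buffer with a hypothetical
layout: META_BLOCKS blocks of filesystem metadata, then block-aligned file
contents. quick_format() rewrites only the metadata region, as a real
quick format does; overwrite() rewrites every block, as wipe software does.
"""
import random
import re

BLOCK = 512
META_BLOCKS = 4            # hypothetical: first 4 blocks hold filesystem metadata
HEADER = b"FSHDR-v1" + b"\x00" * 8   # hypothetical 16-byte filesystem header

# Content a data-recovery tool would look for (constructed sample patterns).
SIGNATURES = {
    "pdf": re.compile(rb"%PDF-"),
    "zip": re.compile(rb"PK\x03\x04"),
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}

def build_image(files):
    """Construct an image: header plus zeroed metadata, then files block-aligned."""
    image = bytearray(META_BLOCKS * BLOCK)
    image[:len(HEADER)] = HEADER
    for data in files:
        image += data + b"\x00" * (-len(data) % BLOCK)
    return image

def quick_format(image):
    """Rewrite only the metadata region; data blocks are left untouched."""
    out = bytearray(image)
    out[:META_BLOCKS * BLOCK] = b"\x00" * (META_BLOCKS * BLOCK)
    out[:len(HEADER)] = HEADER
    return out

def overwrite(image, passes=1):
    """Overwrite every block with pseudo-random bytes (seeded for reproducibility)."""
    out = bytearray(image)
    rng = random.Random(1234)
    for _ in range(passes):
        out[:] = rng.randbytes(len(out))
    return out

def residual_data(image):
    """Scan every data block for recognisable content.
    Returns a list of (block_number, signature_name) hits."""
    hits = []
    for n in range(META_BLOCKS, len(image) // BLOCK):
        block = bytes(image[n * BLOCK:(n + 1) * BLOCK])
        if not any(block):          # fully zeroed block: nothing to recover
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(block):
                hits.append((n, name))
    return hits

def demo():
    """Run the scan on the original, formatted and overwritten images."""
    files = [b"%PDF-1.4 constructed sample report, contact officer@example.invalid",
             b"PK\x03\x04 constructed archive payload"]
    img = build_image(files)
    return {"original": residual_data(img),
            "after_format": residual_data(quick_format(img)),
            "after_overwrite": residual_data(overwrite(img))}

if __name__ == "__main__":
    for stage, hits in demo().items():
        print(f"{stage}: {len(hits)} recoverable item(s) {hits}")
```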



**************************** SPONSORED LINKS ****************************
Privacy notice: Some of these links redirect to non-SANS web pages.

1) You're invited to a LIVE WEBCAST on 4/21: Gartner & Experian Discuss Secure File Transfer
http://www.sans.org/info.php?id=755

2) Free Threat Management Software from Demarc Security: IDP, File System Integrity, Service Monitoring and More
http://www.sans.org/info.php?id=756

3) SANS is happy to bring you the latest in our complimentary series of Secure Software Webcasts. Database risks explored in depth at
https://www.sans.org/webcasts/show.php?webcastid=90568

*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Ericsson Network Intruder Charged with Espionage (9 April 2005)

A Hungarian man has been charged with espionage for breaking into the internal, global computer network of the Ericsson Group and downloading sensitive information. Csaba Richter told law enforcement officials during questioning that he intended to demonstrate the network's security problems to Ericsson in the hopes of landing a job with the company. If convicted of the charges against him, Richter could be facing eight years in prison.
-http://www.thelocal.se/article.php?ID=1076&date=20050309
[Editor's Note (Tan): It is like trying to rob a bank in the hope of landing a security guard job. There are other ways to convey the message and demonstrate his skills without breaking the law. ]

Outsourced Call Center Employees Arrested for Credit Card Fraud (7 April 2005)

Three former employees of a business outsourcing operation in Pune, India have been arrested for allegedly defrauding Citibank credit card holders of approximately US$300,000. The three worked at a call center and apparently obtained personal identification numbers from four cardholders. Nine other individuals have been arrested in connection with the case, which involved transferring money into various accounts using the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network.
-http://www.computerworld.com/printthis/2005/0,4814,100900,00.html

Man Arrested for Alleged Dating Web Site Intrusion (7/6 April 2005)

A UK man has been arrested on suspicion of breaking into the web site of London-based loveandfriends.com, and taking over member profiles. The man allegedly threatened to destroy the company's database if he did not receive payment. The suspect is currently out on bail; the Metropolitan Police Computer Crime Unit is conducting a forensic investigation on his computer. The man is also suspected of being involved with authoring the Mirsa.A and Mirsa.B viruses.
-http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=4a227c59-fc75-49f4-aad1-d9e041315e10&newsType=News

-http://www.channelregister.co.uk/2005/04/07/dating_site_hack_arrest/

Israeli Court Sentences Man to 16 Months in Prison for Cyber Bank Robbery (6 April 2005)

The Haifa, Israel magistrate's court has sentenced David Sternberg to 16 months in prison for "breaking into" a bank network and transferring large sums of money into accomplices' accounts. Six collaborators were also arrested. Sternberg allegedly broke into a bank branch and connected a remotely controlled access point to the bank's computer network, then rented a room nearby so he could be within range.
-http://www.jpost.com/servlet/Satellite?pagename=JPost/JPArticle/Printer&cid=1112754019642&p=1078027574097

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

DHS CIO Cooper Resigns (11/6 April 2005)

Homeland Security Department CIO Stephen Cooper has announced his resignation. Mr. Cooper was appointed DHS CIO in January 2003 at the department's inception. Cooper has recommended that the acting CIO be drawn from within DHS IT leadership. Cooper's successor will face the tasks of consolidating systems procurement, "closing the gaps in the department's IT infrastructure" and overseeing the implementation of programs such as US-VISIT.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=35471

-http://www.fcw.com/article88555-04-11-05-Print

FISMA Compliance Reporting Standards Would Be Helpful (7 April 2005)

Federal agency officials and inspectors general agreed that there need to be standards for analyzing agencies' FISMA compliance reports. Lacking such standards, the numbers generated by the reports could be seen as questionable. Despite an increase in the percentage of systems certified and accredited, inspectors general for seven agencies said that the processes for certification and accreditation at their particular agencies were poor. Agencies said they would like more guidance on FISMA compliance from the Office of Management and Budget (OMB).
-http://www.fcw.com/article88516-04-07-05-Web
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=35481

US Dept. of Education Wants to Create Student Tracking Database (1 April 2005)

The Department of Education has asked Congress to approve the creation of a database that will be used to track the post-secondary education of individual students. The database would contain personally identifiable information about post-secondary students including names, Social Security numbers and education costs; the database which this one would replace holds only aggregate data for individual educational institutions. A study from the National Center for Education Statistics says it is prepared to handle the technological, privacy and security requirements of such a database. The NCES "operates under legislation that makes it a Class E felony to violate data confidentiality rules."
-http://www.fcw.com/article88461-04-01-05-Web
[Editor's Note (Schultz): This could turn out to be another gigantic invitation for disaster. Legislation that punishes those who violate data confidentiality rules is in place, true, but this won't motivate those who are responsible for any student database that is created to adequately *protect* the information in this database. Those who fail to adequately protect such information should also face punishment such as large fines. ]

SPAM & PHISHING

Hard Drives Seized in Australian Spam Raid (7 April 2005)

The Australian Communications Authority has raided a Perth company suspected of sending millions of spam messages. Inspectors have seized hard drives and other property as part of their investigation.
-http://www.pcworld.idg.com.au/pp.php?id=1946285050&fp=2&fpid=1

COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT

Microsoft Lawsuits Allege Pirated Software Distribution (11 April 2005)

Microsoft has filed lawsuits against eight US companies for distributing pirated versions of its Windows and Office software, alleging copyright and trademark infringement. Microsoft had preceded the lawsuits with cease-and-desist letters. The pirated software was discovered as part of a Microsoft program that purchases software from distributors to test for authenticity.
-http://www.computerworld.com/printthis/2005/0,4814,100999,00.html
-http://msnbc.msn.com/id/7462645/

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

Microsoft's April Security Update Will Contain Eight Patches (8 April 2005)

Preceding the release of its scheduled monthly security update, Microsoft has announced that it will be releasing eight patches, five of which are for vulnerabilities in Windows. Several of the Windows patches are for critical vulnerabilities; there will also be patches for critical flaws in Office, MSN Messenger and Exchange. In addition, Microsoft plans to release a new version of its malicious software removal tool.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39225144-39037064t-39000005c

Cisco Patches Two IOS Vulnerabilities (8 April 2005)

Cisco has released patches for two IOS vulnerabilities. The first vulnerability, which involves the IOS Secure Shell Server, could allow IOS-based Cisco devices to be targeted by denial-of-service attacks; the second, an Internet Key Exchange Xauth Implementation vulnerability, could allow attackers to gain unauthorized access to vulnerable networks.
-http://www.networkingpipeline.com/showArticle.jhtml?articleID=160503400
-http://www.cisco.com/en/US/products/products_security_advisory09186a008042d51b.shtml

-http://www.cisco.com/en/US/products/products_security_advisory09186a008042d519.shtml

[Editor's Note (Tan): Another new release. This one looks as bad if not worse:
-http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
-http://www.niscc.gov.uk/niscc/docs/al-20050412-00308.html?lang=en]

Computer Associates Releases Workaround for Buffer Overflow Flaw (7 April 2005)

A buffer overflow vulnerability in Computer Associates' eTrust Intrusion Detection System could be exploited to cause denial-of-service. The flaw is the result of "insufficient checking of values passed to Microsoft's Crypto API function CPImportKey." Computer Associates has released a workaround for the vulnerability; it is available for versions 3.0 and 3.0 SP1.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39224954-39037064t-39000005c

-http://www.eweek.com/print_article2/0,2533,a=149415,00.asp

Two More Smart Phone Trojans Target Symbian-Based Series 60 Handsets (7/6 April 2005)

The Fontal-A SIS file Trojan horse program targets Nokia Series 60 smart phones. It spreads through file sharing or Internet relay chat (IRC) and tries to install a corrupted file that will cause the phone to fail the next time it is rebooted. It also damages the application manager, which prevents the Trojan from being uninstalled. Phones infected by Fontal-A need to be reformatted to fix them, which results in the loss of all the data stored on the handset. The Mabir Trojan horse targets a broader range of Series 60 smart phones, not just Nokias. Mabir replicates via MMS messages.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39224769-39037064t-39000005c

-http://asia.cnet.com/news/communications/printfriendly.htm?AT=39224950-39037080t-39000002c

-http://www.channelregister.co.uk/2005/04/06/mobile_killer_trojan/

Windows XP SP2 Blocking Grace Period Ends (6/5 April 2005)

As of April 12, Windows XP users who have not downloaded Service Pack 2 will no longer be able to block the update from downloading onto their machines without blocking other updates at the same time; users can prevent SP2 from downloading only by disabling Automatic Update. One survey shows that only about 25% of corporate PCs running XP have downloaded SP2.
-http://www.cio-today.com/wrldwd/story.xhtml?story_title=Microsoft-To-End-Service-Pack---Download-Block-Feature-on-April---&story_id=32440&category=wrldwd

-http://www.pcworld.com/news/article/0,aid,120288,00.asp
[Editor's Note (Schultz): There are definitely some problems associated with this Service Pack. Installing this Service Pack on my main WXP machine caused my system drive to start to become full. I had to move many files and folders to another drive and then defragment to regain the space that I needed. ]

Microsoft Looking Into Reports of IE and Outlook Flaws (4&1 April/31 March 2005)

Microsoft is investigating reports of two "high-risk" vulnerabilities in default installations of Internet Explorer and Outlook. The flaws could allow code execution with virtually no action required of the user beyond visiting a web site that contains the malicious code. The flaws affect all versions of Windows NT 4.0, 2000, XP including XP SP2 and Windows Server 2003. There are no known exploits for the vulnerabilities.
-http://www.pcmag.com/print_article2/0,2533,a=148871,00.asp
-http://www.technewsworld.com/story/security/ie-outlook-security-flaw-41978.html
-http://news.com.com/2102-1002_3-5650238.html?tag=st.util.print

MISCELLANEOUS

Sybase Withdraws Threat of Legal Action Against NGS (11/5 April 2005)

Sybase will not take legal action against Next Generation Security Software that had said it was planning to disclose details of vulnerabilities in the database maker's products. The companies have issued a joint statement about the six vulnerabilities which pointed readers to both a technical advisory from NGS and information on Sybase's web site about fixes that were released in February.
-http://www.securityfocus.com/printable/news/10827
-http://www.computerworld.com/printthis/2005/0,4814,100965,00.html

CIO Council Honors Luigart, Paller with Azimuth Awards (6/5 April 2005)

At last week's FOSE 2005 information technology conference in Washington DC, the CIO Council honored Veterans Affairs' strategic planning executive Craig B. Luigart and SANS Institute founder Alan Paller with Azimuth Awards for the contributions their work has made to the government information technology community. Mr. Luigart is known "for focusing the government on Section 508 accessibility standards" and Mr. Paller for his work on IT security. "Azimuth Awards are given to public and private sector executives who have demonstrated far-reaching vision, leadership in technology and direction setting for their organizations in pursuing the goals of the United States government."
-http://www.washingtontechnology.com/news/1_1/daily_news/25950-1.html


---end---

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/