
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #22

June 01, 2005


Setting priorities in cyberspace

One of cyberspace's top thinkers has penned a list of five "highest priorities" for improving cybersecurity. We are seeking input from the SANS community to help us rank them, expand them, or tune them. The list and request for input is at the end of this issue of NewsBites.

Alan

TOP OF THE NEWS

GAO Report: SEC Security Controls are Weak
CIA Conducted Cyber Attack Exercise
GAO Report: DHS Not Doing Enough to Protect Critical Infrastructure
House Bills Would Increase Penalties in Phishing and Spyware Convictions

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Arrests Made in Cyber Espionage Case
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
GAO Report: Agencies Need to Strengthen Contractor Security Policies
Homeland Security Spending Bill Would Increase Cyber Security Funding
SPAM & PHISHING
Private Citizen Files Suit Against Alleged Spammer
Site Registration and Password Reminder Attacks Help Spammers Tailor eMail
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
Feds Shut Down Network Offering Pirated Movie Downloads
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Researchers Claim Witty Worm Was Likely the Work of an ISS Insider
Cisco Warns of DNS Vulnerability in IP Telephony Kit
DNS Protocol Flaw Could be Used to Crash Servers
ATTACKS AND INTRUSIONS
FBI Investigating Stanford University Cyber Intrusion
Cyber Intrusion at Georgia University Exposes 40,000 People's Data
MISCELLANEOUS
Bank of America to Roll Out Anti-Phishing and Anti-Spyware Technologies
FTC and International Counterparts Urge ISPs to Pay Attention to Suspicious eMail Activity
Stolen Laptop Holds MCI Employee Data
RESEARCH PROJECT
Setting Priorities in Cyberspace


************************ Sponsored by Shavlik ***************************

Now Available! Introducing Shavlik HFNetChkPro(tm) 5, the next generation of security patch management. With over 50 awesome new features including detailed reporting, advanced reboot options, email notification, and distribution servers, staying up to date on patches has never been easier and your network has never been more secure. Keep your world in Chk with Shavlik. Download the trial version today at

http://www.sans.org/info.php?id=783

*************************************************************************

TOP OF THE NEWS

CIA Conducted Cyber Attack Exercise (26 May 2005)

The Central Intelligence Agency conducted a three-day cyber attack simulation aimed at testing government and private sector response to escalating Internet attacks. The scenario for the unclassified exercise, which has been dubbed "Silent Horizon," was a cyber assault of unprecedented magnitude.
-http://www.securitypipeline.com/163701322
-http://www.computerworld.com/printthis/2005/0,4814,102065,00.html

GAO Report: DHS Not Doing Enough to Protect Critical Infrastructure (26 May 2005)

According to a recently released report from the GAO, the Department of Homeland Security is not taking adequate measures to protect the nation's critical information infrastructure. None of the department's 13 key cyber security responsibilities has been completely addressed. Among the issues cited were the absence of national cyber threat and vulnerability assessments and of government and private sector cyber security contingency recovery plans.
-http://www.computerworld.com/printthis/2005/0,4814,102049,00.html
-http://news.com.com/2102-7348_3-5722227.html?tag=st.util.print
-http://www.gao.gov/new.items/d05434.pdf

House Bills Would Increase Penalties in Phishing and Spyware Convictions (27/24 May 2005)

The US House of Representatives passed two bills that would increase penalties for those convicted of phishing and using spyware. The legislation prohibits reprogramming users' start pages on web browsers, logging keystrokes to steal passwords and other sensitive information, and launching pop-ups that necessitate shutting down computers to be closed. Those convicted could face jail sentences of up to two years and fines of as much as US$3 million per incident. People who use spyware to commit other crimes, like identity theft, would face an additional five years tacked on to their jail sentences.
-http://www.eweek.com/print_article2/0,2533,a=152596,00.asp
-http://www.computerworld.com/printthis/2005/0,4814,102085,00.html


************************ SPONSORED LINK *********************************
Note: This URL takes you outside SANS:


1) Earn your Master's degree in Information Security from an NSA-recognized online program. http://www.sans.org/info.php?id=784


*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Arrests Made in Cyber Espionage Case (31/29 May 2005)

An Israeli husband and wife living in London have been remanded in custody after Israeli police requested their extradition. Michael and Ruth Haephrati were arrested for allegedly designing Trojan horse software that other businesses used to spy on rivals' computer systems. Eighteen people in Israel have also been arrested for using the software.
-http://www.guardian.co.uk/israel/Story/0,2763,1495716,00.html
-http://www.debka.com/article_print.php?aid=1031
-http://www.cbc.ca/cp/business/050529/b052902.html

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

GAO Report: Agencies Need to Strengthen Contractor Security Policies (23 May 2005)

According to a recently released report from the GAO, just five of 24 executive branch agencies have policies to make sure federal contractors keep government data safe on computer networks. GAO auditors found that an effort to update information security language to comply with information security laws enacted in 2002 in the Federal Acquisition Regulation has not yet been completed. The auditors have also recommended that the National Institute of Standards and Technology develop "a government-wide guidance document to help agencies oversee contractors' information security policies, procedures and practices."
-http://www.fcw.com/article88948-05-23-05-Web
[Editor's Note (Shpantzer): Richard Clarke addressed a conference in Seattle I attended in the pre-9/11 days. He told the audience to not wait for the government to save the private sector in terms of cyber security. He wasn't kidding. ]

Homeland Security Spending Bill Would Increase Cyber Security Funding (23 May 2005)

The US House of Representatives has passed a $30.8 billion fiscal 2006 Homeland Security spending bill with funding increases earmarked for cyber security programs. The bill would allocate US$43.6 million for the Secret Service's electronic crimes special agent program, US$5 million for Immigration and Customs Enforcement and US$73.3 million for the Information Analysis and Infrastructure Protection project to coordinate preparedness and cyber attack response efforts between government and the private sector.
-http://www.govexec.com/story_page.cfm?articleid=31337&printerfriendlyVers=1

[Editor's Note (Shpantzer): The Secret Service's Electronic Crimes Task Forces around the country are in need of forensically trained investigators to help locate and prosecute digital crime against our financial institutions. This is one program I'm glad to see our taxpayer dollars going towards. Perhaps we should have found more than 43 million dollars for recruiting and training these specialists in all those billions of dollars of DHS budget. I imagine this unit, along with its FBI counterpart, is already strained for human resources after this spring's bumper crop of mega-hacks against banks, universities and data brokers. ]

SPAM & PHISHING

Private Citizen Files Suit Against Alleged Spammer (30 May 2005)

A New York attorney has filed a lawsuit against China Digital Media for using his email address to send spam. Between April 29 and May 3, attorney Scott Ziegler saw his email box fill up with bounced promotional emails with his business address in the "From" field. He contacted the owner of the company being promoted and was told they had hired a promoter but knew nothing about the spam. He sued the unknown spammers and is seeking millions of dollars in damages.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39232992-39037064t-39000005c

Site Registration and Password Reminder Attacks Help Spammers Tailor eMail (27/23 May 2005)

Phishers and spammers are reportedly using site registration and password reminder attacks to gather information about their targets in order to customize their scams. People are more likely to open email that appears to come from sites they are familiar with, and customized email messages are less likely to be caught by spam filters.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39232363-39037064t-39000005c
-http://www.securitypipeline.com/163700275

COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT

Feds Shut Down Network Offering Pirated Movie Downloads (26 May 2005)

US law enforcement authorities executed search warrants in a raid targeted at administrators and content providers of a network that allowed people to download new release movies including Star Wars -- Episode III. The main server of the Elite Torrents network was seized in the raid. After the raid the site displayed the following notice: "This site has been permanently shut down by the Federal Bureau of Investigation and the US Immigration and Customs Enforcement."
-http://www.computerworld.com/printthis/2005/0,4814,102027,00.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

Researchers Claim Witty Worm Was Likely the Work of an ISS Insider (26 May 2005)

Information compiled by researchers indicated that the Witty worm, which appeared in March 2004 and carried a malicious payload that corrupted infected machines' hard drives, may have been created by an Internet Security Systems (ISS) insider. Because the initial infection targeted 110 systems at a particular military installation, researchers believe that the author knew about the ISS systems at the installation and had inside knowledge about the vulnerabilities that Witty exploited.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39200183-39020375t-10000025c
[Editor's Note (Schultz): This is a startling accusation. I'm anxious to hear ISS's response. From what I have read about this news item, ISS has refused to comment so far. ]

Cisco Warns of DNS Vulnerability in IP Telephony Kit (26/24 May 2005)

Cisco has warned of a security flaw in the way its IP telephony kit handles DNS packets; the vulnerability could be exploited to launch denial-of-service attacks. Cisco is offering free upgrades to address the problem.
-http://www.theregister.co.uk/2005/05/26/cisco_dns_glitch/print.html
-http://news.com.com/2102-1002_3-5719098.html?tag=st.util.print
-http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml
-http://www.niscc.gov.uk/niscc/docs/al-20050524-00433.html

DNS Protocol Flaw Could be Used to Crash Servers (24 May 2005)

The UK's National Infrastructure Security Co-ordination Centre has issued a public advisory warning of a vulnerability in the Domain Name System protocol that could be exploited to crash servers. The flaw lies in the recursion process some DNS implementations use to decompress DNS messages.
-http://www.eweek.com/print_article2/0,2533,a=152631,00.asp
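The advisory above concerns implementations that follow DNS name-compression pointers (RFC 1035 section 4.1.4) without bounding the recursion. The Python decoder below is an added illustration, not code from NISCC, Cisco or any product; it shows the checks a defender would expect a name parser to make so that a crafted message cannot drive it into an endless pointer chain: every pointer source offset is followed at most once, a hop budget caps the total work, pointers must reference an earlier position, and every read is bounds-checked. The hop budget of 16, the helper names `read_name` and `name_is_well_formed`, and the sample bytes in `DEMO` are this example's own assumptions.

```python
"""Bounded decoder for compressed DNS names (RFC 1035 section 4.1.4).

Added example, not code from the NISCC advisory or any vendor. It demonstrates
the guards a name decompressor needs so that a malformed message cannot cause
unbounded recursion or an infinite pointer loop. The hop budget is assumed.
"""

MAX_POINTER_HOPS = 16    # assumed budget; a legitimate name needs far fewer hops
MAX_NAME_OCTETS = 255    # RFC 1035 limit on a wire-format name


class MalformedName(ValueError):
    """Raised for any name that violates the wire format or the loop checks."""


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode the name at `offset`; return (dotted name, offset just after it).

    The returned offset is the position in the original stream after the
    first pointer (or after the terminating zero label), which is where the
    next field of the record begins.
    """
    labels = []
    visited_pointers = set()   # pointer source offsets already followed
    hops = 0
    name_octets = 0
    end_offset = None
    pos = offset
    while True:
        if pos >= len(msg):
            raise MalformedName(f"name at {offset} runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:              # 11xxxxxx: compression pointer
            if pos + 1 >= len(msg):
                raise MalformedName(f"truncated pointer at {pos}")
            if pos in visited_pointers:        # exact loop detection
                raise MalformedName(f"pointer loop through offset {pos}")
            visited_pointers.add(pos)
            hops += 1
            if hops > MAX_POINTER_HOPS:        # hard cap on work per name
                raise MalformedName("pointer chain exceeds hop budget")
            if end_offset is None:
                end_offset = pos + 2           # stream resumes after first pointer
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            # RFC 1035 only permits pointers to a *prior* occurrence of a name.
            if target >= pos:
                raise MalformedName(f"pointer at {pos} does not point backwards")
            pos = target
            continue
        if length & 0xC0:                      # 01xxxxxx / 10xxxxxx are reserved
            raise MalformedName(f"reserved label type at {pos}")
        if length == 0:                        # root label terminates the name
            if end_offset is None:
                end_offset = pos + 1
            break
        if pos + 1 + length > len(msg):
            raise MalformedName(f"label at {pos} runs past end of message")
        name_octets += 1 + length
        if name_octets > MAX_NAME_OCTETS:
            raise MalformedName("name exceeds 255 octets")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels) + ".", end_offset


def name_is_well_formed(msg: bytes, offset: int) -> bool:
    """True if the name at `offset` decodes without tripping any guard."""
    try:
        read_name(msg, offset)
        return True
    except MalformedName:
        return False


# Constructed sample: a fragment of a DNS message body (no 12-byte header).
DEMO = (
    b"\x03www\x07example\x03com\x00"   # offset 0: www.example.com. (17 bytes)
    b"\x04mail\xc0\x04"                # offset 17: "mail" + pointer to offset 4
    b"\xc0\x18"                        # offset 24: pointer to itself (24)
    b"\x01x\xc0\x1a"                   # offset 26: "x", then pointer back to 26
)

if __name__ == "__main__":
    print(read_name(DEMO, 0))
    print(read_name(DEMO, 17))
    for off in (24, 26):
        print(off, "well-formed" if name_is_well_formed(DEMO, off) else "rejected")
```

The self-pointer at offset 24 is rejected by the backwards-only rule; the cycle starting at offset 26 passes that rule (its pointer does point backwards) and is caught by the visited-pointer set on the second pass, which is why both guards are kept rather than relying on either alone.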

ATTACKS AND INTRUSIONS

FBI Investigating Stanford University Cyber Intrusion (27/25 May 2005)

The FBI is investigating a computer intrusion at Stanford University's Career Development Center. Social Security numbers, resumes, financial information and some credit card numbers belonging to nearly 10,000 people were exposed in the breach.
-http://www.computerworld.com/printthis/2005/0,4814,102075,00.html
-http://news.com.com/2102-7349_3-5720754.html?tag=st.util.print

[Editor's Note (Schultz): The proportion of news items in which personal and/or financial information has been compromised or potentially compromised is growing beyond belief. Until national legislation requiring certain safeguards for such information and holding owners of such information accountable in case of a compromise is passed, this proportion will continue to dramatically increase. ]

Cyber Intrusion at Georgia University Exposes 40,000 People's Data (21 May 2005)

As many as 40,000 people may be at increased risk for identity theft after a computer intrusion at Valdosta State University in Georgia. The breached server held information for VSU 1cards, combined identification and debit cards that can be used to purchase food and books on campus and check out library materials. All students from 1997 onward are at risk, as are current employees and employees who left the school between 1997 and 1999.
-http://www.wsbtv.com/news/4515697/detail.html

MISCELLANEOUS

Bank of America to Roll Out Anti-Phishing and Anti-Spyware Technologies (26 May 2005)

Bank of America is planning to introduce a system to protect its customers from phishing, spoofing and spyware. The program will use visual images from a list and a customer-generated text passage to verify that they are visiting an authentic BoA web site instead of a phishing site. The program, called SiteKey, is scheduled to premiere in Tennessee and will remain optional until it is available nationwide. SiteKey also connects the users' PC to the online banking service; if an attempt is made to access the account from a different computer in the future, the user will be required to answer one of three previously selected security questions.
-http://news.com.com/2102-1029_3-5722035.html?tag=st.util.print
[Editor's Note (Schultz): The Bank of America would also be well-advised to stop sending out email messages asking customers to verify account information, as it did to former Fleet customers a little over one month ago. Sending out such messages makes customers more susceptible to phishing schemes. ]

FTC and International Counterparts Urge ISPs to Pay Attention to Suspicious eMail Activity (23 May 2005)

The US Federal Trade Commission and more than 30 counterparts around the world plan to encourage Internet Service Providers to be attentive to customers' online activities, including identifying suspicious patterns of email, quarantining the machines involved and providing help removing the zombie code. The FTC would also like to see ISPs block port 25, which would prevent email from leaving the network unless it comes through their own internal servers.
-http://news.com.com/2102-1071_3-5715633.html?tag=st.util.print

Stolen Laptop Holds MCI Employee Data (23 May 2005)

A laptop computer stolen from the car of an MCI financial analyst in Colorado contains the names and Social Security numbers of approximately 16,000 current and former employees. A company spokesperson said the computer was password-protected but declined comment on whether or not the data were encrypted and on whether or not the employee was authorized to have the data on the laptop. Those whose data have been put at risk were notified, and the company is investigating the incident; the employee may face disciplinary action if the investigation determines that company policies were violated.
-http://www.eweek.com/print_article2/0,2533,a=152505,00.asp

[Editor's Note (Shpantzer): Did MCI have clear policy prohibiting such large collections of personal information from going onto mobile devices? If so, did they put in place any countermeasures for data theft on the mobile devices that were deemed authorized to hold such information? Which people were specifically trained to 'handle with care' such mobile devices with these countermeasures (if any)? Employee discipline comes from fair enforcement of reasonable policies and procedures. Training, Policy and Technology must complement each other. ]

Setting Priorities in Cyberspace

The following list was developed by one of the best thinkers in cyberspace. If you want to help improve the list, please choose one of these five, or some single one that is not on the list and write 100 words or less about why it is the single most important initiative that would improve cybersecurity. We'll acknowledge your help in the resulting white paper if we can use it effectively.

- Elevation of security officers above the IT management level so that security isn't always diluted.
- Training for C-level executives (CEOs, CFOs) on the risks and what needs to be done
- Two-factor authentication
- Annual risk assessments and audits of all critical infrastructure, including outsourcers
- Securing wireless networks

Send your input, along with name, title, and employer (we will keep all input confidential and not use names without explicit permission) to info@sans.org with subject "Priorities in Cyberspace".



===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/