SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #24
June 15, 2005
TOP OF THE NEWS
Companies Scramble to Encrypt Backup Tapes
GAO Report: Agencies Need Better Guidelines for Reporting Security Threats
Academic Paper Says Vendors' Stock Prices Fall in Response to Vulnerability Disclosure
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Man Found Guilty of Disruption of University of Texas Web Services and Stealing Data
Man Sentenced to Probation and Community Service for Signing Boss Up for Unwanted eMail
Alleged NASA Cyber Attacker Will Fight Extradition
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
NIST to Release Assessment Guidelines for Mandated Security Controls
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
Microsoft Denies Reports of Piracy Amnesty Program for Indonesian Government
Malaysian Software Piracy Rate Drops to 61%
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Adobe Issues Patch for Flaw in License Management Service
Skulls.L Trojan
Apple Patches 11 Security Flaws
Microsoft Security Update for June Will Have 10 Patches
Microsoft Takes Down Part of MSN Web Site to Address Cross Site Scripting Vulnerability
New Versions of Mozilla Browsers Have Old Flaw
MISCELLANEOUS
Stolen Computers Contain Motorola Employee Data
TOP OF THE NEWS
Companies Scramble to Encrypt Backup Tapes (13 June 2005)
Companies that have recently experienced customer data losses are taking steps to protect their backup data. CitiFinancial, Bank of America and Time Warner all plan to or have already begun to encrypt their backup tapes. BofA is also "transitioning" to computer-to-computer data transfer where possible.
-http://www.usatoday.com/tech/news/2005-06-13-encrypt-usat_x.htm
[Editors' Note (Multiple): Request for ideas and implementations from readership: Two questions: (1) What do you do if you want to send encrypted data to a partner, say a credit bureau? How do you manage the keys with the partner? You have an encrypted backup tape, but the bureau needs that key. (2) How do you encrypt data that you store in high volume applications? Do the database companies help or make it harder? Which tools really work effectively? Send reports on your actual experiences to sansro@sans.org ]
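One answer to the editors' question (1), as an added example that is not from SANS or the cited article: envelope encryption, where the tape image is sealed under a fresh AES-256-GCM data-encryption key and that key is wrapped under the partner's RSA public key, so the bureau needs nothing but its own private key and no symmetric key ever travels with the tape. The partner's key pair and the sample record are constructed assumptions; everything else is Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedBackup ships to the partner: AES-256-GCM ciphertext, its nonce, and the DEK wrapped under the partner's RSA public key.
type EncryptedBackup struct{ Nonce, Ciphertext, WrappedDEK []byte }

// NewPartnerKey stands in for the partner generating its own key pair (constructed); only the public half is ever sent to the tape's owner.
func NewPartnerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
}

// Encrypt seals the tape image under a fresh random DEK and wraps that DEK with RSA-OAEP; no long-lived shared secret is needed.
func Encrypt(plaintext []byte, partnerPub *rsa.PublicKey) (*EncryptedBackup, error) {
	buf := make([]byte, 32+12) // 256-bit DEK followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, partnerPub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedBackup{nonce, gcm.Seal(nil, nonce, plaintext, nil), wrapped}, nil
}

// Decrypt is the partner's side: unwrap the DEK with the private key, then open the ciphertext (GCM's tag check rejects tampering).
func Decrypt(b *EncryptedBackup, partnerPriv *rsa.PrivateKey) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, partnerPriv, b.WrappedDEK, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}
```

The wrapped key can be stored alongside the tape; rotating the partner's key pair only means re-wrapping the small DEK, not re-encrypting the tape.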
GAO Report: Agencies Need Better Guidelines for Reporting Security Threats (13 June 2005)
A report from the Government Accountability Office says that federal agencies need better and clearer guidelines for reporting security threats and incidents. The study found that although the Federal Information Security Management Act requires that incidents be reported, most agencies are unsure which incidents to report and how and where to report them. The result of the confusion is that the Department of Homeland Security's (DHS) US Computer Emergency Readiness Team is unable to coordinate responses to attacks that target multiple agencies. Auditors recommend that the Office of Management and Budget (OMB) "increase their oversight of agencies' efforts to detect, report and respond to emerging cyber security threats." They also want OMB to work with DHS cyber security experts and the US Attorney General to develop guidelines for dealing with and reporting cyber security threats.
-http://www.fcw.com/article89234-06-13-05-Web
[Editor's Note (Pescatore): This is a common flaw in the incident response policies and programs at many businesses, too. Especially the definition of escalation levels: when and who makes the decisions to involve law enforcement or government, and who within corporate legal and public relations to notify internally.
(Grefer): As long as each agency establishes a clear internal structure for reporting incidents, as seems to be the case at the Department of Labor, the centralized processing (i.e. by DHS) can be discussed at the agency CIO level (i.e. within the CIO Council) and as such would be reasonably easy to facilitate. Calling for more guidelines appears to be a fog screen.
(Tan): All security incidents, whether they are critical or less critical, should be reported. Minor incidents collectively may eventually evolve into a critical case. To be consistent in reporting, agencies could have a common reporting system that will route the incident report to a central agency. A common reporting format will provide better correlation, coordination and assessment of the overall security health of the Federal Government. ]
Academic Paper Says Vendors' Stock Prices Fall in Response to Vulnerability Disclosure (10/6 June 2005)
A paper published by two Carnegie Mellon University researchers says that software vendors' stock value tends to fall when security flaws in their products are disclosed. The paper examined the effect of 146 vulnerability disclosures on 18 publicly traded companies. Nearly two-thirds of the announcements were followed by a decrease in the company's stock value as compared with the NASDAQ market average. When problems are divulged by the press or the manufacturer, the drop was nearly 1% from the NASDAQ market average; when the disclosure came from another source, the drop was 0.63%. In addition, if a flaw was disclosed prior to the availability of a patch, the drop averaged 1.49%; if a patch was already available at the time of the disclosure, the value dropped an average of 0.37%. In comparison, companies that were victims of security breaches saw a 2.1% decrease in stock value; auto recalls averaged a 0.81% decrease.
-http://www.securityfocus.com/news/11197
-http://software.silicon.com/malware/0,3800003100,39131116,00.htm
[Editor's Note (Pescatore): This is good ammunition for security managers trying to get software development organizations to integrate security testing into the development process, but the authors admit that the statistical connection doesn't hold for more than 2 days after the vulnerability announcement.
(Schultz): Studies like these as well as others such as the similar one done at the University of Maryland several years ago will in time help convince skeptical senior managers that there is indeed a relationship between information security and a company's "bottom line." At the same time, however, it is important to realize that studies of this nature are correlational; correlation does not necessarily imply causation. ]
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Man Found Guilty of Disruption of University of Texas Web Services and Stealing Data (13 June 2005)
Former University of Texas computer science major Christopher Andrew Phillips was found guilty of "recklessly knocking out UT Web services ... and stealing thousands of Social Security numbers belonging to students, staff and faculty." Phillips was acquitted of two more serious charges of intending to use the information he stole for financial gain. Phillips could face up to five years for the reckless damage conviction and one year for the theft of the Social Security numbers.
-http://www.dailytexanonline.com/media/paper410/news/2005/06/13/TopStories/Ut.Hacker.Guilty.Of.Stealing.Information.Damaging.Network-957016.shtml
Man Sentenced to Probation and Community Service for Signing Boss Up for Unwanted eMail (10 June 2005)
Scott Huffines has been sentenced to probation and 100 hours of community service for signing his boss up to a number of email lists that sent her unsolicited messages.
-http://www.theregister.co.uk/2005/06/10/spam_harrassement_lawsuit/print.html
[Editor's Note (Schultz): This is another very interesting case, one that will undoubtedly set a precedent. Electronic harassment manifests itself in a wide variety of ways, of which signing others up for mailing lists against their will constitutes one. ]
Alleged NASA Cyber Attacker Will Fight Extradition (8 June 2005)
London (UK) police have arrested Gary McKinnon, who was indicted in the United States in 2002 on charges that he gained unauthorized access and "made modifications" to NASA, DoD and other US government computer systems. McKinnon is scheduled to appear at an extradition hearing on July 27; he has been released on bail. McKinnon's lawyer says they will fight extradition vigorously. McKinnon does not deny his actions, but maintains he was searching for proof that the US government was covering up evidence supporting the existence of UFOs.
-http://news.bbc.co.uk/2/hi/uk_news/4071708.stm
-http://www.computerworld.com/printthis/2005/0,4814,102321,00.html
-http://www.thisislondon.com/news/articles/19164714?source=Evening%20Standard
-http://www.theregister.com/2005/06/08/brit_hack_suspect_arrest/print.html
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
NIST to Release Assessment Guidelines for Mandated Security Controls (10/9 June 2005)
The National Institute of Standards and Technology plans to release NIST Special Publication 800-53A, formal assessment guidelines for federal agencies to help them comply with mandatory security rules. The rules were described in NIST SP 800-53, which was published in February. Each mandated security control will have an assessment method and procedure.
-http://www.computerworld.com/printthis/2005/0,4814,102409,00.html
-http://www.fcw.com/article89154-06-09-05-Web
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
Microsoft Denies Reports of Piracy Amnesty Program for Indonesian Government (9 June 2005)
Microsoft has denied reports that it has made a software piracy amnesty agreement with Indonesia's government. A report in the Jakarta Post said that a meeting between Bill Gates and Indonesian President Susilo Bambang Yudhoyono resulted in an agreement to pay US$1 for each pirated version of Windows on Indonesian government computers. In return, Indonesia would purchase legal copies of Microsoft products in the future.
-http://seattletimes.nwsource.com/html/businesstechnology/2002323655_webmspiracy09.html
Malaysian Software Piracy Rate Drops to 61% (8 June 2005)
Despite a 2% drop in software piracy in Malaysia in the past year and a 20% decrease over the last 10 years, the overall rate of software piracy in the country remains at 61%. The Business Software Alliance study finds that piracy rates in the Asia-Pacific range from a high of 92% in China and Vietnam to a low of 23% in New Zealand.
-http://www.zdnetasia.com/news/software/printfriendly.htm?AT=39235281-39000001c
[Editor's Note (Pescatore): Open source software sort of changes the piracy dynamics. The network effect says that when a piece of software is used by lots of people, it makes it harder for other software to compete with this large "network" of users. Some level of piracy, rather than defections to free open source software or being forced to lower the price of the product, may be preferable to a software vendor to maintain that network effect. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Adobe Issues Patch for Flaw in License Management Service (14 June 2005)
Adobe has issued a patch for a flaw in its Adobe License Management Service that could allow an attacker to gain unauthorized access to vulnerable computers. The flaw affects Windows versions of Adobe Photoshop CS, Adobe Creative Suite 1.0 and Adobe Premiere Pro 1.5. Systems running Photoshop CS2 or Adobe Creative Suite CS2 are not affected.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39196954-2000061744t-10000005c
Skulls.L Trojan (10 June 2005)
The Skulls.L Trojan horse program infects Symbian-based mobile phones by pretending to be antivirus software from F-Secure. The malware tries to disable applications on the phone and replace icons with skull images. Skulls.L also puts two different versions of the Cabir worm on devices it infects.
-http://news.com.com/2102-7349_3-5741033.html?tag=st.util.print
Apple Patches 11 Security Flaws (10 June 2005)
Apple has released a security update that contains fixes for 11 vulnerabilities in its OS X operating system. Some of the flaws are buffer overflow problems that can result in denial of service or unauthorized root access on vulnerable systems.
-http://www.technewsworld.com/story/nw5ACVdv9UyVc2/Tiger-Jaguar-Get-Patched-Up.xhtml
-http://www.informationweek.com/showArticle.jhtml?articleID=164302227
Microsoft Security Update for June Will Have 10 Patches (10/9 June 2005)
Microsoft's monthly security update release for June 2005 will include 10 patches for vulnerabilities and flaws in its products. Several vulnerabilities have a "critical" designation; some of the patches will require restarts. Seven of the updates will be for Windows, two for Windows Services for Unix, ISA Server and Small Business Server, and one for Exchange servers. Microsoft also plans to release an update of the Microsoft Windows Malicious Software Removal Tool.
-http://news.bbc.co.uk/2/hi/technology/4079818.stm
-http://www.computerworld.com/printthis/2005/0,4814,102399,00.html
-http://news.com.com/2102-1002_3-5739542.html?tag=st.util.print
-http://www.microsoft.com/technet/security/bulletin/advance.mspx
Microsoft Takes Down Part of MSN Web Site to Address Cross Site Scripting Vulnerability (7 June 2005)
Microsoft has taken its http://ilovemessenger.msn.com/ web site offline after the discovery of a cross site scripting vulnerability. The flaw could have been exploited to grab Hotmail users' cookies, which would allow attackers access to the users' Hotmail accounts. The site will be restored once the problem has been remedied.
-http://software.silicon.com/security/0,39024655,39131015,00.htm
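The two server-side controls that blunt exactly this failure mode (script injected into a page reading the session cookie), shown as an added example in Go's net/http rather than anything from Microsoft or the cited article: contextual output escaping via html/template, and a session cookie flagged HttpOnly and Secure. The handler, template and session value are constructed for illustration.

```go
package main

import (
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// page renders a greeting from an untrusted query parameter. html/template escapes
// the value for its HTML context, so a "<script>" payload comes out as inert text.
var page = template.Must(template.New("p").Parse(`<p>Hello, {{.}}</p>`))

// handler issues the session cookie with HttpOnly (not readable via document.cookie,
// so injected script cannot read it) and Secure (sent over HTTPS only), then renders
// the untrusted parameter through the auto-escaping template.
func handler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name: "session", Value: "constructed-session-id", Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
	})
	_ = page.Execute(w, r.URL.Query().Get("name"))
}

// Render drives handler with one in-process request and returns the HTML body and
// the Set-Cookie header so both defenses can be inspected.
func Render(name string) (body, setCookie string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest("GET", "/?name="+url.QueryEscape(name), nil)
	handler(rec, req)
	return rec.Body.String(), rec.Header().Get("Set-Cookie")
}
```

HttpOnly does not remove the injection; it only keeps the cookie out of reach of script, so escaping (or a proper templating layer) remains the primary fix.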
New Versions of Mozilla Browsers Have Old Flaw (7 June 2005)
Some of the most recent versions of Mozilla browsers, Firefox 1.0.4, Mozilla 1.7.8 and Camino 0.x, include a variation of a flaw that makes them vulnerable to spoofing. Mozilla is investigating the report of the flaw variant; users are advised to close other windows and tabs before they access web sites that require them to input personal information. The problem lies in the fact that the applications do not check to ensure that all the frames being displayed in a given window originate from the same web site. Therefore, attackers could insert content onto a trusted web site that would trick the user into divulging personal data, such as passwords and account numbers.
-http://software.silicon.com/security/0,39024655,39131016,00.htm
-http://www.computerworld.com/printthis/2005/0,4814,102313,00.html
MISCELLANEOUS
Stolen Computers Contain Motorola Employee Data (13 June 2005)
Two computers stolen from the Chicago-area office of a human resources outsourcing company contained the names and Social Security numbers of an undisclosed number of Motorola employees. Motorola has sent email messages to those whose data were compromised. The theft took place over the Memorial Day weekend; police are investigating.
-http://www.theregister.co.uk/2005/06/13/motorola_worker_data_security_breach/print.html
-http://www.computerworld.com/printthis/2005/0,4814,102458,00.html
===end===
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit
http://portal.sans.org/