SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #25
June 22, 2005
TOP OF THE NEWS
UK Warns of Trojan Attacks Targeting Critical Infrastructure OrganizationsBJ's Reaches Settlement in Data Security Case
Intermix Will Pay New York $7.5 Million in Spyware Case
Security is Banking Sector's Top IT Spending Priority Says Study
Banks Focusing on ID Theft Resolution Instead of Prevention
THE REST OF THE WEEK'S NEWS
SPAM & PHISHINGJapanese Police Arrest Phishing Suspect
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Netscape Releases Browser Update
Increase in Port 445 Traffic
Opera Releases Browser Update
Sun Releases Updates to Fix Java Flaws
ATTACKS & INTRUSIONS
FBI Investigating Security Breach at Third Party Payment Processor
Some FDIC Employees' Data Compromised
Equifax Canada Notifies People of Security Breach
STATISTICS, STUDIES & SURVEYS
Security Product Vulnerabilities on the Rise
Browser Based Attacks are Increasing
MISCELLANEOUS
Spyware Spreading Through BitTorrent Files
*************************************************************************
Why Do Security Professionals Get More Value From SANS Than from Any Other Source?
"Years of experience downloaded into your brain in 6 days."
- Chris Koutras, Titan, Inc.
"The perfect balance of theory and hands on experience."
- James D. Perry II, University of Tennessee
"SANS courses bring the best of the best to one place to learn cutting- edge information."
- Jeremy Baca , Sandia National Labs
"SANS has opened my eyes to things I never would have considered based on my own research."
- Doug Wells, Media General, Inc.
Current Training Schedule: http://www.sans.org
**********************************************************************
TOP OF THE NEWS
UK Warns of Trojan Attacks Targeting Critical Infrastructure Organizations (17/16 June 2005)
The UK's National Infrastructure Security Co-ordination Centre is warning that 300 UK organizations have been targeted by data-stealing Trojan horse programs developed by attackers in East Asia. The programs aim to harvest information from certain parts of the UK's national critical infrastructure. The attacks have been taking place for several months. The NISCC does not yet have enough evidence to accuse a country or group of people, but Roger Cumming, NISCC director says that the attacks are "industrial strength." These attacks indicate a movement away from mass mailer malware and toward targeted, tailored attacks. The attackers use the information they have stolen to blackmail employees or the company.-http://software.silicon.com/malware/print.htm?TYPE=story&AT=39131224-3800003
100t-40000041c
-http://www.theregister.co.uk/2005/06/17/niscc_warning/print.html
-http://www.computerworld.com/printthis/2005/0,4814,102595,00.html
-http://www.technewsworld.com/story/ekZ8y0ZscMAgDl/British-Security-Officials-War
n-of-Targeted-Cyber-Attacks.xhtml
-http://www.niscc.gov.uk/niscc/docs/ttea.pdf
-http://www.dsd.gov.au/_lib/pdf_doc/advisories/DA-2005-01.pdf
-http://www.ocipep.gc.ca/opsprods/info_notes/IN05-001_e.asp
[Editor's Note (Paller): Targeted trojan attacks on important commercial and government organizations, using social engineering, is one of the most important forms of cyber crime. US companies and government agencies have been targeted with waves of successful attacks for more than two years. Until NISCC took the initiative to make the problem public, it was most often denied by executives who claimed it couldn't happen (because, they said, "we have policies that would stop such attacks.") When those executives were confronted by law enforcement with proof that they had been penetrated and important data was lost, they threatened to use their political clout to thwart any further disclosure. ]
BJ's Reaches Settlement in Data Security Case (17 June 2005)
BJ's Wholesale Club Inc, and the Federal Trade Commission have reached a settlement regarding the security of BJ's customer data. The FTC said that BJ's customer information was not encrypted when it was stored and the files in which the data were stored were easily accessible using only default passwords. In addition, BJ's kept the data longer than was necessary. Furthermore, BJ's did not protect its wireless network from unauthorized access. Thousands of credit cards that had been used by BJ's customers were subsequently used to make fraudulent purchases at other businesses. Under the settlement, BJ's will "implement a comprehensive data-security system and undergo biannual security audits for the next 20 years.-http://www.computerworld.com/printthis/2005/0,4814,102602,00.html
[Editor's Note (Pescatore): In this case, and others, the FTC has been able to use existing law quite effectively (FTCA 15 USC 45a) to good use when customer data has been mishandled. We don't really need more laws, we need better enforcement using existing mechanisms.
(Grefer): Interestingly enough, assessments and reports are to be provided by a GIAC, CISA or CISSP holder. Disturbingly enough, there is not penalty nor fine involved in this settlement. ]
Intermix Will Pay New York $7.5 Million in Spyware Case (16/15 June 2005)
Intermix Media has reached a settlement with New York Attorney General Eliot Spitzer in which it has agreed to pay the state of New York US$7.5 million over the next three years to settle charges it bundled spyware with its free programs. Intermix has also agreed to "permanently" refrain from distributing adware, redirect applications and toolbar programs. Incidentally, Intermix shares rose considerably in after hours trading following the announcement of the settlement.-http://news.com.com/2102-7350_3-5747733.html?tag=st.util.print
-http://www.technewsworld.com/story/W01I1N2jpGkhuv/Intermix-To-Pay-75-Million-To-
Settle-Spyware-Case.xhtml
[Editor's Note (Schultz): This ruling is likely to be viewed as a landmark ruling. Those who inject spyware into systems need to be held accountable. ]
Security is Banking Sector's Top IT Spending Priority Says Study (20 June 2005)
According to the Info-Tech Research Group 2005 IT Budget and Staffing Report, security is the banking sector's top IT spending priority. 59% of the banks surveyed plan to increase security spending; 70% of bank IT executives plan to spend money on security software.-http://www.computerworld.com/printthis/2005/0,4814,102642,00.html
Banks Focusing on ID Theft Resolution Instead of Prevention (16 June 2005)
A report from Javelin Strategy & Research says that most credit-card-issuing companies are concentrating on the resolution of identity theft rather than on prevention and detection. The survey gave 39 banks ratings for identity theft prevention, detection and resolution; the banks averaged 16.7 out of 40 points for prevention, 9.7 out of 40 points for detection and 14.4 out of 20 points for resolution. The overall average for the banks was 41 out of a possible 100 points. Prevention and detection were more heavily weighted because they have "greater potential benefits and cost savings."-http://www.informationweek.com/showArticle.jhtml?articleID=164303598
[Editor's Note (Pescatore); This is one of the dangers of disclosure laws. By making it commonplace for companies to admit ever increasing numbers of disclosures, a cathartic feeling masks the underlying problems - lack of preventing such incidents, which are *really* not that hard to prevent with standard, due diligence levels of protection. ]
************************** Sponsored Links: *****************************
1) Security Breaches, Data Loss, Regulatory Oversight, Legal Actions - Is Your Data at Risk? - Live Webcast
http://www.sans.org/info.php?id=807
2) Please join us June 23, 2005 1:00pm EDT for the Secure Software webcast series where we will look at the kind of information that must be provided in order for design and QA to properly build and test that data is appropriately protected.
http://www.sans.org/webcasts/show.php?webcastid=90571
*************************************************************************
THE REST OF THE WEEK'S NEWS
Japanese Police Arrest Phishing Suspect (14 June 2005)
Japanese police have arrested Kazuma Yabuno who is suspected of creating and operating a web site that appeared to be a known Internet auction site but which was instead used to harvest unsuspecting users' personal information. Police confiscated 12 computers from Mr. Yabuno's home; he will also face charges of copyright violation. The arrest is Japan's first related to phishing.-http://australianit.news.com.au/common/print/0,7208,15610302%5E15331%5E%5Enbv%5E
15306%2D15318,00.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Netscape Releases Browser Update (20/18 June 2005)
Netscape has released version 8.0.2 of its browser to address a problem that makes extensible markup language (XML) files appear as blank pages in Internet Explorer.-http://www.computerweekly.com/Articles/2005/06/20/210500/Netscapefixesbrowser's
XMLbug.htm
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39197994-20000
61744t-10000005c
-http://bloggeditnews.blogspot.com/2005/06/netscape-802-fix-released.html
Increase in Port 445 Traffic (17 June 2005)
There has been increased activity on TCP port 445, a port associated with Windows' Server Message Block protocol. It is possible that the increased activity is due to attackers searching for ways to exploit the Microsoft Incoming SMB Packet Validation Remote Buffer Overflow Vulnerability, which was patched in Microsoft's monthly security update for June.-http://www.techweb.com/wire/security/164900734
[Editor's Note (Pescatore): The SANS Internet Storm Center (isc.sans.org) is also showing increase in port 445 activity, always a useful indicator that exploit code is coming. Most enterprises have sped up their reaction time after Microsoft Vulnerability Tuesday - this increase in activity is a good reminder to make sure you have prioritized patching MS05-27 or employed shielding or work arounds until you do. ]
Opera Releases Browser Update (17/16 June 2005)
Opera Software has released an updated version of its browser in order to fix several vulnerabilities including cross-site scripting and injection flaws. Versions of Opera 8.01 for a variety of platforms are available on the company's web site.-http://www.techweb.com/wire/security/164900263
-http://www.theregister.co.uk/2005/06/17/opera_security_update/print.html
-http://news.com.com/2102-1002_3-5751713.html?tag=st.util.print
-http://www.opera.com/announcements/en/2005/06/16/
Sun Releases Updates to Fix Java Flaws (15 June 2005)
Sun Microsystems has released software updates to address two "highly critical" flaws in Java that could be used to take control of vulnerable systems. The flaws in Java Runtime Environment could be exploited to read and write files and to execute applications. The updates are J2SE 5.0 Update 2 and J2SE 1.4.2_08,-http://www.zdnetasia.com/news/software/printfriendly.htm?AT=39236690-39000001c
ATTACKS & INTRUSIONS
FBI Investigating Security Breach at Third Party Payment Processor (20/18/17 June 2005)
The FBI is investigating a security breach at CardSystems Solutions, Inc., an Atlanta-based payment processor with a processing center in Tucson, AZ. As many as 40 million credit card accounts may have been exposed after a malicious script that harvests data infiltrated the CardSystems network. The breach was discovered on May 22, but took place some time in late 2004. CardSystems Solutions CEO John M. Perry says the account data were being improperly retained, running contrary to industry practices; Visa and MasterCard have established rules requiring that payment processors not retain account data once a transaction has been completed.-http://www.businessweek.com/ap/financialnews/D8APV5G00.htm?campaign_id=apn_home_
down
-http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2005/06/18/MNGV6DASVM1.DTL&a
mp;type=printable
-http://www.boston.com/news/nation/articles/2005/06/18/firm_says_up_to_40m_credit
_card_files_stolen?mode=PF
-http://money.cnn.com/2005/06/17/news/master_card/index.htm?cnn=yes
(Please note the New York Times site requires free registration)
-http://www.nytimes.com/2005/06/20/technology/20credit.html?ei=5094&en=d0b4ff
6a62629204&hp=&ex=1119326400&partner=homepage&pagewanted=print
-http://news.com.com/2102-1029_3-5751886.html?tag=st.util.print
-http://www.msnbc.msn.com/id/8294175/
[Editor's Note (Ranum): Visa and MasterCard have rules about how data should be handled by their business partners. This is the first case I've seen come to public attention in which the Visa/MC standard was recognized but allegedly not followed. That's the basis for an interesting lawsuit. It also reveals the profound lack of teeth in policies and procedures. It doesn't matter how good your policies are on paper if they're not followed. ]
Some FDIC Employees' Data Compromised (17/16 June 2005)
The Federal Deposit Insurance Corporation has notified 6,000 current and former employees that their personal data may have been compromised in a security breach that occurred in 2004. In several cases, the stolen data were used to obtain loans at a credit union. The FDIC says the case is one of "unauthorized release" of personal information rather than an intrusion. The FBI is investigating.-http://www.techweb.com/wire/security/164900261
-http://www.fcw.com/article89296-06-17-05-Web
Equifax Canada Notifies People of Security Breach (16 June 2005)
Equifax Canada has notified 600 Canadian citizens that their credit files were illegally accessed. Most of those affected reside in British Columbia. The breach was reportedly due to "improper use of the access codes and passwords of one of Equifax's customers."-http://news.com.com/2102-1029_3-5750434.html?tag=st.util.print
STATISTICS, STUDIES & SURVEYS
Security Product Vulnerabilities on the Rise (20 June 2005)
Yankee Group analysts have published a paper asserting that because anti-virus companies have not been made to acknowledge and address vulnerabilities in their products, these vulnerabilities are looking more and more appealing to crackers. In their paper, the analysts observe that vulnerabilities in anti-virus products are being discovered at a faster rate than those in Microsoft products.-http://news.com.com/2102-1002_3-5754773.html?tag=st.util.print
[Editor's Note (Schultz): This is a very troubling assertion given the prevalence of anti-virus products running on Windows and other systems such as Macs. If this assertion is indeed true, anti-virus vendors need to be pressured to develop less vulnerability-plagued products. ]
Browser Based Attacks are Increasing (16 June 2005)
The Computing Technology Industry Association's third annual report on IT Security and the Work Force found that of the nearly 500 organizations participating in the survey, 56.6% had suffered a browser-based cyber attack; last year the figure was 36.8% and two years ago it was 25%. Viruses and worms remained the top IT security threat.-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39236946-39000005c
-http://www.comptia.org/pressroom/get_pr.aspx?prid=620
MISCELLANEOUS
Spyware Spreading Through BitTorrent Files (16 June 2005)
Purveyors of adware and spyware are reportedly turning to BitTorrent to distribute their wares. Unlike other file sharing programs such as Kazaa, BitTorrent has no central technology. Files being made available on BitTorrent sites are increasingly coming bundled with the surreptitious software that peppers users' computers with pop-up ads and drains computing/processor resources, potentially causing systems to become unstable.-http://news.com.com/2102-7349_3-5750601.html?tag=st.util.print
===end===
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/
