SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #27

July 06, 2005

TOP OF THE NEWS

Attorneys General Demand Information About CardSystems Security Breach
Hong Kong Banks Using Two-Factor Authentication for On-Line Transactions
IRS Contract with ChoicePoint Spurs Security Review

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Alleged Spammer Could Face Three-Year Prison Sentence
Two UK Men Sentenced in Phishing Scheme
Government Computer Intruder Sentenced
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Industry Groups Urge Ratification of Convention on Cybercrime
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
RIAA to File More Suits Against Downloaders
Operation Shuts Down Internet Pirates' Servers Around the World
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Acknowledges IE Flaw
Fantibag Trojan Alters Packet Filtering Policies to Isolate Machines
Adobe Releases Reader and Acrobat Updates for Mac OS
US-CERT Warns of Circulating Exploit for Veritas Flaw
ATTACKS & INTRUSIONS & DATA THEFT
Rootkit Found on UConn Server
STANDARDS & BEST PRACTICES
Singapore to Establish Common Criteria Lab
STATISTICS, STUDIES & SURVEYS
Deloitte 2005 Global Security Survey
MISCELLANEOUS
Binary Difference Analysis Speeds Reverse Engineering of Patches
Microsoft Shares Vulnerability Information with Japan


******************** Security Training News******************************

1) SANS@HOME: Live courses with SANS best teachers - without leaving your home or office - amazingly effective and satisfying. Hacker Techniques, Auditing, Forensics, SANS Security Essentials, Firewalls, and Windows all start within the next three weeks. Sign up today at www.sans.org

2) Save $150 on SANS Washington 2005 by signing up by Thursday http://www.sans.org/washington2005

3) SANS Network Security 2005 in New Orleans (October) just opened for registration http://www.sans.org/ns2005

Why Attend SANS Training Instead of Less Effective Courses? "SANS reminds me of 'The Matrix'. You can take the blue pill and go on happily thinking your network is safe, or you can take the red pill and find out what the computer world is really like. This class is the red pill, and if it doesn't drive you insane in the process, you will leave better prepared to handle the real world of security." (Shawn Wenzel, Par Pharmaceutical)

*************************************************************************
Announcing the SANS Advisor
A newsletter that gets straight to the point with tips and breaking news on IT Security, Audit, Privacy. Volume 1, Number 1 is complimentary and available for downloading from: www.sans.org/newsletters/advisor/1.1.pdf If you enjoy SANS Advisor and want to make sure you are notified when the next edition comes out, sign up at http://www.sans.org/newsletters
********************************************************************

TOP OF THE NEWS

State Attorneys General Demand Information About CardSystems Security Breach (28 June 2005)

Attorneys General from 44 states have written a letter to CardSystems demanding that the payment processor notify the people whose accounts were compromised in its massive breach and be forthcoming with information about what happened. As many as 40 million accounts may have been exposed; at least 200,000 are known to have been stolen. The letter calls CardSystems' actions unacceptable and gives the company until July 25 to provide detailed state-by-state information about the breach, its remediation efforts, and the steps it is taking to prevent further compromises.
-http://news.findlaw.com/scripts/printer_friendly.pl?page=/ap/o/51/06-29-2005/d583001a47792379.html

[Editor's Note (Schultz): CardSystems' actions were indeed unacceptable. It continually amazes me how CardSystems and other companies have shown little or no regard for the consumers whom they have endangered because of their failure to provide adequate security. ]

Hong Kong Banks Using Two-Factor Authentication for On-Line Transactions (1 July 2005)

All banks in Hong Kong are now required to use two-factor authentication for "high risk" on-line transactions. The Hong Kong Monetary Authority mandated the upgrade, and every bank in Hong Kong has complied.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39240308-39000005c
-http://www.info.gov.hk/hkma/eng/press/2005/20050530e3_index.htm
[Editor's Note (Paller): US banks are not yet using two factor authentication (though one bank representative told us that "a user name and password were two factors.") Depositors are losing money and the banks are blaming the depositors. That's unacceptable! It is time for the US financial industry to step up to its responsibility and live up to its reputation for setting a high standard for cyber security.
(Pescatore): The FDIC (Federal Deposit Insurance Organization) has published a study on compromise of reusable passwords, and in the third quarter of 2005, the FFIEC (Federal Financial Institutions Examination Council) is expected to issue recommendations to ensure financial institution risk assessment approaches include on-line customer authentication issues. ]

IRS Contract with ChoicePoint Spurs Security Review (29/28 June 2005)

The Internal Revenue Service has awarded ChoicePoint a five-year, US$20 million contract to provide the agency with public records it can use to "locate assets owned by delinquent taxpayers." In light of ChoicePoint's recent security compromises involving consumer data, the IRS has ordered a security review to ensure that taxpayer confidentiality will not be breached. The IRS has had a contract with ChoicePoint in the past and said it experienced no security problems (of which it was aware). For its part, ChoicePoint spokesman Dan McGinn says the data broker has exceeded the commitments it set for itself in March regarding the protection of consumer data. ChoicePoint has created an Office of Privacy, Credentialing and Compliance to oversee company policies regarding compliance with privacy laws.
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=36239

-http://www.informationweek.com/showArticle.jhtml?articleID=164903626
-http://news.com.com/2102-1029_3-5768426.html?tag=st.util.print
[Editor's Note (Pescatore): Hmmm, perhaps the IRS is operating on the "lightning won't strike twice" theory?
(Schultz): On the surface it seems troubling that the IRS would award ChoicePoint such a large sum of money to provide records when ChoicePoint proved itself unable to properly secure consumer data. It appears, however, that ChoicePoint has "seen the light" as far as security goes, hopefully to the point that subsequent security breaches will be extremely unlikely. ]


*************************** Sponsored Link ******************************
1) ALERT! Hackers gain access to backend data via web applications. FREE WHITE PAPER:
http://www.sans.org/info.php?id=813

2) Free Offers from SANS:
A) Free monthly newsletter for security awareness for general users: by far the best such newsletter at any price. (More than 200 organizations help create it every month; hundreds of thousands of users get it.)

B) Free weekly summary of all new critical vulnerabilities and all newly discovered vulnerabilities. More than 120,000 very technical security people get it every month.

Sign up for either or both at http://www.sans.org/newsletters
*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Alleged Spammer Could Face Three-Year Prison Sentence (30 June 2005)

A Florida man could face a prison sentence of up to three years for sending unsolicited email messages. Peter Moshou said he would plead guilty to one count of violating the CAN-SPAM Act. Moshou allegedly sent millions of spam messages through EarthLink; the messages used phony "from" addresses, deceptive subject lines and did not provide a means to unsubscribe electronically, all of which are violations of the law. Moshou could also be fined as much as US$350,000.
-http://www.messagingpipeline.com/showArticle.jhtml?articleID=164904289

Two UK Men Sentenced in Phishing Scheme (28 June 2005)

Two UK men have been sentenced to jail for their roles in a phishing scheme that netted the pair approximately GBP 6.5 million (US$11.4 million). Douglas Havard received a six-year sentence while Lee Ellwood received a four-year sentence. Their arrests were the result of a British National Hi-Tech Crime Unit (NHTCU) investigation into Eastern European phishing schemes.
-http://www.theregister.co.uk/2005/06/28/phishing_duo_jailed/print.html
-http://www.computerworld.com/printthis/2005/0,4814,102839,00.html
[Editor's Note (Schultz): I suspect that these arrests are no small accomplishment; tracking down and arresting phishers who operate out of other countries must be a daunting task. The National Hi-Tech Crime Unit thus deserves considerable praise. ]

Government Computer Intruder Sentenced (28 June 2005)

Robert Lyttle, one half of the "Deceptive Duo" that broke into government computers and defaced web sites, was sentenced to four months in jail. Lyttle pleaded guilty to five counts of unlawful computer access relating to the April 2002 intrusions. He was also ordered to pay US$72,000 in damages and will remain on probation for three years following his release from federal prison; for the first four months of his probation he will be confined to his home under electronic monitoring. Lyttle's accomplice, Benjamin Stark, pleaded guilty last year to similar offenses but has not yet been sentenced.
-http://www.theregister.co.uk/2005/06/28/deceptive_duo_hacker_jailed/print.html
-http://www.usdoj.gov/usao/can/press/assets/applets/2004_07_16_Lyttle_ind.pdf
-http://www.usdoj.gov/usao/can/press/html/2005_03_11_lyttle.html
-http://www.usdoj.gov/usao/dc/Press_Releases/2004_Archives/May_2004/04185.html

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

Industry Groups Urge Ratification of Convention on Cybercrime (29 June 2005)

A coalition of industry organizations has sent a letter to the Senate Foreign Relations Committee asking it to ratify the Council of Europe's Convention on Cybercrime. The Convention is a multilateral treaty that facilitates cooperative investigation and prosecution of cyber crime across borders. The US signed the treaty in November 2001 but has yet to ratify it. Ratifying parties must adopt compatible computer crime laws, so the treaty would push countries around the world toward similar legislation. The Electronic Privacy Information Center opposes ratification because, it says, the treaty provides for "invasive investigative techniques while failing to provide meaningful privacy and civil liberties safeguards."
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=36257

-http://news.com.com/2102-7348_3-5768462.html?tag=st.util.print
-http://www.commsdesign.com/press_releases/prnewswire/showPressRelease.jhtml?&;CompanyId=1&HeadlineId=X342870

-https://www.csialliance.org/resources/pdfs/Letter_to_SFRC_on_Co170ABD.pdf
-http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm
-http://www.usdoj.gov/criminal/cybercrime/COEFAQs.htm

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

RIAA to File More Suits Against Downloaders (1 July 2005)

The Recording Industry Association of America (RIAA) says it plans to take legal action against 784 people suspected of illegally downloading music to their computers. Those being targeted include users of Grokster and Limewire.
-http://news.bbc.co.uk/2/hi/entertainment/4640415.stm

Operation Shuts Down Internet Pirates' Servers Around the World (1 July 2005)

Raids on suspected Internet piracy groups in 11 countries around the world netted seven arrests and the seizure of US$50 million worth of pirated materials, including software, games and movies. In addition, eight servers used to distribute the pirated material were shut down.
-http://news.bbc.co.uk/2/hi/technology/4640439.stm
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39200019-2000061744t-10000005c

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Microsoft Acknowledges IE Flaw (1 July/30 June 2005)

Microsoft has published a security bulletin acknowledging a vulnerability in all supported versions of Internet Explorer. The flaw could allow an attacker to take control of a vulnerable system. In the advisory, Microsoft states that it is unaware of any exploits for the vulnerability but recommends that users' IE Internet and local intranet security zone settings be on "high" until the company takes action to address the problem.
-http://www.techweb.com/wire/security/165600276
-http://news.com.com/2102-1002_3-5771759.html?tag=st.util.print
-http://www.microsoft.com/technet/security/advisory/903144.mspx

Fantibag Trojan Alters Packet Filtering Policies to Isolate Machines (30 June 2005)

The Fantibag.a and Fantibag.b Trojans use a new technique to cut infected machines off from anti-virus and security update sites. Earlier Trojans modified the Windows HOSTS file so that security vendors' domain names resolved to the local machine; Fantibag instead uses the Microsoft RAS packet filtering API to create packet-filtering policies that drop inbound and outbound packets between the infected computer and more than 100 filtered addresses. Because the HOSTS file is left untouched, the HOSTS inspection that caught the older Trojans will not reveal the block.
-http://www.techweb.com/wire/security/164904273
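The HOSTS-file technique that Fantibag replaces is still worth checking for, since it remains common. The following is an added example, not code from the article or from any anti-virus vendor: it parses a HOSTS file the way the resolver does (comments, tabs, several aliases per line, IPv4 and IPv6) and flags any entry that maps a watched vendor or update domain, whatever address it points at. The watch-list and the sample file contents are constructed for illustration.

```python
"""Audit a HOSTS file for entries that hijack security-vendor domains.

Added example, not code from the article or from any anti-virus vendor.
WATCHED_DOMAINS and SAMPLE_HOSTS are constructed for illustration.
"""
import ipaddress
from typing import List, Tuple

# Constructed watch-list: update and vendor domains that update-blocking
# malware typically targets. Extend it with whatever your estate depends on.
WATCHED_DOMAINS = {
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "symantec.com",
    "symantecliveupdate.com",
    "mcafee.com",
    "kaspersky.com",
    "sophos.com",
    "trendmicro.com",
    "f-secure.com",
}

# Constructed sample: the stock localhost lines plus additions of the kind
# the older HOSTS-file Trojans write (loopback, blackhole, and a redirect).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1   liveupdate.symantecliveupdate.com update.symantec.com
0.0.0.0\twindowsupdate.microsoft.com\t# blackholed
10.0.0.5    downloads.kaspersky.com
not-an-ip   sophos.com
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from HOSTS file text.

    Handles '#' comments, blank lines, tab/space separation and several
    aliases per line; lines whose first field is not a valid IP are skipped,
    as the resolver would skip them.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue
        for name in names:
            pairs.append((address, name.lower().rstrip(".")))
    return pairs


def watched(hostname: str) -> bool:
    """True if hostname equals, or is a subdomain of, a watched domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(text: str) -> List[Tuple[str, str]]:
    """Return every HOSTS entry that maps a watched domain to any address.

    The target address does not matter: loopback (127.0.0.1, ::1) or 0.0.0.0
    blackholes updates; anything else sends the update client to a host the
    attacker chose. A vendor domain simply should not appear in HOSTS.
    """
    return [(addr, name) for addr, name in parse_hosts(text) if watched(name)]


if __name__ == "__main__":
    for addr, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious HOSTS entry: {name} -> {addr}")
```

On a real machine, feed it the contents of %SystemRoot%\System32\drivers\etc\hosts. A clean HOSTS file is not a clean bill of health against Fantibag specifically, since its block lives in packet filters rather than name resolution; an end-to-end check (can the update client actually reach the vendor site?) is the complementary test.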

Adobe Releases Reader and Acrobat Updates for Mac OS (27 June 2005)

Adobe has released updates to Adobe Reader and Adobe Acrobat for Mac OS; Adobe Reader 7.0.2 and Adobe Acrobat 7.0.2 are available to download from the Adobe web site. The updates address two flaws. The first involves the way in which both applications handle JavaScript embedded in PDF files; it could be exploited to allow arbitrary application execution; the second involves elevated folder permissions in the Reader and Acrobat updater.
-http://www.adobe.com/support/techdocs/331709.html
-http://www.adobe.com/support/techdocs/331711.html
-http://news.zdnet.co.uk/internet/security/0,39020375,39205941,00.htm

US-CERT Warns of Circulating Exploit for Veritas Flaw (1 July/30 June 2005)

The US Computer Emergency Readiness Team (US-CERT) has issued a warning of malicious code that can be used to exploit a buffer overflow flaw in Veritas' Backup Exec Remote Agent for Windows; there has also been a noticeable increase in scanning on TCP Port 10000, suggesting attackers are searching out vulnerable systems. Veritas recently released fixes for this vulnerability and for several others.
-http://news.com.com/2102-7349_3-5770428.html?tag=st.util.print
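The increase in scanning on TCP port 10000 is the kind of thing a perimeter log can show you before an exploit lands. The following is an added example, not code from US-CERT or Veritas: it reads iptables-style firewall log lines and reports any source that contacted several distinct hosts on TCP/10000 within a short window, which separates a sweep from a backup media server talking to the same agent repeatedly. The log format, the threshold values and the sample lines are constructed assumptions.

```python
"""Flag sources sweeping TCP/10000 (Backup Exec Remote Agent) in firewall logs.

Added example, not from US-CERT or Veritas. The iptables-style log format,
the thresholds and SAMPLE_LOG are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed log format: ISO timestamp, then key=value fields as iptables
# LOG targets emit them (SRC, DST, PROTO, SPT, DPT ...).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

SAMPLE_LOG = [
    # one external host probing six internal hosts on 10000 in five seconds
    "2005-06-30T08:00:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.1 PROTO=TCP SPT=3345 DPT=10000 SYN",
    "2005-06-30T08:00:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.2 PROTO=TCP SPT=3346 DPT=10000 SYN",
    "2005-06-30T08:00:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.3 PROTO=TCP SPT=3347 DPT=10000 SYN",
    "2005-06-30T08:00:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.4 PROTO=TCP SPT=3348 DPT=10000 SYN",
    "2005-06-30T08:00:04 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=3349 DPT=10000 SYN",
    "2005-06-30T08:00:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.6 PROTO=TCP SPT=3350 DPT=10000 SYN",
    # a legitimate media server talking to the same agent repeatedly
    "2005-06-30T08:01:00 fw kernel: IN=eth1 OUT= SRC=10.0.0.50 DST=10.0.0.7 PROTO=TCP SPT=40001 DPT=10000 SYN",
    "2005-06-30T08:02:00 fw kernel: IN=eth1 OUT= SRC=10.0.0.50 DST=10.0.0.7 PROTO=TCP SPT=40002 DPT=10000 SYN",
    # two probes only: below the default threshold
    "2005-06-30T08:03:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.8 PROTO=TCP SPT=5000 DPT=10000 SYN",
    "2005-06-30T08:03:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.9 PROTO=TCP SPT=5001 DPT=10000 SYN",
    # unrelated traffic (web, and UDP/10000), both ignored
    "2005-06-30T08:04:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.9 PROTO=TCP SPT=5002 DPT=80 SYN",
    "2005-06-30T08:04:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.10 PROTO=UDP SPT=5003 DPT=10000",
]


def parse_line(line: str) -> Optional[dict]:
    """Extract timestamp, source, destination, protocol and destination port."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def detect_port_sweeps(
    lines: List[str],
    port: int = 10000,
    min_targets: int = 5,
    window: timedelta = timedelta(minutes=10),
) -> Dict[str, List[str]]:
    """Return {source: sorted distinct destinations} for every source that
    reached at least min_targets distinct hosts on TCP/port within `window`.

    Events are bucketed per source and sorted by time; for each event the
    window starting there is examined, so a slow sweep that stays under the
    threshold in any single window is not flagged (tune `window` for that).
    """
    events: Dict[str, List] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "TCP" and ev["dpt"] == port:
            events[ev["src"]].append((ev["ts"], ev["dst"]))

    sweeps: Dict[str, List[str]] = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            targets = {dst for t, dst in evs[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                sweeps[src] = sorted(targets)
                break
    return sweeps


if __name__ == "__main__":
    for src, targets in detect_port_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept TCP/10000 on {len(targets)} hosts: {', '.join(targets)}")
```

Known media servers legitimately open TCP/10000 to many agents, so put them on an allow-list (or raise min_targets for internal sources) before alerting on this; the signal worth acting on is an unexpected source fanning out across the address space.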

ATTACKS & INTRUSIONS & DATA THEFT

Rootkit Found on UConn Server (28 June 2005)

The University of Connecticut has taken a server off-line after discovering that it had been compromised by a rootkit since October 2003. Although there is no evidence that data on the server were accessed, because a backdoor component of the attack failed to install, the University is notifying the 72,000 students, faculty and staff whose information may have been exposed.
-http://www.techweb.com/wire/security/164903436
[Editor's Note (Pescatore): UCONN is my alma mater, and it was a lot more fun when it made the headlines because the men's and women's basketball teams were winning championships. Their PR response to this (http://www.uconn.edu/newsmedia/2005/june05/rel05049.html) was pretty wiggly - a rootkit was installed on a server over 18 months ago and they only recently noticed. The PR release emphasizes vague promises about moving away from using SSN as an identifier and a long list of other universities that have had security incidents. The release is less mea culpa, more notta my faulta. ]

STANDARDS & BEST PRACTICES

Singapore to Establish Common Criteria Lab (29 June 2005)

Singapore plans to establish a Common Criteria certification laboratory. Common Criteria is an international standard, recognized by governments and organizations around the world, for evaluating the security of IT products and systems; it defines seven evaluation assurance levels (EAL1 through EAL7). A Common Criteria laboratory in Singapore will let the country's companies sell certified products into foreign markets, and certification will be cheaper because they will no longer have to go abroad for evaluation.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39239505-39000005c
-http://www.commoncriteriaportal.org/
[Editor's Note (Shpantzer): So sad... Common Criteria (CC) is so misunderstood. People wrongly think CC means something in terms of what is actually going on when a system is connected to a network. It doesn't. ]

STATISTICS, STUDIES & SURVEYS

Deloitte 2005 Global Security Survey (29 June 2005)

According to Deloitte's 2005 Global Security Survey, financial services organizations are now experiencing more internal security breaches than external ones. 28% of respondents reported an external IT security breach in the past year, down 55% from the previous year's figure; reports of internal breaches, however, rose from 14% last year to 35% this year.
-http://www.zdnetasia.com/news/security/0,39044215,39239481,00.htm
-http://www.deloitte.com/dtt/cda/doc/content/

MISCELLANEOUS

Binary Difference Analysis Speeds Reverse Engineering of Patches (1 July 2005)

Binary difference analysis can be used to determine what differs between virus variants and to detect intellectual property violations in software. The same technique reverse engineers software patches quickly: by comparing the pre- and post-patch binaries, an analyst locates the changed code and hence the vulnerability it fixes, so attackers can use it to build exploits for flaws that have not yet been widely patched.
-http://www.securityfocus.com/news/11235
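To make the patch-diffing idea concrete, here is an added example, not the method of any tool the article discusses. It works on disassembled instruction streams rather than real executables: each "build" is a constructed dict of function name to instruction list standing in for a disassembler's output. The key step is normalizing immediates and addresses before comparison, so that a function whose only change is a relocated call target is not reported, while the function that gained a length check before its copy stands out, which is exactly where an exploit writer would start looking.

```python
"""Function-level diff of two builds to locate what a patch changed.

Added example; not the technique of any specific tool named in the article.
OLD_BUILD and NEW_BUILD are constructed stand-ins for disassembler output
(function name -> list of instruction strings), not real binaries.
"""
import difflib
import hashlib
import re
from typing import Dict, List, Tuple

# Hex immediates/addresses and bare decimal numbers are masked so that
# relocation and relinking noise does not register as a code change.
IMM_RE = re.compile(r"0x[0-9a-fA-F]+|\b\d+\b")

# Constructed pre-patch build: parse_request copies a caller-supplied
# length into a fixed 0x400-byte stack buffer with no check.
OLD_BUILD: Dict[str, List[str]] = {
    "parse_request": [
        "push ebp", "mov ebp, esp",
        "mov ecx, [ebp+0xc]",          # length from the request
        "push ecx", "push [ebp+0x8]",
        "lea eax, [ebp-0x400]",        # 0x400-byte stack buffer
        "push eax", "call 0x401a20",   # memcpy-style copy
        "leave", "ret",
    ],
    "log_event": ["push ebp", "mov ebp, esp", "call 0x401000", "leave", "ret"],
}

# Constructed post-patch build: only the bounds check is new; log_event's
# call target moved because the binary was relinked, nothing more.
NEW_BUILD: Dict[str, List[str]] = {
    "parse_request": [
        "push ebp", "mov ebp, esp",
        "mov ecx, [ebp+0xc]",
        "cmp ecx, 0x400", "ja 0x401c80",   # the fix: reject oversized lengths
        "push ecx", "push [ebp+0x8]",
        "lea eax, [ebp-0x400]",
        "push eax", "call 0x401a30",
        "leave", "ret",
    ],
    "log_event": ["push ebp", "mov ebp, esp", "call 0x402000", "leave", "ret"],
}


def normalize(instr: str) -> str:
    """Replace every immediate/address with IMM so only code shape is compared."""
    return IMM_RE.sub("IMM", instr)


def signature(instrs: List[str]) -> str:
    """Stable fingerprint of a function's normalized instruction stream."""
    joined = "\n".join(normalize(i) for i in instrs)
    return hashlib.sha256(joined.encode()).hexdigest()


def diff_builds(old: Dict[str, List[str]], new: Dict[str, List[str]]) -> Tuple[List[str], List[str], List[str]]:
    """Return (changed, added, removed) function names between two builds."""
    changed = [f for f in old if f in new and signature(old[f]) != signature(new[f])]
    added = [f for f in new if f not in old]
    removed = [f for f in old if f not in new]
    return changed, added, removed


def function_diff(old_instrs: List[str], new_instrs: List[str]) -> List[str]:
    """Unified diff of two normalized instruction streams."""
    return list(difflib.unified_diff(
        [normalize(i) for i in old_instrs],
        [normalize(i) for i in new_instrs],
        fromfile="old", tofile="new", lineterm="", n=1,
    ))


if __name__ == "__main__":
    changed, added, removed = diff_builds(OLD_BUILD, NEW_BUILD)
    print("changed:", changed, "added:", added, "removed:", removed)
    for name in changed:
        print("\n".join(function_diff(OLD_BUILD[name], NEW_BUILD[name])))
```

Real binary differs match functions on their control-flow graphs and on symbol-free heuristics rather than on a linear instruction list, which is what lets them survive compiler reordering and inlining; the normalization step shown here is the part that carries over unchanged.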

Microsoft Shares Vulnerability Information with Japan (29 June 2005)

Microsoft is sharing vulnerability data with Japan's National Police Agency High-Tech Crime Technology Division before the flaws are publicly disclosed. The agreement, which was signed in April, provides for a hotline for cyber attack information sharing and training to help fight on-line crime.
-http://www.computerworld.com/printthis/2005/0,4814,102851,00.html


===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/