SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #33
August 17, 2005
Alert: Patch your Windows 2000 systems and upgrade your Windows XP systems to SP2 if you have not already done so. Zotob-C is spreading by email propagation in addition to spreading by scanning for the plug and play vulnerability announced last week by Microsoft. It's taken out newsrooms and major companies' computers. CNN made a huge story out of
its own infection. That much press will encourage piling on via more and more variants. Hence the fast patch recommendation.
http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html
Also, a letter to the editor raising important questions is at the end of this issue. We'd like your comments. Send them to paller@sans.org
Alan
TOP OF THE NEWS
New York Law Requires Security Breach NotificationNIST Establishes National Vulnerability Database
Zotob Worm Exploits Microsoft Plug-and-Play Vulnerability
FCC Ruling Says Certain VoIP Services Subject to CALEA Wiretap
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCESBulk eMailer Guilty of Data Theft
High School Students Charged with Felonies for School Computer Misuse
Four Sentenced in ATM Card Skimming Case
LEGISLATION
Safe Intersections Act Prohibits Use of Mobile Infrared Transmitters Without Authorization
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Cabir Mobile Phone Virus Spread at Finnish Stadium
Gaim Upgrade Addresses Buffer Overflow Flaw
Symantec Issues Patches for Veritas Backup Exec Remote Agent Flaw
Verizon Fixes Flaw that Put Customer Data at Risk For Exposure
Microsoft Releases August Security Updates; Fixes Corrupt IE Patch
MISCELLANEOUS
Australians' Data Offered for Sale; Television Program Addresses Cyber Threats
George Mason University Researchers Receive NSF Grant to Develop VoIP Prototype Surveillance Tool
Honeymonkey Project Finds Zero-Day Exploit
******************** Sponsored by WatchFire Corp.************************
"Addressing Challenges in Application Security," a Watchfire Whitepaper
Today's web application attacker can use your own applications to
expose, embarrass and steal from you. Companies rely on network and host
security, but often these measures are not enough to prevent web
application attacks. Learn best practices to safeguard your web
applications from future attacks and improve your application security
throughout the development lifecycle.
https://www.watchfire.com/securearea/whitepapers.aspx?id=701
**************************************************************************
Security Training Update
"SANS is the ultimate security training program. It is the most
intensive and informative security training available -- a must have for infosec professionals." (Aaron Despain, TriWest Healthcare)
Scheduled SANS training programs over the next three months in: Boston, New York, Whippany NJ, Baltimore, Virginia Beach, Herndon VA, Orlando, New Orleans, Chicago, Dallas, Los Angeles, San Jose CA, Portland OR; Ottawa, Tokyo, Barcelona, Vancouver, Amsterdam. Details:
http://www.sans.org
Announcing the SANS Advisor
A newsletter that gets straight to the point with tips and breaking news on IT Security, Audit, and Privacy. Volume 1, Number 2 is complimentary and available for downloading from:
http://www.sans.org/newsletters/advisor/1.2.pdf
If you enjoy SANS Advisor and want to make sure you are notified when the next edition comes out, sign up at http://www.sans.org/newsletters
**************************************************************************
TOP OF THE NEWS
New York Law Requires Security Breach Notification (12/11 August 2005)
New York Governor George Pataki signed the Information Security Breach and Notification Act on August 10, 2005. The law requires that organizations, including local government agencies, notify New York state residents when their information is stolen or compromised due to security breaches. The law is similar to California's two-year-old security breach notification law.-http://www.theregister.com/2005/08/12/ny_security_breaches_disclosure/print.html
-http://www.redherring.com/Article.aspx?a=13133&hed=New+York+Signs+Security+B
ill
-http://assembly.state.ny.us/leg/?bn=A04254
[Editor's Note (Schultz): Laws requiring notification of potential victims when personal data are compromised are a step in the right direction, but laws requiring adequate protection of such data are far better. Organizations and individuals need to be held accountable for protecting data; unless this is done, we will continue to see a plethora of personal data compromises.
[Editor's Note (Ranum): I expect we'll see a rush of computer security-related legislation, now that lawmakers have discovered it to be a politically safe topic that is popular with voters. ]
NIST Establishes National Vulnerability Database (15 August 2005)
The National Institute of Standards and Technology has launched the National Vulnerability Database. NVD is the new incarnation of the ICAT vulnerability database and will be updated daily. NVD "integrates all publicly available US government vulnerability resources and provides references to industry resources ... and is based on the CVE vulnerability naming standard." NVD is funded by DHS' National Cyber Security Division and is designed to complement security advisories from US-CERT which focus primarily on serious and critical flaws.-http://www.fcw.com/article89911-08-15-05-Print
-http://online.securityfocus.com/news/11278
-http://nvd.nist.gov/
Zotob Worm Exploits Microsoft Plug-and-Play Vulnerability (15/14/12 August 2005)
Within three days of the security bulletins' release, at least three versions of exploit code for a flaw in the Windows Plug-and-Play system that could give attackers complete control of vulnerable PCs were circulating. The flaw in Plug-and-Play allows remote code execution and privilege elevation. As of August 14, a worm, dubbed Zotob, which exploits the flaw has been spreading on the Internet. Zotob spreads via TCP port 445.-http://www.newsfactor.com/story.xhtml?story_id=37727
-http://online.securityfocus.com/news/11281
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1115620,0
0.html
-http://www.pcworld.idg.com.au/index.php/id;1841567960;fp;2;fpid;1
-http://www.computerworld.com/printthis/2005/0,4814,103929,00.html
-http://www.theregister.co.uk/2005/08/15/zytob_worm/print.html
Bulletin for Plug-and-Play Flaw:
-http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
[Editor's Note (Tan): Relevant links for this piece of news:
-http://www.microsoft.com/technet/security/advisory/899588.mspx
-http://isc.sans.org/diary.php?date=2005-08-14]
FCC Ruling Says Certain VoIP Services Subject to CALEA Wiretap Requirements (11/5 August 2005)
The Federal Communications Commission has determined that certain Voice over Internet Protocol (VoIP) services "essentially replace conventional telecommunications services currently subject to wiretap rules" covered in the Communications Assistance for Law Enforcement Act (CALEA) and as such, will be required to ensure their systems be able to comply with federal wiretap orders. The affected companies have 18 months to comply with the FCC order. The ruling applies to VoIP systems that allow users "to dial from their computers to the traditional phone network." Critics believe a legal challenge is likely.-http://www.wired.com/news/privacy/0,1848,68483,00.html
-http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-260434A1.pdf
*********************** Sponsored Links *********************************
1) NADS: The Missing Layer of Your Internal Enterprise Defense.
Download FREE White Paper "Role of Network Anomaly Detection Systems
(NADS) in the Enterprise" http://www.sans.org/info.php?id=844
2) Protecting information beyond your enterprise borders requires
advanced solutions for enabling secure remote access. FREE Gartner
report. http://www.sans.org/info.php?id=845
3) Turn off Telnet and FTP. Buy SecureCRT 5.0 with new tabbed
interface -- get SecureFX free.
http://www.sans.org/info.php?id=846
**************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Bulk eMailer Guilty of Data Theft (14/11 August 2005)
A Florida jury found Scott Levine guilty on 120 counts of unauthorized access to data, two counts of access device fraud and one count of obstruction of justice; Mr. Levine was found not guilty on 15 other counts, including conspiracy and unauthorized access of a protected computer. Mr. Levine ran the now-defunct bulk email company Snipermail.com. According to prosecutors, Mr. Levine and Snipermail.com stole 1.6 billion customer records including names, home addresses, email addresses and bank account and credit card numbers from the Acxiom Corp. data management company. Mr. Levine is to be sentenced on January 9, 2006. Six of Mr. Levine's Snipermail.com employees pleaded guilty to conspiracy charges and testified against him in this case.-http://www.usatoday.com/tech/news/computersecurity/2005-08-14-levine-conviction_
x.htm
-http://today.reuters.com/news/newsarticle.aspx?type=technologyNews&summit=&a
mp;storyid=2005-08-13T005633Z_01_DIT303326_RTRIDST_0_TECH-CRIME-ACXIOM-DC.XML
-http://www.smh.com.au/news/breaking/verdict-awaited-in-hacking-trial/2005/08/11/
1123353411040.html?oneclick=true
High School Students Charged with Felonies for School Computer Misuse (9 August 2005)
13 Pennsylvania high school students have been charged with felony computer trespass for breaking school rules regarding the use of their school-issued laptop computers. The state defines the offense "as altering computer data, programs or software without permission." The students discovered the administrative password that allowed them to reconfigure their machines and bypass Internet filters. Some students turned off a remote monitoring function and some used that function to view administrators' computer screens; some students also downloaded instant messaging tools. There is no evidence that the students altered grades, disabled the school's network or otherwise acted maliciously. School district officials maintain the students violated the code of conduct and acceptable use policy that warned of legal repercussions. The school had tried detentions and suspensions before turning the matter over to police. A hearing is scheduled for August 24, 2005.-http://www.wired.com/news/print/0,1294,68480,00.html
Four Sentenced in ATM Card Skimming Case (12/11 August 2005)
Four men have received four-year prison sentences for their roles in an ATM card-skimming scheme that netted 200,000 GBP. The gang was caught when staff members at a hotel they were operating out of became suspicious; police found equipment that made it evident that they "were engaged in a well-organised and highly sophisticated operation to defraud banks of thousands of pounds," according to the court.-http://www.theregister.co.uk/2005/08/12/atm_scam_gang_jailed/print.html
-http://icwales.icnetwork.co.uk/0100news/0200wales/tm_objectid=15845568&metho
d=full&siteid=50082&headline=warning-over--card-skimming--gang-name_page
.html
LEGISLATION
Safe Intersections Act Prohibits Use of Mobile Infrared Transmitters Without Authorization (12 August 2005)
The Safe Intersections Act, which was signed into law on August 10, 2005, makes it a misdemeanor for people to use mobile infrared transmitters without authorization. Police, fire departments and ambulances have the devices so they can manipulate the traffic signals. The devices have been found to be available for sale on the Internet. At least one later-generation device uses pulsed infrared serial numbers for authentication.-http://www.wired.com/news/print/0,1294,68507,00.html
[Editor's Note (Northcutt): Northcutt: I was able to find such a device with one google search; it costs about $300:
-http://www.themirt.com/
There are controls in place. The dealer requires police, rescue, or fire letterhead and the like. This is not to say these devices will not get into the wild; at that price point, they will. A well written article to expand on the topic can be found at:
-http://www.drivers.com/article/651/]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Cabir Mobile Phone Virus Spread at Finnish Stadium (15/12 August 2005)
Finnish officials are warning that there has been an outbreak of the Cabir mobile phone virus at the World Athletic Championships at Helsinki's Olympic Stadium. In order for a phone to become infected, users must accept a download. Cabir uses Bluetooth to spread from phone to phone; the virus can spread at Bluetooth coverage distances of up to 10 meters, which is significant in close quarters like a stadium.-http://www.networkworld.com/news/2005/081505-mobile-viruses.html?fsrc=netflash-r
ss
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39213100-39020375t-10000025c
-http://www.theregister.co.uk/2005/08/12/cabir_stadium_outbreak/print.html
Gaim Upgrade Addresses Buffer Overflow Flaw (12 August 2005)
Users of the Gaim cross-platform instant messaging client should upgrade to version 1.5.0, which was released on August 11, 2005. A buffer overflow flaw in earlier versions of Gaim could be exploited to crash the client and potentially run malicious code.-http://news.zdnet.co.uk/software/applications/0,39020384,39212978,00.htm
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4199
Symantec Issues Patches for Veritas Backup Exec Remote Agent Flaw (15/12 August 2005)
Symantec has released patches for a vulnerability in Veritas Backup Exec Remote Agent for Windows Servers. The flaw exists because the agent uses hard-coded administrative authentication credentials; someone with knowledge of the credentials and access to the remote agent could access files on vulnerable systems. Exploit code for the flaw is available; reports of increased scanning on port 10000/tcp could indicate "attempts to locate vulnerable systems." Affected versions of Backup Exec for Windows Server include 8.x, 9.0, 9.1 and 10.0.-http://www.computerworld.com/printthis/2005/0,4814,103941,00.html
-http://www.pcworld.com/news/article/0,aid,122215,00.asp
-http://www.us-cert.gov/cas/techalerts/TA05-224A.html
Verizon Fixes Flaw that Put Customer Data at Risk For Exposure (12 August 2005)
Verizon has fixed a flaw that allowed Verizon Wireless customers who had opted for on-line billing services to view the details of other customers' accounts. The information that could have been exposed includes cell phone model numbers and account numbers as well as the number of minutes used and the number of free minutes remaining that month. The vulnerability may have been present for as long as five years, though there is no evidence that anyone has exploited it with malicious intent.-http://www.siliconvalley.com/mld/siliconvalley/business/technology/12367199.htm?
template=contentModules/printstory.jsp
[Editor's Note (Ranum): This is being over-hyped. Who cares if someone can find out what cell phone type I've got? Calling this a vulnerability is stretching things a bit... ]
Microsoft Releases August Security Updates; Fixes Corrupt IE Patch (12/11/9 August 2005)
Microsoft's monthly security release for August included six bulletins, three of which address critical security issues. One of the bulletins, MS05-038, addresses three flaws in Internet Explorer; of those the most concerning of which is a problem in the way it handles JPEG images; a maliciously crafted image could allow an attacker to take control of a computer when the user simply views the image. The vulnerability could be exploited to install Trojan horse programs, spyware or other malicious code. The other IE flaws could also be exploited to gain control of vulnerable computers. An initial release of MS05-038 was corrupt; Microsoft pulled the problematic patch within hours of its release and had a new one ready the next day.-http://www.networkworld.com/news/2005/081205-microsoft-bugs.html?fsrc=rss-securi
ty
-http://news.zdnet.com/2102-1009_22-5825669.html?tag=printthis
-http://news.com.com/2102-1002_3-5829102.html?tag=st.util.print
Security Update for IE:
-http://www.microsoft.com/technet/security/Bulletin/MS05-038.mspx
Links to all August 2005 Security Bulletins:
-http://www.microsoft.com/technet/security/bulletin/ms05-aug.mspx
MISCELLANEOUS
Australians' Data Offered for Sale; Television Program Addresses Cyber Threats (15 August 2005)
The Australian Broadcasting Corporation's Four Corners television program says it was offered personal data on 1,000 Australians. The information was believed to have been taken from a call center in India. The data include names, addresses, Medicare and ATM numbers as well as passport information. Four Corners was able to verify that the information belongs to real people; one person whose data were included in the batch says he was asked for his passport number during a phone call from a telemarketer in India.-http://australianit.news.com.au/articles/0,7204,16265416%5E15331%5E%5Enbv%5E1530
6%2D15318,00.html
-http://www.abc.net.au/4corners/content/2005/s1435556.htm
George Mason University Researchers Receive NSF Grant to Develop VoIP Prototype Surveillance Tool (9 August 2005)
The National Science Foundation is funding the development of a tool that can be used to detect when people under law enforcement surveillance use Voice over Internet Protocol (VoIP) to communicate. The technique, which is being developed by researchers at George Mason University, involves embedding a digital watermark into the packet flow and making slight adjustments to the timing of certain packets. A paper on the research is due to be delivered at a security conference in November. The technique tries to determine the identities of those communicating via VoIP, but does not try to gather the content of their conversations.-http://news.zdnet.com/2102-1009_22-5825932.html?tag=printthis
Honeymonkey Project Finds Zero-Day Exploit (9 August 2005)
The Honeymonkey projects uses unpatched Windows XP clients to surf the web and be exploited by malicious web sites. In a recently released paper, the project said that it found more than 750 web pages containing programs that try to install code on visitors' machines without any action from the user. The project is part of Microsoft's efforts to detect security threats before they become widespread. Each address found to contain malicious programs is visited by Windows XP clients with various levels of patching to see how strong the exploit is. In July 2005, the project found a zero-day exploit - an exploit for an undisclosed vulnerability. The project found that the sites tend to share these zero-day exploits among themselves, so the project could prove especially helpful in detecting these and get patches out more quickly.-http://www.securityfocus.com/news/11273
Correction:
In last week's NewsBites, we misidentified a school that had suffered a
computer security breach; the school is the University of North Texas.
We regret the error and apologize for any confusion it may have caused.
https://www.securityid.unt.edu/
Letter to the Editor
Dear SANS Newsbites Editorial Board,
In Issue #32 (Aug. 10th 2005), a new section appeared in the newsletter
specifically related to University break-ins. It was prefaced by an
editorial opinion that indicated the necessity for universities to focus
more on security of their own systems. For those institutions who
suffer these break-ins and spend tens of thousands of dollars in
notification and cleanup, to suggest or believe that these schools are
not spending time or energy in securing these systems is naive and
unrealistic.
Many of these schools are complex and most security implementations
typically used at a corporate or government level don't fit a university
model because a broader range of network activities is permitted on
university networks, in large part due to a much more limited set of
policies and controls compared to government and commercial entities.
Many times, the tools to secure these environments don't exist and
changing the culture in these heterogeneous environments to one which
promotes secure computing is very difficult.
Our overall approach to our networking is about promoting research and
information sharing and our security architecture needs to take that
into account. Many schools uphold the concept of the 'End-to-End'
nature of the original Internet for both research and communication of
ideas. These ideas on full connectivity have merit and cannot be
dismissed because the nature of faculty research or inter-university
collaboration might rely on unfettered access to the Internet. The
concept of a DMZ is not feasible for many schools compared to many in
government and business which cannot live without one.
Also, many of these disclosures are on the part of schools which are
subject to federal or state disclosure laws because of their students
and former alumni who live in a wide geographic area. Many disclose
breaches not because they know data was lost, but because it may have
been lost and it is to the benefit of students, staff, and alumni that
they are informed of any breach. In similar situations where
stakeholders live all over the world like credit card companies,
information clearing houses, and insurance agencies, there have been
just as many disclosures based on similar incidents. At the end of the
day, the open disclosures of these incidents are beneficial to both the
communities that these universities support as well as the community at
large. When a school discloses that a major system break-in occurred,
it often comes with a description of how, which helps other schools and
corporations identify their own security soft spots.
Although Mr. Pescatore's opinion is his own, it is unfair and misleading
to use such a preface to single out higher education institutions,
especially following high profile exposures at major financial
institutions and corporations. There is no corresponding sweeping
declaration prefacing a "corporate compromises" section. Basic server
management is the most easily solvable portion of the problem and is
handled at every higher education institution, large corporation, and
government office to the best of their ability and break-ins still
happen. In the future, we ask that university break-ins not be singled
out, but just included in a section about information disclosures from
any organization. We also ask the editors to bear in mind that higher
education has had its mind on security problems for a long time, but the
solutions to these problems take equally as long to solve and no one
solution works for everyone.
It is also incorrect to say that copyright infringement notices are the
driving force behind university security. Copyright infringement and
security are two different issues, sometimes requiring entirely
different full time employee staffers. The requirements for validating
and responding to DMCA notices means validating network involvement,
tracking students, contacting and informing them on each issue, and
notification of the notifying organization of the resolution or passing
the issue on to university legal counsel. True university security
efforts happen on two fronts, policy and education of issues relating
to proper data handling, and the more technical aspects of detection,
analysis, and basic administration. Security in these areas is driven
by specific needs of each department or of the school and usually has
very little overlap to copyright infringement notices.
As members of the academic security community, we thank you for your
time and efforts at SANS, and will continue to work in the best manner
possible to ensure the security of our campuses while the freedom to
learn and collaborate lives on.
Thank You,
This letter expresses the opinions of the undersigned, and does not
necessarily reflect those of the respective institutions.
Jason Alexander, Sr. Security Analyst, University of Iowa
Josh Ballard, Network Security Specialist, Kansas State University
Phillip Deneault, Network Security Officer, Worcester Polytechnic Institute
David Escalante, Director of Computer Policy & Security, Boston College
Harry Hoffman, Network Security Analyst, Drexel University
Huba Leidenfrost, IT Security Analyst, University of Idaho
Ellen Mitchell, Chief Security Analyst, Texas A&M University
Eric Pancer; Security Analyst; DePaul University
Addam Schroll, IT Security Analyst, Purdue University
Alex Tirdil, Network Control Specialist, Salisbury University
Wes Young, Network Security Analyst, University at Buffalo
SANS would like your comments on this letter. Send them to
paller@sans.org
===end===
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan
Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier,
Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
