SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #37
September 14, 2005
Today is the early registration deadline for SANS Network Security 2005 October 24-30 in Los Angeles. If you need a short extension, contact registration@sans.org. Program details: http://www.sans.org/ns2005 and for SANS security and audit training in twenty other cities around the world: http://www.sans.org
Alan
TOP OF THE NEWS
UK Government Launches IT Security Product Quality Award Scheme
Microsoft Pulls September Security Update for Additional Testing
New Data Protection Law Likely to Spur IT Security Spending at Japanese SMBs
Proposed EU Data Retention Law Rankles ISPs, Telcos and Privacy Activists
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Indian Call Center Employee Arrested for Alleged Data Theft
Two Reach Deals with Federal Prosecutors in DDoS-For-Hire Case
Former Student Sentenced for University Computer Intrusion and Data Theft
Consultant Arrested for Alleged eMail System Break-In
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
US Coast Guard IT Capabilities in Gulf Coast Largely Restored
SPAM & PHISHING
Ireland's First Spam Conviction
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Patch is Available for Firefox Buffer Overflow Flaw
Cisco Releases Fixes for IOS Flaw
Microsoft Looking Into Buffer Overflow Flaw in IE and Outlook
Symantec Releases Patch for AntiVirus Corporate Edition Vulnerability
ATTACKS & INTRUSIONS & DATA THEFT
Radford University Bolsters Security Following Intrusion
STATISTICS, STUDIES & SURVEYS
Forrester On-Line Banking Survey
Study: Level of On-Line Banking in US at a Standstill
MISCELLANEOUS
Hurricane Katrina Task Force to Tackle Fraud
Dutch ISPs and Telecoms to Sue Government for Wiretap Costs
RSS Feed Support in IE 7.0 Could Present New Attack Vector
Microsoft Expects to Have Law Enforcement Portal Up by November
******************** Sponsored by NetIQ *******************************
Sarbanes-Oxley Whitepaper from NetIQ
Get the best practices you need to meet Sarbanes-Oxley requirements with the whitepaper, "Meeting Sarbanes-Oxley IT Control Requirements with NetIQ." You'll learn how to reduce your time and effort spent auditing, reporting on, and controlling areas such as policies, file access rights, provisioning and change control.
Download this FREE whitepaper now. http://www.netiq.com/f/form/form.asp?id=2529&origin=NS_SANSNS_091405
***********************************************************************
Sponsored Links:
1) Latest Hacker Target: Critical Web Applications - White Paper From SPI Dynamics http://www.sans.org/info.php?id=864
2) Earn your Master's degree in Information Security from an NSA - recognized online program. http://www.sans.org/info.php?id=865
3) Need help selecting an SSL VPN solution ideal for your environment? Download security analyst Mark Bourchard's latest buyer's guide. http://www.sans.org/info.php?id=866
************************************************************************
TOP OF THE NEWS
UK Government Launches IT Security Product Quality Award Scheme (9 September 2005)
The Central Sponsor for Information Assurance (CSIA) Claims Tested Mark scheme is the UK government's newly launched system to let organizations know which off-the-shelf IT security products have met government-approved standards. The program has been in pilot phase for one year and "went live" on September 8, 2005; certifications have already been awarded to three products.
-http://www.theregister.co.uk/2005/09/09/it_security_kitemark/print.html
-http://www.cabinetoffice.gov.uk/csia/claims_tested_mark/index.asp
[Editor's Note (Pescatore): There are a lot of flaws in this scheme. Common Criteria certification has been of limited use in determining the actual security of products, but at least the certification was standardized and would be recognized across many countries. This testing will only apply in the UK. Product vendors will prepare the claims documents against which the product will be tested, so only really stupid vendors will see their products fail. Crypto won't be tested at all, and overall the limited scope of the testing means it won't go much deeper than the better magazine tests, such as Network Computing does.
(Tan): While I applaud the intent, I worry about the false sense of security it may be creating. Testing only what a vendor claims does not ensure the products are secure. In many cases, vendors may just use it as a marketing gimmick to fool unsophisticated users into buying a product that the "British Government has certified."
(Schmidt): While I applaud this effort it is important to include secure coding as part of the criteria or it will not solve the bigger problem of vulnerabilities due to coding errors.]
Microsoft Pulls September Security Update for Additional Testing (9 September 2005)
Microsoft has decided not to release a security update that was scheduled for release on Tuesday, September 13; it was to have been the only bulletin in the company's September security release. Microsoft made the decision after discovering that the update requires more testing before it is released to the public. The update was given a critical rating in the September 8 advance notification.
-http://news.zdnet.com/2102-1009_22-5857338.html?tag=printthis
-http://www.microsoft.com/technet/security/bulletin/advance.mspx
Internet Storm Center Commentary:
-http://isc.sans.org/diary.php?date=2005-09-09
New Data Protection Law Likely to Spur IT Security Spending at Japanese SMBs (9 September 2005)
Small and medium sized businesses in Japan are likely to increase their IT security spending to comply with the country's Personal Information Protection Law, which took effect April 1, 2005. The law requires organizations holding personal information of 5,000 or more people to take certain precautions to protect those data; failing to protect the data could result in stiff penalties. AMI-Partners predicts that small and medium businesses in Japan will spend US$824 million on IT security in 2005; that figure is expected to grow to US$1.5 billion in 2009.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39253182-39000005c
Proposed EU Data Retention Law Rankles ISPs, Telcos and Privacy Activists
The European Union is considering legislation that would require ISPs and telecoms to retain traffic and phone call data for between one and three years. Mobile phone companies and ISPs are unhappy with the requirements in the proposed law, which places a significant financial burden on their shoulders. In addition, the Open Rights Group says that the proposal might breach the European Convention on Human Rights.
-http://www.theregister.co.uk/2005/09/09/clarke_under_fire/print.html
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Indian Call Center Employee Arrested for Alleged Data Theft (8 September 2005)
Police in India have arrested a man who worked at the Saffron Global call center for allegedly stealing customer data. Company officials say the man was discovered copying data onto a CD; they then alerted police. The suspect was booked under the Information Technology Act and the Indian Penal Code and has been placed in judicial custody for 14 days.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39253172-39000005c
[Editor's Note (Schmidt): I do not see why this is making news; it happens in places more than just India or even overseas, so why is it being reported as something significant? The insider threat has been with us for a long time and will continue to be an issue for many more years. The fact that it was discovered indicates that someone was paying attention and caught this AND reported it.
(Shpantzer): This is a case of insider threat, similar to the AOL employee who sold email lists to spammers, for example. The main issue that makes this newsworthy is the fact that it's more complicated (if not impossible) to prosecute someone on foreign soil for this type of thing, depending on the location of the crime. India's authorities must surely understand that confidence in their digital justice system is directly related to the amount of business they can outsource, which brings in billions in revenue every year. Many countries have no laws in place addressing digital crime and if they do they have virtually no resources to bring to bear in a prosecution, not to mention extradition treaties etc. ]
Two Reach Deals with Federal Prosecutors in DDoS-For-Hire Case (8 September 2005)
Richard Roby and Paul Ashley have both reached deals with federal prosecutors regarding their roles in a series of distributed denial of service (DDoS) attacks that Jay Echouafni, a satellite TV businessman, paid to have launched against his competitors. Mr. Roby pleaded guilty in an Ohio federal court to intentionally damaging a protected computer. Mr. Ashley, who has not yet entered a guilty plea, admitted to recruiting people to launch attacks for Mr. Echouafni. Mr. Ashley is the former operator of the Foonet hosting service, which boasted hosting that could withstand DDoS attacks. Mr. Echouafni is a fugitive from a federal indictment; he skipped out on US$750,000 bail and is believed to be in Morocco.
-http://www.wired.com/news/print/0,1294,68800,00.html
Former Student Sentenced for University Computer Intrusion and Data Theft (7 September 2005)
Christopher Andrew Phillips, formerly a student at the University of Texas at Austin, has been sentenced to five years of probation for breaking into the school's computer system and stealing people's personal data, including Social Security numbers. In addition, Mr. Phillips has been ordered to pay more than US$170,000 in restitution to the university. Mr. Phillips is prohibited from accessing the Internet except with the approval and supervision of his parole officer, and even then may use it only for school and work.
-http://www.chron.com/cs/CDA/ssistory.mpl/metropolitan/3342919
-http://www.technologynewsdaily.com/node/1381
[Editor's Note (Schultz): Here we go again: someone who commits an egregious computer crime gets off without any jail time. What good are laws against computer crime if sentences that are given are so lenient?
(Ranum): I am noticing an up-trend in sentencing for computer crimes. Several years ago, he would have gotten a slap on the wrist and a year's probation, written a book, and become a keynote speaker for conferences. Inevitably, societies get tired of people causing the same kind of problems over and over and the "cute factor" begins to wear thin. ]
Consultant Arrested for Alleged eMail System Break-In (1 September 2005)
Computer networking consultant Brooks M. Roy has been arrested and charged with computer trespass, criminal use of a communication facility and unlawful use of computers. Mr. Roy allegedly broke into the South Side Beaver School District's email system, which he helped design and install, to look at a competitor's bids. The school district's technology coordinator noticed that "someone had logged into the district's email server and accessed his email without authorization." Mr. Roy was reportedly tracked down through his IP address.
-http://pittsburghlive.com/x/tribune-review/trib/pittsburgh/s_369618.html
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
US Coast Guard IT Capabilities in Gulf Coast Largely Restored (6 September 2005)
Most of the US Coast Guard's Gulf Coast IT systems, which were disabled by Hurricane Katrina, have now been restored. With the exception of a Coast Guard Data Network hub in New Orleans, systems along the Gulf Coast are "up and running, and most are up to pre-Katrina status."
-http://www.fcw.com/article90676-09-06-05-Web&RSS=yes
SPAM & PHISHING
Ireland's First Spam Conviction (7 September 2005)
Ireland has seen its first conviction under its new anti-spam law; a company called 4's A Fortune Limited was found guilty of sending unsolicited commercial messages to five mobile telephones. The company actually made 165,000 calls, but only five complaints were registered. The law under which 4's A was found guilty took force in November 2003. 4's A was fined 300 Euros for each call and ordered to pay court costs of 1,000 Euros. The law allows fines of as much as 3,000 Euros per message sent. There is presently no provision for jail time in spam cases in Irish law, but that may change in the future.
-http://www.theregister.co.uk/2005/09/07/irish_spam_conviction/print.html
[Editor's Note (Shpantzer): We need to go after the people who finance the spammers. The reason there's so much spam is because there's so much money being made by companies who use spammers as cutouts for their marketing departments. "He did point out that another offence - that of causing an email to be sent - could be applied to a company that paid for an email promotion if someone can be shown to profit from the spam." ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Patch is Available for Firefox Buffer Overflow Flaw (10/9 September 2005)
A buffer overflow flaw in all versions of Firefox could allow remote code execution on vulnerable computers. An advisory and proof-of-concept have been posted; Mozilla is displeased that the flaw was disclosed before they were given the opportunity to create a fix for the problem; they have now posted both a patch and a workaround.
-http://news.com.com/2102-1002_3-5856201.html?tag=st.util.print
-http://www.computerworld.com/printthis/2005/0,4814,104552,00.html
-https://addons.mozilla.org/messages/307259.html
Internet Storm Center Commentary:
-http://isc.sans.org/diary.php?date=2005-09-10
-http://www.incidents.org/diary.php?date=2005-09-09
[Editor's Note (Schultz): Mozilla is whining and complaining, but there is another side to this story. I have talked to Tom Ferris, the security researcher who discovered and reported this vulnerability. Among other things, he told me that Mozilla acted in a less than professional manner when he reported this vulnerability to them. Readers should see
-http://news.com.com/Unpatched+Firefox+flaw+may+expose+users/2100-1002_3-5856201.html?tag=cd.top
(Tan): Netscape has the same vulnerability. See:
-http://incidents.org/diary.php?date=2005-09-10
-http://secunia.com/advisories/16766/]
Cisco Releases Fixes for IOS Flaw (8 September 2005)
Cisco Systems has released fixes for a vulnerability in its Internetwork Operating System. The warning has prompted several security vendors to elevate the flaw's threat level. The flaw could be exploited to crash systems or for remote code execution. The vulnerability exists in devices running 12.2ZH and 12.2ZL as well as 12.3, 12.3T, 12.4 and 12.4T if the firewall authentication proxy for FTP and Telnet sessions is in use.
-http://www.forbes.com/technology/2005/09/08/cisco-security-flaw-cx_vnu_0908cisco.html
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1122996,00.html
Cisco advisory:
-http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml
Microsoft Looking Into Buffer Overflow Flaw in IE and Outlook (8/7 September 2005)
Microsoft is investigating a report of a buffer overflow in Outlook and Internet Explorer that could allow attackers to execute malicious code on vulnerable systems. The affected products are default installations of Outlook, Outlook Express and Internet Explorer on Windows 2000 and XP SP1. Microsoft expects to release a fix for the flaw soon, and says it is not aware of any exploit code for the vulnerability.
-http://www.vnunet.com/vnunet/news/2142042/unpatched-bugs-ms-outlook
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4353
Symantec Releases Patch for AntiVirus Corporate Edition Vulnerability (6 September 2005)
Symantec has released a patch for a vulnerability in version 9 of its AntiVirus Corporate Edition. The problem lies in the LiveUpdate client that comes with the product; after it receives the updates, it stores transaction data, including the server login name and the administrative password, in clear text in a log file that is accessible to all system users. Symantec also advised customers to create unique usernames and passwords for LiveUpdate.
-http://www.pcworld.com/news/article/0,aid,122420,00.asp
-http://securityresponse.symantec.com/avcenter/security/Content/2005.09.02.html
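The failure mode in the Symantec item is a general one: a component writes credentials into a log that is readable by every local user. The script below is an added example, not code from the newsletter or from Symantec's advisory, showing the kind of audit a defender can run on a host: for each log file it checks whether the file is world-readable and whether any line looks like it carries a password. The log lines, file names and regular expressions are constructed for the example and do not reflect LiveUpdate's actual log format.

```python
import os
import re
import stat
import tempfile

# Constructed heuristics for lines that look like they carry a password.
# Real log formats vary; extend this list for the products you audit.
CREDENTIAL_PATTERNS = [
    re.compile(r"\bpassword\s*[=:]\s*\S+", re.IGNORECASE),
    re.compile(r"\bpasswd\s*[=:]\s*\S+", re.IGNORECASE),
    re.compile(r"\bpwd\s*[=:]\s*\S+", re.IGNORECASE),
]


def is_world_readable(path):
    """True if the 'other' read bit is set on the file's mode."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def credential_lines(path):
    """Return (line_number, line) pairs that match a credential pattern."""
    hits = []
    with open(path, "r", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if any(p.search(line) for p in CREDENTIAL_PATTERNS):
                hits.append((lineno, line.rstrip("\n")))
    return hits


def audit_logs(paths):
    """Report every file that contains credential-looking lines, noting
    whether the file is also world-readable (the worst combination)."""
    findings = []
    for path in paths:
        hits = credential_lines(path)
        if hits:
            findings.append({
                "path": path,
                "world_readable": is_world_readable(path),
                "hits": hits,
            })
    return findings


def demo():
    """Build two constructed log files in a temp dir and audit them.
    update.log leaks a password and is mode 0644 (world-readable);
    app.log logs the login without the secret and is mode 0600."""
    workdir = tempfile.mkdtemp()
    leaky = os.path.join(workdir, "update.log")
    with open(leaky, "w") as fh:
        fh.write("2005-09-02 10:00:01 connect server=updates.example.invalid\n")
        fh.write("2005-09-02 10:00:01 login user=liveupdate password=Hunter2!\n")
        fh.write("2005-09-02 10:00:05 transfer complete\n")
    os.chmod(leaky, 0o644)

    clean = os.path.join(workdir, "app.log")
    with open(clean, "w") as fh:
        fh.write("2005-09-02 10:01:00 login user=liveupdate (credentials not logged)\n")
    os.chmod(clean, 0o600)

    return audit_logs([leaky, clean])


if __name__ == "__main__":
    for finding in demo():
        flag = "WORLD-READABLE" if finding["world_readable"] else "restricted"
        print(f"{finding['path']} [{flag}]")
        for lineno, line in finding["hits"]:
            print(f"  line {lineno}: {line}")
```

Only the constructed update.log is reported, and it is flagged as world-readable. In practice the fix is twofold, matching Symantec's advice: stop the component from logging the secret at all, and rotate the credential that has already been exposed; tightening the file mode alone leaves the old password in any copies or backups of the log.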
ATTACKS & INTRUSIONS & DATA THEFT
Radford University Bolsters Security Following Intrusion (7 September 2005)
In early June 2005, someone broke into the Radford University computer system and tried to install tools in a database that contained student and faculty names and Social Security numbers. The server was taken off line immediately after the intrusion was discovered. An outside consultant traced the attack to Germany; the perpetrator was apparently looking for servers on which to store pirated movie files. The university has taken steps to tighten the security of its computer systems including establishing a full-time staff position of network security officer, purchasing intrusion detection software and implementing mandatory software updates and anti-virus protection and clean access procedures.
-http://www.thetartan.com/vnews/display.v/ART/2005/09/07/431f26220fca1
[Editor's Note (Schneier): Security is always an ongoing battle between attacker and defender. X attacks the network and Y strengthens it is an old, old story that will never change.
(Pescatore): Back in the caveman era, the Neanderthal News ran an article "Cavepeople Carl and Carole Bolster Security Following Intrusion." I'm pretty sure the Jetson Journal in the year 2929 will report "George and Judy Jetson Bolster Security Following Intrusion." This type of "it is not raining/the roof isn't leaking/why fix it now/don't worry/be happy" haiku is pretty well engraved in human nature. If you are not lucky enough to work somewhere with a more proactive philosophy, using these accounts of other people's woes can help convince management that "this could be us." ]
STATISTICS, STUDIES & SURVEYS
Forrester On-Line Banking Survey (7 September 2005)
Forrester Research surveyed 11,300 Internet users in the UK about on-line banking. Extrapolating from the data they gathered, Forrester estimated that 600,000 of 15 million UK Internet users have stopped using on-line banking due to security concerns. Forrester recommends that banks improve customer education regarding on-line fraud and use stronger authentication for on-line transactions. An additional one-fifth of the people surveyed said they would never use Internet banking at all.
-http://www.theregister.co.uk/2005/09/07/forrester_ebanking_survey/print.html
Study: Level of On-Line Banking in US at a Standstill (6 September 2005)
An Ipsos Insight survey of 1,000 US Internet users found that 39 percent use on-line banking; Internet banking has stalled out at that level in the 12-month period ending in August 2005. Nearly 83 percent of the people surveyed said they were concerned about the possibility of phishers or other attackers stealing their personal information and about the possibility that banks would sell their information to third parties. Ipsos Insight senior VP Doug Cottings says that if the banking industry wants to see on-line banking levels grow, they should communicate to their customers the efforts they are making to protect their personal data.
-http://news.com.com/2102-1038_3-5851061.html?tag=st.util.print
[Editor's Note (Tan): The heartening news that can be derived from the survey is that people are more aware of phishing, fraud and other security threats. But avoiding the net is not a good solution. Instead they should be educated on how to better protect themselves. ]
MISCELLANEOUS
Hurricane Katrina Task Force to Tackle Fraud (9 September 2005)
Dutch ISPs and Telecoms to Sue Government for Wiretap Costs (9/6 September 2005)
Dutch Internet Service Providers (ISPs) and telecom operators plan to sue their government for the cost of installing wiretaps on their networks. The Dutch Telecommunications Act of 1998 requires wiretapping capabilities; Xs4all, an ISP, spent 500,000 Euros to bring its systems into compliance with the law. The Dutch government recently lowered the reimbursement for wiretap orders to 13 Euros per tap.
-http://www.theregister.co.uk/2005/09/06/dutch_wiretapping/print.html
[Editor's Note (Shpantzer): We went through this cycle in the 90's with the FBI's administration of CALEA and the telecoms were not happy being stuck with the bill.
-http://www.askcalea.net/
is a good resource for learning about this program, and
-http://www.askcalea.net/cost.html
for the scale of the spending involved. ]
RSS Feed Support in IE 7.0 Could Present New Attack Vector (7 September 2005)
Because Microsoft's forthcoming Internet Explorer 7.0 will support RSS feeds, the technology will become ubiquitous, presenting a new vector of attack for cyber criminals. RSS has not been the target of attacks largely because there is presently no prevalent reader application. Because RSS feeds are automated, even if a phony site is discovered and taken down, malicious content may already have been downloaded to unsuspecting subscribers' computers. RSS feeds do, however, use port 80, for which there are already a number of security tools.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1121852,00.html
Microsoft Expects to Have Law Enforcement Portal Up by November (31 August 2005)
Microsoft plans to have a portal to help law enforcement perform cyber investigations up and running by November 2005. The site will have on-line training in basic cyber forensic skills, tools and details on recent legislation pertinent to cyber crime. There will also be contact information for people within Microsoft who are equipped to respond to law enforcement requests for help. Access to the web site will be limited to law enforcement officials.
-http://news.com.com/2102-7348_3-5845205.html?tag=st.util.print
===end===
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan
Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier,
Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/