SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VII - Issue #39

September 27, 2005

Our European subscriber base crossed 25,000 this week, and we are
overdue to improve our coverage of European security initiatives and
events. So, just as Koon Yaw Tan from Singapore has provided pointers
to Asian security stories, we seek a new editorial board member who can
help us keep up with the leadership role the British are playing in
global cyber security and other news about cybersecurity and privacy
throughout Europe, and comment on the news from time to time with a
European perspective.

If you want to volunteer, we'd love to meet you at SANS Europe in
Amsterdam (November 7-12). This is a great technical security training
conference bringing together experts from more than 12 countries. It
will be a good chance to talk and perhaps establish SANS European
special interest groups where there is high concentration of security
technical talent. Email paller@sans.org if you have special
qualifications. More data on SANS Europe:
http://www.sans.org/europe2005/

Also this week marks a change in NewsBites to two issues per week
(Tuesday and Friday) so that stories are more up-to-date and so the
issues can be read more quickly. (Shorter issues will start on Friday;
this issue covers nearly a week).

Alan

---

TOP OF THE NEWS

Judge Says Visa and MasterCard Do Not Have to Inform Card Holders of Security Breach, For Now
Appellate Court Upholds Ruling Against Unsolicited Text Messaging
Authors Sue Google for Copyright Infringement
Average Number of Bots Doubles in Six Months; DoS Attacks Approach 1,000 a Day

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
GAO Report Says FAA Still has Cyber Security Problems to Address
South Korean Government Halts On-line Document Service to Fix Security Holes
SPAM & PHISHING
Phishing Attack Targets Yahoo Photos Users
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
UK Trade Group Releases Peer-to-Peer Detection Tool
Musician Posts Instructions for Circumventing His CD's DRM
Microsoft Files Lawsuits Against Alleged Software Pirates
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Mozilla Releases Updated Versions of Firefox and Mozilla Suite; Exploit Code for IDN Flaw Circulating on Internet
Cardtrap.A Trojan Tries to Jump from Phones to PCs
More Disclosed Vulnerabilities in Mozilla Browsers than in IE During First Half of 2005
ATTACKS & INTRUSIONS & DATA THEFT
UK ISP Apologizes for Data Leak
STANDARDS & BEST PRACTICES
US Credit Bureaus to Adopt Common Encryption Standard
MISCELLANEOUS
Common Malware Enumeration Initiative to be Launched in October
BREAK-IN LOG
Information Stolen from Berkeley Graduate Students
Hacker Breaks into Radford University Database to Store Movies
Ex-Student Sentenced for Computer Hacking
America Under CyberAttack from China

---

****************** SPONSORED BY SANS Network Security 2005 ********************

Los Angeles, CA October 24-30. Sixteen immersion training tracks and many special short courses on the hottest technologies (wireless) and techniques used by attackers. Special programs for auditors and security managers along with a huge offering for security professionals. Plus a big exposition and many evening sessions. A great conference.
Information: http://www.sans.org/ns2005/
Why people who care about security attend SANS training: "This training is like nothing else. No vendor-bias, no marketing spiel, just detailed theory and practice that will make a real, immediate difference to my job." Jon King, VANCO

*************************************************************************

---

TOP OF THE NEWS

Judge Says Visa and MasterCard Do Not Have to Inform Card Holders of Security Breach, For Now (23 September 2005)

A California judge has denied a request for a preliminary injunction against Visa and MasterCard, which asked that they notify people that the security of their personal information was compromised when cyber thieves broke into CardSystems Solutions. Visa and MasterCard maintained that their relationship is with the issuing banks, not the actual credit card customers. San Francisco Superior Court Judge Richard Kramer said the issue of adequate notice is at the heart of the case and needs more careful consideration, and "there is no showing of an immediate threat."
-http://news.com.com/2102-7350_3-5879179.html?tag=st.util.print

Appellate Court Upholds Ruling Against Unsolicited Text Messaging (21 September 2005)

A unanimous ruling from an Arizona appellate court upheld a ruling that said that the Telephone Consumer Protection Act of 1991, which prohibits the use of auto dialers to call cellular phones, also applies to unsolicited email text messages with advertisements. Rodney L. Joffe brought the original suit against Acacia Mortgage for sending unsolicited text messages to his cellular phone. The court of appeals rejected the mortgage company's claim that the decision violated the company's First Amendment right to free speech.
-http://www.wired.com/news/print/0,1294,68932,00.html
Ruling:
-http://www.cofad1.state.az.us/opinionfiles/CV/CV020701.pdf
[Editor's Note (Schultz): A legal precedent, namely that preventing organizations from bombarding people with unwanted mail is not a violation of the right to free speech, is being set in the U.S. This is the second ruling of this nature within the last several months. ]

Authors Sue Google for Copyright Infringement (21 September 2005)

The Authors Guild, which represents 8,000 authors in the US, has filed a lawsuit against Google for copyright infringement. As part of its Google Print for Libraries program, the company has been scanning selections from five US libraries to make the content available on its search index. Activity on the project was suspended in August, 2005.
-http://www.theregister.co.uk/2005/09/21/authors_sue_google/print.html
[Editor's Note (Schneier): We have here yet another case where the law hasn't caught up what would be a clear public good. It would be a shame if the project ended up stalled. ]

Average Number of Bots Doubles in Six Months; DoS Attacks Approach 1,000 a Day (20 September 2005)

Using data compiled from 24,000 network-monitoring sensors in 180 countries, Symantec noted an average of 10,352 bots on-line every day during the first six months of 2005. In December 2004, that number averaged 5,000 a day. In July 2004, the number of bots detected daily reached 30,000; that number dropped significantly with the August 2004 release of Windows XP SP2. In addition, the number of denial-of-service (DoS) attacks grew 680 percent over the first six months of this year to an average of 927 a day.
-http://www.washingtonpost.com/wp-dyn/content/article/2005/09/19/AR2005091901697.
html
[Editor's Note (Shpantzer): Ask your big pipe Internet providers about services to filter out some of the crud in these kinds of attacks. Also, some companies offer protection from DDoS as a managed service. For a great site by a DDoS researcher, I recommend David Dittrich's page:
-http://staff.washington.edu/dittrich/misc/ddos/]

---

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

GAO Report Says FAA Still has Cyber Security Problems to Address (26 September 2005)

According to a Government Accountability Office (GAO) report, the Federal Aviation Administration (FAA) needs to take further steps to protect its computer systems from attacks. Though the FAA has fixed some previously identified security weaknesses, the GAO recommends the agency address outdated security plans, inadequate security awareness training, and inadequate system testing and evaluation programs, and others. The FAA says that because many of their systems are custom built with proprietary interfaces and older equipment, the chances of an intrusion are slim.
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&
story.id=37127

[Editor's Note (Schneier): Relying on security through obscurity (proprietary interfaces and older equipment) is always a chancy proposition.
(Shpantzer): Security by obscurity may work for opportunistic threats but determined threats targeting a particular network love this model. As the report says on page one: "The proprietary features of these systems cannot fully protect them from attacks by disgruntled current or former employees who are familiar with these features, nor will they keep out more sophisticated hackers." ]

South Korean Government Halts On-line Document Service to Fix Security Holes (24 September 2005)

South Korea's Ministry of Government Information and Home Affairs has suspended the practice of issuing civil documents on-line after becoming aware of security holes in a system that allowed attackers to forge documents. The on-line service began in 2003 and has issued approximately 20,000 documents since that time. An Administration Ministry official estimated that it will take a month to establish the new security system.
-http://joongangdaily.joins.com/200509/23/200509232253101239900090609061.html

SPAM & PHISHING

Phishing Attack Targets Yahoo Photos Users (26 September 2005)

A new phishing attack targeting Yahoo Photos users arrives as an email or instant message that appears to come from someone they know, asking them to look at vacation or birthday party photos. A link in the message sends them to a phony site that collects login details, then forwards them to the real Yahoo Photos web site.
-http://www.computerworld.com/printthis/2005/0,4814,104946,00.html

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

UK Trade Group Releases Peer-to-Peer Detection Tool (22 September 2005)

The BPI, the UK record company trade association, has released a tool designed to detect and block or uninstall P2P software and attendant media files lurking on people's computers. The tool is called Digital File Check and was developed by the International Federation of the Phonographic Industry (IFPI). It is aimed at organizations and parents who may not be aware of what their employees and children have downloaded onto their computers. The BPI plans to send a brochure to IT managers at large UK companies warning them of the dangers of allowing employees to access P2P services while using computers at work.
-http://www.theregister.co.uk/2005/09/22/bpi_digital_file_check/
-http://www.bpi.co.uk/index.asp

Musician Posts Instructions for Circumventing His CD's DRM (21 September 2005)

Musician Tim Foreman posted instructions on his band's web site for disabling the digital rights management protection that comes on their lasted CD; he included a link to open source software that aids the process. Mr. Foreman is not aiming to help people pirate his music; instead, he wants to help his listeners overcome the limitations the DRM places on their ability to listen to their legitimately purchased music; some people reported having difficulty importing music from the CD to iTunes. Mr. Foreman's actions could be seen as a violation of the US Digital Millennium Copyright Act of 1998, or DMCA, which bans DRM circumvention.
-http://www.theregister.co.uk/2005/09/21/christian_rockers_drm_tips/print.html

Microsoft Files Lawsuits Against Alleged Software Pirates (20 September 2005)

Microsoft has filed lawsuits against eight companies for allegedly distributing pirated copies of its software. Microsoft became aware of the companies' activities through its Windows Genuine Advantage program, that requires users to validate Windows operating system before they are allowed to use Microsoft's download services, and from customer reports of suspected counterfeit software. Microsoft generally files such lawsuits only after the companies have been informed of what they are doing wrong and offered help to remedy the situation.
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4435
-http://www.zdnetasia.com/news/software/printfriendly.htm?AT=39255886-39000001c

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Mozilla Releases Updated Versions of Firefox and Mozilla Suite' Exploit Code for IDN Flaw Circulating on Internet (23/22/21 September 2005)

Firefox users are urged to download the recently released version 1.0.7, which fixes two critical security holes in the web browser. A buffer overflow flaw in the way earlier versions of Firefox handle International Domain Names could allow arbitrary code execution which could be exploited to take control of vulnerable machines. In addition, a flaw in the way earlier versions of Firefox handles Unix and Linux shell commands could allow unauthorized software to run on vulnerable machines. The Mozilla foundation plans to release an update for the Mozilla Suite browser by September 23. The flaw also affects Netscape but there is no fix available yet. Just days after the release of the Firefox update, exploit code for the IDN vulnerability was posted on the Internet.
-http://www.computerworld.com/printthis/2005/0,4814,104825,00.html
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4449
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39256904-39000005c
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39257515-39000005c
-http://www.mozilla.org/products/firefox/releases/1.0.7.html

Cardtrap.A Trojan Tries to Jump from Phones to PCs (22 September 2005)

The Cardtrap.A Trojan horse program, that attacks the operating system of Symbian mobile phones, tries to jump to PCs when users place infected phones' memory cards into their computers. Cardtrap pretends to be pirated software for mobile phones. Although it takes user interaction for the PC to become infected and fails to launch on several Windows operating systems, other, more potent and insidious worms could jump the gap between mobile devices and PCs in the future.
-http://news.com.com/2102-7349_3-5876664.html?tag=st.util.print
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4459

More Disclosed Vulnerabilities in Mozilla Browsers than in IE During First Half of 2005 (21/19 September 2005)

According to Symantec's latest Internet Security Threat Report, almost twice as many vulnerabilities were reported in Mozilla browsers as were publicly disclosed about Internet Explorer during the first half of 2005; of those, 72% of the Mozilla flaws and 62% of the IE flaws were given a high severity rating. Symantec says the data indicates that the validity of switching to Mozilla browsers from IE for security reasons is losing strength. The report also says that "Mac users may be operating under a false sense of security," calls OS X "an emerging target" and predicts an increase in attention paid to the operating system as its user base grows.
-http://www.securityfocus.com/news/11327
-http://www.theregister.co.uk/2005/09/19/symantec_threat_report/print.html
[Editor's Note (Grefer): It might also be worthwhile to note that Opera software released version 8.5, which fixes a few security concerns and finally has gone freeware; previously only paying customers were able to surf without the advertising bar. ]

ATTACKS & INTRUSIONS & DATA THEFT

UK ISP Apologizes for Data Leak (26 September 2005)

UK Internet Service Provider Tiscali has apologized after a scripting error allowed customers to view other customers' account details. Tiscali took the website in question offline while it fixed the problem. After logging into a web site, customers found that someone else's name and address were displayed; subsequent logins revealed different customers' data each time. The error did not expose any financial data.
-http://www.theregister.co.uk/2005/09/26/tiscali_data_security_flap/print.html

STANDARDS & BEST PRACTICES

US Credit Bureaus to Adopt Common Encryption Standard (23/21 September 2005)

The three major US credit reporting agencies plan to adopt a common encryption standard in order to better protect individuals' data. A recently released report indicates that three-quarters of all viruses/worms reported during the first six months of 2005 were created specifically to steal sensitive data. Security experts from Visa International and MasterCard say it is important to work together to thwart the data thieves; they are cooperating to fight fraud. Furthermore, the experts say that the cyber thieves are keeping pace with the companies' security developments; not only are the thieves getting smarter about what they do, but they are helped by lax security policies and third party processor non-compliance with established standards. The companies are looking into new ways of protecting customer data, but the effort will take a great deal of time and money.
-http://www.computerworld.com/printthis/2005/0,4814,104886,00.html
-http://www.computerworld.com/printthis/2005/0,4814,104810,00.html
[Editor's Note (Schultz): To say that this will take a considerable amount of effort is a huge understatement. It seems that every security countermeasure that involves cryptography takes a disproportionate amount of effort. In this case, however, it will be more than worth it. ]

MISCELLANEOUS

Common Malware Enumeration Initiative to be Launched in October (22 September 2005)

The Common Malware Enumeration (CME) initiative assigns a unique alpha-numeric identifier to each piece of identified malware; security and anti-virus companies can still use their own naming systems, but with the identifier, organizations will know which piece of malware they are dealing with. This could be especially helpful at organizations that use products from a variety of vendors, each of whom could give the malware a different name. The program has been in a test phase; the US Computer Emergency Readiness Team (US-CERT) plans to introduce it more broadly next month. The initiative's success will depend on voluntary industry participation.
-http://news.com.com/2102-7349_3-5876293.html?tag=st.util.print
[Editor's Note (Tan): Having a common dictionary is definitely useful for understanding malware information and events better. This is especially so when different antivirus vendors name a malware differently. Unlike CVE where the vulnerability is specific, malware may come in different variants. This could be tricky. ]

BREAK-IN LOG

This is a new service, compiled and edited by Barbara Rietveld, designed will serve as the security community's continuous log of reported cyber attacks and consequences. We'll include each quarter's log in NewsBites with the final issue of each quarter, and we'll post all of them at the www.sans.org. If you know of any reported attacks in late August or September of this year, that are not on the list, please send information about them to Barbara at brietveld@sans.org Other constructive comments about the log are also welcome.

Information Stolen from Berkeley Graduate Students (15 September 2005)

Personal data, including names, birthdates and Social Security numbers of nearly 100,000 individuals were on a laptop stolen from the University of California at Berkeley's Graduate Division in March 2005. When the computer was recovered, the hard drive had been erased and a new operating system installed.
-http://www.pcworld.com/resource/printable/article/0,aid,122576,00.asp
-http://www.theregister.co.uk/2005/09/16/berkeley_laptop_theft_arrest/print.html

Hacker Breaks into Radford University Database to Store Movies (7 September 2005)

Radford University student and faculty names and social security numbers stored on the university database were on the computer server broken into by an unknown hacker using a server located in Germany. The hacker was looking for space to store illegal movies.
-http://www.thetartan.com/vnews/display.v/ART/2005/09/07/431f26220fca1

Ex-Student Sentenced for Computer Hacking (6 September 2005)

Social Security numbers and other personal information from tens of thousands of people were stolen by a former University of Texas at Austin student. A federal jury found him guilty in June of damaging the university's computer system and illegally possessing almost 40,000 Social Security numbers.
-http://austin.bizjournals.com/austin/stories/2005/09/05/daily12.html

America Under CyberAttack from China (26 August 2005)

Information from computer networks in the US Defense Department and other agencies has been stolen, reportedly by attacks that used web sites in China as a staging ground. Officials were concerned that data pulled together from different agencies could become useful intelligence to an adversary.
-http://news.zdnet.co.uk/internet/security/0,39020375,39215173,00.htm

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan
Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier,
Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/