SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #4
January 26, 2005
With the HIPAA deadline only weeks away, the new guide to HIPAA Security Implementation is just in time, and it's excellent. See table of contents and sample pages at
https://store.sans.org/store_item.php?item=117
This year's Security Roadmap poster (380,000 were mailed out over the past three weeks) is completely new. The "Defense In Depth" side shows exactly what tools leaders in security are implementing to protect their organizations, and it helps you select short lists of tools that actually work. Gartner's John Pescatore helped us get the categories right. If you threw your copy away (thinking it was like last year) or someone "borrowed" yours, you can order more at
https://store.sans.org/store_category.php?category=merchandis
TOP OF THE NEWS
Treasury IG Says IRS Security Tracking is FlawedDOJ Nets First two P2P Copyright Theft Convictions
University of California at San Diego Computers Compromised Again
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCESWoman Charged with Illegally Accessing Ex's Game Account
Spanish Police Arrest Alleged Webcam Malware Author
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Liscouski's Departure from DHS Could Allow Elevated Role for NCSD Director
SPAM & PHISHING
Financial Services Hardest Hit by Phishers
Korea to Come Down Hard on Mobile Spammers
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
Two US Citizens on Trial for Piracy in China
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Microsoft Office Encryption Flaw
Gavno Trojan Horse Programs a Threat to Symbian-based Phones
"Evil Twin" Wireless Access Points
Oracle Releases First Quarterly Security Update
Microsoft Will Address DRM Issues in Windows Media Player
MISCELLANEOUS
US Considers Reviewing IBM/Levono Deal for National Security Risks
Korean Celebrities Take Legal Action Against Advertising Company, Reporters Over Leaked Document
eBay Sellers Offering eMail Addresses, Spam Tools
Looser Domain Transfer Rules Helped Panix.com Hijackers
******************** Sponsored by: AlterPoint ***************************
FREE eBook on Network Compliance & Security This eBook helps you plan for compliance at the network infrastructure level and walks you through the process step-by-step. Whether you have industry standards (GLBA, SOX), best practice guidelines (ITIL), or corporate security standards to meet, this is a must-have resource guide. You'll get valuable how-to tips on accomplishing compliance with new technology and techniques.
http://www.alterpoint.com/support/r?c=701300000000vDz
*************************************************************************
Featured Security Training Program
SANS Lone Star, Houston, TX March 10-16, 2005 Enjoy smaller classes and more time with the instructors. Three tracks for auditors, six for security professionals, plus three special courses on legal aspects of security.
http://www.sans.org/lonestar05/
*************************************************************************
TOP OF THE NEWS
Treasury IG Says IRS Security Tracking is Flawed (24/21 January 2005)
The Treasury Inspector General for Tax Administration says the Internal Revenue Service's system for tracking cyber security weaknesses is flawed which means that the information the agency has provided to both the Treasury Department and the Office of Management and Budget (OMB) regarding compliance with the Federal Information Security Management Act (FISMA) is inaccurate.-http://www.informationweek.com/showArticle.jhtml?articleID=57703333
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=34887
DOJ Nets First two P2P Copyright Theft Convictions (19 January 2005)
Two men arrested as a result of last summer's Operation Digital Gridlock have been convicted of copyright theft. William R. Towbridge and Michael Chicoine each pleaded guilty to one count of conspiracy to commit felony criminal copyright infringement which carries a maximum penalty of five years in prison, a US$250,000 fine and restitution to victims; sentencing is scheduled for April 29. The men are also required to destroy all copies of copyrighted software, games, music and movies and the equipment used to create them.-http://www.internetnews.com/xSP/print.php/3461501
University of California at San Diego Computers Compromised Again (18 January 2005)
For the third time in one year, computers containing information belonging to at University of California San Diego students and alumni have been breached. The university has been phasing out the use of Social Security numbers as identifiers, but these computers were among the last that still contained this data. While there is no evidence that the data has been used to steal identities, those whose personal information was compromised have been informed in compliance with California law. The intruder used the servers to store music and video files.-http://www.nbcsandiego.com/education/4103051/detail.html
-http://www.signonsandiego.com/news/education/20050118-9999-1m18hack.html
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Woman Charged with Illegally Accessing Ex's Game Account (20 January 2005)
A woman in Japan is being charged with illegally accessing for signing on to a former boyfriend's game account and deleting information. The man did not suffer financially as a result of her actions, which she admitted doing in retaliation for the breakup.-http://mdn.mainichi.co.jp/news/20050120p2a00m0dm012000c.html
[Editor's Note (Schneier): I'm not sure why this is even considered "news." It's the kind of petty annoyance that's all too common in bad breakups.
(Shpantzer): This victim should consider himself lucky. Many cyberstalking/cyberfraud victims are brushed off because of a lack of specialized investigative resources for cybercrimes. ]
Spanish Police Arrest Alleged Webcam Malware Author (19 January 2005)
Spanish police have arrested a computer programmer who allegedly wrote malware that allowed him to spy on people with webcams. The man, identified only by the initials J.A.S., allegedly distributed his creation over a peer-to-peer file-sharing network in the guise of a music or picture file. He also allegedly stole online banking passwords.-http://news.zdnet.com/2102-1009_22-5541974.html?tag=printthis
-http://www.computerworld.com/printthis/2005/0,4814,99034,00.html
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Liscouski's Departure from DHS Could Allow Elevated Role for NCSD Director (18/14 January 2005)
Robert Liscouski's resignation from his position of assistant secretary of the Information Analysis and Infrastructure Protection Directorate at DHS opens the door for the possibility of elevating the position of National Cyber Security Division director to that of assistant secretary for cyber-security. Liscouski had expressed reluctance to giving up those responsibilities. A number of other DHS officials have announced their resignations, including DHS chief security officer Jack Johnson and IAIP undersecretary Gen. Frank Libutti.-http://www.eweek.com/print_article2/0,2533,a=142731,00.asp
-http://www.fcw.com/fcw/articles/2005/0117/web-johnson-01-18-05.asp
SPAM & PHISHING
Financial Services Hardest Hit by Phishers (24 January 2005)
According to figures from the Anti-Phishing Working Group, there were 9,019 distinct new phishing attacks in December 2004, a 6% increase over the number recorded in November. The number of active phishing sites reported in December was 1,707. Eighty-five percent of the attacks in December targeted financial services institutions.-http://asia.cnet.com/news/security/printfriendly.htm?AT=39214571-39037064t-39000
005c
-http://www.vnunet.com/news/1160719
-http://antiphishing.org/APWG
Phishing Activity Report - December 2004.pdf
[Editor's Note (Pescatore): Just like with viruses, phishing is common enough now that statistics about numbers of incidents are pretty worthless. It's time now to focus on what percentage of financial institutions have taken steps to protect their customers. ]
Korea to Come Down Hard on Mobile Spammers (24 January 2005)
Korea's Ministry of Information and Communication (MIC) plans to crack down on mobile spammers by imposing higher fines and possibly interfering with their ability to conduct business. MIC has in the past never imposed fines of more than 10 million won (approximately US$9,700), though it has the authority to levy fines of up to 30 million won (approximately US$29,000) on spammers. The Ministry says it will also tell the country's mobile carriers to stop providing services to the spammers.-http://times.hankooki.com/lpage/tech/200501/kt2005012417141211800.htm
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
Two US Citizens on Trial for Piracy in China (18 January 2005)
Chinese authorities report that two US citizens are on trial for allegedly selling more than 180,000 counterfeit DVDs, valued at nearly US$1 million, on the Internet. Two Chinese accomplices are reportedly on trial as well. Randolph Hobson Guthrie and Abram Cody Thrush could face 15 years in prison if they are convicted. A verdict has not been reached in the case.-http://seattlepi.nwsource.com/printer/ap.asp?category=1310&slug=China%20US%2
0Piracy
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Microsoft Office Encryption Flaw (24 January 2005)
A flaw in the way encryption has been implemented in Microsoft Office applications could allow intruders to gain access to password encrypted files. The flaw could be exploited if an intruder is able to access two files with the same name that are protected with the same password. Microsoft plans to review the information regarding this vulnerability and if necessary address it in a future monthly security update. Bruce Schneier has written about the problem also.-http://asia.cnet.com/news/security/printfriendly.htm?AT=39214570-39037064t-39000
005c
-http://www.infoworld.com/article/05/01/19/HNmsofficeflaw_1.html
-http://www.schneier.com/blog/archives/2005/01/microsoft_rc4_f.html
Gavno Trojan Horse Programs a Threat to Symbian-based Phones (24 January 2005)
Proof-of-concept wireless phone Trojan horse programs, dubbed Gavno.a and Gavno.b, pretend to be patches in order to fool users into downloading them. The programs disable phones running the Symbian operating system, requiring users to reset them to factory settings. Gavno.b also includes the Cabir worm, which tries to send a copy of the Trojan to other phones using Bluetooth technology.-http://www.infoworld.com//article/05/01/24/HNmalwarekillssymbian_1.html
"Evil Twin" Wireless Access Points (24/20/19 January 2005)
Researchers at Cranfield University (UK) are warning that "evil twin" wireless access points could be used to intercept sensitive information such as passwords and user names. Attackers could jam legitimate access points and send a stronger wireless signal from a base station close to the client. Wireless users should make sure that the security measures on their devices are activated, and should be cautious about using wireless networks to transmit sensitive data. It is also recommended that personal firewalls are used. Security writer Wayne Rash offers advice on ensuring a secure hotspot experience.-http://asia.cnet.com/news/security/printfriendly.htm?AT=39214556-39037064t-39000
005c
-http://informationweek.com/story/showArticle.jhtml?articleID=57702643
Wayne Rash:
-http://www.securitypipeline.com/57702370
[Editor's Note (Pescatore): Using a cute new name like "Evil Twins" just causes confusion - this is just spoofing or a man in the middle attack. The hotspot industry does need to come up with a solution for spoofing for registered subscribers.
(Schneier): This is an interesting attack, and one that I suspect would be all too easy for even an experienced wireless user to get caught by, especially if he's using an unfamiliar wireless network.
(Shpantzer): This is an issue with the basic design of some wireless systems: The implicit trust that is given to the access point by the wireless endpoints. Some firmware in the wireless endpoints also looks for the strongest available signal and connects to it, again, without authenticating the access point as a legitimate source of connectivity.
(Guest Editor Joshua Wright): This weakness has been actively exploited by attackers since early 2003, commonly targeting hotspot wireless networks to steal password or other sensitive information. Organizations using mutual-authentication systems such as PEAP or EAP/TLS will mitigate this threat, since a client will identify the "twin" access point as a rogue device. ]
Oracle Releases First Quarterly Security Update (18 January 2005)
Oracle's first quarterly patch release contains fixes for 23 vulnerabilities in its database products; the flaws allow escalation of privileges, data exposure, denial-of-service and remote data manipulation. The advisory is being praised for its inclusion of a risk matrix that provides details about each flaw, including the privileges required to exploit the flaw, availability of a workaround, categorized risk for each vulnerability and the earliest supported release of the product affected by the flaw.-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1045710,0
0.html
-http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf
Microsoft Will Address DRM Issues in Windows Media Player (18 January 2005)
Microsoft will now fix the way its Windows Media Player (WMP) handles downloading digital rights management (DRM) licenses. There have been reports of malicious .mrv files capable of infecting computers with spyware, adware, dialers and viruses. The WMP update, which is expected to be released within 30 days, will allow users more control over when and how pop-ups appear during license acquisition.-http://www.eweek.com/print_article2/0,2533,a=142839,00.asp
MISCELLANEOUS
US Considers Reviewing IBM/Levono Deal for National Security Risks (25 January 2005)
The Committee on Foreign Investments in the United States is considering launching an investigation into whether IBM's proposed sale of IBM's PC business to Chinese computer manufacturer Levono Group Ltd. poses a threat to national security. Some have expressed concern that Chinese computer experts could use an IBM facility to conduct industrial espionage.-http://www.washingtonpost.com/ac2/wp-dyn/A33869-2005Jan24?language=printer
Korean Celebrities Take Legal Action Against Advertising Company, Reporters Over Leaked Document (20 January 2005)
Nearly 100 Korean celebrities have joined together to take legal action against Cheil Communications, Donsego Research and ten entertainment reporters because a document containing personal and possible damaging information was released on the Internet. Lawyers for the celebrities say Cheil Communications, the advertising firm that ordered the report, should shoulder the brunt of the responsibility for the information leak. The event has prompted at least one legislator to propose making privacy laws in the country more stringent.-http://times.hankooki.com/lpage/culture/200501/kt2005012016054511680.htm
-http://times.hankooki.com/lpage/200501/kt2005011922091410220.htm
eBay Sellers Offering eMail Addresses, Spam Tools (20 January 2005)
Despite eBay's recent effort to protect its customers from spam, sellers on the auction site are offering millions of email addresses and spamming tools. Certain lots have been removed from the site, but Steve Linford of anti-spam organization Spamhaus believes eBay should pay closer attention to what is sold on its site and be a leader in the fight against spam.-http://www.silicon.com/research/specialreports/thespamreport/print.htm?TYPE=stor
y&AT=39127213-39025001t-40000011c
Looser Domain Transfer Rules Helped Panix.com Hijackers (20 January 2005)
Australian domain registrar Melbourne IT has admitted some responsibility in last week's hijacking of New York ISP Panix.com. The company acknowledged that it failed to verify a domain name transfer. The rules for transferring domain names were changed last November and some believe that the changes make it easier to hijack domains.-http://www.theregister.co.uk/2005/01/20/panix_recovery_continues/print.html
-http://news.netcraft.com/archives/2005/01/18/lapse_at_melbourne_it_enabled_panix
com_hijacking.html
-http://pcworld.co.nz/news.nsf/PrintDoc/1C8F0FB59723E255CC256F8F0006DCBF?OpenDocu
ment&pub=PCWorld
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/