SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VII - Issue #41

October 04, 2005

TOP OF THE NEWS

New Rule: US Agencies Must Build Cyber Security into Acquisition Planning
Governor Schwarzenegger Signs Anti-Phishing Law

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Interior Department Computers Vulnerable to Intrusions
Coast Guard Database System Access Controls are Deficient, Says IG
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Software Pirate to Pay More Than US$1 Million in Restitution
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Mozilla Releases Thunderbird Update
Trojan Exploits Unpatched Microsoft Office Vulnerability
IM Malware on the Rise
ATTACKS & INTRUSIONS & DATA THEFT
Visa Extends Deadline for Severing Ties with CardSystems Solutions
MISCELLANEOUS
Voice Of America Cyber Security Series features Internet Storm Center
Gartner: Unattended PCs Pose Risk

---

*********************** Sponsored by Bindview ***************************

Free Security Compliance Reality Check

Run a quick check of your IT security compliance for specific regulations with this FREE Compliance Assessment Tool. You'll get a "compliance score" as an example of how BindView solutions can help you monitor and report on compliance---all through a single compliance architecture for managing multiple regulations.

http://www.bindview.com/bvCat/index.cfm?AD=NS-SANS1014BVCatDLU-Q305

*************************************************************************

---

TOP OF THE NEWS

New Rule Says Agencies Must Build Cyber Security into Acquisition Planning (30 September 2005)

As of September 30, 2005, contracting officers at federal agencies are required to incorporate cyber security requirements in their acquisition planning. The Federal Acquisitions Regulation Council issued an interim rule and will accept comments on the rule through November 29, 2005. The rule says that acquisition professionals must get advice from IT security specialists, requires contracting officers to abide by FIPS standards and to incorporate "appropriate agency security policy and requirements in IT acquisition."
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&
story.id=37162
-http://a257.g.akamaitech.net/7/257/2422/01jan20051800/edocket.access.gpo.gov/200
5/05-19468.htm
[Editor's Note (Pescatore): While requiring that security be included in all technology acquisition plans is a good thing, this "new" rule is pretty much deja vu all over again. OMB had initiatives for risk based acquisition management that required input from security as far back as 2000. However, the focus has only been on large complex projects, not on *all* buys of commercial off the shelf software, for example or every day services, such as Internet services. The government should use its buying power to drive software and Internet services to higher levels of security and reliability. ]

Governor Schwarzenegger Signs Anti-Phishing Law (1 October 2005)

Phishing is now a civil offense in California. Governor Arnold Schwarzenegger signed a bill on September 30, 2005, that allows people to sue the senders of deceptive emails that attempt to steal personal data; they can seek to recover actual damages or US$500,000 for each violation, whichever is greater.
-http://www.msnbc.msn.com/id/9547692/
[Editor's Note (Schneier): Unfortunately, this is a feel-good measure that's not going to have much actual effect. The real cure is to make vendors responsible for fraudulent transactions, because they're the ones who can do something about the core problem. ]

---

************************ Sponsored Links: *******************************

1) "Fearless Wireless: AirWave's software automatically enforces WiFi security policies, detects rogues, and conducts compliance audits."
http://www.sans.org/info.php?id=888

2) ALERT: Independent test confirms the industry's most powerful content filtering solution. Get the full story!
http://www.sans.org/info.php?id=889

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

Interior Department Computers Vulnerable to Intrusions (30 September 2005)

Independent penetration testers hired by the Inspector General were able to break into computer systems at the US Department of the Interior. The testers were able to break into the National Park Service computer system and create a web page to demonstrate that they had control of the server. They were also able to alter data in a grant application. In addition, investigators were able to change an address in the Federal Personnel/Payroll System in the National Business Center system; they believe they would also be able to change bank routing information that would allowed malicious intruders to divert funds.
-http://www.fcw.com/article90981-09-30-05-Web

Coast Guard Database System Access Controls are Deficient, Says IG (28 September 2005)

A report from the Department of Homeland security inspector general Richard Skinner says that the Coast Guard has not implemented adequate access controls and contingency plans for its Marine Information for Safety and Law Enforcement (MISLE) system. The vulnerabilities could allow attackers to access the web-based database system, which is "used to track marine safety and law-enforcement activities involving commercial and recreational vessels." MISLE holds sensitive but unclassified Coast Guard mission information.
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&
story.id=37140
-http://www.dhs.gov/interweb/assetlibrary/OIGr_05-35_Aug05.pdf

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Software Pirate to Pay More Than US$1 Million in Restitution (29 September 2005)

Li Chen has pleaded guilty to one count of copyright infringement and will pay US$1.1 million in restitution to Symantec and Microsoft for software piracy under the terms of his plea agreement. A Symantec spokesperson said, "This guy was one of the largest distributors of pirated software. He had direct ties to China, where the counterfeit product was being produced."
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39270628-39000005c
[Editor's Note (Shpantzer): It's entirely possible this counterfeit is trojanized as well. One of the reasons to buy legitimate software is that there's a reasonable effort to thwart malicious code in the product. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Mozilla Releases Thunderbird Update (30 September 2005)

Mozilla has released Thunderbird version 1.0.7, an update that addresses a handful of security holes, including an "extremely critical" Linux command line URL parsing security flaw that could allow attackers to run malicious code on vulnerable systems. Other flaws addressed in the update flaw are similar to those fixed in recent updates for the Firefox browser and Mozilla Suite. The Thunderbird email client is available for Windows, Linux and Mac OS X.
-http://news.zdnet.com/2102-1009_22-5886726.html?tag=printthis

Trojan Exploits Unpatched Microsoft Office Vulnerability (30 September 2005)

A Trojan horse program called Backdoor.Hesive exploits an unpatched hole in Microsoft Office and could allow attackers to take control of vulnerable machines. Machines become infected when users are tricked into opening a specially crafted .mdb file in Microsoft Access. All recent Windows releases are vulnerable. Backdoor.Hesive exploits a flaw in Microsoft's Jet Database Engine. Microsoft was alerted to the problem in April, 2005, but has not yet issued a patch.
-http://news.zdnet.com/2102-1009_22-5886543.html?tag=printthis
-http://www.computerworld.com/printthis/2005/0,4814,105131,00.html
[Editor's Note (Dhamankar): Looks like Microsoft underestimated this vulnerability. The exploit for this flaw was available as early as April 11, 2005. The Trojan horse Ryejet.B was also sighted way back in April.
-http://www.sans.org/newsletters/risk/display.php?v=4&i=15#exploit1
-http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ryejet.b.html]

IM Malware on the Rise (28 September 2005)

A recent report noted 25 IM viruses circulating in September and 47 in August, the highest monthly total recorded since they began keeping track a year-and-a-half ago. The report also noted that in the past, IM viruses have been variants of email viruses, but they are increasingly seeing malware created specifically to spread over IM systems. According to the report, attackers are using IM malware to take control of computers and use them in zombie attacks.
-http://www.eweek.com/print_article2/0,1217,a=161315,00.asp

ATTACKS & INTRUSIONS & DATA THEFT

Visa Extends Deadline for Severing Ties with CardSystems Solutions (30 September 2005)

Visa International has extended its deadline for cutting ties with CardSystems Solutions by three months. The credit card company had initially set a deadline of October 31, 2005 for ending its business relationship with the payment processor in the wake of the widely publicized and massive data security breach at the end of October, 2005; Visa now says it will give CardSystems until January 31, 2006, to facilitate the company's acquisition by CyberSource; the extension requires both CardSystems and CyberSource to comply with Visa's data security rules. Visa says its decisions to extend the deadline beyond which it would require banks to switch to other payment processors in order to facilitate the acquisition of CardSystems by CyberSource. Visa retains the right to end the extension should their security requirements not be met and if the proposed acquisition does not take place. CyberSource is reportedly in talks with Visa about a business relationship following the acquisition.
-http://www.infoworld.nl/idgns/bericht.phtml?id=00256F6C005C22FC0025708B007A4747
-http://today.reuters.com/investing/financeArticle.aspx?type=mergersNews&stor
yID=2005-09-29T175347Z_01_N2959514_RTRIDST_0_FINANCIAL-CARDSYSTEMS-UPDATE-1.XML
-http://australianit.news.com.au/articles/0,7204,16769019%5E15336%5E%5Enbv%5E1530
6-15316,00.html

MISCELLANEOUS

Voice of America Cyber Security Series features Internet Storm Center (30/28 September 2005)

A three-part series on cyber threats and the future of the Internet features the Internet storm Center. The links include the text of the reports and links to the videos.
-http://isc.sans.org/diary.php?storyid=717
-http://www.voanews.com/english/2005-09-28-voa22.cfm
-http://www.voanews.com/english/2005-09-28-voa40.cfm
-http://www.voanews.com/english/2005-09-30-voa9.cfm
[Editor's Note (Tan): We are grateful to all our readers whom have contributed to the success of Internet Storm Center. Their contribution and participation are amazing, and often provide us information on the latest security threats which we in turn share with the rest of the community. If you want to play a part in ISC but wonder how, check this out:
-http://isc.sans.org/diary.php?storyid=680
-http://isc.sans.org/contact.php
This link provides an overview and history of ISC:
-http://isc.sans.org/about.php]

Gartner: Unattended PCs Pose Risk (29 September 2005)

Recent Gartner research indicates that organizations tend to overlook the security threats posed by unattended PCs that are logged onto corporate networks. The situation could allow people to access and alter confidential information to commit fraud or to send email from others' accounts. In addition, when network connected PCs are left unattended, employees can offer the "someone else used my machine" defense when faced with evidence that their machine was improperly used. Some companies would benefit from using timeouts, which make users of back on to the system after specified periods of inactivity. Another solution would be to use proximity tokens, which disconnect users and log back onto on the system based on their proximity to their PCs.
-http://www.computerworld.com/printthis/2005/0,4814,105043,00.html
-http://www.theregister.co.uk/2005/09/29/unattended_pc_peril/print.html

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan
Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier,
Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/