
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #42

October 07, 2005


The stories in Top of the News this week illuminate the challenges we
face when security vendors deliver software that puts us at risk. Smart
attackers are actively targeting security and backup applications.
Those products showed up prominently in both the first and second
quarter 2005 updates to SANS Top 20 Internet Security Vulnerabilities.
Vendors of those products have asked their buyers to trust them. Are
they doing enough to earn that trust?
Alan

TOP OF THE NEWS

Antivirus Firms Acknowledge and Issue Fixes for Security Flaws
Zone Labs Warns of Flaw in Multiple Products

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Man Fined GBP400 for Running Afoul of Computer Misuse Act
Florida Man Arrested for Alleged Fraudulent Donation Solicitation
Eight People Arrested in Scheme to Defraud Red Cross
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Law Enforcement Data Sharing System Switches to IP
SPAM & PHISHING
FTC Asks Court to Shut Down Alleged Spyware Company
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
China Expels American Convicted of Piracy to US to Face More Charges
ATTACKS & INTRUSIONS & DATA THEFT
Former White House Aide Allegedly Stole Intelligence Documents
Mozilla Will Rebuild Spreadfirefox.com After Attempted Attack
MISCELLANEOUS
Researchers Say Zombie Networks Could be Used to Attack Cellular Phone Networks
City University of New York Notifies Those Affected by Data Leak
Security Consultants' Fees on the Rise


************************ Sponsored by Lancope ***************************

YOU vs ZOTOB? Is Your Internal Network Safe?

Explore how Network Anomaly Detection Systems (NADS) protect internal enterprise networks by providing zero-hour detection of and response to network threats, like Zotob, that easily bypass traditional security defenses. Download the FREE White Paper "Zotob: Zero-Hour Detection and Response" at http://www.sans.org/info.php?id=890

*************************************************************************

SECURITY TRAINING UPDATE Immersion programs in the next two months (everything from hacker exploits to wireless and more) in Atlanta, Orlando, Dallas, Portland, Los Angeles, Chicago, Baltimore, and San Diego and in Barcelona, Vancouver and Amsterdam. Details: http://www.sans.org/

*************************************************************************

TOP OF THE NEWS

Antivirus Firms Acknowledge and Issue Fixes for Security Flaws (5 October 2005)

Symantec has posted patches for a buffer overflow flaw in the Web-based Administrative Interface of the Symantec AntiVirus Scan Engine. The flaw could be exploited to execute arbitrary code on vulnerable machines. The interface is included in a number of Symantec antivirus products. In addition, Kaspersky Labs has released a fix for a heap overflow vulnerability in its antivirus software running on Windows-based machines.
-http://www.eweek.com/print_article2/0,1217,a=161774,00.asp
-http://news.zdnet.com/2100-1009_22-5889518.html
-http://www.newsfactor.com/story.xhtml?story_id=38496
[Editor's Note (Tan): Antivirus software is supposed to protect your system from malicious code. Unfortunately, it has been actively targeted for vulnerability discovery since last year. Most of the antivirus software flaws require no user interaction and can be exploited remotely. Users could be affected unknowingly if their software is not kept up-to-date.
(Honan): It begs the question as to whether the developers of the products designed to secure our systems have been trained in how to develop secure code.
(Paller) See the San Francisco Chronicle article this morning for a Microsoft announcement that could provide pressure on the other security vendors to improve their software security.
-http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2005/10/07/BUGUFF3FFC17.DTL&type=tech
]

Zone Labs Warns of Flaw in Multiple Products (30/29 September 2005)

Zone Labs has issued a security advisory warning of a vulnerability in the ZoneAlarm firewall that could be exploited by malicious code to trick the firewall into allowing it to connect to the Internet. The flaw affects the free ZoneAlarm firewall, default installations of versions 5.5 and earlier of the paid firewall, and default installations of the Check Point Integrity Client; the paid ZoneAlarm 6.0 products, released in July, are not affected. Zone Labs does not plan to fix the vulnerability in its free product because it considers the flaw "low risk"; the paid products are protected by their additional technology.
-http://news.com.com/2102-1002_3-5886488.html?tag=st.util.print
-http://download.zonelabs.com/bin/free/securityAlert/35.html

[Editor's Note (Honan): I hope the reason for not patching the free version of ZoneAlarm is that the vulnerability is "low risk" and not a ploy to force people to purchase the professional version of the software. Many ordinary non-IT users protect their machines using ZoneAlarm's free product, and these users are the very ones often targeted for attacks. This "low risk" rating could prove not to be the case. ]


************************* Sponsored Links: ******************************

1) ALERT: Independent test confirms the industry's most powerful content filtering solution. Get the full story! http://www.sans.org/info.php?id=891

2) Earn your Master's degree in Information Security from an NSA - recognized online program. http://www.sans.org/info.php?id=892

*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Man Fined GBP400 for Running Afoul of Computer Misuse Act (6 October 2005)

Daniel James Cuthbert of Whitechapel, London has been convicted of violating Section One of the Computer Misuse Act of 1990 for attempting a directory traversal attack on the donate.bt.com site that handles credit card payments on behalf of the Disasters Emergency Committee. Cuthbert claims he carried out two "tests" because he was concerned it may have been a phishing site. Mr. Cuthbert has been fined GBP400 and must pay an additional GBP600 in court costs; he lost his job as a security consultant as a result of his arrest and has only recently found work again. The judge understood that Mr. Cuthbert meant no harm by his actions, but adhered to a strict interpretation of the law, which does not require that the prosecution prove the defendant had intended to cause harm.
-http://www.channelregister.co.uk/2005/10/06/tsunami_hacker_convicted/
-http://news.zdnet.co.uk/0,39020330,39226548,00.htm
[Editor's Note (Honan): While Mr. Cuthbert's actions may have been noble in spirit, it still does not detract from the fact that he broke the law. There were many other legal ways that he could have determined whether the site was a phishing site, such as www.antiphishing.org or contacting the charity directly.
(Shpantzer): Unless you're specifically authorized to perform 'testing' on a site or resource, there's trouble brewing for you. A cautionary tale from the 90's
-http://www.lightlink.com/spacenka/fors/
(Schneier): This is a chilling legal precedent. It was stipulated on both sides that there was no malicious intent, merely an attempt to verify the legitimacy of a website. And the defendant was nevertheless fined and lost his job as a result of the arrest. Given the level of fraud on the Internet, it's reasonable not to take everything at face value. Where does one draw the line between reasonable investigation and "hacking"? ]

Florida Man Arrested for Alleged Fraudulent Donation Solicitation (4 October 2005)

A Florida man has been arrested and charged with four counts of wire fraud for allegedly using a web site to solicit donations for medical supplies and evacuation flights to hurricane-ravaged Louisiana; Gary Kraser allegedly never made any of the flights, though he wrote stories of having done so on the web site. Mr. Kraser allegedly raised US$40,000 in just two days. According to the indictment, he collected the money through PayPal accounts and through direct wire transfers to his bank account.
-http://www.theregister.co.uk/2005/10/04/katrina_fbi/print.html
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39273558-39000005c

Eight People Arrested in Scheme to Defraud Red Cross (4 October 2005)

Eight people have been arrested and one more person is being sought in connection with a scheme to defraud the American Red Cross. Some of the people hired to work a Red Cross call center in Bakersfield, California that was set up to provide hurricane evacuees with PIN numbers they could use to obtain relief aid through Western Union gave those numbers to friends and family. So far, US$25,000 has been documented as stolen, but a US attorney expects that figure to increase. If convicted of the wire fraud charges against them, the defendants could face up to 20 years in prison and fines of US$250,000. Law enforcement officials say they expect to make more arrests.
-http://www.cnn.com/2005/LAW/10/04/redcross.scheme/
[Editor's Note (Schmidt): How many ways can we spell 10 years in prison as a minimum? If there ever was a reason to pass a new law (which I generally am against), it should be that when someone exploits an emergency like we had, that person should get double the normal sentence. It does not get lower than this! ]

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

Law Enforcement Data Sharing System Switches to IP (30 September 2005)

The National Law Enforcement Telecommunication System (NLETS), which allows approximately 30,000 public safety and law enforcement agencies in the US and Canada to securely share motorist, criminal record, immigration, citizenship and aircraft data, has upgraded from a frame relay infrastructure to an IP-based network, which will allow them to encrypt the data they share. An FBI mandate requires all public safety agencies to provide end-to-end encryption as of September 30, 2005.
-http://www.fcw.com/article90976-09-30-05-Web&RSS=yes
[Editor's Note (Honan): The proposed plans to expand this network globally to include Interpol raise concerns that proper controls need to be implemented to ensure the information is not abused by unauthorised personnel and complies with the various Data Protection requirements within each jurisdiction. ]

SPAM & PHISHING

FTC Asks Court to Shut Down Alleged Spyware Company (5 October 2005)

The Federal Trade Commission has filed a complaint with a US court in New Hampshire asking that a company in that state be shut down. Odysseus Marketing maintains that its Kazanon software is anonymous peer-to-peer file sharing software, but the FTC alleges that it behaves as a Trojan horse, allowing other programs to infiltrate users' computers, deliver pop-up advertisements and track their web surfing activities. In addition, users' search results have allegedly been meddled with to send them to look-alike search engines that display Odysseus customers prominently in the results. A software tool from Odysseus that is supposed to correct the problem actually brings in more spyware, according to the allegations. The FTC asked the court to permanently halt downloads from Odysseusmarketing.com.
-http://www.computerworld.com/printthis/2005/0,4814,105164,00.html
-http://www.pcworld.com/news/article/0,aid,122868,00.asp
[Editor's Note (Schultz): The judge in this case appears to have made a good ruling. The differences in security implications of spyware and peer-to-peer sharing are, after all, often minuscule.
(Ranum): Just shutting them down - no punishment? That's interesting. Does this mean one can operate trojan/spyware with impunity as long as you accept the risk of periodically being shut down until you change your name and relocate? ]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

China Expels American Convicted of Piracy to US to Face More Charges (4/3 October 2005)

Randolph Hobson Guthrie, who has been convicted in China of trafficking in pirated digital media, has been expelled from that country to face additional charges in the US. Mr. Guthrie was scheduled to appear in US federal court for a bond hearing on October 4; he will then be sent to Mississippi to face charges of copyright infringement, trafficking and money laundering. Mr. Guthrie was sentenced to two years in prison in China in April. He and another American convicted along with him were ordered deported after completion of their sentences; it has not been made clear why Mr. Guthrie was released early.
-http://www.usatoday.com/tech/news/techpolicy/2005-10-03-dvd-piracy-china_x.htm
-http://www.securitypronews.com/insiderreports/insider/spn-49-20051004ChinaTheUSAndDVDPiracy.html

ATTACKS & INTRUSIONS & DATA THEFT

Former White House Aide Allegedly Stole Intelligence Documents (6 October 2005)

US federal investigators say an FBI analyst who had previously worked as an aide in the office of the Vice President from 1999-2001 used his top-secret security clearance to steal classified intelligence documents from White House computers. Leandro Aragoncillo was allegedly spying for a group in the Philippines that is opposed to the government there. A US District Court judge in Newark, NJ has signed an order to continue the case so that the defendant's attorney may negotiate a plea agreement, indicating that Mr. Aragoncillo is likely cooperating with federal investigators.
-http://www.app.com/apps/pbcs.dll/article?AID=/20051006/NEWS/510060478

Mozilla Will Rebuild Spreadfirefox.com After Attempted Attack (5 October 2005)

The Mozilla Foundation has shut down the Spread Firefox web site, spreadfirefox.com, after learning that the server hosting it had been accessed without authorization; the unknown attackers attempted to exploit a vulnerability in TWiki software installed on the server. While it does not appear that any data have been stolen, Mozilla says it will rebuild the site from scratch. Mozilla has emailed site members alerting them to the situation. The site is expected to be available again around October 15, 2005; users will need to change their passwords once the new site is up. The site suffered a similar attempted attack in July 2005.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39215715-2000061744t-10000005c

MISCELLANEOUS

Researchers Say Zombie Networks Could be Used to Attack Cellular Phone Networks (6/5 October 2005)

Security researchers from Pennsylvania State University have published a report describing how a "moderate-sized" zombie network could be used to knock out cellular phone service across the United States. By exploiting vulnerabilities in the Short Message Service (SMS), attackers could launch denial-of-service attacks on cellular networks: flooding a target area with SMS messages could prevent other handsets from connecting to the network. Pennsylvania State University professors Patrick McDaniel and Thomas La Porta say the risk could be somewhat mitigated if mobile operators separate "the text messaging and phone call initiation features within the control channel" and limit the amount of information that is published on the Internet.
-http://www.computerworld.com/printthis/2005/0,4814,105183,00.html
-http://money.cnn.com/2005/10/05/technology/hacker_cellphones/
[Editor's Note (Honan): If combined with a physical attack, disabling the cellular network would pose major problems for emergency workers communicating with each other. Limiting the information available on the Internet does not prevent security breaches. Understanding the issues and addressing them does. ]
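Added example, not code from the Penn State report or the articles above: a small Python model of the shared control channel the researchers describe. Every parameter is an assumption chosen for illustration (a sector with 8 control sub-channels, 4 s of channel time per SMS delivery, 3 s per call setup, Poisson arrivals). It shows how few messages per second a botnet needs to keep those channels busy, and how reserving sub-channels for call setup, the separation the researchers recommend, restores call service under the same flood.

```python
"""Discrete-time model of the SMS-flood denial of service described above.

Added example, not from the Penn State report. All channel parameters are
assumptions: a sector has 8 shared control sub-channels, an SMS delivery
holds one for 4 s and a call setup holds one for 3 s. With a fully shared
pool, a message flood starves call setup; the mitigation (separating SMS
from call initiation) is modelled by reserving sub-channels SMS may not use.
"""
import math
import random
from dataclasses import dataclass


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of Poisson(lam) arrivals in one tick."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


@dataclass
class SectorModel:
    sdcch_channels: int = 8       # assumed: control sub-channels per sector
    reserved_for_calls: int = 0   # mitigation: 0 means a fully shared pool
    sms_hold_s: float = 4.0       # assumed: channel time per SMS delivery
    call_hold_s: float = 3.0      # assumed: channel time per call setup
    seed: int = 1                 # fixed seed keeps runs reproducible

    def flood_rate_per_s(self, sectors: int) -> float:
        """Sustained messages/second a botnet needs to keep every
        SMS-usable sub-channel busy across `sectors` sectors."""
        usable = self.sdcch_channels - self.reserved_for_calls
        return sectors * usable / self.sms_hold_s

    def call_blocking(self, sms_rate_per_s: float, call_rate_per_s: float,
                      duration_s: float = 600.0, dt: float = 0.1) -> float:
        """Fraction of call-setup attempts that find no free sub-channel."""
        rng = random.Random(self.seed)
        busy_until = [0.0] * self.sdcch_channels  # time each channel frees
        attempted = blocked = 0
        t = 0.0
        while t < duration_s:
            # SMS traffic may only use the non-reserved channels
            for _ in range(poisson(rng, sms_rate_per_s * dt)):
                idx = self._free_channel(busy_until, t, self.reserved_for_calls)
                if idx is not None:
                    busy_until[idx] = t + self.sms_hold_s
            # call setup may use any channel, reserved ones first
            for _ in range(poisson(rng, call_rate_per_s * dt)):
                attempted += 1
                idx = self._free_channel(busy_until, t, 0)
                if idx is None:
                    blocked += 1
                else:
                    busy_until[idx] = t + self.call_hold_s
            t += dt
        return blocked / attempted if attempted else 0.0

    @staticmethod
    def _free_channel(busy_until, now, start):
        """Index of the first free channel at or after `start`, else None."""
        for idx in range(start, len(busy_until)):
            if busy_until[idx] <= now:
                return idx
        return None


if __name__ == "__main__":
    shared = SectorModel()
    split = SectorModel(reserved_for_calls=4)
    print("botnet rate to saturate 100 sectors: %.0f msg/s"
          % shared.flood_rate_per_s(100))
    print("call blocking, no flood:        %.3f" % shared.call_blocking(0.0, 0.3))
    print("call blocking, 10 SMS/s flood:  %.3f" % shared.call_blocking(10.0, 0.3))
    print("call blocking, flood + split:   %.3f" % split.call_blocking(10.0, 0.3))
```

Under these assumptions a single sector is saturated by two messages per second, so a modest botnet covers hundreds of sectors; call blocking goes from near zero to near total once the shared pool is full, and drops back to a few percent when four sub-channels are kept out of reach of SMS traffic.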

City University of New York Notifies Those Affected by Data Leak (6/5 October 2005)

City University of New York (CUNY) has informed more than 750 students and current and former employees that their personal information, including Social Security numbers, may have been compromised. A law student Googling her own name found among the results documents that contained sensitive personal student data. School administrators apparently posted the documents on the university's central web site. Even after the school became aware of the situation and removed the files, Google's caching feature made the information available for a few more days.
-http://www.columbiaspectator.com/vnews/display.v/ART/2005/10/05/434384081af2a
-http://www.nynewsday.com/news/local/manhattan/nyc-cuny1006,0,7717293.story?coll=nyc-topheadlines-left
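Added example, not CUNY's or Google's tooling: a Python pre-publication check that scans a web root for Social Security numbers before files go public, since once a document has been indexed, removing it does not purge search-engine caches. The separator-consistency pattern and the validity rules (area not 000, 666 or 900-999; group and serial non-zero) are assumptions based on the documented SSN format; the files written by demo() are constructed for the example.

```python
"""Pre-publication scan of a web root for Social Security numbers.

Added example; not CUNY's tooling. Validity rules follow the publicly
documented SSN structure (area 001-899 excluding 666, group 01-99,
serial 0001-9999). The sample files in demo() are constructed."""
import re
import shutil
import tempfile
from pathlib import Path

# 3-2-4 digit groups with one consistent separator ('-', ' ' or none),
# not embedded in a longer digit run or a hyphenated code.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues, cutting false positives."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text: str) -> list[str]:
    """Return every plausible SSN found in `text`, in order."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(m.group(1), m.group(3), m.group(4))]


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each file under `root` that contains SSNs to the values found."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        hits = find_ssns(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed mini web root, scan it, and return the findings."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    try:
        public = root / "public"
        public.mkdir()
        (public / "index.html").write_text("<h1>Welcome</h1> Call 555-0100.")
        # constructed roster: the kind of file that must never be published
        (public / "roster.txt").write_text(
            "Doe, Jane   123-45-6789\nRoe, Rick   321-54-9876\n")
        # a 9-digit figure with an impossible area number: not flagged
        (public / "stats.csv").write_text("year,count\n2004,666123456\n")
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {len(hits)} SSN(s) found, e.g. {hits[0]}")
```

Run it against the staging copy of the site before anything is pushed to the public web root; a hit is a reason to stop the publish, not a number to redact after the fact.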

Security Consultants' Fees on the Rise (4 September 2005)

According to research from the Association of Technology Staffing Companies, the average hourly rate for computer security consultants has risen from GBP40 (US$71.15) in 2004 to GBP50 (US$88.94) in 2005, an increase of 25% in one year. The increase is driven by demand for professionals with the skills to conduct application testing and penetration testing and to bring systems into compliance with regulations. The research also noted an increase in the number of people training in these areas, including IT professionals from outside security.
-http://management.silicon.com/careers/0,39024671,39153018,00.htm

[Editor's Note (Pescatore): There has been a lot of automation of straightforward vulnerability scanning, but the success of targeted attacks has increased demand for more thorough penetration testing - at both the application and the network level. Throw in Sarbanes-Oxley mania and the audits required by the Payment Card Industry Data Security Standard, and you get greatly increased demand for experienced people to perform the tests. Which means the next wave will be more automation of penetration testing techniques, leading to prices going back down - until the next new wave of threats.
(Shpantzer): It's easy to hire good pen testers and call it security, but how many organizations actually follow-up with ongoing mitigation efforts?]


===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Brian Honan, Stephen
Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt,
Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/