SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #48
October 28, 2005
SANS inaugural training program in Baltimore for secure web applications
has filled up and is closed, but we are scheduling onsite training now
for the coming months. We also have expanded our onsite training
programs for system administrators, auditors, penetration testers and
security managers. Email info@sans.org with the subject Onsite if you
want to arrange a SANS course at your site.
Alan
TOP OF THE NEWS
BBC Suspends Blackberry Use After Chunks of Messages Spread RandomlyFinancial Institutions to Create Database of Employees Who Pose Security Risks
Universities, Nonprofits and Telecoms Challenge Wiretapping Rules
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCESAir Force Web Site Intruder Likely to be Deported
Man Sentenced to Five Months for Attempted Cyber Scam
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DHS Inspector General Audit of Secret Service Networks Turns Up Security Concerns
SPYWARE, SPAM & PHISHING
Microsoft Files Suit Against Suspected Botnet Operators
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Sweden Nets First File-Sharing Conviction
Hong Kong Court Convicts Man for Distributing Movies On Line
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Oracle's Approach to Security Criticized
Flaw Forces Skype to Release Updated Version of Telephony Client
Yahoo Repairs Cross-Site Scripting Flaw in Web-Based eMail Service
STANDARDS & BEST PRACTICES
Visa and MasterCard Release Self-Assessment Tools for PCI Data Security Standard Compliance
MISCELLANEOUS
Internet Explorer 7 Security Improvements
A First Answer To The Question About Which Bank Is Best At Protecting Customers
*******************Sponsored By The SANS Institute***********************
Amazingly Effective Security Training Programs in Baltimore and San Diego and Amsterdam and Ten Other Cities: Hacker Exploits, Certification Training for DoD GIAC Cert requirements, more. http://www.sans.org
************************ Sponsored Links ********************************
1) SANS WEBCAST: Learn how to safely exploit vulnerabilities in your network with a CORE IMPACT automated penetration-test http://www.sans.org/info.php?id=913
2) Need help selecting an SSL VPN solution ideal for your environment? Download security analyst Mark Bouchard's latest buyer's guide. http://www.sans.org/info.php?id=914
*************************************************************************
TOP OF THE NEWS
BBC Suspends Blackberry Use After Chunks of Messages Spread Randomly (27/26 October 2005)
The BBC has suspended its Blackberry email service after portions of people's email began appearing on others' devices. A spokesman for Blackberry manufacturer Research in Motion said they are aware of the problem that exists in service pack release 4.02. The problem was due to an unusual memory allocation error, which appended partial messages to other email. The spokesman said that the messages would not have gone past the corporate firewall so there was no external data exposure threat.-http://technology.guardian.co.uk/news/story/0,16559,1601197,00.html
-http://news.zdnet.co.uk/internet/security/0,39020375,39233646,00.htm
-http://www.theregister.co.uk/2005/10/27/bbc_blackberry_bug/print.html
Financial Institutions to Create Database of Employees Who Pose Security Risks (26 October 2005)
US financial institutions are working together to establish a database of employees who are known to pose scam risks. People included in the database will be those who compromised customer data or "knowingly caused financial losses."-http://news.com.com/2102-1029_3-5915678.html?tag=st.util.print
[Editor's note (Schultz): This initiative will pay rich dividends to the financial institutions, but the implications for privacy and individual rights are truly frightening. A person whose name is entered into this database will for all practical purposes be "blackballed" throughout the financial industry, per the intention of this initiative. But what if an individual was falsely accused and then was fired anyway? There appears to be no appeal or review process for such an individual. ]
Universities, Nonprofits and Telecoms Challenge Wiretapping Rules (24 October 2005)
Educators, nonprofit organizations and telecommunications companies are challenging new federal wiretapping rules, which require that they rewire their networks to allow the FBI to conduct surveillance of email and web browsing. They are asking the US Court of Appeals to overturn the rules, which are an expansion of 1994's Communications Assistance for Law Enforcement Act, or CALEA. The rules apply to all types of broadband Internet access and many Internet phone services, and are scheduled to take effect in April 2007.-http://news.zdnet.com/2102-1009_22-5911676.html?tag=printthis
[Editor's Note (Pescatore): Extending CALEA out to any "any type of broadband Internet access service" is a big, scary deal. Universities are rightly worried, but hotels, coffee shops, airports and any other place with a wireless hot spot could be seen as providing broadband Internet access. The original intent of CALEA was to make it possible to continue to do narrowly focused wiretaps as PBXs went from analog (with convenient places to tap a particular line) to digital, without those convenient points to connect the recorders. CALEA also came with $500M to the telecomms industry to build the legal interception capabilities in - so far this expansion of CALEA is a totally unfunded mandate.]
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Air Force Web Site Intruder Likely to be Deported (26 October 2005)
Rafael Nuez-Aponte, who has served seven months in prison for his role in breaking into and defacing an Air Force training web site in June 2001, will likely be deported to Venezuela. He is presently in the custody of US immigration officials. However, his deportation could be delayed if the National Aeronautics and Space Administration (NASA) decides to pursue charges against him for allegedly stealing more than 40MB of sensitive data.-http://www.securityfocus.com/news/11350?ref=rss
Man Sentenced to Five Months for Attempted Cyber Scam (21 October 2005)
A man in Norway was sentenced to five months in prison for a cyber extortion scam. The man had created a web site for the Inner Norwegian Seamen's Church and placed pornographic images on it; he then blamed the offensive photographs on unknown cyber attackers and charged the church 84,000 NOK ($US13,059) as a deposit to clean up the site, which he never did. The man was also ordered to return the payment he received.-http://www.aftenposten.no/english/local/article1139982.ece
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DHS Inspector General Audit of Secret Service Networks Turns Up Security Concerns (25 October 2005)
A Department of Homeland Security inspector general's audit of the Secret Service web system found that protection of online data about operations is inadequate. There are vulnerabilities in access controls, configuration management procedures and continuity of operations safeguards. In addition, some default passwords were not changed when new software was installed. These findings mean that people could possibly gain unauthorized access to Secret Service data. The Secret Service agreed in general with the findings, which included recommendations to "ensure adequate controls for user access, review systems to facilitate the detection of inappropriate access, complete a configuration management plan and develop an IT contingency plan. A second DHS inspector general report on certain Secret Service wire-based sensitive but unclassified networks found security controls to be ineffective.-http://www.washingtontechnology.com/cgi-bin/udt/im.display.printable?client.id=w
tdaily-test&story.id=27276
-http://www.dhs.gov/interweb/assetlibrary/OIGr_05-37_Sep05.pdf
-http://www.dhs.gov/interweb/assetlibrary/OIGr_05-38_Sep05.pdf
SPYWARE, SPAM & PHISHING
Microsoft Files Suit Against Suspected Botnet Operators (27 October 2005)
Microsoft has filed a lawsuit against "a number of entities" it believes are using networks of zombie computers, or botnets, to send spam. The move to target those responsible for setting up the networks of compromised computers is a new one. Zombie computers are infected with malware that enables them to be controlled remotely and used to send spam or launch distributed denial-of-service attacks.-http://news.com.com/2102-7349_3-5917817.html?tag=st.util.print
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Sweden Nets First File-Sharing Conviction (25 October 2005)
A twenty-eight year old man became the first person to be convicted in Sweden of using a file-sharing network to distribute a movie in violation of Swedish copyright law. Andreas Bawer was fined 16,000 SEK (US$2040). The case dates back before a law banning the download of copyrighted material came into effect; however, distributing the movie was still a violation of Swedish law at the time. Mr. Bawer could have received up to two years in prison but the court determined that he was not trying to profit from his actions and thus limited the sentence to the fine.-http://news.bbc.co.uk/1/hi/technology/4376470.stm
Hong Kong Court Convicts Man for Distributing Movies On Line (25 October 2005)
A Hong Kong court has convicted Chan Nai-Ming of trying to distribute three movies with the Bit Torrent file-sharing tool, marking the first time someone has been prosecuted for using the tool. It is also Hong Kong's first successful action against file sharing. He will be sentenced on November 7 and faces up to four years in prison and a fine. Other countries are moving toward prosecuting those who use the technology to violate copyright laws. BitTorrent technology enables people to download very large files very quickly. People who use BitTorrent illegally are likely to be found liable as its creator has been very careful not to encourage its use for illegal activities.-http://technology.timesonline.co.uk/article/0,,19509-1841351,00.html
-http://news.bbc.co.uk/1/hi/technology/4374222.stm
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Oracle's Approach to Security Criticized (27 October 2005)
Security researchers are speaking out in criticism of Oracle's approach to security. The company's most recent quarterly update included fixes for a number of flaws, but ignored others. Other criticisms include a lack of timeliness with patch releases and low quality of patches. In some cases, Oracle apparently did not address the underlying vulnerabilities but merely used a "Band-Aid" to block the specific sample exploit code provided by the researchers.-http://news.com.com/2102-1002_3-5916171.html?tag=st.util.print
Flaw Forces Skype to Release Updated Version of Telephony Client (26 October 2005)
Skype Technologies SA is encouraging users of its Internet telephony client to upgrade to version 1.4.*.84 or later. A buffer overflow flaw in Skype for Windows could allow an attacker to gain control of vulnerable systems. The flaw can be exploited by enticing a user to click on a specially-crafted link or "when importing user data from a VCARD." In addition, a flaw in Skype for all platforms could be exploited in a denial-of-service attack.-http://isc.sans.org/diary.php?storyid=792
-http://www.computerworld.com/printthis/2005/0,4814,105727,00.html
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39285192-39000005c
-http://www.skype.com/security/skype-sb-2005-02.html
Yahoo Repairs Cross-Site Scripting Flaw in Web-Based eMail Service (24 October 2005)
Yahoo has fixed a cross-site scripting vulnerability in its web-based email service. The flaw could have been exploited by a variety of attacks, including phishing and hijacking. The flaw is because Yahoo's web site failed to "detect certain script tags in combination with certain special characters." The flaw existed in Yahoo email with Internet Explorer 6.-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39218590-20000
61744t-10000005c
-http://www.webpronews.com/topnews/topnews/wpn-60-20051024YahooDeletesCrossScript
ingEmailProblem.html
STANDARDS & BEST PRACTICES
Visa and MasterCard Release Self-Assessment Tools for PCI Data Security Standard Compliance (25 October 2005)
Visa and MasterCard have released free self-assessment tools for merchants to test their compliance with the Payment Card Industry Data Security Standard (PCIDSS). PCIDSS marks joining Visa's Account Information Security standard and MasterCard's data protection standards. Merchants are not permitted to store magnetic stripe authentication data. The standards have different requirements for merchants, which are dependent on their volume of transactions.-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4650
SANS is offering a free Webcast on the Payment Card Industry Data Security Standard on Wednesday, November 2 at 1:00 PM EST (1800 UTC/GMT). Tune in if you have anything to do with PCI compliance:
-https://www.sans.org/webcasts/show.php?webcastid=90656
MISCELLANEOUS
Internet Explorer 7 Security Improvements (27/26 October 2005)
Microsoft's forthcoming Internet Explorer 7 will support the Transport Layer Security (TLS) protocol to encrypt user data by default. Current versions of IE use the Secure Sockets Layer (SSL) 2.0, which is not as strong. Microsoft will disable SSLv2 in IE7, but will support SSLv3. In addition, IE7 will not allow users to view unsecure content within an HTTPS web page; IE6 allowed users to decide whether or not to view the questionable content via a dialog box. If IE7 users want to view that content, they will have to deliberately choose to access it through the information bar. In addition, if IE7 users choose view sites with certificate problems, the address bar will remain red while they view it.-http://news.zdnet.com/2102-1009_22-5917001.html?tag=printthis
-http://www.pcworld.com/news/article/0,aid,123215,00.asp
-http://www.theregister.co.uk/2005/10/25/ie7_crypto_boost/print.html
-http://www.microsoft.com/windows/IE/ie7/default.mspx
A First Answer To The Question About Which Bank Is Best At Protecting Customers
[Editor's Note (Paller): We've received many submissions about banks protecting their customers with two-factor authentication. This one stood out. "Rabodirect,
-http://www.rabodirect.ie
, is the first Internet only bank in Ireland and is part of the Rabobank Group. One of their key selling points is they are the only bank in Ireland that offers two factor authentication using Vasco Digipass devices and therefore claim to offer the most secure online banking service to the Irish public. Other Irish banks are now reviewing how they can provide more secure solutions to their Internet banking customers. Nice to see information security becoming a business/competitive issue rather than an IT problem."
===end===
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler,
Jaap-Henk Hoepman, Brian Honan, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz,
Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
