
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #49

November 01, 2005

Update: Security Salaries Rising Faster Than Any Other IT Profession.
(October 24, 2005):
A survey of 14,000 IT workers showed that security workers received
raises 20% higher than those of any other category of IT worker in 2005,
and 40% to 60% greater than those of system and network administrators
who do not have security responsibilities. In cooperation with SysAdmin
magazine, SANS is surveying the entire community to illuminate the
salaries and raises currently being earned by security, audit and
administrator professionals, in each geographic area and in each major
industry. That data can be very powerful in discussions about pay
levels. Please help us give this survey the broadest possible coverage
by completing it this week. In addition to salary questions, it covers
the major reasons for career advancement - very valuable. The only way
to get the survey results is to participate, and if you complete the
survey this week, we'll also send you a pointer to the data on security
raises outpacing those of other IT professions.

The survey:

P.S. If you are one of the first 1,000 security/audit professionals to
complete the survey, you'll also be entered in a drawing for one of five
new video iPods.



New US Rules for RFID-Equipped Passports Address Security Concerns
Proposed Legislation in India Could Hurt Outsourcing Industry
GAO Study Finds Problems with eVoting Machines


Three Sentenced for eBay Fraud Scheme
Man Receives Four-Year Sentence for Identity Fraud
Navy Networks Block Access to Web-Based Commercial email Sites
DHS Will Take Steps to Address SCADA Security Concerns
UK Info Commissioner Says Proposed ID Card Plan Oversteps Privacy Boundaries
Anti-Spyware Coalition Releases Definitions, Risk Model Descriptions
Worm Spreading Through AIM
Oracle's Password Protection Criticized
Australian Government Documents Stolen from Consultancy's Computer System
UAE Bank Changes Provider After Site Attacked

************** Sponsored by LURHQ Managed Security Services *************

Enhance your security posture and painlessly comply with regulations in a cost effective manner with LURHQ's integrated suite of Managed Security Services. LURHQ's services integrate key operational processes and security technologies to deliver an effective Threat and Vulnerability Management solution. Learn more by downloading our "Delivering Threat and Vulnerability Management" presentation, featuring Gartner's Kelly Kavanagh.



New US Rules for RFID-Equipped Passports Address Security Concerns (27 October 2005)

New rules for the use of Radio Frequency ID (RFID)-equipped passports in the US went into effect on October 25, 2005. The rules include several security provisions to protect passport holders from data theft. The passport cover will contain material intended to prevent the data on the RFID chip from being skimmed or surreptitiously read from a distance: a reader must be within four inches of the chip, and the passport cover must be open, before the data can be read. The data stored on the chip will be just that which is already printed in passports: name, date of birth, nationality and a digitized photograph of the passport holder. The chip will also carry a digital signature over that data to guard against alteration or removal. The passports will have twice the recommended minimum storage capacity in case iris scans or fingerprints need to be added at a later date; any such additions would be subject to public comment periods. The State Department will begin issuing electronic passports in December 2005, starting with government workers with official or diplomatic passports, and moving toward total rollout by October 2006.
[Editor's Note (Hoepman): I keep wondering why the US Government chose not to use Basic Access Control (which is part of the ICAO standard and which is used by many European countries) to prevent skimming of the passports. In short, Basic Access Control requires that in order to read data off the passport, an unlock key has to be sent to the passport that can be derived from the data (name, passport number among others) printed on the passport itself (in the machine readable zone). ]
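To make the editor's note concrete, the following is the ICAO 9303 Basic Access Control key derivation, written in Go as an added example for this edition; it is not code from the newsletter, from the ICAO specification or from any passport reader. The inspection system reads the document number, date of birth and date of expiry from the machine readable zone, appends each field's check digit, hashes the result with SHA-1, and derives a two-key 3DES encryption key and a MAC key from the first 16 bytes of that hash. The sample field values in main() are the ones used in the worked example of ICAO Doc 9303; the function names are this example's own.

```go
package main

import (
	"crypto/sha1"
	"fmt"
	"math/bits"
)

// mrzCheckDigit computes the ICAO 9303 check digit for one MRZ field:
// weights 7, 3, 1 repeat along the field; '0'-'9' count as their value,
// 'A'-'Z' as 10-35 and the filler '<' as 0; the result is the sum mod 10.
func mrzCheckDigit(field string) int {
	weights := [...]int{7, 3, 1}
	sum := 0
	for i := 0; i < len(field); i++ {
		c := field[i]
		v := 0
		switch {
		case c >= '0' && c <= '9':
			v = int(c - '0')
		case c >= 'A' && c <= 'Z':
			v = int(c-'A') + 10
		case c == '<':
			v = 0
		default:
			panic(fmt.Sprintf("invalid MRZ character %q", c))
		}
		sum += v * weights[i%3]
	}
	return sum % 10
}

// BACMRZInfo assembles the "MRZ information" that BAC keys are derived from:
// document number, birth date (YYMMDD) and expiry date (YYMMDD), each
// followed by its own check digit. The document number must already be
// padded with '<' to the 9 characters it occupies in the MRZ.
func BACMRZInfo(docNumber, birthDate, expiryDate string) string {
	return fmt.Sprintf("%s%d%s%d%s%d",
		docNumber, mrzCheckDigit(docNumber),
		birthDate, mrzCheckDigit(birthDate),
		expiryDate, mrzCheckDigit(expiryDate))
}

// adjustDESParity forces odd parity on every key byte, as DES keys require.
func adjustDESParity(key []byte) {
	for i := range key {
		if bits.OnesCount8(key[i])%2 == 0 {
			key[i] ^= 0x01
		}
	}
}

// deriveKey is the ICAO 9303 key derivation function: SHA-1(seed || 32-bit
// counter), truncated to 16 bytes (two-key 3DES) and parity-adjusted.
// Counter 1 yields the encryption key, counter 2 the MAC key.
func deriveKey(seed []byte, counter byte) []byte {
	d := sha1.Sum(append(append([]byte{}, seed...), 0x00, 0x00, 0x00, counter))
	key := make([]byte, 16)
	copy(key, d[:16])
	adjustDESParity(key)
	return key
}

// BACKeys returns (K_enc, K_mac). K_seed is the first 16 bytes of
// SHA-1(MRZ information); both session keys are derived from it, so anyone
// who knows the three printed fields can derive the same keys.
func BACKeys(mrzInfo string) (kEnc, kMac []byte) {
	seedHash := sha1.Sum([]byte(mrzInfo))
	seed := seedHash[:16]
	return deriveKey(seed, 1), deriveKey(seed, 2)
}

func main() {
	// Sample MRZ fields: the values used in the ICAO Doc 9303 worked example.
	info := BACMRZInfo("L898902C<", "690806", "940623")
	kEnc, kMac := BACKeys(info)
	fmt.Printf("MRZ information: %s\nK_enc: %X\nK_mac: %X\n", info, kEnc, kMac)
}
```

The real protocol then continues with a challenge-response mutual authentication under these keys, which is not shown here. The caveat a practitioner should keep in mind is visible in BACKeys: the keys carry no more entropy than the document number, birth date and expiry date, so BAC stops casual skimming but not an attacker who can guess or obtain those fields.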

Proposed Legislation in India Could Hurt Outsourcing Industry (31/29 October 2005)

Proposed amendments to India's Information Technology Act exclude business process outsourcing (BPO) companies from being service providers, which means they would not be held liable for data theft or data leaks. The draft legislation would hold cyber cafes and search engines liable for data theft. If the amendment is enacted, it could be disastrous for the BPO industry in India. The problem may be that legislators do not understand the need for a separate data protection law.


GAO Study Finds Problems with eVoting Machines (31 October 2005)

A recent study from the Government Accountability Office (GAO) found that some electronic voting systems allowed ballot definition files, cast ballots and audit logs to be modified, that systems had unprotected power switches, that some local voting officials misconfigured the machines and that some systems failed during use in elections. In addition, some local election officials had no idea what to do to address voting machine problems that occurred during elections. The GAO has made several recommendations, including having authorities work with the National Institute of Standards and Technology (NIST) to create a process for updating the National Reference Library for voting systems regularly and encouraging the use of the library to check software.
[Editor's Note (Schultz): Many states in the US rushed into electronic voting without understanding the many potential perils and pitfalls of eVoting. Studies such as the recent GAO study have almost without exception discovered significant vulnerabilities and errors in eVoting systems; these findings are bound to be only the tip of the iceberg. ]

************************** Sponsored Links: *****************************

1) ALERT: "How a Hacker Launches a LDAP Injection Attack Step-by-Step" - White Paper

2) ALERT: Independent test confirms the industry's most powerful content filtering solution. Get the full story!

3) Earn your Master's degree in Information Security from an NSA-recognized online program.




Three Sentenced for eBay Fraud Scheme (29/28 October 2005)

A Romanian couple living in the UK has been jailed for "well planned and sophisticated fraud" using phony identities that duped eBay customers out of more than 300,000 GBP (US$530,700) over two years. Nicolae and Adriana Cretanu advertised goods on eBay; victims were contacted via email and told their bids were not successful, but were then offered the chance to purchase the same or similar items by wiring money to the couple. The couple will be deported when they complete their sentences; Nicolae Cretanu received a 42-month sentence; Adriana Cretanu received a 30-month sentence. An accomplice, George Titar, was also sentenced to 30 months in jail.


Man Receives Four-Year Sentence for Identity Fraud (27 October 2005)

Shiva Sharma, who has committed numerous identity fraud offenses, has been sentenced to four years in prison. Mr. Sharma stole credit card information on-line and used it to purchase computer equipment and jewelry and to obtain more than US$50,000 in cash advances from Western Union. His previous arrests involved defrauding AOL and its customers.


Navy Networks Block Access to Web-Based Commercial email Sites (28 October 2005)

All computer networks funded by the US Department of the Navy now block access to Web-based commercial email sites as stipulated in the Navy's Information Technology User Acknowledgment Form. Every Navy computer network user has completed and signed one of these forms before being allowed access to the computer networks. In addition, all employees were expected to have completed Information Assurance training by October 1, 2005. Sailors will be able to send email from their military accounts to commercial accounts but are not permitted to set up their military email to forward messages automatically to personal email accounts.

DHS Will Take Steps to Address SCADA Security Concerns (28 October 2005)

Andy Purdy, acting director of the US Department of Homeland Security's (DHS) National Cyber Security Division (NCSD) said there are several initiatives that will be put in place over the next year to secure the Supervisory Control and Data Acquisition (SCADA) and other systems that control and monitor much of the country's national infrastructure. SCADA systems have been attacked, but the attacks are rarely made public. Nearly 25 percent of SCADA systems did not have a firewall separating the control network from the corporate network, according to a recent survey. The NCSD has already established an information clearinghouse for control systems security that is under the auspices of the US Computer Emergency Readiness Team (US-CERT) and the Idaho National Laboratory (INL). The DHS plans to release a best practices document next year for control systems operators; the DHS will also decide whether a third-party academic institution is needed to serve as a hub for vulnerability and incident reporting. In addition, an energy bill passed in August 2005 requires that the Department of Energy create an electric reliability organization that could conceivably have the power to levy penalties against companies that do not comply with critical infrastructure protection standards.

UK Info Commissioner Says Proposed ID Card Plan Oversteps Privacy Boundaries (28 October 2005)

UK information commissioner Richard Thomas said the government is not justified in its plan to store considerable personal and biometric data in a central national identity register. Specifically, Mr. Thomas does not see the need to require individuals to disclose all their former home addresses in addition to keeping the government informed of future address changes. Mr. Thomas is also concerned about the data trail that could be used to compose a virtual snapshot of individuals' lives. Additional concerns include the potential for linking the card to other identification initiatives, which could erode individual privacy.


Anti-Spyware Coalition Releases Definitions, Risk Model Descriptions (28/27 October 2005)

The Anti-Spyware Coalition released a final version of spyware definitions last week. They also released guidelines for detecting, rating and guarding against spyware. The ASC defines "Spyware and other potentially unwanted technologies" as those which are "deployed without appropriate user consent and/or implemented in ways that impair user control over material changes that affect their user experience, privacy or system security; use of their system resources, including what programs are installed on their computers; and/or collection, use, and distribution of their personal or other sensitive information." The ASC has also released a Risk Model Description; public comment will be accepted on this document until November 27, 2005.


Worm Spreading Through AIM (31 October 2005)

The Sdbot-ADD worm spreads via AOL Instant Messenger (AIM) and downloads a "nasty bundle" of malware to users' machines; this includes a rootkit, a version of the Sdbot Trojan horse program and a handful of spyware and adware applications. Some of the applications try to disable security programs.


Oracle's Password Protection Criticized (27 October 2005)

The SANS Institute's Joshua Wright and Carlos Cid of Royal Holloway College, University of London, have written a paper in which they describe how Oracle's mechanism for hashing and storing passwords puts data at risk of exposure. The problems include a weak hashing mechanism and a lack of case preservation, meaning that all the characters are converted to uppercase before the hash is calculated. The paper calls upon Oracle to strengthen the mechanism, as the authors have demonstrated a method for recovering the plaintext password in just minutes. Messrs. Wright and Cid informed Oracle of their findings in July but have not yet received a response.
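As an added illustration of the scheme the paper describes (example code written for this edition, not code from Wright and Cid or from Oracle), the legacy Oracle hash is DES-CBC applied twice to uppercase(username || password), widened to 16-bit characters and zero-padded to a block boundary: the first pass uses a fixed key, and the last ciphertext block of the first pass becomes the key for the second pass, whose last block is the stored hash. The only per-user variation is the username, so a given password for a given user always hashes the same way, and the case folding means a wordlist needs only one spelling of each word. The SCOTT/TIGER and SYSTEM/MANAGER values are the well-known Oracle default-account hashes; the function names and the short wordlist are this example's own.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Fixed first-round DES key of the legacy Oracle scheme. There is no salt
// other than the username itself.
var oracleFixedKey = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}

// desCBCLastBlock encrypts buf with single DES in CBC mode under an all-zero
// IV and returns only the final ciphertext block; the scheme discards the rest.
func desCBCLastBlock(key, buf []byte) []byte {
	block, err := des.NewCipher(key)
	if err != nil {
		panic(err) // keys in this example are always 8 bytes
	}
	out := make([]byte, len(buf))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, buf)
	return out[len(out)-des.BlockSize:]
}

// OracleHash reproduces the legacy (pre-11g) Oracle password hash:
//  1. uppercase(username || password)            <- the case folding the paper criticizes
//  2. widen each ASCII byte to 16 bits (0x00 high byte); zero-pad to a multiple of 8
//  3. DES-CBC under the fixed key; keep the last block as the second-round key
//  4. DES-CBC the same buffer under that key; the last block, in hex, is the hash
func OracleHash(username, password string) string {
	s := strings.ToUpper(username + password)
	buf := make([]byte, 0, 2*len(s)+des.BlockSize)
	for i := 0; i < len(s); i++ {
		buf = append(buf, 0x00, s[i]) // ASCII input only in this example
	}
	for len(buf) == 0 || len(buf)%des.BlockSize != 0 {
		buf = append(buf, 0x00)
	}
	roundTwoKey := desCBCLastBlock(oracleFixedKey, buf)
	return strings.ToUpper(hex.EncodeToString(desCBCLastBlock(roundTwoKey, buf)))
}

// CrackOracleHash runs a plain dictionary attack against one stored hash.
// Because the scheme folds case, one candidate per word suffices:
// "tiger", "Tiger" and "TIGER" all produce the same hash.
func CrackOracleHash(username, storedHash string, wordlist []string) (string, bool) {
	target := strings.ToUpper(storedHash)
	for _, w := range wordlist {
		if OracleHash(username, w) == target {
			return w, true
		}
	}
	return "", false
}

func main() {
	for _, p := range []string{"tiger", "Tiger", "TIGER"} {
		fmt.Printf("SCOTT/%-5s -> %s\n", p, OracleHash("SCOTT", p))
	}
	// Constructed wordlist; the stored hash is the well-known SCOTT/TIGER default.
	if pw, ok := CrackOracleHash("SCOTT", "F894844C34402B67", []string{"lion", "bear", "tiger"}); ok {
		fmt.Println("recovered:", pw)
	}
}
```

Two properties worth noticing when running this: changing only the case of the password never changes the output, and a hash from one database can be tested against a wordlist offline with no per-user salt to regenerate, which is why the paper's minutes-scale recovery is plausible.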


Australian Government Documents Stolen from Consultancy's Computer System (28 October 2005)

Two executives from a policy consultancy will be charged with breaches of Australia's Corporations Act following an investigation into theft of government documents from the computer system of a rival consultancy.

UAE Bank Changes Provider After Site Attacked (23 October 2005)

The Commercial Bank of Dubai has said it will stop using its current web site provider following a defacement attack. The bank's deputy IT manager, Vijay Kumar, said the bank's IT infrastructure was unaffected; the site in question is a "static web site" with no connections to the bank's infrastructure. IT staff from a number of banks in the United Arab Emirates have been meeting regularly to discuss emerging security issues.


NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler,
Jaap-Henk Hoepman, Brian Honan, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz,
Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit