SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VII - Issue #56

November 25, 2005

If you are feeling the cold (it was 18 degrees F this morning where we
live), consider how great it would be to spend a week in Phoenix or
Brisbane (AU) in January or in Orlando in February. And if you cannot
come to a SANS program, SANS will be bringing onsite training to more
than 60 organizations during 2006, and we'll present most of our courses
in SANS@HOME and Mentor and Self Study formats. Schedule and details:
http://www.sans.org

---

TOP OF THE NEWS

NISCC Director Says Foreign Governments are the Number One Cyber Threat
BitTorrent Reaches Anti-Piracy Agreement with MPAA

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Dept. of Interior Asks OMB for FISMA Compliance Clarification
DHS Inspector General: FEMA Core Databases are Not Secure
SPYWARE, SPAM & PHISHING
Verizon Files Lawsuit Against Florida Company for Allegedly Spamming Mobile Customers
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
New Sober Variant Spreading Quickly
Microsoft Will Patch IE Flaw
Opera Update Addresses Several Vulnerabilities
MISCELLANEOUS
Browser Developers Meet to Discuss Security Enhancements
Allied Irish Bank Updates On Line and Telephone Transaction Security

---

*********************** Sponsored by SANS Webcasts **********************

Please join us for the SANS Tool Talk Webcast, "The Security Pager is Sounding - Can You Respond? How to Build an Effective Incident Management Program" Tuesday, November 29 at 1:00 PM EST (1800 UTC/ GMT) http://www.sans.org/info.php?id=937

*************************************************************************

---

TOP OF THE NEWS

NISCC Director Says Foreign Governments are the Number One Cyber Threat (23/22 November 2005)

According to Roger Cummings, director of the UK's National Infrastructure Security-Coordination Centre (NISCC), the chief cyber threat faced by the country's critical infrastructure comes from foreign governments using targeted Trojan horse programs to steal information. NISCC is working with its counterparts in other, similarly affected countries to thwart the attacks.
-http://news.com.com/2102-7348_3-5967532.html?tag=st.util.print

BitTorrent Reaches Anti-Piracy Agreement with MPAA (23 November 2005)

Following negotiations with the Motion Picture Association of America (MPAA), BitTorrent creator Bram Cohen has said his company will remove links to pirated films from the bittorrent.com search engine. The agreement is limited to content owned by MPAA members and does not cover other search engines listing BitTorrent files. Mr. Cohen's proactive effort ostensibly demonstrates that he has made good faith efforts to prevent his company's technology from enabling the distribution and/or sharing of pirated movies, distinguishing it from other file sharing networks.
-http://www.theregister.co.uk/2005/11/23/bittorrent_mpaa_deal/print.html
-http://news.bbc.co.uk/1/hi/technology/4463372.stm
[Editor's Note (Shpantzer): The MPAA would do well by its member companies to negotiate with P2P companies like BitTorrent to enable paid, legitimate downloads. The built-in potential customer base is staggering. ]

---

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

Dept. of Interior Asks OMB for FISMA Compliance Clarification (23/21 November 2005)

Department of the Interior (DOI) secretary Gale Norton has asked the Office of Management and Budget (OMB) to clarify its interpretations of the requirements for compliance with the Federal Information Security Management Act (FISMA). DOI inspector general Earl Devaney's penetration testing reportedly found that DOI networks were vulnerable to both internal and external unauthorized access. The report concluded that DOI is not in compliance with FISMA. DOI CIO Hord Tipton maintains Devaney's interpretation of FISMA compliance exceeds basic requirements as reflected in his answers in the FY 2005 reporting template. Mr. Tipton also says the report does not take into consideration improvements made during the year that came as a direct result of the IG's testing. Ms. Norton maintains that her department meets FISMA requirements and has asked OMB for a "clearer definition of adequate security."
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&
story.id=37643
-http://www.fcw.com/article91521-11-21-05-Web
[Editor's Note (Schultz): Penetration testing performed by competent and fully authorized individuals and organizations can be very beneficial. At the same time, however, I hate to see the results of penetration tests used in the way they apparently have been in the case of the Department of the Interior. Penetration tests should never in and of themselves be used as the sole evidence for the adequacy of security; they should instead be considered part of a complete set of findings that include among other things security reviews and vulnerability assessments.
(Paller): Gene's criticism is accurate but doesn't go far enough. People who rely on penetration testing as their primary method of deciding whether systems are vulnerable to cyber attacks are either misinformed or lacking in competence. ]

DHS Inspector General: FEMA Core Databases are Not Secure (21 November 2005)

According to a report from Department of Homeland Security (DHS) Inspector General Richard L. Skinner, the Federal Emergency Management Agency (FEMA) has not implemented sufficient security safeguards to protect its core databases. The report acknowledges FEMA has made IT security improvements, such as the development of a contingency plan. FEMA officials agree with the majority of the findings and are taking action.
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story
.id=37600

SPYWARE, SPAM & PHISHING

Verizon Files Lawsuit Against Florida Company for Allegedly Spamming Mobile Customers (23 November 2005)

Verizon has filed a lawsuit in US District Court in New Jersey asking for an injunction to keep Passport Holidays from sending any further spam messages to Verizon mobile phones customers. Verizon is also seeking financial damages from the Florida-based company. The lawsuit alleges that the messages were sent to sequential mobile phone numbers within certain area codes and were sent at rates of up to 200 a minute. The "From" field in the messages was blank; customers called requesting refunds for receiving the spam messages. Verizon says they had US$150,000 in related expenses. Passport Holidays claims that everyone who received a message had "opted-in" to receive such messages.
-http://www.msnbc.msn.com/id/10166148/

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

New Sober Variant Spreading Quickly (24/23 November 2005)

The FBI and the CIA have posted warnings on their web sites about new variants of the Sober worm that pose as messages from the agencies. The worm can also appear to come from Germany's Bundeskriminalamt. The phony email messages say that the government found that the recipient has been visiting illegal web sites and asks the person to click on an attachment to answer some questions. The Sober worm spreads using its own email engine. Sober disables security applications and opens backdoors on infected machines for attackers to exploit. The worm's prolific spreading could cause problems for corporate email gateways. (Please note this site requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2005/11/23/AR2005112302147_
pf.html
-http://news.com.com/2102-7349_3-5969271.html?tag=st.util.print
-http://www.vnunet.com/vnunet/news/2146570/sober-worm-rampage

Microsoft Will Patch IE Flaw (22 November 2005)

Microsoft has said it will release a fix for the recently disclosed Internet Explorer (IE) vulnerability in one of the company's scheduled monthly security updates; the next update is scheduled for release on December 13, although Microsoft did not say whether the fix would be issued that soon. Microsoft has downplayed the seriousness of the flaw, but the researcher who found it gave it an "extremely critical" rating. The flaw reportedly allows attackers to execute malicious code on infected machines; it affects IE 5.0, 5.5 and 6.0 running on Windows XP SP2, Windows Server 2003 SP1 and Windows 2000 SP4. A Microsoft spokesperson said the company would "issue a fix for this issue once the investigation is complete and the update is found to be well engineered and as thoroughly tested as possible."
-http://www.techweb.com/wire/security/174401173%3Bj

Opera Update Addresses Several Vulnerabilities (22 November 2005)

Opera Software has released Opera 8.51, an update that addresses flaws in Macromedia's Flash player and in certain versions of its browser running on Linux and Unix. One flaw found in Opera 7 and Opera 8 running on Linux, FreeBSD or Solaris could allow remote shell command execution on vulnerable systems.
-http://news.zdnet.com/2102-1009_22-5967695.html?tag=printthis
-http://www.opera.com/announcements/en/2005/11/22/

MISCELLANEOUS

Browser Developers Meet to Discuss Security Enhancements (24/23 November 2005)

Developers for several browsers, including Internet Explorer (IE), Mozilla/Firefox, Opera and Konqueror, met in Toronto to share ideas and address problems with Internet architecture and browser technology that contribute to security concerns. All have agreed to begin implementing stronger encryption protocols, which includes dropping SSLv2. They have also agreed to make address bars visible for every window, including pop-ups. Microsoft's anti-phishing plug-in, which will be available for IE7, will color code the address bar to warn users of possible phishing web sites. There was no agreement made as to whether or not Microsoft will make the filter available to the others.
-http://www.vnunet.com/vnunet/news/2146530/browsers-team-certificate
-http://www.theregister.co.uk/2005/11/23/browser_security_summit/print.html
-http://www.pcpro.co.uk/news/80698/web-rivals-team-up-on-security.html
-http://www.dmeurope.com/default.asp?ArticleID=11514
[Editor's Note (Northcutt): Another link that is a bit more technical can be found:
-http://dot.kde.org/1132619164/
I am intrigued by the Microsoft IE7 toolbar approach and I am sure the folks selling certificates are overjoyed, but you can get a lot of the way there right now using the Netcraft toolbar. I have been using it for months and am very satisfied:
-http://toolbar.netcraft.com
(Ranum): The security problems of browsers are not going to be addressed by ADDING NEW STUFF - security is better served by not doing dumb stuff than by trying to do smart stuff. ]

Allied Irish Bank Updates On Line and Telephone Transaction Security (22/19 November 2005)

AIB (Allied Irish Bank) has updated the access procedure for customers wishing to conduct Internet and telephone transactions; instead of entering just two digits from their personal access code (PAC), they are now required to enter three digits. In addition, customers who wish to make money transfers will be given a unique "code card" by the bank; customers will have to provide a randomly selected code from the 100 listed on the card.
-http://www.siliconrepublic.com/news/news.nv?storyid=single5708
-http://www.timesonline.co.uk/article/0,,2095-1879706,00.html

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler,
Jaap-Henk Hoepman, Brian Honan, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz,
Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/