SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VII - Issue #58

December 02, 2005

A little help, if possible:
SANS 2006 (Orlando, Feb-Mar) has all the most popular SANS security and audit and management courses taught by the best teachers of those topics in the world, and those classes will fill up and people will learn a lot and their security will improve. The problem is that, at SANS 2006, we also have several other classes that are designed for developers and that are just as good - one on Secure Programming, one on Securing Oracle, and one on Developing a Secure Internet Presence. Because these are for developers, most of whom don't get NewsBites, these classes will not do as much good. So here's the request. If you have attended a SANS class and know how good they are, would you share this note with your developers and Oracle programmers and web site managers so they can get the training they need to improve the security of their systems - systems that are now the main target of attackers? Thanks in advance.

Here's the URL: http://www.sans.org/sans2006/

Alan

---

TOP OF THE NEWS

NASA Inspector General Notes Improvement in IT Security
Trojan Exploits Unpatched IE Flaw
Code Injection Flaw in Cisco IOS Web Server Code
DSW Agrees to Improved Security Practices as Part of Settlement

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
System Administrator Who Caused Physical Damage and Power Failures Draws Seven Year Sentence
SPYWARE, SPAM & PHISHING
IRS Warns of Phishing Scam
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
IM Worms Increasing
Apple Releases Cumulative Update for Mac Os X
New Java Release Addresses Three Vulnerabilities
Format String Vulnerability in Perl More Serious than Previously Thought
Exploit Code Posted for Windows MSDTC Flaw
MISCELLANEOUS
Diebold Suffers Setback in North Carolina

---

************************** Sponsored by Qualys **************************
Audit your Network for Security Weaknesses
Are you confident your network is secure? Get a FREE Network Security check from Qualys and find out the necessary fixes to proactively guard your network. No software downloads required. Qualys is the easiest solution to manage vulnerabilities and achieve compliance.
Get a Free Trial today!
http://www.sans.org/info.php?id=950
*************************************************************************

---

TOP OF THE NEWS

NASA Inspector General Notes Improvement in IT Security (30 November 2005)

NASA inspector general (IG) Robert Cobb has removed IT security from the list of the agency's most serious management and performance challenges. Mr. Cobb credits the improvements to NASA CIO Patricia Dunnington, who has "implemented policies and procedures that strengthen the Agency's IT security and internal controls over sensitive information" in accordance with recommendations made in the NASA IG's October 2004 report.
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&
story.id=37675
-http://www.hq.nasa.gov/office/oig/hq/SeriousChallenges2005.pdf
[Editor's Note (Schultz); Success stories in the practice of IT security (especially within the government arena) are not all that prevalent. I just hope that those who "turned the corner" with respect to NASA's IT security, Patricia Dunnington included, get the recognition that they so richly deserve. ]

Trojan Exploits Unpatched IE Flaw (1 December/30/28 November 2005)

The Delf-DH Trojan horse program exploits an unpatched vulnerability in Microsoft Internet Explorer (IE). Delf-DH downloads malware onto infected computers, changes the computer's settings to allow the user to be monitored and redirects web surfers to certain sites. US-CERT recommends that users disable Active Scripting until a patch is available. The flaw affects fully patched Windows 2000 and XP systems. There is some speculation that the situation is serious enough to impel Microsoft to release an out-of-cycle patch.
-http://www.theregister.co.uk/2005/12/01/ie_exploit_trojan/print.html
-http://www.eweek.com/print_article2/0,1217,a=166469,00.asp
-http://www.security.ithub.com/print_article/Unpatched+IE+Flaw+Is+Worse+Than+Expe
cted/166164.aspx
[Editor's Note (Tan): Microsoft has updated its Security Advisory pertaining to this vulnerability to include proof of concept code and malicious software. In addition, it also makes reference to Windows Live Safety Center which allows you to scan your system for viruses and improve your system's performance. More details can be obtained from:
-http://safety.live.com/
-http://isc.sans.org/diary.php?storyid=871
-http://www.microsoft.com/technet/security/advisory/911302.mspx
-http://www.microsoft.com/security/encyclopedia/details.aspx?name=TrojanDownloade
r:Win32/Delf.DH]

Code Injection Flaw in Cisco IOS Web Server Code (30 November 2005)

A vulnerability in the web server code in Cisco's IOS software could allow attackers who know a device's IP address to obtain administrative control or run arbitrary code. The flaw would let attackers "view a memory dump of an IOS router via the HTTP server and inject script code into the router through the HTTP server." Only Cisco routers running IOS HTTP servers are vulnerable. Cisco is aware of the problem and is investigating.
-http://www.networkworld.com/news/2005/113005-cisco-ios.html
[Editor's Note (Tan): Cisco has released an advisory on the workarounds to mitigate the threat. No patch is available at this point of time.
-http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml]

DSW Agrees to Improved Security Practices as Part of Settlement (1 December 2005)

DSW, a shoe retailer, has agreed to strengthen its security practices to settle federal charges following its acknowledgment this spring that cyber thieves broke into its computer network and compromised the security of data belonging to more than 1.4 million customers. Some of those whose data were stolen have reported fraudulent activity on their debit card, credit card and checking accounts. The Federal Trade Commission said DSW created unnecessary risk by storing the data unencrypted and with insufficient security measures. The settlement includes a provision mandating security audits every two years for the next 20 years.
-http://www.eweek.com/print_article2/0,1217,a=166534,00.asp

---

************************* Sponsored Links: ******************************

1) Log data management should be the cornerstone of any organization's PCI compliance strategy. LogLogic can help. FREE Webcast!
http://www.sans.org/info.php?id=951

2) ALERT: YOU vs Sober/Zotob/Bagle Variants? Is Your Internal Network Safe? Download FREE White Paper "Zotob: Zero-Hour Detection and Response"
http://www.sans.org/info.php?id=952

3) SANS School Store is running a 50% off sale for two weeks on selected Step-by-Step guides through the SANS School Store! Some prices dropped below $20.
https://store.sans.org/store_category.php?category=stepxstep

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

System Administrator Who Caused Physical Damage and Power Failures Draws Seven Year Sentence (1 December 2005)

Joseph D. Konopka has been sentenced to seven years in federal prison for breaking into computers and causing power failures in Wisconsin, affecting 30,000 customers. In August 2005, Mr. Konopka pleaded guilty to 11 felonies including conspiracy, creating counterfeit software and interfering with computers. Mr. Konopka was also ordered to pay US$436,000 in restitution and undergo three years of supervised release after he completes his prison term. Mr. Konopka is currently serving a 13-year sentence for chemical weapons possession.
-http://www.cnn.com/2005/LAW/12/01/dr.chaos.ap/index.html

SPYWARE, SPAM & PHISHING

IRS Warns of Phishing Scam (30 November 2005)

The US Internal Revenue Service has warned of a phishing scheme that pretends to be notification of a refund, but which actually redirects people to a maliciously constructed web site in order to try to steal Social Security numbers, credit card data and other sensitive information.
-http://www.msnbc.msn.com/id/10268811/
-http://www.irs.gov/newsroom/article/0,,id=151065,00.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

IM Worms Increasing (30 November 2005)

Worms that target instant messaging (IM) services are growing more prevalent and more sophisticated. Sixty-two IM worms were detected in November, 2005, a 226 percent increase over October. Of those 62 worms, 58 were variants of earlier ones; 36 percent of the IM worms were designed to target more than one public network.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39239132-39020375t-10000025c

Apple Releases Cumulative Update for Mac Os X (30 November 2005)

Apple has released a cumulative update for the Mac OS X operating system. The update addresses 13 flaws, that could be exploited to allow remote code execution, cross-site scripting and spoofing. The most serious flaws are the remote code execution vulnerabilities in CoreFoundation, Curl and Safari.
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4891
Internet Storm Center:
-http://isc.sans.org/diary.php?storyid=905

New Java Release Addresses Three Vulnerabilities (29 November 2005)

A new release of Java addresses Java Runtime Environment (JRE) vulnerabilities described in three separate bulletins. Each of the flaws could allow maliciously crafted Java applets to escalate their privileges which would in turn allow the applet to read and write local files and execute applications with the users' privileges. The flaws affect Windows, Linux and Unix platforms; they also affect the Java Software Development Kit (SDK).
-http://www.computerworld.com/printthis/2005/0,4814,106607,00.html
-http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-102050-1
-http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-102003-1
-http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-102017-1
Internet Storm Center:
-http://isc.sans.org/diary.php?storyid=906

Format String Vulnerability in Perl More Serious than Previously Thought (29 November 2005)

A format string vulnerability in Webmin, a web-based administration utility written in Perl, can reportedly be exploited to take root control of machines running the flawed software. Format string vulnerabilities in Perl were previously thought to be exploitable only for denial-of-service attacks. It was not believed until now that such a flaw could be exploited to execute code remotely.
-http://news.zdnet.com/2102-1009_22-5975954.html?tag=printthis

Exploit Code Posted for Windows MSDTC Flaw (28 November 2005)

Exploit code for a critical Windows component vulnerability has been posted to the Internet. Microsoft released a patch for the flaw in its Microsoft Distributed Transaction Coordinator (MSDTC), a transaction processing component for Windows, in its October update. However, some users have reported difficulties applying the update. The flaw could be exploited to crash unpatched computers.
-http://news.com.com/2102-7349_3-5974290.html?tag=st.util.print
-http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx
Internet Storm Center:
-http://isc.sans.org/diary.php?storyid=897

MISCELLANEOUS

Diebold Suffers Setback in North Carolina (29 November 2005)

A North Carolina judge has denied Diebold's request for an injunction to protect the company from prosecution under a new law requiring electronic voting machines suppliers to make all of their code available for examination by election officials in the event of a voting discrepancy. Breaking the law is considered a low-level felony offense and carries a civil penalty of up to US$100,000 per violation. Diebold is concerned that it cannot meet the requirements because Microsoft owns some of its code and Diebold does not have the authority to make that code public. The judge's decision was based on the fact that Diebold has not been charged with breaking the law; the judge also declined to offer an interpretation of the law to ease Diebold's concerns. Diebold may decide not to sell its products in North Carolina as a result of the judge's decision.
-http://www.wired.com/news/print/0,1294,69708,00.html
[Editor's Note (Pescatore): Microsoft has source review licensing available for government bodies, hard to believe that this obstacle couldn't be overcome if that was truly the issue. Editor's Note (Schultz): Setbacks such as this one will ultimately force makers of eVoting machines to quit resisting measures designed to ensure that the eVoting machines produce fair results.
(Tan): It is common to request for code review, with NDA in place, for systems that may impact national security, and evoting systems should be subjected to such scrutinizing. Using Microsoft code as a reason is not a strong case since Microsoft does has a Government Security Program some years back to allow controlled access to Microsoft Windows source code.
-http://www.microsoft.com/presspass/press/2003/jan03/01-14GSPrelease.mspx
(Schneier): If Diebold chooses not to sell its machines in North Carolina rather than make its source code available for examination, the best thing the other 49 states could do would be to enact similar legislation. ]

---

===end===

NewsBites Editorial Board: Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler, Jaap-Henk Hoepman, Brian Honan, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/