SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #59
December 06, 2005
A new section this week: The Application Security Hall of Shame. We'd
love your feedback and suggestions for who should be the second inductee.
Alan
TOP OF THE NEWS
Gartner Survey Shows More Companies are Backing Up Data
Google Adds Security Scanning to Gmail
Wiretap Technology Flaw Allows Targets to Elude Recorder
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Court Upholds Cyber Extortion Conviction
SPYWARE, SPAM & PHISHING
180solutions Seeks Injunction to Halt Spyware Designation
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
German Police Seize Servers Containing Pirated Content
New York Attorney General Addresses Sony BMG DRM Issue
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Sober Variant Delaying Some eMail Traffic
IE Flaw Puts Google Desktop Users at Risk for Data Theft
ATTACKS & INTRUSIONS & DATA THEFT
UK Tax Credit Portal Closed in Wake of Fraudulent Claims
Podcast Hijacking Illustrates RSS Squatting Vulnerability
MISCELLANEOUS
National Vulnerability Database Adopts Common Vulnerability Scoring System
SPECIAL SECTION: Application Security Hall of Shame
Application Vendor Demands Unnecessary Administrative Privileges Violates Policy of Least Privilege
TOP OF THE NEWS
Gartner Survey Shows More Companies are Backing Up Data (1 December 2005)
Results of a Gartner survey indicate that while the number of companies backing up their data has increased significantly in the wake of this fall's hurricanes, most companies are encrypting their backups but are keeping those backups at local sites where they are still vulnerable to physical disasters that threaten the company. Of 104 North American IT managers surveyed, 45 percent back up data to another disk; that figure is up from six percent in 2004. However, 70 percent of those who back up their data save it to a local device. A Gartner analyst says that if companies truly want to keep their data safe, they should copy it electronically to an off-site facility. Survey results also show that companies are growing more amenable to using third-party managed storage service providers.
-http://www.computerworld.com/printthis/2005/0,4814,106641,00.html
[Editor's Note (Honan): Storing backup data in a secure offsite facility is a critical component of any backup strategy. Equally important, and often overlooked, is testing the recovery mechanism to ensure the data can be retrieved in a timely manner from the offsite location. ]
Google Adds Security Scanning to Gmail (3/2 December 2005)
Google has introduced a security scanning service to Gmail that checks all attachments accompanying mail sent and received by users. When the software finds an infected file in an attachment, it will try to scrub the file to allow it to be read; if it is unable to remove the malware, the file will be locked to prevent the malware from being downloaded. Some users are complaining that the service cannot be turned off and that Google has not named the vendor who supplied the technology. Users have also voiced disappointment that Google is retaining its policy of blocking all executable attachments.
-http://news.com.com/2102-7349_3-5980482.html?tag=st.util.print
-http://www.computerworld.com/printthis/2005/0,4814,106758,00.html
Wiretap Technology Flaw Allows Targets to Elude Recorder (1 December/30 November 2005)
A vulnerability in wiretapping technology used by law enforcement agents could be exploited to trick the FBI's wiretapping system into turning the recorder off during a phone call. Those being wiretapped could also disguise the numbers that are dialed. An FBI spokesperson says that the vulnerability exists in about 10 percent of state and federal wiretaps.
-http://news.com.com/2102-1036_3-5976523.html?tag=st.util.print
-http://www.theregister.co.uk/2005/12/01/wiretap_exploit/print.html
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Court Upholds Cyber Extortion Conviction (2 December 2005)
A three-judge panel of the 8th Circuit Court of Appeals upheld the conviction of Thomas Eli Ray for trying to extort US$2.5 million from Best Buy. Mr. Ray was convicted in October 2004 on two counts of extortion for sending threatening email messages to Best Buy, demanding payment if they wanted to keep their computer systems from being breached.
-http://news.com.com/2102-7350_3-5980008.html?tag=st.util.print
SPYWARE, SPAM & PHISHING
180solutions Seeks Injunction to Halt Spyware Designation (2/1 December 2005)
180solutions has filed a lawsuit against Zone Labs for identifying the application as spyware and a "potential threat to the user's security and/or privacy." 180solutions maintains the claims are false and is seeking both monetary damages and an injunction forcing Zone Labs to stop classifying its products as spyware. Zone Labs says that 180solutions' products try to monitor users' keystrokes and mouse movements. 180solutions was sued in September 2005 for installing spyware; the company says it has recently made a concerted effort to clean up its image and now requires its affiliates to abide by strict guidelines. The company recently helped the FBI track down someone who has abused the company's affiliate system.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39295210-39000005c
-http://www.securityfocus.com/brief/68
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
German Police Seize Servers Containing Pirated Content (2 December 2005)
German police have seized five servers that contain six terabytes of pirated movies and games. People were able to access the servers with the illegal content for a payment of €30 to €120 a month. Police have also arrested at least one person. People who used the servers may also face legal consequences.
-http://www.theregister.co.uk/2005/12/02/warez_servers/print.html
New York Attorney General Addresses Sony BMG DRM Issue (29 November 2005)
Sony BMG's trouble with the digital rights management (DRM) software on some CDs has caught the attention of New York Attorney General (AG) Eliot Spitzer. The AG's office sent undercover investigators to retail music stores in New York where they were able to purchase Sony BMG CDs with the DRM in place despite the fact that the disks were recalled. Spitzer's office has advised consumers not to purchase the affected disks and to return any disks they have already purchased for a refund. Consumers have also been cautioned not to play the CDs in question in their computers. Spitzer has also called for merchants to pull the affected disks from their shelves.
-http://businessweek.com/technology/content/nov2005/tc20051128_573560.htm
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Sober Variant Delaying Some eMail Traffic (2 November 2005)
A variant of the Sober worm, Win32/Sober.Z@mm, is clogging servers at MSN and Hotmail, delaying email traffic between users of Microsoft's email services and Comcast users. Comcast users have been getting error messages that say the emails they sent to MSN and Hotmail accounts were not received. Microsoft says that some mail may be delayed, but will be delivered eventually.
-http://news.com.com/2102-7349_3-5980987.html?tag=st.util.print
IE Flaw Puts Google Desktop Users at Risk for Data Theft (2 December 2005)
A flaw in the way Internet Explorer (IE) processes web pages could allow attackers to steal sensitive information from Google Desktop users' hard drives. The vulnerability lies in "the way IE processes web page layout information using the Cascading Style Sheets format." People would need to be tricked into visiting a malicious web site for the attack to work. IE6 is known to be vulnerable to the attack; other versions may be vulnerable as well. There is currently no patch available for the flaw, but users can protect themselves by disabling active scripting in IE.
-http://www.computerworld.com/printthis/2005/0,4814,106725,00.html
-http://www.eweek.com/article2/0,1895,1895579,00.asp
ATTACKS & INTRUSIONS & DATA THEFT
UK Tax Credit Portal Closed in Wake of Fraudulent Claims (5/2 December 2005)
The UK's HM Revenue & Customs (HMRC) has closed its online tax credit system portal following the discovery of fraudulent claims. It is not clear if attackers broke into the system or if the fraudulent claims were made with insider assistance. There is an investigation into the use of 1,500 Department for Work and Pensions (DWP) staff identities in the commission of the fraudulent claims.
-http://www.theregister.co.uk/2005/12/05/hmrc_credit_portal/print.html
-http://news.bbc.co.uk/2/hi/business/4493008.stm
-http://www.vnunet.com/vnunet/news/2147114/uk-tax-credit-website-shut-due
-http://www.silicon.com/publicsector/0,3800010403,39154779,00.htm
Podcast Hijacking Illustrates RSS Squatting Vulnerability (2 December/30 November 2005)
eWeek's Lisa Vaas provides an excellent step-by-step explanation of how an extortionist hijacked vegan podcaster Erik Marcus's podcast. The person responsible has demanded money or "permanent agreement to terms" before the podcast will be released. Mr. Marcus has retained an intellectual property rights lawyer.
-http://www.eweek.com/print_article2/0,1217,a=166472,00.asp
-http://www.toptechnews.com/story.xhtml?story_id=39861
MISCELLANEOUS
National Vulnerability Database Adopts Common Vulnerability Scoring System (2 December 2005)
The National Vulnerability Database has converted to the Common Vulnerability Scoring System. Scores have been assigned to more than 13,000 previously listed vulnerabilities. CVSS gives each vulnerability a base score to describe its severity, a temporal score to describe its current danger and an environmental score that describes "an organizations' reliance on the vulnerable systems." Some software vendors have expressed concern about adopting CVSS; they fear they would face liability if a vulnerability to which they have assigned a low risk turns out to be a significant attack vector.
-http://www.securityfocus.com/news/11360
[Editor's Note (Schultz): I'd feel more confident about CVSS scores if the assignment scores were done entirely by individuals who were not affiliated with companies and organizations whose products' vulnerabilities are being scored. The possibility of conflict of interest by employees and consultants of such companies and organizations exists. ]
SPECIAL SECTION: Application Security Hall of Shame
Application Vendor Demands Unnecessary Administrative Privileges Violates Policy of Least Privilege
This new section allows the user community to share intelligence on applications that require users to lower their barriers to cyber attacks. Now that the US Air Force has established a minimum standard of due care, soon to be adopted by other government agencies, there is a standard against which to measure the application designers' security decisions.
The first inductee into the Application Security Hall of Shame is QuickBooks.
The latest release of Intuit's QuickBooks, widely used by accountants and businesses, negates the security attributes of the underlying operating system (e.g., Windows) on a computer using this Intuit product. Installation and operation of QuickBooks requires granting operating system "Administrative privileges" to the user, giving users complete control over the security features of the computer on which it is installed. In an enterprise setting, this hinders the organization's ability to ensure security policies are implemented appropriately for password control, user privileges, and other security disciplines for a computer with QuickBooks installed. This is an unfortunately perfect example of an application software product demolishing the security capabilities of the underlying operating system. Computers with unprotected operating systems are easy pickings for would-be intruders looking for personal identity and financial information in QuickBooks files.
In response to NewsBites' recognition, Brad Smith, senior vice president of QuickBooks, confirmed on December 2, 2005 that this problem will be fixed in the next major release (QuickBooks 2007), scheduled for delivery within 12 months.
===end===
NewsBites Editorial Board:
Kathy Bradford, Clint Kreitner, Rohit Dhamankar, Roland Grefer, Richard
Hayler, Jaap-Henk Hoepman, Brian Honan, Stephen Northcutt, Alan Paller,
John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal
Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/