SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #6
February 09, 2005
SANS 2005, in San Diego in early April (on the ocean) is the largest security and audit training conference and exposition in the world. Extraordinary teachers present the most current tools and techniques. Details at http://www.sans.org/sans2005
TOP OF THE NEWS
Proposed 2006 US Budget Calls for Increased IT Security SpendingMicrosoft Announces Sixteen New Security Flaws; Eight Critical
NIST Releases Final Public Draft of Recommended Security Controls for Federal Information Systems
Former AOL Employee Pleads Guilty in Customer Data Theft Case
SAIC Investor Data on Stolen Machines
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCESLouisiana State Worker Acquitted of Illegal Computer Access
Texas High School Student Arrested for Allegedly Stealing Test Information with Keystroke Logger
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Microsoft Introduces Security Cooperation Program for Governments
Missing Los Alamos Disks Never Existed
SPAM & PHISHING
Harry Potter Fans Targeted in Phishing Scam
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
SuSE Releases Patches for Critical Flaws
Microsoft February Update Includes Thirteen Patches
Bropia-F Worm Spreading
MISCELLANEOUS
NIST to Phase Out SHA-1
FBI Shuts Down eMail Network
Source Code Analysis Reveals MySQL has Low Incidence of Bugs
NIST and NSA Create Common Specification Language for Security Checklists
Audit Finds Rootkit on Jabber Server
Heise.de Offers Reward for DDoS Arrest
Linux Kernel Developers Create Vulnerability Mailing List
Netscape Expected to Release Anti-Phishing Browser Beta
******************** Sponsored by BindView Corporation ******************
What can you expect from regulatory compliance enforcement in 2005? What will consolidation mean to operations and security? What will identity management mean to you in 2005? Find out by attending a Webinar "Security and Risk Management Trends for 2005" presented by META Group Security analyst Paul Proctor and sponsored by BindView Corporation. Register at:
http://www.bindview.com/events/GetEvents.cfm?NUM=1342&AD=NS-0209SANS0224WBNR
-Q105
*************************************************************************
Highlighted training programs this week:
Houston, March 10-16, 9 tracks - http://www.sans.org/lonestar05
San Diego, SANS 2005, 17 tracks + vendor expo - http://www.sans.org/sans2005
Sydney, Australia, Feb. 19-26, 5 tracks - http://www.sans.org/darlingharbour05
*************************************************************************
TOP OF THE NEWS
Proposed 2006 US Budget Calls for Increased IT Security Spending (7 February 2005)
President Bush's proposed fiscal 2006 budget designates US$1.685 billion for IT security spending, a 7.2% increase over the previous year. In addition, cyber security and information sharing are now cross-agency lines of business.-http://www.fcw.com/fcw/articles/2005/0207/web-lob-02-07-05.asp
[Editor's Note (Pescatore): This works out that federal security spending is 2.6% of the IT budget. This is up slightly from last year's federal spending (about 2.4%) still a good deal lower than the 3-6% range that is typical in most industries. If the OMB effort to make sure security is baked into federal IT procurements is working, this is OK - security spending can be lower if IT operations emphasizes security - but as the FISMA grades usually show, such operationalization of security isn't apparent at many government agencies.
(Schultz): It is encouraging that the Bush Administration appears to be catching on to the importance of cyber security, as shown by the hefty increased in budgeted IT security spending. ]
Microsoft Announces Sixteen New Security Flaws; Eight Critical (8 February 2005)
Microsoft Corp. released a dozen software patches to cover 16 security flaws -- half of which it deemed "critical" -- in all versions of the Windows operating system and a broad range of popular Microsoft applications such as its Internet chat and media player products.-http://www.washingtonpost.com/wp-dyn/articles/A8723-2005Feb8.html
NIST Releases Final Public Draft of Recommended Security Controls for Federal Information Systems (31 January 2005)
The National Institute of Standards and Technology has published the final public draft of Special Publication 800-53, Recommended Security Controls for Federal Information Systems, which will become a mandatory Federal Information Processing Standard by the end of 2005. The publication is one of seven that NIST will produce as required by the Federal Information Security Management Act. NIST is accepting comments on the draft through Friday, February 11.-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=34930
-http://csrc.nist.gov/publications/drafts/SP-800-53-FinalDraft.pdf
Former AOL Employee Pleads Guilty in Customer Data Theft Case (7 February 2005)
Former AOL employee Jason Smathers has pleaded guilty to conspiracy and interstate transport of stolen property for stealing 92 million customer names and email addresses and selling them to another individual. Sean Dunaway paid US$28,000 for the data which he used to promote his gambling sites before selling them to other spammers; charges against him are pending. Smathers will face up to two years in prison when he is sentenced on May 20; he will also be required to reimburse AOL for the cost of fixing the problem, which is estimated to be between US$200,000 and $400,000.-http://www.theregister.co.uk/2005/02/07/aol_email_theft/print.html
SAIC Investor Data on Stolen Machines (4/3 February 2005)
Several computers containing names, social security numbers and other personal data belonging to 45,000 current and former Science Applications International Corp. shareholders have been stolen from an SAIC administrative building in San Diego, CA. SAIC has begun informing those affected by the security breach. There is no evidence that the thieves were after the data. In a separate story, three computers stolen from an automobile sales company in Japan's Shiga Prefecture contained data, including some credit card numbers, belonging to nearly 1,700 customers. Officials say the data cannot be accessed without passwords.-http://www.securityfocus.com/printable/news/10419
-http://www.saic.com/cover-archive/announce/012805.html
-http://mdn.mainichi.co.jp/news/20050204p2a00m0dm012000c.html
************************** SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) ALERT: Google Hacking/Web Application Worms- Are You Vulnerable?- WebInspect Product Trial
http://www.sans.org/info.php?id=723
(2) Compliance regulators and industry experts define frameworks and best practices for log data management. Click now for FREE white paper and LIVE product demonstration.
http://www.sans.org/info.php?id=724
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Louisiana State Worker Acquitted of Illegal Computer Access (3 February 2005)
Louisiana state worker Andrew Mata has been found not guilty of offenses against intellectual property for accessing the Department of Social Services computer system. The charge related to an incident in 1999 in which Mata, who was then working with the Department of Health and Hospitals, used a Social Services computer worker's codes to access that department's system elevating his privileges. Mata had previously worked for DSS; when he left that position, his access privileges were lowered. Mata maintained that his access should have been the same on both systems so he could address anticipated Y2K issues. He also said that he did not consider accessing the system through a backdoor wrong because the program he entered was in a testing phase and had no data stored on it.-http://2theadvocate.com/stories/020305/new_x_mata001.shtml
-http://www.nola.com/newsflash/louisiana/index.ssf?/base/news-14/1107439657128520
.xml&storylist=louisiana
-http://www.2theadvocate.com/stories/020205/new_hacking001.shtml
Texas High School Student Arrested for Allegedly Stealing Test Information with Keystroke Logger (1 February 2005)
A Texas high school student has been arrested for allegedly attaching a keystroke logger to a teacher's computer, stealing test information and selling that information to other students. The teen was charged with breach of computer information, a Class B misdemeanor which carries a sentence of 180 days in jail or a US$2,000 fine. Police in area school districts sent out alerts about the keystroke logging device so that teachers could be made aware of the potential problem.-http://www.click2houston.com/education/4152951/detail.html
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Microsoft Introduces Security Cooperation Program for Governments (3/2 February 2005)
Through Microsoft's Security Cooperation Program (SCP), government agencies will receive information and advice about security issues; participating governments will also get advance notice about upcoming security updates as well as information on known vulnerabilities and those still being investigated. Canada, Chile, Norway and Delaware have signed up for the program, which was announced at the company's Government Leaders Forum in Prague; a fifth government member will be announced soon. SCP is part of Microsoft's Government Security Program, which currently boasts 36 members, allows participants to review source code to 'allay fears of" backdoors.-http://asia.cnet.com/news/software/printfriendly.htm?AT=39216031-39037051t-39000
001c
-http://www.computerworld.com/printthis/2005/0,4814,99439,00.html
Missing Los Alamos Disks Never Existed (1 February 2005)
A report from the National Nuclear Security Administration (NNSA) concluded that the two disks that were believed to be missing from Los Alamos National Laboratory never actually existed. Bar codes were created for the disks, but the disks were never made. The NNSA has slashed fees paid to the Laboratory for fiscal 2004 by two-thirds -- US$2.9 million instead of the US$8.7 million that was expected. The laboratory, which is managed by the University of California, has an annual budget of approximately US$2.2 billion. Despite the fact that the disks never existed, NNSA Administrator Linton Brooks cited "major weaknesses in controlling classified material" and said the University must be held accountable.-http://www.computerworld.com/printthis/2005/0,4814,99425,00.html
-http://www.abqtrib.com/albq/nw_state/article/0,2564,ALBQ_19863_3508091,00.html
SPAM & PHISHING
Harry Potter Fans Targeted in Phishing Scam (2 February 2005)
Harry Potter author J.K. Rowling has issued a warning to her fans not to trust any one purporting to be selling electronic copies of the upcoming sixth installment in the popular series. Ms. Rowling's lawyers managed to get one phony web site closed down, but it is likely there will be others. The people behind the scam are believed to be collecting personal financial data.-http://www.computerworld.com/printthis/2005/0,4814,99442,00.html
-http://www.techweb.com/wire/security/59300503
[Editor's Note (Pescatore, smiling): OK, *now* they've gone too far. Stealing identities is one thing, but ripping off Harry Potter??? ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
SuSE Releases Patches for Critical Flaws (7 February 2005)
Novell's SuSE has released several patches for highly critical vulnerabilities in SuSE eMail Server 3.x, Linux Database Server, Linux Enterprise Server 9 and LinuxOffice Server. The flaws addressed include cross-site scripting, denial-of-service and spoofing. SuSE's practice of sending out weekly bundled updates has made it difficult to determine which patches are critical and which are less so.-http://news.com.com/2102-1002_3-5565997.html?tag=st.util.print
Microsoft February Update Includes Thirteen Patches (4 February 2005)
Microsoft's monthly security update for February includes thirteen patches including nine Windows updates and critical updates for Office and Visual Studio and Windows, Windows Media Player and MSN Messenger.-http://www.computerworld.com/printthis/2005/0,4814,99532,00.html
[Editor's Note (Schultz): Microsoft's strategy, in which it announces a group of hotfixes once a month, is really very clever from a public relations perspective; it tends to make the public think that there are fewer vulnerabilities than there really are. Doing the opposite--releasing a separate bulletin for each vulnerability--would in all likelihood cause the public to react much more negatively. ]
Bropia-F Worm Spreading (4/3 February 2005)
The Bropia-F worm spreads through MSN Messenger and installs a variant of Agobot on systems it infects, which can be used to log keystrokes, collect system information and act as a spam relay. It spreads by offering pictures to IM contacts of infected machines. Bropia-F affects MSN messenger running on Windows 95, 98, ME, NT, 2000 and XP.-http://www.theregister.co.uk/2005/02/04/msn_messenger_bropia_worm/print.html
-http://www.newsfactor.com/story.xhtml?story_title=Worm-Targets-MSN-Messenger&
;story_id=30208
-http://news.zdnet.com/2102-1009_22-5562129.html?tag=printthis
MISCELLANEOUS
NIST to Phase Out SHA-1 (7 February 2005)
The National Institute of Standards and Technology plans to phase out the SHA-1 (Secure Hashing Algorithm 1) hash function and start using SHA-256 and SHA-512. William Burr, manager of NIST's security technology group, says that SHA-1 is not broken, but cryptographic advances will encourage a shift to alternatives in the next five years. Burr went on to say that other hash functions, such as MD5, are vulnerable to attack and should no longer be used.-http://www.fcw.com/fcw/articles/2005/0207/web-hash-02-07-05.asp
FBI Shuts Down eMail Network (7/5/4 February 2005)
FBI officials have shut down a commercial email server that bureau workers used to communicate with the public. The server had apparently been compromised by an attacker who has allegedly been accessing secure FBI email for the last several months. This particular network was used for unclassified communications.-http://www.fcw.com/fcw/articles/2005/0207/web-fbi-02-07-05.asp
-http://www.msnbc.msn.com/id/6919621/site/newsweek
-http://story.news.yahoo.com/news?tmpl=story&cid=562&ncid=738&e=3&
;u=/ap/20050205/ap_on_hi_te/fbi_computers
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&stor
y.id=35019
[Editor's Note (Grefer): Given that this was the public e-mail server of the FBI, it is mind-boggling that clear text transmissions were used for email retrieval and transmission. The FBI should be well aware that it is a target of choice; therefore, it would have been prudent to use - - at a minimum - APOP, rather than POP, for email retrieval, allowing for encrypted authentication, or - better - should have used POP or IMAP, as well as SMTP, over an SSL connection. ]
Source Code Analysis Reveals MySQL has Low Incidence of Bugs (4 February 2005)
A source code analysis of the MySQL database conducted by Coverity found that the program has fewer flaws than (comparable) commercial code. MySQL averaged approximately one flaw for every 4,000 lines of code; commercial software has between one and seven flaws for every 1,000 lines of code. MySQL, the company that develops and maintains the open-source program, requested the audit and has fixed the problems that were found.-http://news.com.com/2102-1002_3-5563918.html?tag=st.util.print
[Editor's Note (Pescatore): Comparing errors/SLOC of products is very dependent on where in the product life cycle the numbers are taken, but one benefit of open source code is that numbers like this can be publicly evaluated.]
NIST and NSA Create Common Specification Language for Security Checklists (4 February 2005)
The National Institute of Standards and Technology and the National Security Agency have developed the Extensible Configuration Checklist Description Format, a common specification language to help organizations write security checklists and other pertinent documents to ensure all the systems in a given infrastructure conform to the same set of specifications. The language should help improve the speed of information sharing and the automation of testing and monitoring.-http://www.fcw.com/fcw/articles/2005/0131/web-nistnsa-02-04-05.asp
Audit Finds Rootkit on Jabber Server (2 February 2005)
An audit of the Jabber Software Foundation's web servers, which was prompted by an intrusion in January 2005, revealed the presence of a rootkit on the machine that hosts jabber.org and the JabberStudio service. The machine was evidently compromised more than a year ago, but has been rebuilt and locked down. Developers are encouraged to validate their code.-http://www.theregister.co.uk/2005/02/02/jabber_attack/print.html
[Editor's Note (Grefer): In addition, users who have a Jabber account at jabber.org might be well advised to change their passwords. ]
Heise.de Offers Reward for DDoS Arrest (2 February 2005)
German language IT news site Heise.de is offering a 20,000 Euro reward for information leading to the arrest of those responsible for a distributed denial-of-service (DDoS) attack against the German tech publication's web site. At its height, the attack disabled the site for five hours.-http://www.theregister.co.uk/2005/02/02/heise_ddos/print.html
-http://www.heise.de/english/newsticker/news/55841
Linux Kernel Developers Create Vulnerability Mailing List (2 February 2005)
Linux kernel developers have created a mailing list so they can share information about vulnerabilities. Some developers have expressed concern that important information was getting lost in the sea of email the kernel team receives. In a related piece, columnist and threat analyst Jason Miller voices concern over the way the Linux kernel handles security.-http://news.com.com/2102-1002_3-5561031.html?tag=st.util.print
-http://www.securityfocus.com/printable/columnists/296
Netscape Expected to Release Anti-Phishing Browser Beta (1 February 2005)
Netscape is expected to release a beta version of its Netscape 8 web browser on February 17. Netscape is negotiating with a variety of security companies to receive "frequently updated lists" of sites suspected of affiliation with spyware, phishing and other cyber threats. When users access one of the blacklisted sites, Netscape 8 would flash warnings and disable certain features, such as ActiveX and cookies.-http://asia.cnet.com/news/security/printfriendly.htm?AT=39215503-39037064t-39000
005c
[Editor's Note (Pescatore): This type of security increase to browsers has been badly needed for several years. It will be good to see Microsoft Internet Explorer and Mozilla Firefox react with similar security enhancements.
(Grefer): Users concerned about drive-by-downloads and similar exploits might want to take a look at SpywareBlaster in the meantime:
-http://www.javacoolsoftware.com/spywareblaster.html
(free for personal and educational use). ]
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/