
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #60

December 09, 2005


Three short notes this week:

1. NewsBites editor's quote of the day (in the context of the last story
in this issue) "Seeing the little padlock in the browser is meaningless
... it implies absolutely no authentication or identification." (John
Pescatore)

2. If you handle Microsoft Tuesday for a large organization with
multiple sites and at least some computers you cannot allow to go down,
one of the top news organizations in the country wants to profile a
typical Microsoft Tuesday and would like your help. Could be
enlightening for the whole community. Email me by Friday night
(paller@sans.org) and I'll introduce you to the news organization.

3. If you are involved in log monitoring (every organization should have
at least one person doing that) and if you have figured out which reports
make a difference, email us and we'll trade the list of 20 such reports
we have compiled for your list of "most useful log monitoring reports."
(info@sans.org subject: Log Monitoring)

TOP OF THE NEWS

Bot Worm Chats with IM Users
Security Breach Analysis Finds Identity Fraud Concerns are Overstated
FBI: Damaging Cyber Attack on US Critical Infrastructure Unlikely

THE REST OF THE WEEK'S NEWS

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Privilege Escalation Attack in Sony BMG CD Anti-Piracy Technology
Kazaa Parent Company Accused of Ignoring Australian Court Order
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft's December Security Update to Include Two Bulletins
Google Desktop Modified to Protect Users from Unpatched IE Flaw
ATTACKS & INTRUSIONS & DATA THEFT
University of San Diego Criticized for Poor Breach Notification Letter
STANDARDS & BEST PRACTICES
South Korea Establishes Guidelines for Safe Online Financial Transactions
STATISTICS, STUDIES & SURVEYS
BSA Survey Finds Software Piracy Rate Down Just One Percent From Last Year
Study Finds Home Users' Computers Still Not Very Well Protected
MISCELLANEOUS
GAO Study: Five Percent of Domain Names Registered with Phony Contact Data


************************** Sponsored by Permeo **************************

Get CSO advice on Information Theft Join Bob West (former CISO Fifth Bank & ISO BankOne) and analyst Mark Bouchard, CISPP, for a webcast series on preventing information theft. Get advice on how to develop a comprehensive security program to protect information in your end-to-end data chain. The series also includes 10-minute tutorials on Keyloggers, Phishing and Endpoint security. View now! http://www.sans.org/info.php?id=960

*************************************************************************

TOP OF THE NEWS

Bot Worm Chats with IM Users (7/6 December 2005)

A recently detected Instant Messenger bot worm, IM.Myspace04.AIM, talks with users. Computers become infected when users click on a URL that accompanies the phony IM message. The bot replies to responses to the initial message, making it seem as if the known user is conversing with the recipient. It infects computers of AIM users and sends messages to addresses on the user's AIM buddy list. The worm disables security software and installs a backdoor program on the computer. Another IM bot worm, Aimdes.E, has been spreading in the guise of an electronic greeting card.
-http://www.computerworld.com/printthis/2005/0,4814,106832,00.html
-http://news.com.com/2102-7349_3-5984845.html?tag=st.util.print
[Editor's Note (Pescatore): It probably took hundreds of thousands of years of burnt fingers for humans to evolve a reflex to pull back from heat. It took about 2 years of successful large scale phishing attacks before consumers began to mistrust URLs embedded in email. Hopefully that faster evolutionary rate will apply to URLs within IM messages, too.
(Schmidt): There are tools available to better protect IM clients, but these protections have not been widely adopted. It would be too much to expect this news to be a wake up call, but I hope it will get some attention.
(Shpantzer): If malware is going to impersonate people, we need to verify the presence of a human in the loop. Luckily, computer scientists at Carnegie Mellon came up with just such a tool to weed out spambots that were autoregistering massive amounts of email addresses with Yahoo! and Hotmail. Most of us have experienced the technology that asks us to input the distorted character set, called a Gimpy.
-http://www.captcha.net/cgi-bin/gimpy ]

Security Breach Analysis Finds Identity Fraud Concerns are Overstated (8 December 2005)

An analysis of four data security breaches of electronic databases found that concerns about the information being used for identity fraud might be exaggerated. Furthermore, the study indicates that if the people whose information was compromised are notified of the breach, the thieves may be less likely to use the stolen data fraudulently. The computerized analysis calculated the rate of data misuse to be 0.098 percent, or less than 1 in 1000.
-http://www.signonsandiego.com/uniontrib/20051208/news_1b8identity.html

FBI: Damaging Cyber Attack on US Critical Infrastructure Unlikely (7 December 2005)

The FBI said that terrorists do not have the capabilities to damage the nation's critical infrastructure via the Internet, but did say that foreign governments are likely behind cyber intrusions attempting to obtain sensitive military and technological data. There is no definitive proof that the intrusions are state sponsored.
-http://news.zdnet.com/2102-1009_22-5986099.html?tag=printthis


************************* Sponsored Link: *******************************

1) SSH Tectia, from the original Secure Shell Developer - SSH! Replace unsecure telnet and FTP! FREE White Papers!! http://www.sans.org/info.php?id=961

*************************************************************************

TRAINING NEWS: SANS 2006 in Orlando, FL, in February, SANS' largest event of the year, now open for registration at

http://www.sans.org/sans2006

Register early to get space in the courses you want. Here's what some past students say about SANS training:

"By actually using the tools hackers use, I now have a much better idea of not only how to protect our systems, but also the extreme importance of plugging the holes that can be so easily compromised." Beth Powell, AR Blue Cross/Blue Shield

"SANS reminds me of 'The Matrix'. You can take the blue pill and go on happily thinking your network is safe, or you can take the red pill and find out what the computer world is really like. SANS training is the red pill, and if it doesn't drive you insane in the process, you will leave better prepared to handle the real world of security." (Shawn Wenzel, Par Pharmaceutical)

*************************************************************************

THE REST OF THE WEEK'S NEWS

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Privilege Escalation Attack in Sony BMG CD Anti-Piracy Technology (8/7/6 December 2005)

MediaMax version 5 anti-piracy technology that shipped with certain Sony BMG CDs installs a file folder on computers that could allow a privilege escalation attack. Sony BMG announced the security problem jointly with the Electronic Frontier Foundation (EFF). A patch for the flaw was made available; however, the day after the patch was released, researchers detected a problem with it. The security issue with MediaMax is unlike the XCP DRM security issue because MediaMax does not hide itself on users' computers.
-http://news.com.com/2102-1002_3-5984764.html?tag=st.util.print
-http://www.theregister.co.uk/2005/12/07/sony_cd_security/print.html
-http://news.zdnet.com/2102-1009_22-5987776.html?tag=printthis
-http://www.informationweek.com/showArticle.jhtml;jsessionid=0VOFJV00HHIHEQSNDBCCKHSCJUMEKJVN?articleID=174903698

-http://www.eff.org/IP/DRM/Sony-BMG/mediamaxfaq.php
-http://www.freedom-to-tinker.com/?p=942

Kazaa Parent Company Accused of Ignoring Australian Court Order (6/5 December 2005)

Australian record companies have accused Sharman Networks, owners of the Kazaa file-sharing software, of ignoring a court order to install filters to help prevent music piracy. Sharman says they have complied with the order by preventing people in Australia from downloading the most recent version of the software. Australian users who already have the software on their computers will receive warnings. The judge had given Sharman until December 5th to develop a new version of its software with filters built in. Attorneys for record companies are expected to take the case back to court to claim that Sharman has breached the order.
-http://www.usatoday.com/tech/news/2005-12-05-kazaa-filter_x.htm
-http://www.theregister.co.uk/2005/12/06/kazaa_pulls_p2p_code/

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Microsoft's December Security Update to Include Two Bulletins (8 December 2005)

Microsoft has given advance notice that two security bulletins will be released on Tuesday, 13 December. At least one of the threats to be addressed has been given a "critical" rating. Microsoft released no information regarding which components are affected or how many flaws the bulletins will address.
-http://news.zdnet.com/2102-1009_22-5987630.html?tag=printthis
Internet Storm Center early data:
-http://isc.sans.org/diary.php?storyid=922

Google Desktop Modified to Protect Users from Unpatched IE Flaw (6/5 December 2005)

Google has fine-tuned the Google Desktop application to protect its users from a vulnerability in Internet Explorer (IE) that could put the contents of their computers at risk. Users do not need to take any action, as the adjustment was made at Google's main site. The IE flaw currently remains unpatched, but Microsoft says it will address the vulnerability, which is in the way IE parses cascading style sheet files.
-http://www.eweek.com/print_article2/0,1217,a=166885,00.asp
-http://www.cio-today.com/news/Google-Fixes-Desktop-Search-Loophole/story.xhtml?story_id=011000DNG0PQ

ATTACKS & INTRUSIONS & DATA THEFT

University of San Diego Criticized for Poor Breach Notification Letter (3 December 2005)

The University of San Diego has been criticized for what many consider to be a poor notification letter regarding a computer security breach. A server that is used to print tax documents suffered an intrusion, exposing sensitive personal data belonging to people with various affiliations to the school. The letter provided few specifics about the intrusion and offered no suggestions for those affected to help protect their financial accounts and credit histories. The California law that requires organizations to notify people whose data were compromised in the event of a security breach does not specify what information should be included in the letter, nor does it say when the letter should be sent.
-http://www.signonsandiego.com/news/business/20051203-9999-1b3breach.html

STANDARDS & BEST PRACTICES

South Korea Establishes Guidelines for Safe Online Financial Transactions (7 December 2005)

The South Korean government has established guidelines to help prevent online financial fraud. The "10 Commandments on Electronic Financial Transactions" makes recommendations for users including not storing certificates and other digital credentials from financial institutions on their computers; changing passwords for financial-transaction related web sites frequently; not conducting online financial transactions on public computers; and using a favorites list or typing in the addresses for their financial account sites rather than clicking on links in email.
-http://joongangdaily.joins.com/200512/06/200512062216559209900090609061.html

STATISTICS, STUDIES & SURVEYS

BSA Survey Finds Software Piracy Rate Down Just One Percent From Last Year (8 December 2005)

According to a survey from the Business Software Alliance (BSA), about 35 percent of the software used around the world is pirated; last year that figure was 36 percent. Piracy rates are highest in China and Russia, with 90 and 87 percent of software respectively identified as pirated. The US has a piracy rate of 21 percent. The BSA encourages countries to strengthen legislation against piracy and to improve public awareness of the issue. In 1992, before European authorities enacted legislation against piracy, the rate was nearly 80 percent; the rate in Europe is now 35 percent.
-http://news.com.com/2102-1014_3-5987127.html?tag=st.util.print
[Editor's Note (Schultz): I worry about interpretations of results such as these. A small change in a statistic such as percentage of pirated software might be due to sampling fluctuations rather than a true change in the population parameter that the statistic is supposed to estimate. Similarly, the decline in piracy in Europe over the years is not necessarily due to legislation that was passed. Inferring causation from statistics from non-scientifically controlled research is specious. ]

Study Finds Home Users' Computers Still Not Very Well Protected (7 December 2005)

A recently released study from America Online (AOL) and the National Cyber Security Alliance found that just 44 percent of respondents had updated their anti-virus software within the last week. Last year's survey found just 33 percent of people had updated their anti-virus software within the past week. Last year, only 28 percent had properly configured firewalls; this year that figure was 56 percent. Eighty-three percent of those surveyed said they felt they were safe from online threats. The survey followed up the questions with home visits and brought in technicians to examine the respondents' computers. Participants were asked to save all the email they received for one month; twenty-five percent had received at least one phishing email during that time, and 70 percent of those people believed the phony messages were legitimate.
-http://www.msnbc.msn.com/id/10363568/
[Editor's Note (Schultz): Despite the negative conclusions that AOL and the National Cyber Security Alliance reached, there appears to be some cause for optimism. Look at the yearly change in the percentage of respondents who had recently updated their systems' anti-virus software, for example.
(Schmidt): Once again we have validation that the consumer/end users are not well protected, and depending on them to handle their own security is just not working. ]

MISCELLANEOUS

GAO Study: Five Percent of Domain Names Registered with Phony Contact Data (7 December 2005)

According to the Government Accountability Office (GAO), about five percent of domain names, or roughly 2.3 million web sites, are registered with false contact data. The contact information provided to registrars is publicly available through the Whois service on the Internet. The study was conducted to determine the amount of false data in registrations, to see how much of the phony data would be corrected within one month of being reported to ICANN and the kinds of businesses associated with the patently false registration data.
-http://www.informationweek.com/story/showArticle.jhtml?articleID=174904958
-http://www.gao.gov/new.items/d06165.pdf
[Editor's Note (Pescatore): This is a big part of the weak underbelly of the Internet. The data in the regional registrars is so dirty that trying to move up to things like Secure DNS is really difficult - even if technical obstacles were overcome. This also spills over into making SSL largely useless - if the domain name registration info is dirty, SSL certificates get sold based on that dirty data. Because of this, consumers need to know that seeing the little padlock in the browser is meaningless - all it means is the bits are encrypted over the wire, it implies absolutely no authentication or identification. ]


===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler,
Jaap-Henk Hoepman, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan
Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz,
Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/