SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #64

December 23, 2005

TOP OF THE NEWS

French Parliament Approves Amendment to Legalize Filesharing
California Sec. of State Refuses to Approve Diebold Electronic Voting Machines, Asks Company to Submit Code for Federal Review
Buffer Overflow Flaw in Symantec Antivirus Software

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Department of Energy Faces IT Security Challenges, Says IG
SPYWARE, SPAM & PHISHING
FTC Delivers Report on Effectiveness of CAN-SPAM Act
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Microsoft Files Lawsuits Against MAPS Partners for Alleged Subscription Breaches
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Google Repairs Cross-Site Scripting Flaw
Vulnerability in iTunes and QuickTime
GiftCom Worm Spreads through Major IM Networks
ATTACKS & INTRUSIONS & DATA THEFT
Ford Informs Employees Whose Data Were on Stolen Computer
MISCELLANEOUS
British Parliament Increases Maximum Fine for Rogue Dialer Convictions
Sober Variant Scares Man into Surrendering Himself to Police


*************************** SPONSORED LINKS *****************************

1) Come to SANS 2006 (Orlando in February): 16 major tracks, 12 special courses, a large exposition, and great networking opportunities: http://www.sans.org/sans2006

2) More than 100 people registered for the Process Control and SCADA Security Summit in the first 12 hours yesterday. It will be sold out. If you want to come, don't dawdle. http://www.sans.org/scadasummit06

3) Earn your Master of Science in Information Security Engineering at SANS.EDU - preparing the Top Guns who will fight the next wave of cyber crime, and the managers who will lead the third generation of cybersecurity. http://www.sans.edu

************************************************************************

TOP OF THE NEWS

French Parliament Approves Amendment to Legalize Filesharing (22 December 2005)

By a narrow margin, French Parliament members voted for an amendment that could legalize peer-to-peer downloading of digital content. The text of the amendment reads "Authors cannot forbid the reproduction of works that are made on any format from an online communications service when they are intended to be used privately." The amendment is attached to an intellectual property rights bill. French copyright law includes a concept called "private copy" under which people are permitted to make copies for themselves or for friends. A French court recently held that content that has been downloaded for personal use meets the requirements of "private copy." L'Association Des Audionautes, "a French group that defends people accused of improperly sharing music files", supports a royalty tax to accompany the amendment, to be collected from the Internet service providers who would likely pass the cost on by "levying" a fee on users who conduct a certain amount of downloading.
-http://news.com.com/2102-1030_3-6005860.html?tag=st.util.print
-http://www.bloomberg.com/apps/news?pid=10000085&sid=avOoTq8aXkU8&refer=europe#

California Sec. of State Refuses to Approve Diebold Electronic Voting Machines, Asks Company to Submit Code for Federal Review (21 December 2005)

California Secretary of State Bruce McPherson has refused to approve the use of thousands of touch-screen and optical scanning electronic voting machines. There are "unresolved significant security concerns" with memory cards that store votes in the machines. McPherson's office has asked that Diebold, the maker of the voting machines in question, submit the machines' source code to the Federal Independent Testing Authorities for review. Dave Byrd, Diebold VP of business operations, said the company is happy to comply with the request.
-http://www.mercurynews.com/mld/mercurynews/news/politics/13455648.htm?template=contentModules/printstory.jsp
-http://news.com.com/2102-1028_3-6004615.html?tag=st.util.print
[Editor's Note (Schultz): Diebold's up-front cooperation with the state of California represents a major shift in Diebold's posture--a much-welcomed change for the better when it comes to assuring integrity in eVoting systems. ]

Buffer Overflow Flaw in Symantec Antivirus Software (22/21/20 December 2005)

A buffer overflow flaw in Symantec's antivirus software could allow attackers to gain control of vulnerable systems. The flaw affects 40 products and lies in a library component, Dec2Rar.dll, involved in processing RAR files. The problem occurs when users' antivirus software scans RAR files, a format often used to store large video and audio files. The flaw can be exploited via email without the user needing to open an attachment. Users should update their software.
-http://www.computerworld.com/printthis/2005/0,4814,107270,00.html
-http://www.theregister.co.uk/2005/12/22/symantec_archive_bug/print.html
-http://www.eweek.com/print_article2/0,1217,a=167824,00.asp
-http://securityresponse.symantec.com/avcenter/security/Content/2005.12.21b.html

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

Department of Energy Faces IT Security Challenges, Says IG (20/19 December 2005)

A recent report from the US Department of Energy's inspector general Gregory Friedman describes a number of problems with IT system security, including ensuring authorized access to department systems and with "verifying that modifications to applications and systems were properly approved and managed." In addition, contingency plans for several systems are incomplete. The report acknowledged that department senior managers "are focusing on upgrading cybersecurity."
-http://www.fcw.com/article91775-12-20-05-Web
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=37812
-http://www.ig.doe.gov/pdf/ig-0712.pdf
[Editor's Note (Kreitner): Some of the most important information security management metrics that enterprises should implement are those related to stability of operational software images. Research and experience are revealing that the root of many security incidents is inadequate internal discipline of configuration settings and software changes. This is not to suggest a cumbersome change management system, but rather a clear definition of internal responsibilities with regard to software image integrity. ]
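The software-image stability metric the note above recommends can be measured directly. The following is an added example, not taken from the DOE report or from SANS: it hashes every file under a directory into a baseline, classifies later drift as added, removed or modified, and reduces that to a single drift rate. The directory layout and file contents in `demo()` are constructed sample values.

```python
"""Added example: a minimal software-image integrity baseline.

Paths and contents used by demo() are constructed sample values,
not taken from any real system or from the report cited above.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each regular file under root (relative, '/'-separated path) to its SHA-256 hex digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                # Stream in chunks so large binaries do not have to fit in memory.
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            baseline[rel] = digest.hexdigest()
    return baseline


def compare(baseline, current):
    """Classify drift between two path->hash maps."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def drift_rate(report, baseline_size):
    """Metric: fraction of baseline files that changed or disappeared (0.0 = stable image)."""
    if baseline_size == 0:
        return 0.0
    return (len(report["modified"]) + len(report["removed"])) / baseline_size


def demo():
    """Build a constructed image in a temp dir, baseline it, apply unapproved changes, compare."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "bin/app": b"v1",
            "etc/app.conf": b"debug=false\n",
            "lib/helper.so": b"\x7fELF",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        baseline = hash_tree(root)

        # Simulated unapproved changes: config edited, unknown binary added, helper removed.
        with open(os.path.join(root, "etc/app.conf"), "wb") as fh:
            fh.write(b"debug=true\n")
        with open(os.path.join(root, "bin/extra"), "wb") as fh:
            fh.write(b"unknown")
        os.remove(os.path.join(root, "lib/helper.so"))

        report = compare(baseline, hash_tree(root))
        report["drift_rate"] = drift_rate(report, len(baseline))
        return report


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be written out after each approved change and the comparison run on a schedule; any non-empty report that does not line up with an approved change record is exactly the "inadequate internal discipline" the note describes.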

SPYWARE, SPAM & PHISHING

FTC Delivers Report on Effectiveness of CAN-SPAM Act (20 December 2005)

The Federal Trade Commission (FTC) on Tuesday said that the incidence of spam has decreased in the two years since the passage of the CAN-SPAM Act, although much of the decrease can be attributed to the use of blocking services and products. The effectiveness of CAN-SPAM has been questioned, but the FTC says the legislation has helped create standard best practices for commercial email. More than 50 lawsuits have been filed against spammers since CAN-SPAM was enacted. Critics are displeased that CAN-SPAM allows commercial emailers to keep sending unsolicited email until consumers opt out of receiving it. The report also warned that while spam is decreasing, attacks are becoming more malicious and sophisticated.
-http://www.computerworld.com/printthis/2005/0,4814,107229,00.html
-http://news.bbc.co.uk/1/hi/technology/4547474.stm
-http://www.techweb.com/wire/security/175007086%3Bj
-http://www.ftc.gov/reports/canspam05/051220canspamrpt.pdf

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Microsoft Files Lawsuits Against MAPS Partners for Alleged Subscription Breaches (19 December 2005)

Microsoft has filed a series of lawsuits against people for allegedly breaching the Microsoft Action Pack Subscriptions (MAPS) Initiative software agreement. The initiative provides certain Microsoft partners with discounted software that they agree to use internally for application development and testing and for other business purposes. The people named in the lawsuits allegedly attempted to sell the software they acquired through the program on auction sites. Microsoft has also filed lawsuits against three companies for allegedly distributing counterfeit software.
-http://www.out-law.com/page-6476

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Google Repairs Cross-Site Scripting Flaw (21 December 2005)

Google has fixed a cross-site scripting flaw that could have been exploited to hijack accounts or conduct phishing attacks. Google became aware of the problem on November 15 and fixed it on December 1. The problem was in the mechanism used to generate certain error pages; 7-bit Unicode Transformation Format (UTF-7) characters could be used to exploit the vulnerability.
-http://news.com.com/2102-1002_3-6004471.html?tag=st.util.print
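The reason UTF-7 matters in the item above is that a browser receiving an HTML page with no declared character set may guess the encoding, and output escaping done under one assumed encoding does not hold once the bytes are read as another. The following is an added example, not Google's code and not from the article: a small audit that flags HTML responses whose charset is not pinned, a hardened error-page builder that pins it, and a function showing why HTML escaping alone does not settle the question. The header set, sample responses and the `+ADw-` sequence are constructed for the example.

```python
"""Added example: check that an HTTP response pins its character set.

Pinning the charset (Content-Type header, backed by a <meta charset>) is the
control that removes the ambiguity charset-guessing XSS relies on.
Headers and bodies below are constructed sample values.
"""
import html
import re

CHARSET_RE = re.compile(r";\s*charset\s*=\s*([\w-]+)", re.IGNORECASE)
META_CHARSET_RE = re.compile(r'<meta[^>]+charset\s*=\s*["\']?([\w-]+)', re.IGNORECASE)


def declared_charsets(headers, body):
    """Return (header_charset, meta_charset); either may be None."""
    m = CHARSET_RE.search(headers.get("Content-Type", ""))
    hdr = m.group(1).lower() if m else None
    # Browsers only honour a <meta charset> that appears early in the document.
    m2 = META_CHARSET_RE.search(body[:1024])
    meta = m2.group(1).lower() if m2 else None
    return hdr, meta


def audit_response(headers, body):
    """Return a list of findings for an HTML response; an empty list means the charset is pinned."""
    findings = []
    ctype = headers.get("Content-Type", "")
    if not ctype.lower().startswith("text/html"):
        return findings  # the rule is about HTML documents
    hdr, meta = declared_charsets(headers, body)
    if hdr is None and meta is None:
        findings.append("no charset declared: browser may sniff encoding (incl. UTF-7)")
    elif hdr is None:
        findings.append("charset only in <meta>; prefer Content-Type header")
    if hdr and meta and hdr != meta:
        findings.append(f"header charset {hdr} disagrees with meta charset {meta}")
    for cs in (hdr, meta):
        if cs in ("utf-7", "unicode-1-1-utf-7"):
            findings.append("UTF-7 explicitly declared")
    return findings


def build_error_page(message):
    """Hardened error page: charset pinned in header and body, reflected text escaped."""
    body = (
        '<!DOCTYPE html><html><head><meta charset="utf-8"><title>Error</title></head>'
        "<body><p>" + html.escape(message, quote=True) + "</p></body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def utf7_reinterpretation(text):
    """Why escaping alone is not enough: html.escape leaves a +...- sequence untouched,
    yet a browser that settled on UTF-7 would decode it back into markup."""
    assert html.escape(text) == text, "input contains no characters escaping would touch"
    return text.encode("ascii").decode("utf-7")


# Constructed sample responses for the audit.
SAMPLES = {
    "unpinned": ({"Content-Type": "text/html"}, "<html><body>Not found: /foo</body></html>"),
    "meta_only": (
        {"Content-Type": "text/html"},
        '<html><head><meta charset="utf-8"></head><body>x</body></html>',
    ),
    "pinned": build_error_page("Not found: <path>"),
}

if __name__ == "__main__":
    for name, (hdrs, body) in SAMPLES.items():
        print(name, audit_response(hdrs, body) or "ok")
```

The audit is cheap enough to run over every response in an integration test suite or a proxy log; the finding to treat as a defect is the first one, a `text/html` body with no charset anywhere, since that is the case in which the browser, not the server, decides how the escaped output is read.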

Vulnerability in iTunes and QuickTime (21 December 2005)

A security hole in iTunes and QuickTime could allow attackers to crash these programs and execute arbitrary code on vulnerable machines. Users would need to be fooled into opening a maliciously crafted .mov file. The vulnerability affects all versions of iTunes and QuickTime. Users can protect themselves from having this flaw exploited by not opening media files from untrusted sources.
-http://news.com.com/2102-1002_3-6004635.html?tag=st.util.print
-http://www.eweek.com/print_article2/0,1217,a=167911,00.asp

GiftCom Worm Spreads through Major IM Networks (20 December 2005)

A worm that spreads through an instant message inviting recipients to view an image of Santa Claus has been sending itself across the MSN, AOL, ICQ and Yahoo instant messaging networks. When users visit the phony web site, a malicious file is downloaded onto their computers. The file has rootkit elements that keep it hidden; it also attempts to disable antivirus products and places a keylogging program on the computer. The worm, known as IM.GiftCom.All, spreads by using the names in the IM contact list.
-http://internetweek.cmp.com/news/175007108
-http://news.com.com/2102-7349_3-6002790.html?tag=st.util.print

ATTACKS & INTRUSIONS & DATA THEFT

Ford Informs Employees Whose Data Were on Stolen Computer (22 December 2005)

Ford Motor Company sent email messages to 70,000 current and former employees informing them that their personal data, including Social Security numbers, were on a computer stolen from a company facility. Ford is working with law enforcement and says there is no evidence that the information has been misused.
-http://www.informationweek.com/showArticle.jhtml?articleID=175007673
[Editor's Note (Shpantzer): Encrypting laptops and smartphones that hold sensitive information is important, since these mobile computing assets have virtually no physical security. ]

MISCELLANEOUS

British Parliament Increases Maximum Fine for Rogue Dialer Convictions (22/21 December 2005)

British Parliament has voted to increase the maximum fine that can be imposed for convictions on charges of premium-rate rogue dialing scams. As of December 30, 2005, the maximum fine will increase from GBP100,000 to GBP250,000. The current cap was found to be an ineffective deterrent to a scam that can generate considerable revenue for the perpetrators. A rogue-dialer is software surreptitiously installed on users' computers that causes their dial up modems to call premium-rate long distance numbers, amassing significant charges.
-http://news.zdnet.com/2102-1035_22-6005760.html?tag=printthis
-http://www.theregister.co.uk/2005/12/21/premium_rate_phone_fines_surge/print.html

Sober Variant Scares Man into Surrendering Himself to Police (20 December 2005)

A recent variant of the Sober worm has tricked a German man into surrendering himself to police because the phony message that accompanies the infected attachment made him believe he was being investigated for his possession of child pornography. The message says that law enforcement officials have become aware that the recipient's IP address has been used to log on to illegal web sites. The recipient is requested to answer some questions in an attachment; when the attachment is opened, the worm infects the computer.
-http://www.securityfocus.com/news/11365


===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler,
Jaap-Henk Hoepman, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan
Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz,
Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/