SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #65

December 27, 2005


End-of-year opportunity to make sure the security products you use get
the right visibility. Have you found a security tool that actually
improves security in network firewalls, IPS, gateway anti-virus, gateway
anti-spam, spyware, secure desktop, encryption, identity management,
secure remote access, secure wireless, auditing, security event
management or other areas? If yes, and you are the end user (not the
vendor or a reseller or consultant who implements it), please email us
by January 6 to ensure it gets considered for inclusion on the 2006
WhatWorks lists. WhatWorks is the collection of short-lists of products
that companies and government agencies use when they are buying new
security products. Email info@sans.org with subject WhatWorks and name
the category, product and vendor.

Alan

TOP OF THE NEWS

Windows Vista Beta's Handling of Metadata Raises Security Concerns
Two of Three eVoting Vendors Withdraw from North Carolina Certification Process

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Engineer Indicted for Alleged Theft of Trade Secrets
SPYWARE, SPAM & PHISHING
Australian Bank Asks High Tech Crime Centre for Help with Phishing Attacks
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Botnet Using BitTorrent to Download Movies Surreptitiously
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
MerryX.A Trojan Horse Program Spreading
STATISTICS, STUDIES & SURVEYS
2005 National Encryption Survey
Anti-Virus Product Response Times Ranked
MISCELLANEOUS
Acrobat and Reader Updated to Let Users Know About Tagged PDF Documents
Perspiration Algorithm Reduces False Verifications on Fingerprint Readers
Lost Backup Tape Returned to Mortgage Company


*********************** Sponsored Links *********************************

1) Get the MX Logic 2005 Email Threat Report here! http://www.sans.org/info.php?id=972

2) Come to SANS 2006 (Orlando in February) 16 major tracks, 12 special courses, a large exposition. And great networking opportunities: www.sans.org/sans2006

3) Earn your Master of Science in Information Security Engineering at SANS.EDU - preparing the Top Guns to fight the next phase of cyber crime. www.sans.org

*************************************************************************

TOP OF THE NEWS

Windows Vista Beta's Handling of Metadata Raises Security Concerns (23/22 December 2005)

A report from Gartner warns that problems with metadata management in the forthcoming Microsoft Windows Vista operating system could expose sensitive information. Gartner recommends that organizations planning to use Vista develop metadata policies to avoid leaking embarrassing information. Although there will be a tool for removing metadata, it involves creating a copy of the original document, meaning the document with the tags still attached could accidentally be sent out. Metadata tags are pieces of descriptive information used to help manage and search files on users' systems. Among Gartner's suggestions are using digital rights management to restrict who is able to view the metadata and developing an approved list of metadata keywords. In addition, Gartner says that Exchange Server should strip metadata when a document is released externally.
-http://www.computerworld.com/printthis/2005/0,4814,107338,00.html
-http://www.eweek.com/print_article2/0,1217,a=168055,00.asp
-http://news.com.com/2102-1012_3-6006290.html?tag=st.util.print
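The release-time strip that Gartner recommends, shown as an added example (it is not from the Gartner report, from Microsoft, or from this newsletter). Because the item describes Vista's own tag store only in general terms, OOXML core properties (docProps/core.xml inside a .docx/.xlsx/.pptx package) stand in as the metadata carrier, and the sample document and its properties are constructed inline. The point the article makes about copies is built in: the strip returns a new package and leaves the original untouched, so the gate has to be run on the bytes that actually leave, not on whatever the user happened to attach.

```python
"""Release-time metadata check and strip for OOXML packages.

Added example: OOXML core properties stand in for the metadata store the
article discusses. The sample document below is constructed in memory.
"""
import io
import re
import zipfile

CORE = "docProps/core.xml"
# Core-property elements that commonly carry leakable information
# (assumption: this list is the usual suspects, not every possible field).
SENSITIVE = ("dc:creator", "cp:lastModifiedBy", "dc:title", "dc:subject",
             "dc:description", "cp:keywords", "cp:category")


def make_sample_docx(props_xml: str) -> bytes:
    """Build a minimal OOXML package in memory (constructed sample, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(CORE, props_xml)
    return buf.getvalue()


def find_metadata(data: bytes) -> dict:
    """Return {element: text} for every non-empty sensitive core property."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if CORE not in z.namelist():
            return found
        xml = z.read(CORE).decode("utf-8")
    for tag in SENSITIVE:
        m = re.search(rf"<{tag}[^>]*>(.*?)</{tag}>", xml, re.S)
        if m and m.group(1).strip():
            found[tag] = m.group(1).strip()
    return found


def strip_metadata(data: bytes) -> bytes:
    """Return a copy of the package with every sensitive core property emptied.

    The input is not modified. That is the copy-based workflow the article
    warns about: only the returned bytes are safe to release, so the caller
    must send these and not keep the original lying next to them.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename == CORE:
                xml = payload.decode("utf-8")
                for tag in SENSITIVE:
                    xml = re.sub(rf"<{tag}([^>]*)>.*?</{tag}>",
                                 rf"<{tag}\1></{tag}>", xml, flags=re.S)
                payload = xml.encode("utf-8")
            dst.writestr(item, payload)
    return out.getvalue()


def release_gate(data: bytes) -> bool:
    """True only if the document carries no sensitive core properties."""
    return not find_metadata(data)


# Constructed sample properties for a draft that should never leave as-is.
SAMPLE_PROPS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<cp:coreProperties '
    'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
    'xmlns:dc="http://purl.org/dc/elements/1.1/">'
    '<dc:title>Q4 layoffs - DRAFT</dc:title>'
    '<dc:creator>jdoe</dc:creator>'
    '<cp:keywords>confidential;hr</cp:keywords>'
    '</cp:coreProperties>'
)

if __name__ == "__main__":
    doc = make_sample_docx(SAMPLE_PROPS)
    print("before:", find_metadata(doc), "release ok:", release_gate(doc))
    clean = strip_metadata(doc)
    print("after: ", find_metadata(clean), "release ok:", release_gate(clean))
```

The gate is deliberately a deny-by-default check on the outbound copy: a mail gateway in the role Gartner assigns to Exchange Server would call release_gate() on the attachment bytes and either strip or bounce. Custom properties (docProps/app.xml, docProps/custom.xml), embedded comments and tracked changes are other carriers and are outside this example.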

Two of Three eVoting Vendors Withdraw from North Carolina Certification Process (23 December 2005)

Diebold Election Systems and Sequoia Voting Systems Inc. have withdrawn their electronic voting products from North Carolina's certification process because they could not comply with the state's new requirements, leaving Election Systems & Software Inc. the sole vendor in North Carolina. The withdrawals come in the wake of a lawsuit filed by the Electronic Frontier Foundation (EFF) against the North Carolina state board of elections, alleging that its December 1, 2005 certifications of the three vendors' products violated a state law requiring the companies to provide their source code to the state election board to be held in escrow for security review.
-http://www.computerworld.com/printthis/2005/0,4814,107353,00.html

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Engineer Indicted for Alleged Theft of Trade Secrets (23 December 2005)

An engineer has been indicted for alleged theft of trade secrets. Suibin Zhang allegedly downloaded proprietary files from Marvell Semiconductor, Inc. after accepting a position with Broadcom, a Marvell competitor. Zhang had access to the Marvell data because his former employer, Netgear Inc., was a Marvell customer. Zhang then allegedly loaded the files onto a Broadcom-issued laptop and emailed some trade secrets to other Broadcom employees. Zhang entered a not guilty plea and was released on a US$500,000 bond. If convicted on all counts, Zhang faces a maximum jail sentence of 75 years and a fine in excess of US$2 million.
-http://www.eetimes.com/showArticle.jhtml?articleID=175400269
[Editor's Note (Honan): Most companies' access policies disable user accounts for employees who have left the company. This is an example of how that policy should be extended to include external users from partner companies or suppliers whose employees have access to sensitive data. ]

SPYWARE, SPAM & PHISHING

Australian Bank Asks High Tech Crime Centre for Help with Phishing Attacks (27 December 2005)

National Australia Bank has enlisted the help of the Federal Police's Australian High Tech Crime Centre to help track down the source of phishing emails targeting bank customers. The most recent scheme involves a message asking that bank customers send the bank their passwords and account numbers to help facilitate a "planned software upgrade." The email contains a Trojan horse program that leaves a keylogger on users' computers.
-http://www.theaustralian.news.com.au/printpage/0,5942,17668502,00.html

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Botnet Using BitTorrent to Download Movies Surreptitiously (21 December 2005)

Altered copies of BitTorrent have been downloaded surreptitiously from an IRC server to computers infected with the lockx.exe rootkit, which spread over the AIM (AOL Instant Messenger) network in late October. The versions of BitTorrent are then used to download movie files. The FBI is investigating.
-http://www.channelregister.co.uk/2005/12/21/bittorrent_botnet_attack/
-http://www.eweek.com/print_article2/0,1217,a=167932,00.asp

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

MerryX.A Trojan Horse Program Spreading (23 December 2005)

Another piece of holiday-related malware is spreading over the Internet. The MerryX.A Trojan horse program arrives as an email attachment that shows the recipient an animated Santa delivering gifts while it downloads malware onto the recipient's computer. The malware sends information about the infected machine to a remote server and then tries to download other files.
-http://www.computerworld.com/printthis/2005/0,4814,107339,00.html
The Internet Storm Center provided an early warning on 14 December:
-http://isc.sans.org/diary.php?storyid=933

[Editor's Note (Grefer): Anti-spyware products, such as the free Spybot Search & Destroy (http://www.safer-networking.net), as well as most anti-virus products will help to identify such Trojan horses early on. A personal firewall software, such as the free ZoneAlarm (http://www.zonealarm.com), also provides an early warning by alerting the user to the fact that "something" is trying to "call home".]

STATISTICS, STUDIES & SURVEYS

2005 National Encryption Survey (22 December 2005)

The Ponemon Institute's 2005 National Encryption Survey found that while many organizations value encryption as "an important security tool," just over 4.2 percent of respondents said their organizations had "an enterprisewide encryption plan." The purpose of the study was to see "what privacy and security professionals think about encryption and how adequate they believe their organization's security programs are to protect sensitive and confidential information." Reasons given for using encryption included preventing data breaches, protecting the organizations' reputation and Sarbanes-Oxley compliance; reasons given for not encrypting sensitive information included system performance concerns, complexity and cost. Nearly half of the 791 respondents said their organizations encrypt sensitive and confidential documents when they are being sent to other systems or locations, but just 24 percent said their organizations encrypt sensitive backup files before they are sent to off-site storage facilities.
-http://www.computerworld.com/printthis/2005/0,4814,107280,00.html
[Editor's Note (Schultz): I'm surprised that other reasons such as problems associated with key management, the risk of keys being read without authorization while they are in memory or stored in files, and so on were not mentioned as reasons for not using encryption.
(Schmidt) Encryption is easier to use than ever before, requires fewer resources (or at least the available resources have caught up with the overhead) and yet very few people use encryption. As data breach laws become more of a standard, perhaps encryption will be viewed as something to be used routinely. ]

Anti-Virus Product Response Times Ranked (21 December 2005)

Andreas Marx of Av-Test.org recently tested anti-virus products' response times to variants of the top 16 Windows worms of 2005, including Bagle, Mydoom and Sober. Just one product had updates out in an average of zero to two hours; four more had updates out in between two and four hours.
-http://www.securitynewsportal.com/index.shtml
-http://blogs.washingtonpost.com/securityfix/2005/12/antivirus_resea.html

[Editors' Note (Paller and Swa Frantzen): Long before this study was published, many well-informed organizations had installed two or three (and in one case, we saw five) anti-virus gateways from multiple companies - often including smaller anti-virus vendors with faster response times. One common approach is to use different AV tools on the perimeter, on the mail server and on the desktops. These better protected organizations are not worried about false positives; they are worried that viruses move faster than many of the large security research centers. ]

MISCELLANEOUS

Acrobat and Reader Updated to Let Users Know About Tagged PDF Documents (23/22 December 2005)

Adobe has updated Acrobat and Reader to inform users with a pop-up when .pdf documents tagged for tracking try to make connections to a web service. Version 7.05 of both products includes the feature. Businesses can tag .pdf documents so that they contact network services, which lets the business track the documents' movements. Adobe Director of Security Solutions John Landwehr says the update allows users to decide whether or not to allow the document to contact the network service.
-http://www.eweek.com/print_article2/0,1217,a=168058,00.asp
-http://www.pdfzone.com/print_article2/0,1217,a=168056,00.asp
-http://www.smh.com.au/news/breaking/adobe-keeps-an-eye-on-document-taggers/2005/12/22/1135032121010.html
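A recipient-side version of the check Adobe added, written here as an added example (it is not Adobe's code and does not reproduce the Acrobat 7.05 pop-up): before opening a document from an outside party, scan the raw PDF for the action types that can reach a network service and report any URL they point at. The two PDFs below are constructed inline; the list of action subtypes is an assumption about the common callback mechanisms, not an exhaustive catalogue of the PDF specification.

```python
"""Scan a PDF for actions that can contact a network service.

Added example, not Adobe's code. Works on the raw bytes of an
uncompressed PDF; see the note on object streams below.
"""
import re

# Action subtypes that reach outside the document (assumption: the usual
# tracking/callback mechanisms, not every PDF feature).
NETWORK_ACTIONS = {
    b"/URI": "open a URL",
    b"/SubmitForm": "submit form data to a URL",
    b"/Launch": "launch an external program or document",
    b"/GoToR": "open a remote file",
    b"/ImportData": "import data from a file",
    b"/JavaScript": "run script (may trigger any of the above)",
}
ACTION_S_RE = re.compile(rb"/S\s*(/[A-Za-z]+)")      # /S /URI, /S /Launch, ...
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")           # /URI (http://...)
OPENACTION_RE = re.compile(rb"/OpenAction\b")         # fires when the file is opened


def scan_pdf(data: bytes) -> dict:
    """Return a report of external actions found in raw PDF bytes."""
    subtypes = [m.group(1) for m in ACTION_S_RE.finditer(data)]
    hits = sorted({s.decode() for s in subtypes if s in NETWORK_ACTIONS})
    return {
        "external_actions": hits,
        "descriptions": [NETWORK_ACTIONS[h.encode()] for h in hits],
        "uris": [u.decode("latin-1") for u in URI_RE.findall(data)],
        # an action wired to /OpenAction runs without any click
        "auto_on_open": bool(OPENACTION_RE.search(data)) and bool(hits),
        # compressed object streams hide dictionaries from a raw-byte scan
        "compressed_streams": b"/ObjStm" in data,
    }


def may_call_home(data: bytes) -> bool:
    """True if the document contains at least one outward-reaching action."""
    return bool(scan_pdf(data)["external_actions"])


# Constructed sample: a one-page PDF whose OpenAction is a URI action,
# i.e. it tries to fetch a tracking URL as soon as it is opened.
TRACKED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /URI /URI (http://tracker.example/beacon?id=42) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same page with no actions at all.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, pdf in (("tracked", TRACKED_PDF), ("clean", CLEAN_PDF)):
        print(name, scan_pdf(pdf))
```

The scan is a triage aid, not a parser: a document that stores its objects in compressed object streams (reported by the compressed_streams flag) or spells names with hex escapes such as /#55RI will not match, so decompress and normalise first (for instance with qpdf --qdf --object-streams=disable) before trusting a negative result. The Acrobat pop-up the article describes operates at the moment of connection and therefore catches what a static scan misses; the two checks complement each other.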

Perspiration Algorithm Reduces False Verifications on Fingerprint Readers (22/21 December 2005)

Clarkson University researchers found that casts of fingerprints made from Play-Doh, gelatin or dental plaster, and even fingers from a cadaver, produced a false verification rate of 90 percent on biometric fingerprint readers across a sample of 60 attempts. When the researchers added an algorithm capable of detecting the perspiration patterns characteristic of a live finger, the false verification rate fell to 10 percent.
-http://www.techworld.com/midsizedbusiness/features/index.cfm?featureid=2108&inkc=0

-http://news.zdnet.com/2102-1009_22-6003440.html?tag=printthis

Lost Backup Tape Returned to Mortgage Company (22/21 December 2005)

ABN AMRO Mortgage Group is encouraging 2 million customers to monitor their credit activity, since their account data were on a backup tape that was lost for nearly a month. DHL, the shipping company that lost the tape in mid-November, said the tape was found with its airbill missing; an employee apparently opened the package, found the return address and sent it back to the mortgage company, which feels it is unlikely that the data were misused. The mortgage company plans to continue the investigation. ABN AMRO Mortgage no longer uses tapes; instead, it sends encrypted data to the credit bureaus electronically.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1153797,00.html



===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler,
Jaap-Henk Hoepman, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan
Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz,
Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/