SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #1

January 03, 2006

This Microsoft WMF vulnerability is causing real damage to a lot of people and organizations. See the first story for a temporary fix and a discussion of the pros and cons of using it.
Alan

PS. SANS 2006 is in Orlando in late February. The deadline for getting the $250 early registration discount is a week from tomorrow (1/11).
http://www.sans.org/sans2006

---

TOP OF THE NEWS

Users Urged to Install Unofficial Patch to Protect Computers from WM Exploits
Three States Have New Data Security Laws for 2006

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Alleged ChoicePoint Data Thief Pleads Guilty
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Trojan Horse Displays Phony Google Ads on Web Sites
ATTACKS & INTRUSIONS & DATA THEFT
Pennsylvania Medical Office Informs 700 People Whose Data Were on Stolen Computer
MISCELLANEOUS
White House Says Web Bugs Do Not Violate Federal Privacy Guidelines
DHS to Test RFID Passport Technology at San Francisco Airport

---

*************************** Sponsored Links *****************************

1) Join us for a Free SANS Webcast "Migrating from WEP to WPA2" Wednesday, January 04 at 1:00 PM EST (1800 UTC/GMT)
http://www.sans.org/info.php?id=974

2) To find the security products you can trust (along with user interviews showing why) start your selection process at
http://www.sans.org/whatworks

3) Free courses on SCADA Security (a gift from DHS and DOE) still have a have a few seats available. (March 1-2) Also the SCADA Security Summit (March 2-3) registration page is now open. Find both at:
http://www.sans.org/scadasummit06

*************************************************************************

---

TOP OF THE NEWS

Users Urged to Install Unofficial Patch to Protect Computers from WMF Exploits (2/1 January 2006/31/30 December 2005)

The threat posed by the flaw in Windows WMF files is increasing. Now hundreds of sites are using exploits for the flaw to install malicious software on people's Windows-based computers. What makes the WMF vulnerability particularly insidious is that it can infect computers when users merely visit sites or view a maliciously crafted image in the preview pane of older versions of Microsoft Outlook; machines can become infected without requiring the user to click on anything or open any files. Microsoft is investigating the issue and says it will issue a patch, but has not yet said when that patch will be available. The SANS Internet Storm Center recommends applying an unofficial patch; a link to the patch is available in the Handler's Diary. Authoritative overview from Internet Storm Center:
-http://isc.sans.org/diary.php?storyid=993
Other news stories:
-http://www.computerworld.com/printthis/2006/0,4814,107419,00.html
-http://www.computerworld.com/printthis/2006/0,4814,107420,00.html
-http://www.computerworld.com/printthis/2006/0,4814,107421,00.html
-http://www.msnbc.msn.com/id/10651414/
-http://www.eweek.com/print_article2/0,1217,a=168161,00.asp
[Editor's Note: (Schmidt) The idea of installing "unofficial patches", while it sounds like a good idea, is pretty scary as it becomes yet another way to potentially distribute malware and/or introduce yet a new vulnerability if not written correctly. Who handles "support" when the unofficial patch breaks other things? I support doing "work-arounds" but worry about ANY "quick fix" patches.
(Northcutt): While I agree with Howard's observations, the path of wisdom is to download the unofficial patch, and test it on some non-production systems and also to make sure you are ready to go when the worm breaks loose. Also, the WMF FAQ has been translated into a number of different languages at this point, so if you are a multinational organization you might want to be familiar with:
-http://isc.sans.org/diary.php?storyid=994
(Pescatore): Even with a trusted source of an unofficial patch, the odds of causing self inflicted damage by doing so are very high for enterprise users. The workarounds (like unregistering the .dll and losing thumbnails) are likely to have fewer unintended consequences than an unsupported, unofficial patch.
(Schultz): To me it is not at all clear what the correct course of action in dealing with this serious vulnerability is. Installing unofficial patches is generally not a good practice, but it may be the only truly viable solution at this time. Meanwhile, Microsoft owes it to its users to do everything in its power to create a patch for this vulnerability as soon as possible.
(Tan): Microsoft has updated its security advisory providing a piece of good news that an official patch is on the way. But the bad news is that you still have to wait until 10 Jan 06. Let's keep our fingers cross from now till then.
-http://www.microsoft.com/technet/security/advisory/912840.mspx]

Three States Have New Data Security Laws for 2006 (2 January 2006/31 December 2005)

New state laws in Louisiana, New Jersey and Illinois require that people be notified when data security breaches compromise their personal information. In New Jersey a law that took effect January 1, 2006 allows residents to freeze access to their credit reports to thwart identity fraud, even when the data thief has possession of the person's Social Security number. New Jersey residents must pay a US$5 fee to unfreeze their reports when they need to be accessed legitimately. Other states have enacted data security legislation as well.
-http://www.kplctv.com/Global/story.asp?S=4307966&nav=0nqx
-http://www.thejournalnews.com/apps/pbcs.dll/article?AID=/20060102/OPINION01/6010
20305/1015
-http://www.philly.com/mld/philly/news/13532711.htm?template=contentModules/print
story.jsp
-http://www.chicagotribune.com/business/chi-0512310060dec31,1,1644957.story?coll=
chi-business-hed
-http://www.wluctv6.com/Global/story.asp?S=4306169&nav=81AX

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Alleged ChoicePoint Data Thief Pleads Guilty (28 December 2005)

A man allegedly responsible for the ChoicePoint consumer record database security breach has pleaded guilty to charges of conspiracy and grand theft. Olatunji Oluwatosin is the only person charged in the massive data theft that compromised the personal data of 145,000 people. Oluwatosin will be sentenced on February 10, 2006; he is already serving a 16-month prison term for an earlier felony count of identity theft.
-http://www.consumeraffairs.com/news04/2005/choicepoint_guilty.html
[Editor's Note (Schmidt): It would send a good message if they gave him the maximum sentence and made the term run consecutive to the current term he is serving. It should also be part of the sentencing that he cannot do a book, movie or public speaking for profit. Unfortunately, it is too often the case where today's convicted felon becomes the "security speaker" du jour. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Trojan Horse Displays Phony Google Ads on Web Sites (2 January 2006/30 December 2005)

A Trojan horse program is replacing legitimate Google AdSense advertisements with counterfeit ads. The Trojan targets small publishers. Normally AdSense advertisements are relevant to the web site's content; however, the ads generated by the Trojan promote products Google stays away from, including gambling and adult entertainment products. AdSense works by paying web site publishers to place relevant advertisements on their sites. When users click on the illegitimate ads, they are reportedly taken to three other sites and finally to a page of advertisements with links to more advertisements.
-http://www.eweek.com/print_article2/0,1217,a=168268,00.asp
-http://www.ebcvg.com/articles.php?id=1016
[Editor's Note (Shpantzer): For a great article about the economics of click fraud, see
-http://www.wired.com/wired/archive/14.01/fraud.html
This is a relative newcomer on the cyberfraud scene, yet there's a cottage industry set up to monitor click fraud and alert advertisers. Click fraud can be used to increase your own profits (ex: splogging) as well as to grind away at your competition, by inflating their advertising spending. Legal action by search engines (and against them) is already underway, and this latest trojan is just a milestone in the road towards more sophisticated malware, designed to target specific companies or a broader attempt at making money by gaming the pay-per-click system. ]

ATTACKS & INTRUSIONS & DATA THEFT

Pennsylvania Medical Office Informs 700 People Whose Data Were on Stolen Computer (1 January 2006)

Squirrel Hill Family Medicine in Pennsylvania is taking steps to inform approximately 700 patients that one of six computers stolen from their office over the December 17-18 weekend contains a file with their names, Social Security numbers and birth dates. The University of Pittsburgh Medical Center, which owns Squirrel Hill Family Medicine, will pay for one year of credit monitoring services for those affected.
-http://www.philly.com/mld/philly/news/13530545.htm
[Editor's Note (Honan): This story illustrates how important information security is to organisations of all sizes. The cost of a security breach incurred by a smaller organisation is proportionately much higher than that experienced by larger organizations, yet time and again I see small organisations ignore investing in basic information security. ]

MISCELLANEOUS

White House Says Web Bugs Do Not Violate Federal Privacy Guidelines (30 December 2005)

The White House has declared that it will continue to use web bugs on its web site, maintaining that the anonymous tracking technology does not violate 2003 federal privacy guidelines from the Office of Management and Budget (OMB). The OMB directive prohibits the use of persistent cookies, though it does allow session cookies that exist only for the duration of the computer user's visit to the web site. Analysis indicates that cookies already on users' computers from visiting other sites have been read when users visit the White House site. The National Security Agency (NSA) disabled persistent cookies on its web site last week; the NSA maintained the cookies were the accidental result of a software upgrade. Apparently an outside contractor placed the tracking technology on the White House web site. The White House was "caught off guard" when the existence of the tracking technology came to light.
-http://www.msnbc.msn.com/id/10644090/
-http://news.bbc.co.uk/2/hi/technology/4569184.stm
-http://www.cio-today.com/news/Did-Contractor-Bug-White-House-Site-/story.xhtml?s
tory_id=133004L22IA6
[Editor's Note (Ranum): How ridiculous! In an industry where 90% of the desktop windows machines are infected by spyware people have the time to waste worrying about persistent cookies from the NSA?
(Schultz): It is difficult to understand how the White House can justify what appears to be a clear violation of the 2003 OMB guidelines. Worse yet, there appears to be little recourse for American citizens concerned about yet another government-initiated privacy infringement. ]

DHS to Test RFID Passport Technology at San Francisco Airport (30 December 2005)

Beginning in approximately two weeks, the US Department of Homeland Security (DHS) will be testing radio frequency identification (RFID) chip-embedded passport technology at San Francisco International Airport. Singapore, Australia and New Zealand have begun issuing citizens passports with the technology. The US Department of State has said that all US passports issued after October 2006 will have embedded RFID technology that will carry personal data and a digital photograph. Last fall, DHS conducted a three-month test of RFID-embedded passports in Los Angeles through the US-VISIT program. In addition, the DHS has "installed biometric entry facilities at all fixed points of entry."
-http://www.techweb.com/wire/ebiz/175800140
-http://www.fcw.com/article91831-12-30-05-Web
[Editor's Note (Boekman): The Government should be extremely thorough in how they test the security of RFID technology, and pay attention to the results. If they get this wrong initially, it will be extremely difficult and expensive to retrofit something that is already deployed. ]

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/