SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #12
February 10, 2006
Welcome to Mark Weatherford, CISO of Colorado, who joined the NewsBites editorial board this week.
TOP OF THE NEWS
Yahoo Taken to Task for Providing Info Leading to Imprisonment of Chinese Internet WritersWebsite Defacement Seen as Retaliation for Offensive Editorial Cartoon
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCESSpanish Man Jailed and Fined for Denial-of-Service Attack
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
EPA IG Finds Security Holes in Contract Management System
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft's Scheduled February Security Update Will Include Seven Patches
Sun Addresses Privilege Escalation Vulnerability in JRE
Exploit for Firefox Flaw Posted Online
ATTACKS & INTRUSIONS & DATA THEFT
Cyber Thieves Used Trojan to Gather Banking Details and Empty Accounts
Honeywell Files Suit Against Former Employee for Data Exposure
STANDARDS & BEST PRACTICES
Outsourcing Vendor Standards Released
MISCELLANEOUS
Many Phone Record Sale Sites No Longer Doing Business
Boston Hospital Faxed Patient Data to Bank
****************** SPONSORED BY SANS TRAINING **************************
World-Class Security Training Opportunities in the Next Few Weeks
SANS 2006 in Orlando (Feb 24- March 4) 36 tracks of extraordinary training - the best instructors in the world, and a great security tools exposition. Lots of people are bringing their families to Orlando to join them at the end of the program.
Plus: San Francisco, Phoenix, St. Louis, Brisbane, Tokyo, Ottawa
Or you can take SANS training anytime, anywhere with the new SANS On Demand.
Details on these and other programs: http://www.sans.org/index.php
And the SCADA Security Summit is 83% full. If you want to attend, register this week. It is an amazing program - especially for control systems engineers. If you know anyone who has engineering responsibility for SCADA or other control systems, please tell him or her about the program posted at: http://www.sans.org/scadasummit06/
*************************************************************************
TOP OF THE NEWS
Yahoo Taken to Task for Providing Info Leading to Imprisonment of Chinese Internet Writers (9 February 2006)
Yahoo provided Chinese officials with the registration details of writer Li Zhi, who was imprisoned in 2003 for writings critical of Chinese political corruption. A Yahoo spokesperson said the government is not obligated to tell the ISP why it is seeking information on particular users. She went on to say that they did not provide information beyond what they were legally obligated to provide. Reporters Without Borders and the Committee to Protect journalists have called on Yahoo to reveal information on all Internet journalists and writers it has provided to authorities in China. Last year, Yahoo was accused of helping Chinese authorities identify a reporter who was subsequently imprisoned.-http://www.eweek.com/print_article2/0,1217,a=171132,00.asp
-http://news.bbc.co.uk/2/hi/asia-pacific/4695718.stm
-http://technology.timesonline.co.uk/article/0,,19509-2032242,00.html
-http://www.smh.com.au/news/breaking/man-jailed-for-posting-critical-comment-onli
ne/2006/02/09/1139379611640.html
[Editor's Note (Boeckman): This wasn't a surprise. Yahoo was apparently willing to do the same thing in the US, even though there was no warrant or indication of illegal activity, which is specified as a prerequisite for turning over system logs in their privacy policy. ]
Website Defacement Seen as Retaliation for Offensive Editorial Cartoon (9/8/7 February 2006)
Web site defacements carried out against hundreds of Danish and other western websites are a symptom of broad outrage over the controversial cartoon depiction of the Prophet Mohammed. Nearly 600 Danish websites have been defaced.-http://www.techweb.com/wire/179101384
-http://australianit.news.com.au/articles/0,7204,18090252%5E15318%5E%5Enbv%5E1530
6,00.html
-http://news.bbc.co.uk/2/hi/technology/4692518.stm
-http://www.eweek.com/print_article2/0,1217,a=170917,00.asp
-http://www.pcworld.com/news/article/0,aid,124662,00.asp
-http://www.zone-h.org/en/news/read/id=205987/
[Editor's Note (Boeckman): The fact that so many servers were able to be compromised so quickly should serve as an indicator that there is no shortage of vulnerable systems, only a shortage of people willing to hack them.
(Honan) - Most of the defaced websites belong to small companies with limited information security resources. These attacks serve as a reminder that the argument "My company is too small for anyone to want to hack me" does not carry any weight.
(Murray): One would like to think that this flap is an anomaly. Still, we must prepare ourselves for a world that is less civil than any one we have been prepared for.
(Schultz): The chain of ugly events that have occurred since the cartoon in question was first published dramatically shows the kinds of outcomes that are bound to occur as the result of widespread access to a medium (the Internet) that crosses international and cultural boundaries. Some of the information from countries in which freedom of speech and freedom of expression are allowed will invariably offend individuals somewhere in the world, especially when religion is the issue. These events in fact are only the tip of the iceberg. ]
******************************* Sponsored Links:*************************
1) Download our latest whitepaper, Layered Network Security 2006, and receive a FREE T-SHIRT from StillSecure.
http://www.sans.org/info.php?id=1020
2) Internet Storm Center: Threat Update
Wednesday, February 15 at 2:00 PM EST (1900 UTC/GMT)
http://www.sans.org/info.php?id=1021
3) WhatWorks in Web Application Security: "Educating Code Developers with the University of Missouri"
Thursday, February 16 at 1:00 PM EST (1800 UTC/GMT)
http://www.sans.org/info.php?id=1022
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Spanish Man Jailed and Fined for Denial-of-Service Attack (8 February 2006)
A Spanish man who used a computer worm in 2003 to launch a denial-of-service attack has been sentenced to two years in jail and ordered to pay a fine of EUR1.4 million (US$1.67 million). Santiago Garrido carried out the attack, which disrupted Internet service for approximately 3 million people across Spain, in retaliation for having been banned from an IRC chat room.-http://www.theregister.co.uk/2006/02/08/spanish_hacker_jailed/print.html
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
EPA IG Finds Security Holes in Contract Management System (3 February 2006)
An audit report from the inspector general of the US Environmental Protection Agency (EPA) describes security problems found in its contract management system. The contracting system was found to be "operating without current certification and accreditation, contingency plans or testing of the plans, and a process to monitor servers for known vulnerabilities." Five of nine servers reviewed were not monitored. Fifty vulnerabilities were found on those nine servers; those that were not monitored had an average of 70% more vulnerabilities than the others. According to the audit's conclusions, had EPA officials been following "federal and agency information security policies and guidelines," the flaws would have been discovered.-http://govexec.com/story_page.cfm?articleid=33290&printerfriendlyVers=1&
-http://www.epa.gov/oig/reports/2006/20060131-2006-P-00010.pdf
[Editor's Note (Weatherford): This is a case similar to the GSA eOffer system vulnerability reported earlier in the week where government audit and oversight groups are starting to actively question why federal organizations are not complying with FISMA requirements. Granted that FISMA can be considered overly burdensome but in today's environment, whether an organization is public or private, meeting NIST standards or not, there should be very little tolerance for lack of an organizational security program where policy reviews and a process for discovering and addressing weaknesses is not actively supported. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft's Scheduled February Security Update Will Include Seven Patches (9/8/7 February 2006)
Microsoft's monthly security update will include fixes for at least two critical vulnerabilities. Some of the updates for Microsoft Windows and Microsoft Office will require a system restart. In a related story, Microsoft earlier this week acknowledged two new flaws, a remote code execution vulnerability in older versions of Internet Explorer (IE) and a privilege escalation vulnerability in Windows XP SP1 and earlier and in Windows Server 2003 without SP1.-http://www.computerworld.com/printthis/2006/0,4814,108531,00.html
-http://www.eweek.com/print_article2/0,1217,a=171219,00.asp
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1164965,0
0.html
-http://www.securityfocus.com/brief/133
-http://www.microsoft.com/technet/security/bulletin/advance.mspx
-http://www.microsoft.com/technet/security/advisory/913333.mspx
-http://www.microsoft.com/technet/security/advisory/914457.mspx
Sun Addresses Privilege Escalation Vulnerability in JRE (9 February 2006)
Sun Microsystems has released updated versions of its Java Runtime Environment (JRE) to address seven critical security flaws. The flaws lie in problems with the "reflection" APIs and could be exploited with maliciously crafted applets to read and write files on hard drives of vulnerable systems and to execute programs. Affected versions include JRE 1.3.1_16 and earlier, JRE 1.4.2_09 and earlier and JRE 5.0 Update 4 and earlier.-http://www.techweb.com/wire/179102588
-http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1
Exploit for Firefox Flaw Posted Online (8/7 February 2006)
Exploit code for a vulnerability in the Firefox web browser has been released on the Internet. Firefox upgraded the severity of the flaw from moderate to critical as a result of the available code. The flaw, which was fixed in the recently released Firefox 1.5.0.1, could be exploited to cause memory corruption and could allow attackers to run code on vulnerable machines.-http://news.com.com/2102-7349_3-6036771.html?tag=st.util.print
-http://www.informationweek.com/story/showArticle.jhtml?articleID=179101966
-http://www.computerworld.com/printthis/2006/0,4814,108469,00.html
ATTACKS & INTRUSIONS & DATA THEFT
Cyber Thieves Used Trojan to Gather Banking Details and Empty Accounts (7 February 2006)
Russian cyber criminals have allegedly used Trojan horse programs to help them steal more than EUR1 million (US$1.2 million) from French bank accounts. The malware, which is embedded in email messages and websites, is dormant until users access their online banking sites. The malware then gathers passwords and other bank data and sends it back to the cyber thieves. The thieves are also allegedly using "mules" or people who have agreed to let the stolen money pass through their accounts in exchange for a commission of as much as 10 percent.-http://www.guardian.co.uk/print/0,,5393279-110633,00.html
[Editor's Note (Kreitner): Here's one security breach no one can blame on IT. This is yet another example of careless handling of personal information by human beings at the operational level.
(Murray): We have now entered an era in which the primary motivation for the use of malicious code is to make money. One of the more powerful mechanisms for resisting this is the reluctance of banks to pay out cash to non-customers. In the US, this is complemented by the requirement for financial institutions to report suspicious cash transactions and all cash transactions over $10K.]
Honeywell Files Suit Against Former Employee for Data Exposure (6/4 February 2006)
Honeywell International Inc. has filed a civil complaint against a former employee it alleges exposed data about 19,000 company employees on the Internet. Howard Nugent has been ordered not to disclose Honeywell information by a US District Court judge in Arizona. The court filings indicate that the security of Honeywell's computer systems was not breached, but that Nugent "intentionally exceeded authorized access to a Honeywell computer."-http://www.computerworld.com/printthis/2006/0,4814,108434,00.html
-http://www.azstarnet.com/sn/printDS/114398
[Editor's Note (Shpantzer): Monitoring the privileged user is difficult but not impossible. It is being done by smart companies that use platform independent logging aggregation and normalization engines for analysis, audit and reporting against policy.
(Murray): Partly in response to the California law, we have learned a lot about abuse by privileged users. It suggests that we should both reduce privilege and increase supervision of its use.
(Grefer): Welcome to "Let's split hairs" ... today featuring the difference between "breaching security" and "intentionally exceeding authorized access" in an effort to likely not fall under certain state legislation, such as the Californian security breach laws. ]
STANDARDS & BEST PRACTICES
Outsourcing Vendor Standards Released (6 February 2006)
A consortium of financial institutions and auditors has released "standards for assessing the security practices of outsourcing vendors that work with financial services firms." The standards were created with the goal of having consistent expectations for "evaluating the controls that outsourcing vendors use to protect sensitive data." The standards, dubbed the Financial Institution Shared Assessments Program, were tested on five vendors before being released.-http://www.computerworld.com/printthis/2006/0,4814,108379,00.html
-http://www.banktechnews.com/article.html?id=20060201S19QWD9H
[Editor's Note (Shpantzer): The benefit from this is that service providers can spend time providing service to their customers, rather than responding to endless audits from each of their customers, which basically audit the same stuff, just on different letterhead. Those audits cost money for the outsourcing customers and providers. If the standard is sufficiently rigorous, then this is a good way to build some efficiency into what is normally a very large cost center in the outsourcing process.]
MISCELLANEOUS
Many Phone Record Sale Sites No Longer Doing Business (8 February 2006)
A Federal Trade Commission (FTC) check of approximately 40 web sites that had previously offered the sale of mobile phone records found that many are no longer offering the service. The other companies received letters from the FTC warning "that it is illegal to engage in deception to obtain someone else's telephone records." Two of sites say they are no longer taking orders and that unprocessed orders will not be completed. Legislators have introduced bills that would make it illegal to obtain and sell phone records.-http://www.computerworld.com/printthis/2006/0,4814,108497,00.html
(Note: the following site requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2006/02/08/AR2006020802070_
pf.html
Boston Hospital Faxed Patient Data to Bank (7 February 2006)
For the past six months, a Boston investment bank has been receiving faxes from Brigham and Women's Hospital with confidential medical information about women who have recently given birth there. The bank's finance manager has shredded all the FAX copies received and has contacted the hospital on several occasions in an effort to fix the problem. The documents contain a great deal of personal information, including Social security numbers and medical test results. The hospital plans to notify the affected patients.-http://news.bostonherald.com/localRegional/view.bg?articleid=124753&format=t
ext
===end===
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Bill Murray, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
