SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #2

January 06, 2006

Congratulations to Microsoft for reducing the pain from the programming error they made on processing WMF files. The national policy issue that remains is summed up in the question: "If 9 days is rapid and extraordinary response, and the US government has ceded responsibility for correcting its most widely used software to the vendors, what will we do when the attack comes from a nation-state adversary and tens of thousands of computers are having critical data destroyed every hour?"

Alan

PS The deadline for SANS 2006 (Orlando in February) early registration discount of $250 is next Wednesday (1/11) http://www.sans.org/sans2006

---

TOP OF THE NEWS

Microsoft Releases Out-of-Cycle Patch for WMF Flaw
Study Shows IT Professionals Gaining Increased Influence

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
UK's Crown Prosecution Service Mulling Appeal of DDoS Case Dismissal
Iowa Man Pleads Guilty in Phishing Case
Two Men Ordered to Pay Damages and Court Costs in Domain Name Phishing Scam
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DHS IG Report Says Department CIO Is "Not Well-Positioned" to Carry Out Tasks
US Government Contractors Now Face Same Background Checks as Federal Employees
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
BlackBerry Acknowledges Security Flaws
ATTACKS & INTRUSIONS & DATA THEFT
Mortgage Company Says Transition to Secure Digital Network for Data Transfer Will be Complete This Month
STATISTICS, STUDIES & SURVEYS
Viral eMail Increased in December in Ireland
MISCELLANEOUS
Bank of America Deploys Two-Factor Authentication

---

*********** Sponsored by SANS New Master of Science Degrees **********

Earn your Masters degree in Information Security Engineering, from SANS. http://www.sans.edu

Also, two Free SANS Webcasts next week "Update on the Law of IT Security Policies: New Guidance under GLBA" Tuesday, January 10 at 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=977 and Internet Storm Center: "Threat Update" webcast Wednesday, January 11 at 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=978

**********************************************************************

---

TOP OF THE NEWS

Microsoft Releases Out-of-Cycle Patch for WMF Flaw (5/4 January 2006)

On Thursday, January 5, 2006, Microsoft released a patch for the WMF flaw. Microsoft released the out-of-cycle bulletin with updates in response to overwhelming customer demand. Microsoft initially said the fix would be released on January 10, the date for the scheduled monthly update. A pre-release version of Microsoft's patch for the WMF vulnerability was inadvertently posted to the web.
-http://www.computerworld.com/printthis/2006/0,4814,107500,00.html
-http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
-http://www.microsoft.com/technet/security/bulletin/advance.mspx
-http://www.us-cert.gov/cas/techalerts/TA06-005A.html
-http://www.computerworld.com/printthis/2006/0,4814,107420,00.html
-http://www.microsoft.com/technet/security/advisory/912840.mspx
-http://www.securityfocus.com/brief/94
[Editor's Note (Schultz): This was an excellent move by Microsoft. By coming out with an update so quickly, Microsoft not only defused controversy and confusion surrounding the availability of the "unofficial patch," but also, given the seriousness of the WMF flaw, quickly helped protect its user community from potential disaster. ]

Study Shows IT Professionals Gaining Increased Influence (3 January 2006)

According to the 2005 Global Information Security Workforce Study, sponsored by the International Information Systems Security Certification Consortium (ISC)2, IT security professionals are gaining increased access to corporate boardrooms. More than 70 percent of those surveyed said they felt they had increased influence on executives in 2005 and even more expect that influence to keep growing. "They are increasingly being included in strategic discussions with the most senior levels of management." Howard Schmidt, who serves on (ISC)2's Board of Directors said "There's more attention and focus on IT security as a profession, as opposed to just a job." Companies are increasingly looking for employees who have not only security expertise, but experience in management and business as well. More than 4,300 full-time IT security professionals provided responses for the study.
-http://www.techweb.com/wire/175800558
[Editor's Note (and shameless plug) (Paller): The enormous need for management and communications skills in security professionals is the principal driver behind the SANS Institute's new Master of Science degree program authorized by the Maryland Higher Education Commission, but available to the entire security community, world-wide.
-http://www.sans.edu
Note the .edu ]

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

UK's Crown Prosecution Service Mulling Appeal of DDoS Case Dismissal (5 January 2006)

The UK's Crown Prosecution Service "is considering appealing a judge's decision" to dismiss a distributed denial-of-service (DDoS) attack case brought against a teenager under the Computer Misuse Act (CMA). The teenager allegedly deluged his former employer with five million email messages. The judge's ruling said the attack described in the case was not illegal under the CMA. The CPS requested and received "a draft case outlining how (Wimbledon Magistrate's Court) reached its decision." The CPS may take the case to the High Court to ask its opinion on the judge's ruling. If the High Court upholds the decision, it will stand; if the High Court overturns the judge's decision, the case will return to the magistrate's court and continue.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39245718-39020375t-10000025c

Iowa Man Pleads Guilty in Phishing Case (4 January 2006)

An Iowa man has pleaded guilty to charges stemming from a phishing scam. Jayson Harris conducted a scam between January 2003 and June 2004, targeting MSN customers and duping them into believing they needed to provide credit card numbers to keep their accounts active. Harris reportedly stole about US$57,000 through the scam. The fraud charge against Harris could bring him a fine of up to US$250,000 and up to 10 years in prison; for wire fraud, Harris faces another maximum fine of US$250,000 and up to 20 years in prison. If his crimes affected a financial institution, the penalties could be more stringent.
-http://www.informationweek.com/story/showArticle.jhtml?articleID=175800879

Two Men Ordered to Pay Damages and Court Costs in Domain Name Phishing Scam (3 January 2006/13 December 2005)

An Australian court has ordered two men to pay AU$2.3 (US$1.72 million) million in damages and legal fees for running a domain registration scam that targeted as many as 50,000 UK website owners. Brad Norrish and Chesley Rafferty sent notices that appeared to be genuine informing people that they would lose their domain names unless they paid a fee. Norrish and Rafferty used data they obtained from domain name registrar Nominet's database.
-http://www.theregister.co.uk/2006/01/03/domain_scam/print.html
-http://www.theaustralian.news.com.au/common/story_page/0,5744,17549155%255E2702,
00.html

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

DHS IG Report Says Department CIO Is "Not Well-Positioned" to Carry Out Tasks (5 January 2006/29 December 2005)

A report recently released by Department of Homeland Security (DHS) inspector general Richard Skinner said that DHS CIO Scott Charbo is not in a position "to accomplish the department's goal of creating a single IT infrastructure." The problem is that Charbo is not "a member of the senior management team," meaning he does not have the "authority to manage departmentwide assets and technology." Skinner recommends the DHS follow the example of other agencies where the CIOs have the necessary authority and influence to manage and "guide executive decisions on departmentwide IT investments and strategies."
-http://www.computerworld.com/printthis/2006/0,4814,107499,00.html
-http://www.dhs.gov/interweb/assetlibrary/OIG_06-14_Dec05.pdf

US Government Contractors Now Face Same Background Checks as Federal Employees (3 January 2006)

An interim rule issued by the Federal Acquisition Regulation Council requires federal agencies to make contractors undergo the same background investigations required of federal employees per Homeland Security Presidential Directive 12: Policy for a Common Identification Standard for Federal Employees and Contractors. The rule is backdated to October 27, 2005; all contractors employed before that date must be cleared by October 27, 2007.
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&
story.id=37856
-http://a257.g.akamaitech.net/7/257/2422/01jan20061800/edocket.access.gpo.gov/200
6/05-24547.htm
HSPD-12:
-http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html
[Editor's Note (Schultz): Given the pervasiveness and importance of contractors in the US government, this new rule makes perfect sense. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

BlackBerry Acknowledges Security Flaws (5/4 January 2006)

BlackBerry maker Research in Motion (RIM) has acknowledged three vulnerabilities in the Blackberry software. A fix for one of the vulnerabilities is available. BlackBerry has provided information on how to protect devices from attacks via the other two. The most serious of the vulnerabilities involved a "flaw in processing Server Routing Protocol (SRP) packets." Another flaw lies in the way maliciously crafted TIFF image attachments are handled. Having BlackBerry servers behind a firewall should protect users from being attacked via the SRP flaw. A third vulnerability, which has been fixed in BlackBerry device software 4.0.2 and later, could have allowed denial-of-service attacks through maliciously crafted Java Application Description (JAD) files.
-http://www.theregister.co.uk/2006/01/04/blackberry_security_bugs/print.html
-http://www.out-law.com/page-6509
-http://www.net-security.org/article.php?id=887
US CERT Vulnerability Notes:
-http://www.kb.cert.org/vuls/byid%3fsearchview%26query=rim_blackberry_fx_dec_2006
-http://www.computerworld.com/printthis/2006/0,4814,107447,00.html
-http://hardware.silicon.com/pdas/0,39024643,39155326,00.htm
-http://www.eweek.com/print_article2/0,1217,a=168379,00.asp

ATTACKS & INTRUSIONS & DATA THEFT

Mortgage Company Says Transition to Secure Digital Network for Data Transfer Will be Complete This Month (2 January 2006)

ABN Amro Mortgage Group, which in December acknowledged that a backup tape containing customer account and personal data was missing for one month, said their transition to sending encrypted data to credit bureaus over networks instead will be complete this month. In the event a recipient cannot accept electronic data, ABM Amro will send tapes by special courier rather than through traditional shipping companies.
-http://www.computerworld.com/printthis/2006/0,4814,107357,00.html

STATISTICS, STUDIES & SURVEYS

Viral eMail Increased in December in Ireland (3 January 2006)

According to statistics compiled by Irish hosting firm IE Internet, 23.4 percent of all email messages it intercepted in December 2005 had malicious code attached. The figure for November was 16.5 percent; the significant increase is attributable to the Sober.Z worm, which accounted for 45.2 of all infected intercepted messages. In addition, 38.9 percent of the intercepted email was spam, down slightly from November's figure of 41.9 percent.
-http://www.enn.ie/frontpage/news-9660727.html
-http://www.siliconrepublic.com/news/news.nv?storyid=single5849

MISCELLANEOUS

Bank of America Deploys Two-Factor Authentication (4 January 2006)

Bank of America has deployed two-way, two-factor authentication to customers in 48 of the 50 states. The scheme uses an image, a phrase and challenge questions to let customers know they are interacting with the authentic banking site and not a phishing web site. The new authentication scheme will become mandatory in 2006; Idaho and Washington state are set to get the technology sometime this year.
-http://www.techweb.com/wire/security/175801173

---

===end===

NewsBites Editorial Board: Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/