
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VIII - Issue #27

April 04, 2006


When you explain cyber risk to management and operations staff, the 2006 Cyber Threat Map helps you show (1) who are the cyber attackers, (2) what are their objectives, (3) what vulnerabilities they are exploiting, (4) what target systems they use to gain entry, and (5) what protections could stop them. It also includes Ed Skoudis' list of the top 10 new tools attackers are using and the WhatWorks list of five key defensive walls. US and Canadian SANS alumni and GIAC certified professionals get the maps free with their SANSFIRE 2006 brochures arriving this week. Others may order them from the SANS bookstore ($26) at
https://store.sans.org/

Alan

TOP OF THE NEWS

Senate Committee Approves Protecting Consumer Phone Records Act
House Committee Approves Data Accountability and Trust Act
Zero-Day IE Flaw Exposes Holes in Microsoft's Security Patch Process
PA County Voting System Test Halted; Examiner Cites Software Problems

THE REST OF THE WEEK'S NEWS

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Anti-Piracy Group Targets UK Firms
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Attackers Hone IE TextRange() Exploit
Australian ISP Suffers Alleged Privacy Breach
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Missing Drive Holds Marines' Personal Data
Winny Worm Exposed Trend Micro Information
MISCELLANEOUS
DOJ Study Estimates Identity Theft Costs Citizens US$6.4 Billion a Year
Project Yields Simpler Privacy Notice Prototype
Microsoft Extends Support for Older Version of MBSA
DOJ Subpoenas Records from More ISPs and Tech Companies
San Francisco BART Computer Error Strands 35,000 Commuters


********************* Sponsored By ArcSight, Inc. ***********************

Download Top 10 Guide to Evaluating SIM Solutions

Many factors go into buying a SIM solution. Discover the best practices, based on customer experiences, that should be an integral part of your evaluation process with the new Top 10 Guide to Evaluating SIM Solutions. Brought to you by ArcSight, the one vendor that's been proven in demanding real-world trials, for security, compliance and insider threat. Download a copy of the guide today!
http://www.sans.org/info.php?id=1090

*************************************************************************

SANS Training in San Diego, London and Washington DC

Turbo charge your security career or the careers of any of your coworkers this spring in San Diego in early May: a dozen of SANS' most popular courses and a vendor exposition right on the harbor.
http://www.sans.org/security06/
Or in London at the end of June: http://www.sans.org/london06
Or Washington in July right after July 4 for the biggest SANSFIRE ever: with all 17 SANS immersion tracks and more than a dozen special courses, a big exposition, and an inside look at how the Internet's Early Warning System (Internet Storm Center) actually works. Bring your family for the national fireworks show.
http://www.sans.org/sansfire06

*************************************************************************

TOP OF THE NEWS

Senate Committee Approves Protecting Consumer Phone Records Act (31 March 2006)

The Senate Commerce, Science and Transportation Committee has approved S. 2389, the Protecting Consumer Phone Records Act, which makes it a crime "to acquire, use or sell a person's confidential phone records without that person's written consent." Several companies that offer phone records for sale have employed pretexting, the practice of pretending to be a customer to obtain that customer's records. Voice carriers would also be required to inform customers when their phone records have been accessed without their authorization. The bill also mandates that the Federal Communications Commission (FCC) create regulations for phone records akin to the financial protections of Gramm-Leach-Bliley. Violators could face civil lawsuits and fines. The bill now goes before the full Senate for a vote.
-http://www.computerworld.com/printthis/2006/0,4814,110109,00.html
-http://www.technologynewsdaily.com/node/2372

House Committee Approves Data Accountability and Trust Act (31 March 2006)

The House Energy and Commerce Committee has unanimously approved the Data Accountability and Trust Act (DATA), also known as HR 4127. The bill requires organizations to inform those whose data are "acquired by an unauthorized person" in the event of a data breach "if there is a reasonable basis to conclude that there is a significant risk of identity theft." The bill also designates the Federal Trade Commission as the enforcing entity, requires data brokers to establish security policies and requires audits of organizations that experience security breaches.
-http://www.techweb.com/wire/184417500
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=40284
-http://thomas.loc.gov/cgi-bin/query/z?c109:H.R.+4127:
[Editor's Note (Pescatore): The privacy groups seem happy with the final wording. The FTC will not only be the enforcer but is required to conduct an audit after any reported disclosure. Much like the original California SB 1386, disclosure is not required if the compromised data was encrypted. This bill, combined with increased pressure by the Payment Card Industry for credit card processors to comply with PCI Data Security Standards that require data encryption, will drive more attention to the difficult problem of encrypting data at rest.
(Schultz): This legislation has taken a long time--really too long--to get as far as it has, given its critical importance in helping protect against identity theft. It now appears likely that it will be passed in the US House and Senate and will be signed into law.]

Zero-Day IE Flaw Exposes Holes in Microsoft's Security Patch Process (1 April/30 March 2006)

Cyber criminals are now using spam in an attempt to spread malware that exploits an unpatched critical vulnerability in Microsoft's Internet Explorer (IE). The spam tries to lure people to maliciously crafted web sites; the sites download software onto victims' computers that captures bank account log-in data and transmits it to the thieves. Microsoft encourages users to disable active scripting pending the availability of a legitimate patch. The emergence of zero-day vulnerabilities illuminates problems with Microsoft's monthly security releases. An executive with a company that released a third-party patch for the flaw says he understands Microsoft's need to test, but that Microsoft should also provide some sort of faster protection for the interim, perhaps a "beta" patch.
-http://www.usatoday.com/tech/news/computersecurity/2006-03-30-microsoft-security_x.htm
-http://seattlepi.nwsource.com/business/265146_msftsecurity01.html
[Editor's Note (Honan): As we learnt with the WMF vulnerability, the availability of a patch does not necessarily mean that the threat is eliminated (see "Trojan Filches Financial Account Details" in the March 24 Issue of NewsBites).
(Schultz): Here we go again--Microsoft struggles to get a patch out while a third party has already made one available. I'd still recommend resisting the temptation to use the third-party patch in favor of using a workaround, however.]

PA County Voting System Test Halted; Examiner Cites Software Problems (30 March 2006)

Dr. Michael Shamos, a Carnegie Mellon University professor of computer science, has halted testing of Sequoia Voting Systems' AVC Advantage voting machines slated for use in Allegheny County, Pennsylvania's May primary election, citing a flaw in the software that allowed him "to transform a handful of votes into thousands." Dr. Shamos called the software "not stable." Dr. Shamos said continuing with the test did not make sense; Sequoia will be given an opportunity to address the software flaw and submit it for retesting. Dr. Shamos's testing also encountered flaws that shut down the program when it was asked to print. Some voters' rights groups are opposed to the use of these particular machines because they do not generate a verifiable paper audit trail.
-http://www.post-gazette.com/pg/06089/678087-85.stm
[Editor's Note (Pescatore): Let's say that on a software security and reliability scale of 1-10, space shuttle and laser surgery controller software should be at least a 9. Maybe video games and Hot or Not websites could get by with a 3. I'm pretty sure computerized voting machines should be closer to the former than the latter.]


************************** Sponsored Links: *****************************

1) ALERT: "How A Hacker Launches A Blind SQL Injection Attack" - White Paper
http://www.sans.org/info.php?id=1091

2) FREE Product Demo: Stop protecting while blind. Gain network visibility now.
http://www.sans.org/info.php?id=1092

3) Free White Paper: The Future of Perimeter Security by Norm Laudermilch, CSO of Trust Digital
http://www.sans.org/info.php?id=1093

*************************************************************************

THE REST OF THE WEEK'S NEWS

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Anti-Piracy Group Targets UK Firms (31 March 2006)

The UK's Federation Against Software Theft (FAST) is going after "a number of [as yet unnamed] companies in the UK that have been caught making illegal copies of software available for download from their networks." The companies may not be aware of the legal activity. In phase one of the investigation, known as Operation Tracker, FAST obtained the names and addresses of alleged software license violators from their Internet service providers (ISPs) through a court order. Individuals have received letters from FAST demanding they pay what amounts to a licensing fee together with a contribution toward costs incurred by the FAST investigation and that they agree to refrain from illegal software activity. Phase two of Operation Tracker involves going after the organizations whose IP addresses were revealed in the course of the investigation.
-http://www.theregister.co.uk/2006/03/31/corporate_p2p_crackdown/print.html
-http://www.fast.org.uk/default.asp
-http://www.fast.org.uk/tracker.asp

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Attackers Hone IE TextRange() Exploit (31 March 2006)

A "new generation" of exploit code that takes advantage of the TextRange() vulnerability in Microsoft's Internet Explorer (IE) has been posted to the Internet. When the older exploits attempted to install keystroke loggers on vulnerable machines, they froze browsers for noticeable periods of time, allowing users to shut down their computers and avoid being infected with the malware. The new exploit is faster and employs techniques to evade antivirus signatures.
-http://www.computerworld.com/printthis/2006/0,4814,110122,00.html

Australian ISP Suffers Alleged Privacy Breach (31 March 2006)

A customer of Australian Internet service provider (ISP) Astratel has notified the company that he was able to see other customers' account information simply by entering their telephone numbers in a query form. The customer made his findings public after repeated attempts to get the company to address the security concerns proved fruitless.
-http://australianit.news.com.au/articles/0,7204,18665780%5E15331%5E%5Enbv%5E15306%2D15318,00.html

ATTACKS & INTRUSIONS & DATA THEFT & LOSS

Missing Drive Holds Marines' Personal Data (30 March 2006)

A missing portable drive contains personal information that belongs to over 207,000 US Marines. The data on the drive includes names, Social Security numbers, and enlistment contract details for those on active duty between January 2001 and December 2005. The drive was being used at the Naval Postgraduate School as part of a research project. School officials were alerted to the data loss on March 14 and the Marines were informed 10 days later.
-http://www.estripes.com/article.asp?section=104&article=35264&archive=true

Winny Worm Exposed Trend Micro Information (3 April 2006)

A worm that spread through the Winny peer-to-peer file-sharing application uploaded internal Trend Micro data to the Internet. The data leak could have been prevented had the employee, who copied the documents in question to his home computer, installed his own company's anti-virus software. Trend Micro is just the latest in a string of data exposures due to viruses exploiting the Winny file sharing program.
-http://www.computerworld.com/printthis/2006/0,4814,110142,00.html
[Editor's Note (Northcutt): The article begins with, "The failure of a Trend Micro Inc. employee to install his company's own antivirus software." You can almost see Trend Micro CEO Eva Chen banging her head on the monitor, or saying, "OK, let me get this straight, employee, you work for an AV company and you didn't update your company-supplied AV *and* you were on a P2P network." And what a great reminder that when calculating risk "low risk" doesn't mean "no risk," as we see below.
-http://vil.mcafeesecurity.com/vil/content/v_101125.htm
Finally, Trend was not the only casualty:
-http://www.latimes.com/news/nationworld/world/la-fg-computer21mar21,0,5159274.story
-http://www.securitypark.co.uk/article.asp?articleid=25103&CategoryID=58 ]

DOJ Study Estimates Identity Theft Costs Citizens US$6.4 Billion a Year (3 April 2006)

According to the US Department of Justice's (DOJ) National Crime Victimization Survey, identity theft costs US citizens an estimated US$6.4 billion annually. Data gathered through the survey indicates that three percent of US households experienced some form of identity theft during the first half of 2004. Credit card fraud accounted for roughly 50 percent of the cases; banking and financial account fraud accounted for 25 percent. Losses averaged US$1290 per incident.
-http://www.pcworld.com/news/article/0,aid,125291,00.asp
-http://www.ojp.usdoj.gov/bjs/abstract/it04.htm

MISCELLANEOUS

Project Yields Simpler Privacy Notice Prototype (31 March/3 April 2006)

A prototype for a privacy notice that can be used by financial institutions across the US would allow consumers to easily compare practices from institution to institution and to understand how their information is being collected and used. The Kleimann Communication Group developed the notice as part of a 365-page report, "Evolution of a Prototype Financial Privacy Notice," commissioned by a half dozen government agencies charged with enforcing Gramm-Leach-Bliley Act provisions. The six agencies, along with the Office of Thrift Supervision, will fund the second phase, in which a larger group of people will be involved in evaluating the efficacy of the prototype and other versions of privacy notices.
-http://www.computerworld.com/printthis/2006/0,4814,110121,00.html
-http://seattlepi.nwsource.com/printer2/index.asp?ploc=b&refer=http://seattlepi.nwsource.com/business/1310AP_Financial_Privacy.html
-http://www.out-law.com/page-6808
-http://originatortimes.com/content/templates/standard.aspx?articleid=1774&zoneid=5
-http://www.ftc.gov/privacy/privacyinitiatives/ftcfinalreport060228.pdf
[Editor's Note (Pescatore): This was a pretty small test (66 subjects) but making these notices more consumer friendly is an important thing. GLB was mostly an exercise in banks mailing their customers confusing postcards, and the coming data protection legislation will require more GLB-like regular notification of privacy rights. Making it easy for normal human beings to understand that they do *not* have to let their private information be used willy-nilly is a good thing.]

Microsoft Extends Support for Older Version of MBSA (31 March 2006)

In a bow to customer pressure, Microsoft has extended support for the Microsoft Baseline Security Analyzer (MBSA) version 1.2 indefinitely. Microsoft initially said it would end support for the tool on March 31, 2006, but feedback from customers made it clear that to discontinue support "would create a gap in security update detection for Microsoft products." MBSA is a free tool that scans computers for vulnerabilities with available Microsoft patches. MBSA 2.0, released in July 2005, fails to detect the need for patches in certain Microsoft products.
-http://zdnet.com.au/news/security/print.htm?TYPE=story&AT=39248912-2000061744t-10000005c
DOJ Subpoenas Records from More ISPs and Tech Companies (29/30 March 2006)

The US Justice Department (DOJ) has subpoenaed internal records from at least 34 ISPs and technology companies in its effort to gather evidence to defend the Child Online Protection Act (COPA). The Supreme Court has twice blocked COPA on grounds that it could violate First Amendment protections. Online publishers are challenging the law, maintaining that filters protect children without the restrictions that COPA would impose. InformationWeek Magazine obtained the subpoenas through the Freedom of Information Act (FOIA).
-http://www.usatoday.com/tech/news/internetprivacy/2006-03-30-justice-files_x.htm
-http://www.informationweek.com/story/showArticle.jhtml?articleID=184401156

San Francisco BART Computer Error Strands 35,000 Commuters (31 March 2006)

In an illustration of critical infrastructure dependence on vulnerable computer systems, the Bay Area Rapid Transit (BART) system stranded 35,000 passengers during rush hour on Wednesday, March 29. Technician errors rather than hacker attacks were the cause.
-http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/03/31/BART.TMP


===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/