SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #28
April 07, 2006
By now you should have received the SANSFIRE 2006 program and the new
Threat Matrix poster. SANSFIRE in Washington in early July is the first
opportunity to both attend 16 great hands-on courses and get the inside
scoop on the Internet Storm Center. You'll come away far better
prepared to protect your organization's computers. Also now that
government is requiring technical security certifications for all
sysadmins and technical security professionals - both employees and
consultants -- SANSFIRE (and SANS Security 2006 in San Diego in May) are
the only places where you can get training for all the technical
security certifications that are approved by government regulations.
Please register early because all the popular courses were sold out at
our last big conference.
Information on SANSFIRE in Washington DC: http://www.sans.org/sansfire06
Information on SANS Security in San Diego: http://www.sans.org/security06
Ordering extra Threat Matrix posters: https://store.sans.org/
Also: If your organization uses the VeriSign security mark on its web
site, be certain to read the advisory at the bottom of this edition of
NewsBites.
Alan
TOP OF THE NEWS
GAO Report: Data Brokers and Government Agencies Not Compliant with Privacy ActSenator Questions DOJ Contract with ChoicePoint
Proposed Rule Change Would Allow Tax Preparers to Sell Data with Permission
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCESSuffolk County, NY Policeman Arraigned on Stalking and Other Charges
Two Plead Guilty to Piracy Charges
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
GAO Report: SEC Information Security Still Problematic
SPYWARE, SPAM & PHISHING
NY AG Lawsuit Alleges Company Surreptitiously Installed Spyware
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Cisco Addresses Flaws in ONS 15000 Series
Microsoft Will Release Five Security Bulletins on Tuesday
New IE Flaw Could be Exploited by Phishers
HP Issued Update to Fix Flaw in Color LaserJet Printers
MISCELLANEOUS
Database with Passwords Inadvertently Exposed on Internet
Police Society Posted Reporter's Personal Info on Web
Advisory: An Important Note For Any Web Site That Relies on Verisign's Security Marks
************************** Sponsored Links ******************************
1) Free SANS Webcast next week - Internet Storm Center: "Threat Update"
Wednesday, April 12 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1094
2) SANS OnSite InfoSec Training
Your Location! Your Schedule! Lower Cost! Receive a bonus seat for your OnSite Course (up to $4,750 value). Simply complete the interest form today! http://www.sans.org/info.php?id=1087
3) The SAN@Home program brings the same courses taught at SANS conferences right to your home. Many new classes starting in April.
See http://www.sans.org/athome
*************************************************************************
TOP OF THE NEWS
GAO Report: Data Brokers and Government Agencies Not Compliant with Privacy Act (5 April 2006)
According to a Government Accountability Office (GAO) report, the Departments of Justice, Homeland Security and State and the Social Security Administration spend a total of US$30 million to acquire data from information resellers for a variety of purposes. According to the study, "while major information resellers that do business with the federal agencies had some measures to protect privacy, they 'are not always fully consistent with the Fair Information Practices,'" which form the basis of the Privacy Act of 1974. The "resellers ... have limited ability to ensure the accuracy of the data they collect." In addition, the agencies apparently do not have consistent policies regarding the use of the data they purchased. According to the report, resellers do not believe they need to be completely compliant with the Privacy Act because they do not collect their data directly from individuals.-http://www.washingtonpost.com/wp-dyn/content/article/2006/04/04/AR2006040401727_
pf.html
-http://www.computerworld.com/printthis/2006/0,4814,110245,00.html
-http://govexec.com/story_page.cfm?articleid=33759&printerfriendlyVers=1&
-http://www.techweb.com/wire/184429050
-http://www.gao.gov/new.items/d06609t.pdf
[Editor's Note (Schultz): I fear that the real truth of the matter is that information resellers correctly believe that they can get away with almost everything that they do when it comes to collecting and selling personal and financial data. Why? Lamentably, there is incredibly little commitment on the part of the US government to enforce the few privacy statutes that exist. ]
Senator Questions DOJ Contract with ChoicePoint (5 April 2006)
US Senator Patrick Leahy (D-Vermont) wonders why the US Department of Justice (DOJ) is still doing business with data broker ChoicePoint, which last year disclosed that it had suffered a large data security breach. The DOJ and FBI recently signed a "five-year, US$12 million contract with ChoicePoint to provide investigative analysis software to the FBI." US Attorney General Alberto Gonzales and ChoicePoint have both defended the contract, pointing out that it is for technology services, not data services. Leahy also voiced concerns about the findings of the GAO report discussed in the "Top of the News" story about GAO and data brokers.-http://www.networkworld.com/news/2006/040506-senator-questions-fbi-on-choicepoin
t.html
[Editor's Note (Kreitner): A good example of the lingering impact of reputational damage stemming from a past security incident. I wonder how many Board members and CEO's have given really deep thought and analysis to the costs of damaged reputation vs the costs of adequate protection. Reminds me of the relationship between human lifestyle and health status. Something in our DNA makes us more disposed to deal with disasters after they happen rather than prevent them. ]
Proposed Rule Change Would Allow Tax Preparers to Sell Data with Permission (5 April 2006)
A proposed Internal Revenue Service (IRS) rule change would allow tax preparers to sell personal information they acquire in their work with taxpayer consent. Opponents of the proposed change say it is designed to increase revenues for tax preparers and exposes taxpayers to possible identity fraud.-http://www.techweb.com/wire/184429112
[Editor's Note (Northcutt): Sen. Chuck Grassley's closing statement says it best! "I am concerned about trends suggesting that tax preparers are interested in selling taxpayer information to make a fast buck, rather than as proprietary information that should be held in confidence by a trusted advisor. We need to change the focus of paid preparers from selling to advising."
(Schultz): Why would a government "by the people and for the people" do anything like this?
(Schmidt) Not having any more information then what is in this story, I agree with the opponents. Why anyone would want to consent to something like this is beyond me. This is NOT a good rule change.
(Kreitner): This is beyond objectionable! As a society, we have enough trouble protecting our personal information without spreading it around even more.
(Grefer): As Jean Ann Fox of the Consumer Federation of America points out, the proposed change "essentially turns tax return information into a commodity for the highest bidder." Unfortunately, coverage of the April 4th open hearing on this issue is virtually non-existent at this point.
-http://www.accountingweb.com/cgi-bin/item.cgi?id=101947
Proposed consent language:
-http://www.irs.gov/pub/irs-drop/n-05-93.pdf]
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Suffolk County, NY Policeman Arraigned on Stalking and Other Charges (5 April 2006)
A Suffolk County, New York policeman has been arraigned on a 197-count indictment that includes charges of stalking, computer trespass and official misconduct for allegedly breaking into the email account of a woman he dated for a short time, altering her on line dating profile and sending threatening and deceptive email messages from her online account. Officer Michael Valentine has pleaded not guilty; he has been suspended from the police force without pay.-http://www.wral.com/apstrangenews/8449104/detail.html
Two Plead Guilty to Piracy Charges (4 April 2006)
Two California men have entered guilty pleas to charges related to music and software piracy. The charges against Ye Teng Wen and Hao He stem from the illegal manufacture of 200,000 CDs. The two men, together with a third person, Yaobin Zhai, were indicted in October 2005 on charges related to illegally copying music CDs and Symantec and Adobe software. US Attorney for Northern California Kevin Ryan called it "the largest case involving CD manufacturing piracy uncovered in the United States to date." Each of the five counts carries a maximum five-year sentence.-http://today.reuters.co.uk/news/newsArticle.aspx?type=technologyNews&storyID
=2006-04-04T021133Z_01_N03321736_RTRIDST_0_TECH-CRIME-MUSIC-PIRACY-DC.XML
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
GAO Report: SEC Information Security Still Problematic (5/4/3 April 2006)
A report from the Government Accountability Office (GAO) says the US Securities and Exchange Commission (SEC) addressed just eight of 51 security weaknesses identified in last year's report. Problems that have yet to be addressed include controlling remote access to servers and implementing auditing and monitoring mechanisms. GAO identified 15 additional problem areas in this year's report. The SEC says it agrees with the GAO's findings.-http://www.fcw.com/article92839-04-05-06-Web
-http://www.computerworld.com/printthis/2006/0,4814,110196,00.html
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&
story.id=40313
-http://www.gao.gov/new.items/d06408.pdf
SPYWARE, SPAM & PHISHING
NY AG Lawsuit Alleges Company Surreptitiously Installed Spyware (4 April 2006)
New York Attorney General Eliot Spitzer has filed a lawsuit against Direct Revenue LLC, alleging the software distributor "surreptitiously installed millions of pop-up ad programs on consumers' computers." Spitzer's lawsuit asks that Direct Revenue be enjoined from installing spyware without users' permission and from sending advertisements through software that is already on computers. It also asks that the court make the company disclose its revenues and "impose monetary penalties." Direct Revenue has posted a rebuttal to the allegations on its web site, saying the case is founded on activity in which they no longer engage. A lengthy investigation indicated that Direct Revenue had installed the spyware on people's computers when they installed free applications and neglected to mention the bundled spyware. The suspect software was downloaded to consumers' computers by Direct Revenue's own servers once the free application had been installed. Investigation results also indicate that the software was designed to be difficult to detect and uninstall and in some cases, reinstalled itself after users removed it.-http://www.computerworld.com/printthis/2006/0,4814,110203,00.html
-http://www.informationweek.com/story/showArticle.jhtml?articleID=184428598
-http://www.smh.com.au/news/breaking/spyware-company-sued-over-popup-ads/2006/04/
05/1143916536088.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Cisco Addresses Flaws in ONS 15000 Series (6 April 2006)
Cisco has issued a bulletin that warns users about five security flaws in its Cisco Optical Networking System 15000 Series. Cisco has distributed an updated version of the ONS 15000 operating system to end-users. The flaws could be exploited to launch denial-of-service attacks on vulnerable systems, reset control cards or execute arbitrary code.-http://www.eweek.com/print_article2/0,1217,a=175221,00.asp
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1178960,0
0.html
Microsoft Will Release Five Security Bulletins on Tuesday (6 April 2006)
Microsoft's Security Bulletin Advance Notification says that on Tuesday, April 11 Microsoft will release five Microsoft Security Bulletins - four are for Windows and one is for both Windows and Office. The highest maximum severity rating is critical. One of the bulletins will include a cumulative IE update that will address the CreateTextRange() vulnerability. Microsoft also plans to release an updated version of its Windows malicious Software Removal Tool as well as a handful of non-security, high-priority updates. Internet Storm Center:-http://isc.sans.org/diary.php?storyid=1247
-http://www.microsoft.com/technet/security/bulletin/advance.mspx
-http://news.com.com/2102-1002_3-6058548.html?tag=st.util.print
New IE Flaw Could be Exploited by Phishers (6 April 2006)
A newly disclosed flaw in Microsoft's Internet Explorer (IE) could be used by phishers to trick vulnerable users into thinking they are visiting a legitimate web site when they are actually on a malicious site. Attackers could exploit the vulnerability to spoof the address bar in the browser window. The flaw lies in the way IE loads Macromedia Flash animation. The flaw is known to affect IE 6.0 on fully patched versions of Windows XP as well as the most recent IE 7 beta; other versions of IE may be vulnerable as well.-http://news.com.com/2102-1002_3-6058557.html?tag=st.util.print
HP Issued Update to Fix Flaw in Color LaserJet Printers (6/5 April 2006)
Hewlett-Packard (HP) is warning of an input validation error vulnerability in two HP Color LaserJet printers. The security flaw is in the Toolbox software that ships with HP Color LaserJet 2500 and 4600 printers; attackers could exploit the flaw to read documents sent to the printer and gain remote administrative control over Windows PCs. HP has issued HP Color LaserJet 2500/4600 Software Update version 3.1 to address the flaw.-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39348880-39000005c
-http://www.vnunet.com/vnunet/news/2153487/hp-printer-users-warned-upgrade
MISCELLANEOUS
Database with Passwords Inadvertently Exposed on Internet (5 April 2006)
A database containing the names, email names and passwords of as many as 800 people who signed up to receive New South Wales (Australia) Police media releases was inadvertently posted to the Internet. This database has since been removed from the Internet. NSW police apparently have not yet contacted those whose data were exposed. While passwords are used for the subscription service mentioned above, the people could potentially be using the same passwords for other accounts.-http://www.smh.com.au/news/breaking/police-secret-password-blunder/2006/04/05/11
43916569155.html#
[Editor's Note (Honan): This story highlights the conundrum faced by many ordinary Internet users. Having too many passwords is difficult to manage, yet reusing the same password across many sites can expose you in the event of one of those sites being breached. People should consider either using a common password for use across low risk/value websites with difficult passwords for more critical sites and using a tool such as Password Safe to manage their different passwords. ]
Police Society Posted Reporter's Personal Info on Web (30 March 2006)
In response to a piece of investigative journalism that cast Broward and Miami-Dade (Florida) county police in an unfavorable light, a reporter's personal information, including his address, birth date and driver's license number was posted on the web site of the Broward County Police Benevolent Association. The posting was listed as a "be on the lookout" or BOLO, a term typically used when law enforcement officers are searching for missing people or criminals. The information was removed from the site after a lawyer from the reporter's station sent a letter explaining that disclosing the personal information contained in motor vehicle records violates both state and federal law.-http://www.miami.com/mld/miamiherald/news/local/states/florida/counties/broward_
county/14218941.htm
[Editor's Note (Schultz): This is simply egregious. Hopefully, the reporter in this unfortunate incident will win a large sum of money in a future lawsuit against the individual or organization that posted this information to the Broward County web site in question.
(Northcutt): The current version of the BOLO for Police "Benevolent" Association can be found at
-http://www.bcpba.org/]
Advisory: An Important Note For Any Web Site That Relies on Verisign's Security Marks
VeriSign reports that many public-facing Web sites continue to implement an older and less secure version of VeriSign's security mark. The old VeriSign site seals did not contain the full set of anti-spoofing measures available in the newest version of the VeriSign Secured Seal. VeriSign is phasing out its old-architecture seals and moving forward with support only for the newest version of the VeriSign Secured Seal.Old-version, less secure seals are in a round, "gold or silver medallion" shape and call their verification page from
-https://digitalid.verisign.com.
Newer, more secure seals contain the black VeriSign check mark in a red circle and the words VeriSign Secured and call their verification page from
-https://seal.verisign.com.
Authorized web site administrators can download the latest version of the VeriSign Secured Seal free of charge at www.verisign.com/seal.
[Editor's Note (Northcutt): The real problem with privacy trustmarks is there are too many of them, and they seem to be more of a marketing feature than something that actually improves privacy. If you are not familiar with the securewebbank project, you might want to give it a look:
-https://www.securewebbank.com/trustseal.html]
===end===
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
