
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VIII - Issue #32

April 21, 2006


Security Log and Event Management:
Regulatory requirements have made log management the fastest growing
area of security. More than 200 log management users will be gathering
in Washington, July 12-14, to share the mistakes they made and the
lessons they learned in making log management meet regulatory
requirements and significantly improve security. They'll also attend
optional half-day classes. Most of the seats are reserved for attendees
at SANSFIRE and participating speakers, but 70 are being held for other
SANS alumni and GIAC certification holders and other readers of
NewsBites. If you would like an invitation, email logs@sans.org. And
if you have a great story about how log management made a significant
difference in improving security, or a huge mistake, please send that
to me (paller@sans.org). It might result in an invitation to speak.

Alan

TOP OF THE NEWS

Ireland to Begin Introducing Biometric Passports
Yahoo Implicated in Another Chinese Dissident Arrest

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
US Military Buying Back Stolen Flash Drives at Bagram Bazaar
SPYWARE, SPAM & PHISHING
Man Fined US$84,000 in Spyware Removal Tool Case
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple Releases Java Update
Recent Microsoft Patches Causing Problems
Oracle Quarterly Security Update
Microsoft to End Support for "Outdated" Operating Systems
STATISTICS, STUDIES & SURVEYS
UK Security Professionals Feeling Good About Security
Identity and Access Management Budgets on the Rise
Lag Time in Applying Patches Opens the Door for Attacks
MISCELLANEOUS
FBI: Data on NH State Computer Not Compromised


****************** SPONSORED SANS SECURITY SAN DIEGO ******************

"SANS has the highest quality instructors and the most relevant, current
information of any training I have attended." (Melodee McHone, Hallmark)

SANS offers the industry's best courses and extraordinary faculty,
offering authoritative up-to-the-minute material that shows you how to
do the job and gives you the confidence to go back and do it
immediately.

SANS Security Essentials, Hacker Exploits, System Forensics, Intrusion
Detection, Auditing, plus training for CISSP exam and all Technical
certification required for DoD 8570.

Join 600 security professionals in San Diego in May for SANS best
instructors, a great security product expo, and evening networking and
new technology sessions. Bonus: Smaller classes than the national
conferences:
Register today: http://www.sans.org/security06/

*************************************************************************

TOP OF THE NEWS

Ireland to Begin Introducing Biometric Passports (20 April 2006)

The Irish government plans to start incorporating biometric information into new passports. The passports will contain embedded microchips that hold digitized versions of the facial image and details included in the passport. Airports around the world are starting to deploy biometric passport systems.
-http://www.siliconrepublic.com/news/news.nv?storyid=single6313

Yahoo Implicated in Another Chinese Dissident Arrest (20/19 April 2006)

According to Reporters Without Borders, Yahoo is linked to the jailing of yet another Chinese dissident. Yahoo allegedly provided Chinese authorities with information that helped them identify Jiang Lijun, who received a four-year prison sentence in November 2003 for writing pro-democracy articles that appeared online. Information provided by Yahoo has led to the identification and arrests of two other dissidents, Shi Tao and Li Zhi. Reporters Without Borders has called on Yahoo to remove its email servers from China. (Note: Washington Post requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2006/04/19/AR2006041902536_pf.html

-http://www.techweb.com/wire/186100319
-http://www.computerworld.com/printthis/2006/0,4814,110669,00.html
[Editor Note (Northcutt): For your reading convenience, here are links to previous similar arrests:
-http://www.hrichina.org/public/highlight/index.html
and
-http://www.theregister.co.uk/2006/02/10/yahoo_china_cyber-dissident_flak/]



************************* Sponsored Links: ******************************

1) Strata Guard Free - Freeware version of StillSecure's award
winning intrusion detection/prevention system (IDS/IPS)
Download now.
http://www.sans.org/info.php?id=1117

2) Free SANS WhatWorks in Intrusion Prevention Systems Webcast "Low-
Maintenance Security"
Tuesday, April 25 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1118

3) "From Logs to Logic: Turning Log Piles into Log Intelligence" a
Free SANS Tool Talk Webcast next week!
Wednesday, April 26 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1119

*************************************************************************

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

US Military Buying Back Stolen Flash Drives at Bagram Bazaar (15/13 April 2006)

Following reports that stolen military computer hardware was being sold at a bazaar near a US air base in Bagram, Afghanistan, the US military is apparently doing its best to buy all the stolen flash drives it can find. The drives contain potentially sensitive military information. An investigation into the theft of the devices and a computer security policy review are pending.
-http://www.nytimes.com/2006/04/15/world/asia/15afghanistan.html?_r=1&oref=slogin&pagewanted=print
-http://news.bbc.co.uk/1/hi/world/south_asia/4913174.stm
-http://www.latimes.com/news/nationworld/world/la-fg-disks13apr13,0,1166178.story?coll=la-home-headlines

SPYWARE, SPAM & PHISHING

Man Fined US$84,000 in Spyware Removal Tool Case (19 April 2006)

Zhijian Chen has been fined US$84,000 for using deceptive advertising techniques that urged computer users to purchase a bogus anti-spyware program. By using Windows' "Net send" command, Chen was able to generate pop-ups on users' computers that looked something like security warnings. If the users clicked on the supplied link they were eventually led to the Secure Computer web site, where they were offered a free scan, and then a chance to purchase Spyware Cleaner to remove the often non-existent spyware the scanner claimed to have detected. Chen is the first to learn his penalty from a suit brought by Microsoft and Washington state Attorney General Rob McKenna against Secure Computer, Chen and two other men.
-http://www.techweb.com/wire/186100344
-http://www.theage.com.au/news/breaking/us-spyware-suit-reaches-settlement/2006/04/20/1145344168599.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Apple Releases Java Update (20 April 2006)

Apple has released the Java 2 Standard Edition 5.0 Release 4 update, which addresses five flaws in the Java Virtual Machine. The most serious flaw could be exploited to gain access to vulnerable systems. The flaws addressed in the update affect Mac OS X version 10.4.5 and the corresponding server edition.
-http://news.com.com/2102-1002_3-6062766.html?tag=st.util.print
-http://www.vnunet.com/vnunet/news/2154369/apple-plugs-java-holes
-http://docs.info.apple.com/article.html?artnum=303658

Recent Microsoft Patches Causing Problems (20 April 2006)

Some of the patches released by Microsoft last week have been causing problems for users. Some people reported that their Outlook Express address book was gone after installing MS06-016. The same patch caused problems with sending template-based messages. When the patch was uninstalled, the problems disappeared. MS06-015 has reportedly been causing problems for users of HP hardware. Problems have also been reported by users of Sunbelt's Kerio Personal Firewall, Siebel and Google products. Microsoft has provided a "compatibility" patch that rolls back the ActiveX changes causing these problems and provides a 60-day window for those vendors to update their own products.
-http://www.techweb.com/wire/186500211
-http://www.techworld.com/security/news/index.cfm?NewsID=5812
-http://www.eweek.com/article2/0,1895,1950095,00.asp
-http://software.silicon.com/security/0,39024655,39158122,00.htm

Oracle Quarterly Security Update (19/18 April 2006)

Oracle has released fixes for a variety of vulnerabilities in several of its products. Included in the Critical Patch Update are patches for 14 flaws in Oracle database products. Oracle also released a tool to find default passwords that users have failed to change. Oracle, which releases security updates on a quarterly schedule, has faced criticism for being slow to address vulnerabilities in its products. Oracle CSO Mary Ann Davidson has responded that people who use irresponsible disclosure practices cause security problems themselves.
-http://news.com.com/2102-1002_3-6062438.html?tag=st.util.print
-http://www.computerworld.com/printthis/2006/0,4814,110642,00.html
Davidson on irresponsible disclosure practices:
-http://news.com.com/2102-1071_3-5807074.html?tag=st.util.print
-http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html

Microsoft to End Support for "Outdated" Operating Systems (18 April 2006)

Microsoft plans to retire support for Windows 98, Windows 98 SE and Windows ME on July 11, 2006; after that date, there will be no more security updates for these versions of the company's operating systems. Microsoft calls these systems "outdated" and recommends that users upgrade to a more secure operating system, such as Windows XP.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1182527,00.html

[Editor's Note (Schultz): Microsoft's decision is a good thing for security, but it would be even better if Microsoft eliminated the many backwards compatibility mechanisms that are built into more recent and intrinsically more secure products such as Windows XP and Windows Server 2003. Backwards compatibility mechanisms introduce many security-related vulnerabilities in these products.
(Grefer): Upgrading systems still running on Windows 98, 98 SE and ME to XP is not really an option, since the operating system has a much larger footprint, especially with regard to its _real_ memory and CPU requirements, which typically results in upgrade costs approaching the purchase price of a current computer system. ]

STATISTICS, STUDIES & SURVEYS

UK Security Professionals Feeling Good About Security (20 April 2006)

According to the responses to a Cisco-sponsored survey of 100 chief security officers and IT directors in the UK, 72 percent believe their companies are more secure than they were one year ago. Eighty-nine percent have some form of proactive security management in place. At least 80 percent of those polled said their organizations have some sort of disaster contingency plan in place. In addition, however, 23 percent of respondents said "security is still not recognized as a boardroom level issue."
-http://www.theregister.co.uk/2006/04/20/cisco_security_survey/print.html
[Editor's Note (Schultz): Ignorance is bliss. Do these CSOs have metrics to back up their subjective feelings? ]

Identity and Access Management Budgets on the Rise (19 April 2006)

A Forrester Consulting survey of companies in the US and eight European countries found 38 percent had budgets of at least 250,000 euros (US$308,000) for identity and access management; twelve percent had identity management budgets higher than 1 million euros (US$1.23 million). Forty-one percent of those surveyed said they expected identity management budgets to increase over the next three years. Increasing cyber attacks and regulatory demands appear to be driving the budget increases.
-http://www.silicon.com/research/specialreports/idmanagement/0,3800011364,39158187,00.htm

[Editor's Note (Honan): A recent survey carried out for the Infosecurity Europe exhibition claims 81% of those surveyed would give away enough personal details to enable their identity to be stolen in return for some chocolate -
-http://www.infosec.co.uk/page.cfm/T=m/Action=Press/PressID=255.
If this is the case, then companies will have to invest more time and money in educating and protecting their customers from themselves. ]

Lag Time in Applying Patches Opens the Door for Attacks (18 April 2006)

According to a McAfee study, 19 percent of companies take more than a week to apply software patches. Twenty-seven percent said they take two days to deploy fixes for vulnerabilities. The delay could be attributed to the volume of patches released. Other research has demonstrated "that 85 percent of the damage done by automated attacks occurs during the first 15 days after vulnerabilities become known."
-http://news.bbc.co.uk/2/hi/technology/4907588.stm
[Editor's Note (Pescatore): Of course, as the story above on problems with recent Internet Explorer patches points out, if you apply patches *too soon* you can also cause yourself a lot of problems. After all, the majority of vulnerabilities for which patches are issued are *never* attacked - for most enterprises, patching without testing is just as likely to cause damage as hacker attacks due to waiting to patch until *after* testing. So, 81% of enterprises doing expedited testing and patching within a week is a very good thing - back in 2003, less than 25% of enterprises were patching within a week. (Paller) One of the most important reasons that patches cause problems and that patch testing is time consuming is that application developers take liberties with the operating system. The first step toward rapid testing is agreeing on common operating system configurations and asking application developers to have the discipline to not make changes unless they are willing to take on the patch testing responsibility, too. That strategy is already starting to work: SCADA and process control system vendors are already doing the patch testing for their customers (nearly always within 24 hours). In addition, parts of the US Department of Defense are already drafting procurement policies that require programmers to make sure their software works on the standard OS configurations that are being deployed. These required behaviors are being written into contracts as procurement specifications. ]

MISCELLANEOUS

FBI: Data on NH State Computer Not Compromised (17 April 2006)

An FBI investigation has determined that the Cain & Abel password recovery program found on a New Hampshire state computer had never been run, so it is unlikely that the card data on the server were accessed. The investigation into the tool's discovery on the state computer is ongoing. Douglas A. Oliver, an employee who was placed on paid leave during the investigation, will be allowed to return to work. Oliver says he installed a number of tools on the computer for testing purposes and that Office of Information Technology managers knew about his actions.
-http://www.computerworld.com/printthis/2006/0,4814,110612,00.html
[Editor's Note (Honan): A lesson here for all security professionals conducting a security test either on client systems or those of their employers. Make sure you have a clear and detailed test plan that has been agreed and authorized by those with responsibility for the systems. ]


===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/