SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #34

April 28, 2006

SANS will announce eight updates to the Top 20 Internet Security Vulnerabilities on Monday, May 1. Several leading national newspapers papers and media outlets will be doing early stories about the announcement because it includes some surprising (and unpleasant) information patterns. Members of the press who want to participate in the online press conference Monday morning should email paller@sans.org. All readers of @RISK (the weekly update of the Top20) will get a copy of the announcement Monday morning. If you don't get @RISK, just go to your portal account and add it. It is free.

Alan

---

TOP OF THE NEWS

NISCC Warns of DNS Implementation Flaws
Cisco Issues Fixes for Multiple Flaws
Symantec Warns of Flaws in Scan Engine

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Student Arrested for Allegedly Changing School Records
SPYWARE, SPAM & PHISHING
Phishers Turn to VoIP-based Attack
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Microsoft Pushes Out Anti-Piracy Tool
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
MasterCard Tight-Lipped About Details of Credit Card Data Breach
LexisNexis Says Honesty About Security Breach Was a Good Decision
STATISTICS, STUDIES & SURVEYS
Companies Failing to Address Flash Drive Security Concerns
Cyber Consequences Unit Releases Draft Cybersecurity Checklist
MISCELLANEOUS
States Use Redaction Software to Remove Sensitive Data from Web Sites

---

************** SPONSORED SANSFIRE 2006 IN WASHINGTON DC ****************
July 5-13 - Bring your family for the fireworks and stay for SANS largest conference in Washington.

The industry's best security courses - extraordinary faculty; authoritative up-to-the-minute material - shows you how to do the job and gives you the confidence to go back and do it immediately.

"Jacked my paranoia level up around my ears, and then gave me the tools to manage the threat." (Don Geiger, DCPS Division of Technology)

Offers every one of SANS' 17 immersion training courses plus 12 short courses and a big exposition: SANS Security Essentials, Hacker Exploits, System Forensics, Intrusion Detection, Auditing, plus training for CISSP exam and all Technical certification required for DoD 8570 and more. Plus special evening sessions by the global security leaders who staff the Internet Storm Center.

http://www.sans.org/sansfire06/
*************************************************************************

---

TOP OF THE NEWS

NISCC Warns of DNS Implementation Flaws (26/25 April 2006)

The UK's National Infrastructure Security Co-ordination Centre (NISCC) has issued an advisory warning that flaws in implementations of the Domain Name System (DNS) protocol could allow attackers to crash DNS servers or run arbitrary code. Researchers at Finland's University of Oulu have uncovered several vulnerabilities in the software that is used to administer the Internet's Domain Name System (DNS). They have developed a test suite for the flaws.
-http://www.computerworld.com/printthis/2006/0,4814,110897,00.html
-http://www.niscc.gov.uk/niscc/docs/br-20060425-00311.html
-http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf
[Editor's Note (Northcutt): I hate to pass up any chance to mention that friends don't let friends use BIND8! This is not a really lethal bug, the more interesting story is the latest PROTOS toolkit they used to find the problem. My understanding is that they have not released the tool into the wild yet, but they are finding and reporting vulnerabilities, that is good! The round with the SNMP PROTOS tool was a bit painful for the industry. ]

Cisco Issues Fixes for Multiple Flaws (25/24 April 2006)

Cisco Systems has issued patches for several vulnerabilities in a number of its products, including CiscoWorks Wireless LAN Solution Engine (WLSE), Hosting Solution Engine, User Registration Tool, Ethernet Subscriber Solution Engine and CiscoWorks 2000 Service Management Solution. Cisco did not issue patches for the last two products as they have been discontinued and are no longer supported. "A privilege escalation vulnerability ... could allow attackers who already have authenticated access to the command line interface to obtain access to the underlying operating system of certain products." In addition, Cisco issued an advisory for a cross-site scripting flaw in WLSE running software earlier than version 2.13. Another advisory addresses a Multi Protocol Label Switching (MPLS)-related flaw on the Cisco IOS XR modular operating platform that could be exploited to cause a denial-of-service condition.
-http://www.itnews.com.au/newsstory.aspx?CIaNID=31916&src=site-marq
-http://www.computerworld.com/printthis/2006/0,4814,110879,00.html

Symantec Warns of Flaws in Scan Engine (24/21 April 2006)

Symantec is encouraging its Scan Engine customers to upgrade from version 5.0 to version 5.1 following the disclosure of three vulnerabilities. The first vulnerability is due to the fact that Symantec Scan Engine does not properly authenticate web-based user logins; this flaw could be exploited to control the Scan Engine server. The second flaw involves a static private DSA key for SSL communications and could be exploited by a man-in-the-middle attack. The third flaw allows unauthenticated remote users to download files located under the Scan Engine installation directory.
-http://securityresponse.symantec.com/avcenter/security/Content/2006.04.21.html
-http://www.networkworld.com/news/2006/042406-symantec-scanner.html?fsrc=netflash
-rss
[Editor's Note (Boeckman): A company that sells software intended to improve the security of a system should be the last to have such serious vulnerabilities. If their product does nothing else, it should at least not make things worse. ]

---

*********************** Sponsored Links: ********************************

1) Stop spyware! Try Webroot Spy Sweeper Enterprise for free and assess your spyware risk exposure.
http://www.sans.org/info.php?id=1126

2) Strata Guard Free - Freeware version of StillSecure's award winning intrusion detection/prevention system (IDS/IPS) Download now.
http://www.sans.org/info.php?id=1127

3) "Web Application Security" - Free SANS First Wednesday Webcast next week - Wednesday, May 03 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1128

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Student Arrested for Allegedly Changing School Records (21 April 2006)

An 18-year-old Florida student has been charged with felony fraud for allegedly gaining unauthorized access to the school district's computer system and changing students' grades, removing records of suspensions and absences and giving himself credit for courses he never took. Jeff Yorston allegedly used user IDs and passwords of four school district employees. Yorston was booked into Palm Beach County Jail on a charge of offense against intellectual property and released on US$5,000 bond later the same day.
-http://www.palmbeachpost.com/pbcsouth/content/local_news/epaper/2006/04/21/m1a_H
ACKER_0421.html

SPYWARE, SPAM & PHISHING

Phishers Turn to VoIP-based Attack (26/25 April 2006)

In a new twist in phishing, attackers have apparently managed to replicate the automated voice system of an unnamed US bank in an effort to harvest customers' account information. The attackers sent spam to their targets asking the recipients to call a certain telephone number to speak with a bank representative to verify their account information. The attackers used voice over Internet protocol (VoIP) telephony to perpetrate their scheme. They used PBX software to create the illusion for the bank customers that they are speaking to the actual bank.
-http://www.computerworld.com/printthis/2006/0,4814,110894,00.html
-http://www.techweb.com/wire/186701001

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Microsoft Pushes Out Anti-Piracy Tool (25 April 2006)

Microsoft has begun pushing out its Windows Genuine Advantage Notifications tool to a random subset of Windows users. The tool will check to see if users are running legitimately licensed versions of Windows; those who are not will be alerted to the fact during startup, login and during use of the operating system. Users will have the option of declining or uninstalling the download. Microsoft is also piloting a similar tool to test for authenticity of Microsoft Office software.
-http://www.zdnetasia.com/news/software/printfriendly.htm?AT=39353843-39000001c
[Editor's Note (Pescatore):Just think how much more useful this could be if it also detected and removed rootkits. ]

ATTACKS & INTRUSIONS & DATA THEFT & LOSS

MasterCard Tight-Lipped About Details of Credit Card Data Breach (27/26 April 2006)

MasterCard has acknowledged that it and its card-issuing banks are reissuing cards to at least 2,000 customers following a security breach that exposed card details to data thieves. No details about the method of attack or the scope of the breach have been released.
-http://www.silicon.com/financialservices/0,3800010322,39158448,00.htm
-http://news.com.com/2102-7349_3-6065267.html?tag=st.util.print

LexisNexis Says Honesty About Security Breach Was a Good Decision (25 April 2006)

Speaking at the Infosec Europe 2006 conference in London, LexisNexis senior director for information security Leo Cronin said his company's decision to be up front about a data security breach that took place in early 2005 was definitely the best approach to the situation. A social engineering email attack exposed personal data belonging to as many as 300,000 people at Seisint, a data broker acquired by LexisNexis in fall 2004. The company decided to inform all those affected, using California's data security breach notification law as a guideline. LexisNexis also took a number of steps to better protect the data it holds. Cronin believes the company's forthright approach minimized the damage to its reputation.
-http://www.computerworld.com/printthis/2006/0,4814,110866,00.html
[Editor's Note (Pescatore): This should not be a surprise, Egghead learned this in 2000 when they took the high road and warned customers of a breach. (Schultz): It is good that a well-respected security professional has gone on record as supporting a pro-customer approach when it comes to notification of a confidentiality breach. ]

STATISTICS, STUDIES & SURVEYS

Companies Failing to Address Flash Drive Security Concerns (27 April 2006)

Statistics from the UK Department of Trade and Industry-backed Information Security Breaches Survey indicate that more than half of the companies surveyed do not have any measures in place to secure company data on smart phones, iPods and USB memory sticks. One-third of the companies tell their employees not to use flash drives, but most do nothing to prevent workers from using them. Just 10 percent of the companies encrypt data on flash drives.
-http://news.bbc.co.uk/2/hi/technology/4946512.stm
[Editor's Note (Schultz): I am not at all surprised about these statistics. I fear that smart phones, PDAs, and the like are a time bomb waiting to go off. Most organizations have little conception of the security risks that these devices pose.
(Northcutt): these concerns are vastly overrated! What could possibly go wrong in a world where everything is connected by wireless technology and also has persistent solid state memory. The US Military is still in business after those USB drives in Afghanistan, what more proof could we possibly need. (That was a joke.) On a serious note, organizations concerned about their intellectual property being stored on hyper portable devices should consider some form of encryption such as commercial PGPdisk, or freeware/opensource LE and TrueCrypt:
-http://www.pgpi.org/products/pgpdisk/
-http://www.net-security.org/software.php?id=586
-http://www.truecrypt.org/
You can even buy drives with the security technology built in:
-http://www.lexar.com/jumpdrive/jd_secure.html
So let's all go review our organization's security policy on this topic and then spot check what people are doing, starting with ourselves!]

Cyber Consequences Unit Releases Draft Cybersecurity Checklist (26 April 2006)

The US Cyber Consequences Unit (CCU), a private company, has developed a draft Cybersecurity Checklist to help federal agencies and industry to determine the possible consequences of risks posed by the current state of their IT systems; the list also offers suggestions for mitigating those risks. The list asks 478 questions about hardware software, networks, automation, humans and suppliers. The checklist has not yet received DHS approval. CCU is funded by DHS and aims to provide the government with accurate assessments of the consequences of cyber attacks. "The new lists shifts the focus from perimeter security to internal systems monitoring and maintenance."
-http://www.fcw.com/article94201-04-26-06-Web
-http://www.gcn.com/online/vol1_no1/40564-1.html?topic=security
[Editors' Note (Multiple): Although the name and promotional material of this organization seems to imply governmental affiliation, it is actually private contractors drafting what they think the questions ought to be. Most such private lists are never widely adopted. The one exception is the Center for Internet Security's benchmarks that now cover more than 20 types of systems. If the cybersecurity checklist is ever to become adopted , it needs to go through as similar process to what CIS uses to ensure the community agrees on the benchmarks. ]

MISCELLANEOUS

States Use Redaction Software to Remove Sensitive Data from Web Sites (24 April 2006)

At least six states in the US are using redaction software to remove sensitive personal information from official web sites. Many states require that property records, which often contain Social Security numbers and financial account data, be posted on line. Florida and Wisconsin have passed legislation requiring that sensitive data be redacted from web sites. "A federal judge ... approved a settlement forcing the removal of SSNs from financial documents posted on the Ohio Secretary of state's web site" as resolution of a class-action lawsuit; Ohio legislators have introduced two bills that seek to remove the data from the Internet.
-http://www.cio-today.com/story.xhtml?story_id=1210046642XU
[Editor's Note (Grefer): Please be aware that for the state of Florida no additional funds were allocated to take care of these additional responsibilities and as such progress is rather slow. To expedite the redaction of your records, you will have to file a "Request for Removal of Information" form identifying each document by book and page number.
-http://www.pinellasclerk.org/aspInclude2/ASPInclude.asp?pageName=redaction.htm]

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/