SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #36

May 05, 2006

SANS Log Management Summit (Washington DC, July 12-14) is now available for registration. It is the only user-to-user conference where you'll learn what actually works in compliance, security and other (surprising) applications of log management. No vendor hype: just real world case studies of successes and failures. If you are coming to SANSFIRE in Washington stay for the Log Management Summit and save nearly one third off the cost.

Registration for Log Management: http://www.sans.org/logmgtsummit06
Registration for SANSFIRE: http://www.sans.org/sansfire06

And on Tuesday (May 9 at 1 PM EDT) we'll have a related "Ask the Experts" web cast on how to use these tools to monitor privileged users. It's a tough and important task that Dave Shackleford and Kristin Gallina Lovejoy will illuminate and make a little easier. To register for the free webcast called: "Who is Guarding the Cyber Guards" go to https://www.sans.org/webcasts/show.php?webcastid=90724

Alan

---

TOP OF THE NEWS

Millions of Blogs Inaccessible Due to DDoS Attack
Soon-to-be-Proposed Digital Copyright Legislation Would Tighten Restrictions

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Defense Security Service Temporarily Stops Issuing Clearances
Air Force Victorious in Sixth Annual Cyber Defense Exercise
SPYWARE, SPAM & PHISHING
FTC Cases Against Alleged Spyware Operations Proceeding
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
MySQL Database Update Addresses Handful of Flaws
Critical Flaw Found in X Window System
Mozilla Issues Update for Firefox
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Ohio University Acknowledges Computer Breaches
UK Retailer Source of Credit Card Data Theft
Man Charged with Illegally Accessing County Computer System
MISCELLANEOUS
Laptops are the Latest Card Theft Tools
Schools' Eyes Opened to Computer Security Threats
Professional Security Certification Comparison And Assessment

---

******************* Sponsored By CONSUL Risk Management *****************

UPCOMING SANS WEBCASTS NEXT WEEK
"Who's Guarding the Guards? Employing a Privileged User Monitoring Strategy" May 9th 1pm-2pm ET. (1700 UTC/GMT)
http://www.sans.org/info.php?id=1136

and Internet Storm Center: "Threat Update" Wednesday, May 10 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1135

*************************************************************************
TRAINING UPDATE SANSFIRE 2006 IN WASHINGTON DC
July 5-13 - Bring your family for the fireworks and stay for SANS largest conference in Washington.

The industry's best security courses - extraordinary faculty; authoritative up-to-the-minute material - shows you how to do the job and gives you the confidence to go back and do it immediately.

"Jacked my paranoia level up around my ears, and then gave me the tools to manage the threat." (Don Geiger, DCPS Division of Technology)

Offers every one of SANS' 17 immersion training courses plus 12 short courses and a big exposition: SANS Security Essentials, Hacker Exploits, System Forensics, Intrusion Detection, Auditing, plus training for CISSP exam and all Technical certification required for DoD 8570 and more. Plus special evening sessions by the global security leaders who staff the Internet Storm Center.

http://www.sans.org/sansfire06/
*************************************************************************

---

TOP OF THE NEWS

Millions of Blogs Inaccessible Due to DDoS Attack (4 May 2006)

A "massive" distributed denial-of-service (DDoS) attack on Six Apart's blogging services and corporate web site left about 10 million LiveJournal and TypePad blogs unreachable for hours on Tuesday, May 2. Six Apart plans to report the attack to authorities.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39255176-20000
61744t-10000005c

Soon-to-be-Proposed Digital Copyright Legislation Would Tighten Restrictions (24 April 2006)

Despite efforts of computer programmers, tech companies and academics to get Congress to loosen restrictions imposed by the Digital Millennium Copyright Act (DMCA), an even more stringent copyright law is expected to be introduced soon. The Intellectual Property Protection Act of 2006 would make simply trying to commit copyright infringement a federal crime punishable by up to 10 years in prison. The bill also proposes changes to the DMCA that would prohibit people from "making, importing, exporting, obtaining control of or possessing" software or hardware that can be used to circumvent copyright protection.
-http://news.com.com/2102-1028_3-6064016.html?tag=st.util.print

---

************************ Sponsored Links: *****************************

1) ALERT: YOU vs Sober/Zotob/Bagle Variants? Is Your Internal Network Safe? Download FREE White Paper "Zotob: Zero-Hour Detection and Response" http://www.sans.org/info.php?id=1137

2) SANS OnSite InfoSec Training Your Location! Your Schedule! Lower Cost! http://www.sans.org/info.php?id=1138

3) SANS@Home - Security 601: Reverse-Engineering Malware - Hands-On with Lenny Zeltser starts June 6. Save $150 by registering before May 17! Live training delivered to your home PC. http://www.sans.org/athome/details.php?id=1418
***********************************************************************

---

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

Defense Security Service Temporarily Stops Issuing Clearances (2 May/29 April 2006)

Citing a high volume of applications and a lack of funding, the Defense Security Service has announced that it will temporarily stop issuing contractor security clearances. An increased demand for personnel with security clearances has led to a large backlog of unprocessed applications for clearance. Contractors may be asked to assume some of the costs of processing the security clearance applications. Information technology industry groups have lobbied Congress to address the issue soon; the Information Technology Association of America has asked that Congress pass legislation requiring the Defense Security Service to resume processing clearance applications and to provide funding through a supplemental budget bill.
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&
story.id=40638
-http://www.washingtonpost.com/wp-dyn/content/article/2006/04/28/AR2006042801878_
pf.html
[Editor's Note (Weatherford) This will exacerbate an already critical problem. For several years, defense contractors have had to bear the burden of delays by DSS in the processing of security clearances and this has had a significant impact on many programs since without a clearance, people can't work. A lot of small businesses simply can't afford to hire people and carry them as overhead until DSS gets around to processing a clearance. ]

Air Force Victorious in Sixth Annual Cyber Defense Exercise (1 May 2006)

Five military academy teams took part in the sixth annual Cyber Defense Exercise (CDX), a four-day competition that involves defending specially constructed computer networks against attacks staged by a team of National Security Agency (NSA) and Defense personnel. The teams, from the Air Force, Coast Guard, Merchant Marine, Naval academies and the US Military Academy at West Point, were scored on the security of their networks as well as on keeping their networks operational. The Air Force Academy took first place in the competition, which ran from April 10-13.
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn&story.
id=40574
[Editor's Note (Paller): Kudos to all the participants, and especially NSA for making it happen. I watched some of the process and interviewed participants. The learning and discovery that goes on was wonderful. The only sad element was that the Naval Post Graduate School didn't engage this year (I think they lost last time), so on the graduate level, the Air Force Institute of Technology had the field to itself. It was a dominating performance by the Air Force- undergraduate and graduate. (Guest Editor Tim Rosenberg): Congratulations to the Air Force Academy. Exercises such as the CDX are an essential part of security training and education. The gaming environment provides a safe place for people to truly test their security knowledge and expertise without risking production systems, live customer data or their jobs. The success of the CDX over the years has led to several competitions involving public sector universities; most notably the National Collegiate Cyber Defense Competition recently held at University of Texas, San Antonio. ]

SPYWARE, SPAM & PHISHING

FTC Cases Against Alleged Spyware Operations Proceeding (4 May 2006)

The US Federal Trade Commission sued two alleged spyware operations, alleging unfair and deceptive practices in violation of federal law. Both were accused of taking control of users' computers without permission and subjecting the users to a barrage of pop-up advertisements. Smartbot.Net and its affiliate OptinTrade were ordered to forfeit more than US$4 million in profit. Odysseus Marketing "has been barred from collecting consumers' personal data pending trial."
-http://www.computerworld.com/printthis/2006/0,4814,111144,00.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

MySQL Database Update Addresses Handful of Flaws (4 May 2006)

A patch released this week for the MySQL database addresses several flaws that could be exploited locally and remotely. The flaws have been assigned a severity rating of "moderate." The update, MySQL 5.0.21, addresses vulnerabilities that exist in versions 4.0.26, 4.1.18, 5.0.20, 5.1.9 and earlier.
-http://www.computerworld.com/printthis/2006/0,4814,111151,00.html
-http://dev.mysql.com/doc/refman/5.0/en/news-5-0-21.html

Critical Flaw Found in X Window System (4/3/2 May 2006)

A critical buffer overflow flaw in the X Window System code could be exploited to give local users the ability to overwrite system files and launch denial-of-service attacks. The flaw is attributed to a missing parenthesis and was found as part of a Department of Homeland Security (DHS) funded project. The vulnerability affects X11R6.9.0 and X11R7.0.0.
-http://www.computerworld.com/printthis/2006/0,4814,111149,00.html
-http://www.eweek.com/print_article2/0,1217,a=177195,00.asp
-http://www.theregister.co.uk/2006/05/03/x11/print.html

Mozilla Issues Update for Firefox (2 May 2006)

Mozilla has released a Firefox update that addresses a recently reported flaw in the way it handles certain "contentWindow.focus()" JavaScript code. The flaw could be exploited to crash vulnerable browsers and potentially fool the browser into running malicious code. Users can disable JavaScript handling in Firefox as a protective measure. The flaw does not affect Firefox 1.0 or Mozilla Suite 1.7.
-http://www.computerworld.com/printthis/2006/0,4814,111091,00.html

ATTACKS & INTRUSIONS & DATA THEFT & LOSS

Ohio University Acknowledges Computer Breaches (3/2 May 2006)

Ohio University has acknowledged two apparently unrelated computer security breaches. An intrusion at a database server that holds information belonging to more than 300,000 people affiliated with the Athens Ohio-based school exposed approximately 137,800 Social Security numbers (SSNs). IT officials became aware of the breach when they discovered the server was being used to conduct a denial-of-service attack. Logs indicate the server was breached as far back as 2005 from IP addresses in the US and abroad. This particular server was scheduled to be decommissioned over a year ago; because IT personnel believed it was no longer on line, it had not been patched. A second breach involved a server at the school's Technology Transfer Department. The FBI is investigating both incidents.
-http://www.computerworld.com/printthis/2006/0,4814,111113,00.html
-http://www.cantonrep.com/index.php?ID=283728
[Editor's Note (Schultz): It is lamentable that an incident that occurred last year was not discovered until recently, yet this is by no means a rare development. Many organizations' incident detection capabilities, if they exist at all, are terribly deficient. ]

UK Retailer Source of Credit Card Data Theft (28 April 2006)

An unnamed UK retailer has been identified as the source of a security breach that has resulted in the reissue of at least 4,000 MasterCard and Visa credit cards. At least three card issuers, the Clydesdale bank, Morgan Stanley and Goldfish, which is part of Morgan Stanley, have begun informing their affected customers of the breach and issuing then new cards. MasterCard would not name the retailer to whom the breach was traced. but insisted that MasterCard systems were not breached. Visa also notified card-issuing entities as soon as it became aware of the breach. In a separate story, UK companies are under no legal obligation to inform their customers when their personal information is compromised in a security breach.
-http://software.silicon.com/security/0,39024888,39158482,00.htm
-http://www.silicon.com/financialservices/0,3800010364,39158445,00.htm

Man Charged with Illegally Accessing County Computer System (27 April 2006)

A Pennsylvania man has been charged with various computer crimes, including unlawful use of a computer, for illegally accessing the Lancaster County Computer Assisted Dispatch site. Duane Kline, who is a lieutenant with the West Hempfield Fire and Rescue Company, allegedly used the East Hempfield Township Police Department login and password to access police intelligence and investigative information while at his job at Northeast Agri Systems.
-http://www.lititzrecord.com/pages/news/local/4/22302

MISCELLANEOUS

Laptops are the Latest Card Theft Tools (3 May 2006)

As modern cars are increasingly protected by software, car thieves are exploring a new vector of attack - laptop computers. Some cars no longer require a key to start. Software programs can be used to gain access to cars' computers, open doors and start engines. The information is supposed to remain in the hands of locksmiths and car manufacturers, but persistent thieves will find a way to obtain what they seek.
-http://www.leftlanenews.com/2006/05/03/gone-in-20-minutes-using-laptops-to-steal
-cars/
[ Editor's note ( Northcutt): The most interesting line in the article is "While automakers and locksmiths are supposed to be the only groups that know where and how security information is stored in a car, the information eventually falls into the wrong hands." Security through Obscurity anyone? A similar article with more specifics can be found at:
-http://www.latimes.com/classified/automotive/highway1/yourwheels/la-hy-wheels8fe
b08,0,2648213.story?coll=la-class-highway1-yourwheels]

Schools' Eyes Opened to Computer Security Threats (29 April 2006)

Boston area public school systems have started taking steps to secure their computer systems following a number of incidents that illustrated the dangers inherent in lax policies. Boston Public Schools stepped up security measures after a student at Boston Latin School accessed a teacher's computer and viewed student records and tests. Two Brookline High students were suspended for accessing the school's computer system and altering grades; teachers at the school are now required to make their passwords more difficult to guess. A Lexington High student was investigated last year for allegedly altering his attendance records.
-http://www.boston.com/news/local/massachusetts/articles/2006/04/29/schools_scram
ble_to_safeguard_computer_systems?mode=PF
[Editor's Note (Grefer): The schools would be well advised to use any one of the various password cracking utilities to verify passwords' strength. (Schultz): Making passwords more difficult to guess will do some, but not all that much good. The problem is with passwords, credentials that date back almost to the advent of computers, as the basis for authentication. The technology of breaking passwords and of stealing them is now far ahead of the value that they deliver. Administrators for these school systems would thus be well-advised to look into cost effective alternatives to password-based authentication. ]

Professional Security Certification Comparison And Assessment (4 May 2006)

The GIAC Advisory board has been helping Stephen Northcutt work on a document comparing the various certifications. This is not meant to be a marketing tool, but rather something to help cluster apples with apples and oranges with oranges. We seek reviewers willing to provide substantive, considered advice, to make it the best tool possible. If you hold one or more certifications and are willing to review and provide feedback please contact Stephen@sans.edu for a copy of the spreadsheet.

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/