SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #4

January 13, 2006

TOP OF THE NEWS

Clause in New Law Criminalizes Anonymous "Annoying" eMail and Web Postings
MasterCard Offers Merchants Free Network Scans and Incentives

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Singapore Student Jailed for Selling Pirated Software
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Audit of Military User Accounts Finds Problems
SPYWARE, SPAM & PHISHING
Amended Qwest Subscriber Agreement Describes Fines for Sending Spam
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Symantec Fixes Flaw that Could Allow Malware to Hide
Apple Fixes QuickTime Flaws
Microsoft Bulletins Address Two Critical Flaws
ATTACKS & INTRUSIONS & DATA THEFT
Connecticut Bank Says Lost Tape Contains Customer Data
Resort Acknowledges Security Breach Compromised Customer Data
STATISTICS, STUDIES & SURVEYS
2005 FBI Computer Crime Survey

---

*********************** Sponsored by BigFix, Inc. ***********************
NEW WEBCAST AND COMPLIMENTARY GARTNER RESEARCH NOTE: "MINIMIZING RISK" Join BigFix, and guest speaker, Mark Nicolett, of Gartner, for "Minimizing Risk with Vulnerability and Security Configuration Management" and learn how the right vulnerability management solution helps BigFix customers worldwide reduce costs, maintain compliance and increase security without adding expensive infrastructure.
http://www.sans.org/info.php?id=986
*************************************************************************

---

TOP OF THE NEWS

Clause in New Law Criminalizes Anonymous "Annoying" eMail and Web Postings (10/9 January 2006)

The recently enacted Violence Against Women and Department of Justice Reauthorization Act contains a clause that makes it a crime to post "annoying messages or send annoying email" without disclosing one's true identity. The clause, which amends existing phone harassment laws, prohibits people from using the Internet "without disclosing their identities and with the intent to annoy." People convicted under the law could face fines and prison sentences of up to two years.
-http://news.com.com/2102-1028_3-6022491.html?tag=st.util.print
-http://www.vnunet.com/vnunet/news/2148324/flame-wars-criminalised
-http://www.whitehouse.gov/news/releases/2006/01/20060105-3.html

MasterCard Offers Merchants Free Network Scans and Incentives for Using Authentication Service (11 January 2006)

MasterCard says it will reduce transactions charges for merchants using its SecureCode customer authentication service, which allows merchants to authenticate customers by having them enter a passcode that is known only by the customers and the issuing banks. MasterCard will also provide free network vulnerability scans for one IP address per merchant until June 2006. Network vulnerability scans are required under the Payment Card Industry Data Security Standard that took effect in July 2005.
-http://www.computerworld.com/printthis/2006/0,4814,107659,00.html
-http://www.mastercard.com/us/merchant/security/what_can_do/SDP/merchant/free_sca
n.html
[Editor's Note (Schultz): Offering reduced transaction charges for using MasterCard's SecureCode authentication is a brilliant idea, as is offering free network scans. By taking these initiatives MasterCard is substantially reducing resistance to security measures; information security practitioners should note and imitate this approach whenever possible.
(Pescatore): The Payment Card Industry Data Security Standard program needs more attention and investment from the Payment Card Industry than just giving out free single IP address vulnerability scans. Merchants and processors are frustrated by the lack of guidance and feedback from Visa and Mastercard on the issues around acceptable compensating controls when issues are found. While the PCI DSS approach is a good idea, the Payment Card industry's execution has been lacking. ]

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Singapore Student Jailed for Selling Pirated Software (11 January 2006)

Ang Chiong Teck, a student at Singapore's Nanyang Technological University, has been sentenced to four months in prison for selling pirated copies of Microsoft software. The phony copies of software included forged certificates of authenticity. Ang's scheme was discovered when those who had purchased the software found they lacked the codes required to register the software online and download updates. When Ang was arrested, authorities confiscated S$20,000 (US$12,270) worth of pirated software in his possession. Ang was arrested in September, but his sentencing was delayed until December to allow him to finish his university examinations.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39246559-39020651t-10000022csa

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

Audit of Military User Accounts Finds Problems (10 January 2006)

An audit of US military computer user accounts found that as many as 20 percent of all accounts are unauthorized or inactive, with 3,000 in the Defense Information Systems Agency (DISA) alone. Inactive accounts are those abandoned when those to whom they were issued moved on to other positions; unauthorized accounts are those that were created with "unnecessary or unauthorized permissions." The existence of these accounts together with the fact that military systems experience slow patch distribution presents opportunities for malicious attackers to infiltrate military computer systems.
-http://www.eweek.com/print_article2/0,1217,a=168898,00.asp
[Editor's Note (Kreitner): Closing no longer needed user accounts is especially important in organizations like the military where there is so much personnel turnover, but this is a ubiquitous management failure--and a good candidate for a metric tracking the effectiveness over time of improved access management discipline.
(Grefer): Exit procedures, independent of the reason (lay-off, promotion, cross-organizational move), should include a phased approach to dealing with the former accounts and privileges. Following an initial lockdown of said account, migrate the remaining data and privileges to a successor, substitute or surrogate and to subsequently disable or delete the account.]

SPYWARE, SPAM & PHISHING

Amended Qwest Subscriber Agreement Describes Fines for Sending Spam (9 January 2006)

Qwest has added a clause to its subscriber agreement, indicating that customers will be charged US$5 for each spam message sent from their computers if the spam sent results in damages awarded against Qwest. The fine would stand regardless of whether or not the customers are aware of the spam being sent, according to the new clause. However, a Qwest spokesperson said that the company would be unlikely to impose fines if a customer or end-user were the victim of malware that caused the computer to send out spam.
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=5116
-http://www.qwest.com/legal/highspeedinternetsubscriberagreement/

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Symantec Fixes Flaw that Could Allow Malware to Hide (12 January 2005)

Symantec has updated its Norton SystemWorks to address a flaw that could be used by attackers to hide malicious code on vulnerable computers. The flaw lies in the Norton Protected Recycle Bin feature that creates a hidden directory on Windows systems and is designed to allow restoration of deleted or modified files. The flaw affects Norton SystemWorks 2005 and 2006 and Norton SystemWorks Premier 2005 and 2006. Symantec disputes allegations that this feature constitutes a rootkit.
-http://software.silicon.com/security/0,39024888,39155548,00.htm
-http://www.theregister.co.uk/2006/01/12/symantec_fixes_rootkit_bug/print.html
-http://www.techweb.com/wire/175804046

Apple Fixes QuickTime Flaws (11/10 January 2006)

Apple Computer has released QuickTime 7.0.4 which fixes five serious security flaws in earlier versions of the QuickTime media player. The vulnerabilities could be exploited to "run unauthorized code" on machines running vulnerable versions of QuickTime. Attackers would need to trick users into viewing maliciously crafted TIFF, GIF, TGA or QTIF files. Internet Storm Center Note:
-http://isc.sans.org/diary.php?storyid=1033
-http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/01/10/7378
7_HNquicktimepatch_1.html
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39304153-39000005c
-http://docs.info.apple.com/article.html?artnum=303101
[Editor's Note (Dhamankar): With vulnerabilities in so many file formats these days, may be its time to re-learn the good old days of text browsing! ]

Microsoft Bulletins Address Two Critical Flaws (10 January 2006)

Microsoft's January security update, released on January 10, 2006, includes fixes for two critical remote code execution flaws. A vulnerability in Outlook and Exchange involves the way the products decode the Transport Neutral Encapsulation Format (TNEF); the second flaw involves the way Windows "handles malformed embedded Web fonts." The TNEF flaw is perceived to be more dangerous than the Windows flaw as it requires no user interaction to be exploited. Internet Storm Center Notes:
-http://isc.sans.org/diary.php?storyid=1032
-https://www.sans.org/webcasts/show.php?webcastid=90616
-http://www.computerworld.com/printthis/2006/0,4814,107621,00.html
-http://www.microsoft.com/technet/security/Bulletin/MS06-003.mspx
-http://www.microsoft.com/technet/security/Bulletin/MS06-002.mspx

ATTACKS & INTRUSIONS & DATA THEFT

Connecticut Bank Says Lost Tape Contains Customer Data (12 January 2006)

Connecticut-based People's Bank has acknowledged that a tape containing sensitive data belonging to approximately 90,000 customers was lost en route to a credit-reporting bureau. The data on the tape includes Social Security numbers, names and bank account numbers. The bank said there is no evidence that the data have been misused and made no comment about whether or not it was encrypted. Affected customers will be provided with one year of free credit monitoring service.
-http://news.com.com/2102-1029_3-6026692.html?tag=st.util.print
-http://www.peoples.com/pressroom/article/0,8401,14103,00.html

Resort Acknowledges Security Breach Compromised Customer Data (10 January 2006)

Kerzner International, owner of the Atlantis resort in the Bahamas, filed a document with the Bahamas Securities and Exchange Commission that included information about a data theft; personal data belonging to approximately 55,000 resort customers was among the information compromised in a database security breach. Atlantis hotel management is notifying those affected in writing and is offering them one year of credit monitoring service. The compromised information includes Social Security numbers and credit card and bank account details.
-http://news.com.com/2102-7348_3-6025591.html?tag=st.util.print
-http://www.pcworld.com/resource/article/0,aid,124339,pg,1,RSS,RSS,00.asp

STATISTICS, STUDIES & SURVEYS

2005 FBI Computer Crime Survey (11 January 2006)

According to the 2005 FBI Computer Crime Survey, 87 percent of those responding said their organizations had experienced a security incident. Ninety-eight percent of respondents said they used antivirus software; ninety percent said they used firewalls. The report found a "positive correlation between the number of security measures employed and the number of denial-of-service attacks" experienced. More than 79 percent of respondents said their organizations experienced problems with spyware. Some security incidents went unreported due to beliefs that there was no criminal activity involved in the incident, that the incident was too small to report and that law enforcement would not be interested in the incidents. The survey asked 23 questions of 2,066 organizations in New York, Iowa, Texas and Nebraska.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1157706,0
0.html?track=sy160
[Editor's Note (Boeckman): This is a sad fact about the state of computer security today and serves as an indication that things are not improving much. The only thing worse is that the 13% that did not report an incident are probably just oblivious. ]

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/