SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #41
May 23, 2006
TOP OF THE NEWS
DSS Resumes Processing Some Clearance Applications, Draws Ire of LegislatorsUpdate to UK's CMA Could Prohibit Flaw Disclosure and Network Monitoring Tools
Trojan Exploits Unpatched MS Word Hole
Veterans' Personal Data Stolen
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCESMSN Spammer Draws 19 Months in Prison
Three Sentenced for Music Piracy Activity
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Alleged Software Pirate Settles Microsoft Civil Suit
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Worm Spreads Through Yahoo Messenger
Skype Releases Updates to Fix URI Flaw
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Ohio University Revamps Computer Services After Three Breaches
Data Security Breach at Retailer Affects Texas Bank's Customers
******** Sponsored By SANS Log Management Summit at SANSFIRE ************
Washington DC, July 12-14, 2006
More than 15 users will be sharing surprising stories about how their log management systems caught insider criminals, stopped the spread of worms and more. The Summit is the only place you can learn how to deploy log management for maximum impact. Don't miss it. You get a big discount if you are also attending classes at SANSFIRE. Registration information:
SANSFIRE: http://www.sans.org/sansfire06
Log Management Summit: http://www.sans.org/logmgtsummit06
*************************************************************************
SECURITY TRAINING UPDATE FOR JUNE and JULY, 2006
Washington DC: 18 tracks
Denver: 6 tracks
London: 5 tracks
Toronto: 4 tracks
Plus 10 other cities and live-online programs you can take from your home.
See http://sans.org/ for course schedule registration
*************************************************************************
TOP OF THE NEWS
DSS Resumes Processing Some Clearance Applications, Draws Ire of Legislators (19/17 May 2006)
Although the Defense Security Service (DSS) has resumed processing certain security clearance applications, US legislators are angry that the shutdown occurred at all. Officials have been ordered to develop a plan within six months to permanently solve the clearance-processing problem. Clay Johnson, acting director of the Office of Management and Budget (OMB), acknowledged that not informing Congress about the lack of necessary funds and impending processing halt was "a mistake."-http://www.fcw.com/article94594-05-19-06-Print
-http://www.fcw.com/article94560-05-17-06-Web
[Editor's Note (Pescatore): What is really needed is a review to determine if the clearance process actually provides any security value, and if security clearances are being required for positions that really don't need them. A knee jerk reaction to just throw more money to pay for more background investigations just perpetuates long time problems in the entire process.
(Weatherford): I wonder if this temporary shutdown was simply a way for DSS to cry for help and get the government's attention. This has been a problem for years. Maybe now they will get the funding required to eliminate the backlog.
(Shpantzer): The situation is so bad that some technical staffing companies providing cleared employees to the government actually put the cart before the horse: They find cleared people first, then train them up to technical requirements... If that's not scary, I don't know what is.
(Paller): The "clearance first" policies of many agencies has led them to make people who have never secured a system responsible for telling people how to secure systems. In other agencies, contractors with abominable delivery records are being kept on, over the objections of those who take security seriously, because the ineffective contractors have people with clearances. ]
Update to UK's CMA Could Prohibit Flaw Disclosure and Network Monitoring Tools (19 May 2006)
While the UK's Police and Justice Bill will update the country's Computer Misuse Act (CMA) to allow prosecution for denial-of- service attacks and other cyber crimes that were not on the radar when it became law, there is some concern that it could also allow individuals to be prosecuted for disclosing details about flaws that have not yet been patched or making network monitoring tools available. The House of Commons recently passed the Police and Justice Bill; the House of Lords will consider the bill in the next several months.-http://news.zdnet.co.uk/business/legal/0,39020651,39270045,00.htm
[Editor's Note (Honan): Legislators need to be careful they focus the legislation on the intent of the individual rather than the tools held by that person. After all a screwdriver is a useful tool to help me fix items around the house but can also be used to break into someone else's home. ]
Trojan Exploits Unpatched MS Word Hole (22/19 May 2006)
Mdropper-H, a Trojan horse program that exploits an unpatched hole in Microsoft Word 2002 and 2003, has been detected on the Internet. It has been used in highly targeted spear phishing attacks, via email containing MS Word attachments that contain a backdoor program called Backdoor-Ginwui. Microsoft is developing a fix for the MS Word flaw. The SANS Internet Storm Center (ISC) has made several recommendations for protecting networks from attack, including quarantining attachments to allow for the release of relevant virus signatures, limiting user privileges, monitoring or blocking outbound traffic and replacing MS Word with OpenOffice until patches are available from Microsoft.-http://www.theregister.co.uk/2006/05/22/trojan_exploit_word_vuln/print.html
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39361207-39000005c
-http://blog.washingtonpost.com/securityfix/2006/05/microsoft_hackers_exploiting_
u.html
-http://isc.sans.org/diary.php?storyid=1347
[Editor's Note (Boeckman): Why are we still seeing such serious problems over 4 years after Microsoft announced their trusted computing initiative? Did they even patch the last zero day yet (CVE-2006-1992)? ]
Veterans' Personal Data Stolen (22 May 2006)
A Department of Veterans Affairs employee who took electronic data home without authorization has been placed on administrative leave following a burglary at his home during which the data were stolen. The employee was not authorized to take the files home; the FBI, local law enforcement agents and the VA's inspector general are investigating the incident. The data include the Social Security numbers, names and birthdates of all US veterans who have served in the military and have been discharged since 1975, an estimated 26.5 million US veterans. There is no evidence the data have been used. The VA is taking steps to inform veterans of the data security breach and has established a web site and a toll free number to address veterans' concerns.-http://www.usatoday.com/tech/news/2006-05-22-vadisk_x.htm
-http://www.gcn.com/online/vol1_no1/40840-1.html?topic=security
(Please note this site requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2006/05/22/AR2006052200709_
pf.html
-http://www.msnbc.msn.com/id/12916803/
[Editor's Note ( Northcutt): I happen to be a veteran so I used this as an opportunity for field research. To get the toll free number you need to go to
-http://www.firstgov.gov/veteransinfo.shtml
and the phone number, 1-800-333-4636 is at the very bottom of the article. When I called, there was a recorded message with the same information as the web site. Eventually, I got a person. I explained that I was a veteran and I wanted to validate the accuracy of the data they had recorded for me. Note that is a basic OECD privacy principle. Joshua, after a one minute pause, tried to send me back to www.firstgov.gov. I don't wish to appear as mean or cynical, but I am concerned. More than a couple veterans have suffered injuries due to their time in service and might be particularly vulnerable to identity attacks. If there is someone from the VA or the government with authority, I am happy to volunteer to participate on, or even lead a testing team to ensure the processes in place to help veterans actually work. Right now they don't.
(Multiple): If the employee was not authorized to take the data home then he should not have been able to do so. Simply having a policy statement prohibiting certain courses of action does not guarantee the statement will be adhered to nor that the data will be secured. Controls and mechanisms need to be implemented to support and manage compliance to policy statements and maintain the integrity of the resources being secured. ]
*************************** Sponsored Links: ****************************
1) ALERT: How do you protect what you can't see? Stop protecting while blind. Gain network visibility now. Download FREE White Paper "Network Behavior Analysis (NBA) in the Enterprise."
http://www.sans.org/info.php?id=1173
2) "SQL Injection and Signature Evasion" whitepaper - The attack process, countermeasures and what does and doesn't work.
http://www.sans.org/info.php?id=1174
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
MSN Spammer Draws 19 Months in Prison (22/19 May 2006)
Jayson Harris has been sentenced to 21 months in prison after pleading guilty to fraud and wire fraud for his role in a phishing scam that targeted MSN users. In his plea agreement, Harris admitted he sent deceptive email to MSN users to try to lure them to a specially crafted site that would help him harvest credit card numbers and other data. Harris has been ordered to pay approximately US $57,000 in restitution; he admitted to defrauding between 50 and 250 individuals.-http://www.techspot.com/news/21667-msn-phisher-gets-21-months-in-prison.html
-http://www.informationweek.com/story/showArticle.jhtml?articleID=188100721
Three Sentenced for Music Piracy Activity (19 May 2006)
Three men have been sentenced for their roles in groups that post pre-release music to the Internet. George S. Hayes pleaded guilty to one count of copyright infringement and was sentenced to 15 months in jail. Aaron O. Jones and Derek A. Borchardt pleaded guilty to one felony count of conspiracy to commit copyright infringement. Jones received a sentence of six months in jail followed by six months of home confinement; Borchardt was sentenced to six months home confinement. A fourth man, Matthew Howard, will be sentenced next week. The men were caught through the efforts of the FBI's ongoing Operation FastLink, which targets piracy groups.-http://www.infoworld.com/article/06/05/19/78530_HNwarez3_1.html
-http://www.australianit.news.com.au/articles/0,7204,19215726%5E15318%5E%5Enbv%5E
,00.html
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Alleged Software Pirate Settles Microsoft Civil Suit (22/19 May 2006)
Microsoft brought a GBP 12 million (US$22.6 million) civil suit against William Ling earlier this year for damages it claims it suffered as a result of Ling selling pirated copies of its software. In May 2005, Ling was prosecuted for selling pirated software but received a fine of just GBP 10,000 (US$18,839) and resumed selling pirated software within two months. Ling has settled the civil suit out of court for an undisclosed sum and has agreed to stop selling pirated software.-http://software.silicon.com/applications/0,39024653,39159008,00.htm
-http://www.theregister.co.uk/2006/05/22/microsoft_sues_pirate/print.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Worm Spreads Through Yahoo Messenger (22 May 2006)
The yhoo32-explr worm spreads through Yahoo's instant messaging network and installs what it calls a "Safety Browser." The Safety Browser hijacks Internet Explorer homepages and redirects it to a site that downloads spyware onto infected machines.-http://www.theregister.co.uk/2006/05/22/safety_browser_im_worm/print.html
-http://www.eweek.com/print_article2/0,1217,a=178894,00.asp
-http://www.vnunet.com/vnunet/news/2156523/yahoo-messenger-worm-turns-ie
Skype Releases Updates to Fix URI Flaw (22/19 May 2006)
Skype Ltd. has released an updated version of its VoIP software to address a flaw stemming from improper handling of Uniform Resource Indicator (URI) arguments that could be exploited to allow attackers to download files from vulnerable machines. Vulnerable versions of Skype include 2.0.x.104 and earlier and 2.5.x.0 through 2.5.x.78. Users are encouraged to upgrade to Skype 2.5 release 2.5.x.79 or later or Skype 2.0, release 2.0.x.105 or later.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9000662
-http://news.com.com/2102-1002_3-6074640.html?tag=st.util.print
-http://www.skype.com/security/skype-sb-2006-001.html
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Ohio University Revamps Computer Services After Three Breaches (21 May 2006)
A series of attacks on Ohio University servers has prompted a reorganization of the school's computer services department. While the attacks were only recently disclosed, at least one of the servers may have been accessible to intruders for more than a year. This particular server holds the Social Security numbers of more than 137,000 individuals. Ohio University was alerted to the breach when the FBI discovered that one of the servers was being controlled remotely. A technician has been placed on paid administrative leave.-http://news.com.com/2102-7349_3-6074739.html?tag=st.util.print
Data Security Breach at Retailer Affects Texas Bank's Customers (19 May 2006)
About 100 customers of Texas-based Frost Bank were victims of cyber thieves who stole debit card data from an unnamed retailer and used it to commit identity fraud. Frost Bank is notifying all 9,300 affected customers and informing them they will have all stolen money restored to their accounts. Visa USA has acknowledged that it was alerted to the data theft and that it notified the institutions that issued the affected cards.-http://www.mysanantonio.com/business/stories/MYSA051906.01E.frosttheft.216bbd06.
html
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is the author/ co-author of books on
Unix security, Internet security, Windows NT/2000 security, incident
response, and intrusion detection and prevention. He was also the
co-founder and original project manager of the Department of Energy's
Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers.
Schneier has regularly appeared on television and radio, has testified
before Congress, and is a frequent writer and lecturer on issues
surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's @RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely
recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development
Authority (IDA) of the Singapore government.
Chuck Boeckman is Lead Network Security Engineer supporting the US
Transportation Command, responsible for the security of global military
transportation command and control systems.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin,
Ireland.
Roland Grefer is an independent language consultant based in Clearwater,
Florida.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/