SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #5
January 17, 2006
TOP OF THE NEWS
IRS Imposes Strict Security Rules on New Contractors
Government Web Site for Contractor Bids Offline for Security Fix
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Spanish Civil Guard Arrests Suspected Cyber Intruder
Alleged Spammer Reportedly Reaches Plea Deal
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Researcher: SonyBMG DRM Software Still Widespread
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Windows Wi-Fi Vulnerability
Microsoft Issues WMF Patches for Vista
QuickTime Patch Problems
MISCELLANEOUS
UK Banks Will Not Face Legal Action Over Alleged Indian Call Center Data Security Breach
iTunes MiniStore Feature Raises Privacy Concerns
****************** Sponsored by ArcSight ********************************
Download Top 10 Guide to Evaluating SIM Solutions
Many factors go into buying a SIM solution. Discover the best practices, based on customer experiences, that should be an integral part of your evaluation process with the new Top 10 Guide to Evaluating SIM Solutions. Brought to you by ArcSight, the one vendor that's been proven in demanding real-world trials, for security, compliance and insider threat. Download a copy of the guide today!
http://www.sans.org/info.php?id=987
*************************************************************************
Training Opportunities in the Next Five Weeks
SANS 2006 in Orlando (Feb 24- March 4) 36 tracks of extraordinary training - the best instructors in the world, and a great security tools exposition. Lots of people are bringing their families to Orlando to join them at the end of the program.
Plus: San Francisco, Phoenix, St. Louis, Brisbane, Tokyo, Ottawa Or you can take SANS training anytime, anywhere with the new SANS On Demand.
Details on these and other programs: www.sans.org
*************************************************************************
TOP OF THE NEWS
IRS Imposes Strict Security Rules on New Contractors (16 January 2006)
Beginning in March, the US Internal Revenue Service (IRS) will have three private contractors helping to collect back taxes from US citizens. The contractors will be obliged to follow stringent IRS security rules. All their work must be done in the United States; contractors must purge taxpayer data from IT systems when a case is completed, or if that is not possible, guarantee the security of that information. The contractors must also abide by federal security standards.
-http://www.informationweek.com/story/showArticle.jhtml?articleID=177100345
[Editor's Note (Schultz): If you read the Information Week article, you'll see that there is another side to this story, one that focuses on concerns that the IRS will not sufficiently protect taxpayer information. I share these concerns, especially given that contractors are not required to immediately delete taxpayer information from their computers when a case is done if doing so "is not possible." This creates all kinds of loopholes for contractors. Furthermore, will contractors actually be able to delete all of this information if and when the time comes? ]
Government Web Site for Contractor Bids Offline for Security Fix (13 January 2006)
The eOffer/eMod web site, which is used by vendors to bid on government contracts through the General Services Administration (GSA), has been taken offline to address security concerns. One of the site's users says he was able to view and possibly edit other vendors' bids simply by altering the unique ID number assigned to an application, which indicates the site was not checking that the person requesting a record was entitled to it. He reported the problem to the GSA on December 22, 2005. The site is scheduled to be back online by the middle of this week.
-http://www.computerworld.com/printthis/2006/0,4814,107750,00.html
-http://www.fcw.com/article91960-01-13-06-Web
(New York Times web site requires free registration)
-http://www.nytimes.com/2006/01/13/technology/13secure.html?pagewanted=print
White Paper on the Flaw:
-http://www.thinkcomputer.com/corporate/news/restassured.pdf
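The eOffer/eMod problem as described is the classic insecure direct object reference: the server hands back whatever record the ID in the request names, without asking whether the requester owns it. The following is an added illustration, not the GSA's code or anything from the white paper; the bid store, vendor names and amounts are made up for the example. It shows the vulnerable handler beside a hardened one that authorizes the requester against the record's owner, and the probe the reporter effectively ran (take your own ID and step it up and down):

```python
"""Added example (not from the original page): IDOR on a bid-lookup handler.

Vulnerable version trusts the ID in the request; hardened version checks that
the requester owns the bid and, as defense in depth, issues unguessable IDs.
All names and data below are constructed for the example.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, List, Optional


class Forbidden(Exception):
    """Raised when the requester is not the owner of the referenced bid."""


@dataclass
class Bid:
    bid_id: str
    vendor: str      # account that submitted the bid
    amount: float


class BidStore:
    """In-memory stand-in for the bid database (hypothetical)."""

    def __init__(self, sequential_ids: bool):
        self._bids = {}
        self._sequential_ids = sequential_ids
        self._next = 1000

    def create(self, vendor: str, amount: float) -> Bid:
        if self._sequential_ids:
            bid_id = str(self._next)            # guessable: 1000, 1001, 1002, ...
            self._next += 1
        else:
            bid_id = secrets.token_urlsafe(16)  # 128 random bits, not enumerable
        bid = Bid(bid_id, vendor, amount)
        self._bids[bid_id] = bid
        return bid

    def lookup(self, bid_id: str) -> Optional[Bid]:
        return self._bids.get(bid_id)


# --- vulnerable handlers: the ID in the request is the only "authorization" ---
def view_bid_insecure(store: BidStore, requester: str, bid_id: str) -> Optional[Bid]:
    return store.lookup(bid_id)          # requester is never consulted


def edit_bid_insecure(store: BidStore, requester: str, bid_id: str, new_amount: float) -> bool:
    bid = store.lookup(bid_id)
    if bid is None:
        return False
    bid.amount = new_amount              # anyone who knows the ID can edit
    return True


# --- hardened handlers: authorize the requester against the object's owner ---
def _authorize(store: BidStore, requester: str, bid_id: str) -> Bid:
    bid = store.lookup(bid_id)
    # Same failure for "no such bid" and "not your bid", so the response does
    # not confirm whether a guessed ID exists.
    if bid is None or bid.vendor != requester:
        raise Forbidden(bid_id)
    return bid


def view_bid(store: BidStore, requester: str, bid_id: str) -> Bid:
    return _authorize(store, requester, bid_id)


def edit_bid(store: BidStore, requester: str, bid_id: str, new_amount: float) -> Bid:
    bid = _authorize(store, requester, bid_id)
    bid.amount = new_amount
    return bid


# --- the probe: step the ID you legitimately hold up and down ---
def probe_neighbors(view: Callable, store: BidStore, requester: str,
                    own_id: str, radius: int = 2) -> List[Bid]:
    """Return the other vendors' bids the handler leaks for IDs near own_id."""
    found = []
    try:
        base = int(own_id)
    except ValueError:
        return found                     # random token: nothing to step through
    for cand in range(base - radius, base + radius + 1):
        if cand == base:
            continue
        try:
            bid = view(store, requester, str(cand))
        except Forbidden:
            continue
        if bid is not None and bid.vendor != requester:
            found.append(bid)
    return found


def demo():
    """Count leaked bids for (insecure, hardened, insecure-with-random-IDs)."""
    seq = BidStore(sequential_ids=True)
    seq.create("acme-llc", 125000.0)
    mine = seq.create("mallory-inc", 99000.0)
    seq.create("globex", 131000.0)
    leaked_insecure = probe_neighbors(view_bid_insecure, seq, "mallory-inc", mine.bid_id)
    leaked_hardened = probe_neighbors(view_bid, seq, "mallory-inc", mine.bid_id)

    rnd = BidStore(sequential_ids=False)
    rnd.create("acme-llc", 125000.0)
    mine_rnd = rnd.create("mallory-inc", 99000.0)
    leaked_random = probe_neighbors(view_bid_insecure, rnd, "mallory-inc", mine_rnd.bid_id)
    return len(leaked_insecure), len(leaked_hardened), len(leaked_random)


if __name__ == "__main__":
    print(demo())
```

The ownership check is the fix; random IDs only make enumeration impractical and do not replace it, since an ID can still leak through a shared link or a log. Note also that the hardened path returns the same error for a missing record and a foreign one, so the response cannot be used as an oracle for which IDs exist.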
********************* Sponsored Links: **********************************
1) Email Security Strategies: What to Plan for in 2006. Gartner analyst featured in this On Demand webinar, beginning January 19th.
http://www.sans.org/info.php?id=988
2) WhatWorks Webcasts
WhatWorks in Secure Email - January 19
WhatWorks in Penetration Testing - January 25
Organizations that select security tools without first checking WhatWorks case studies and interviews are unnecessarily and foolishly increasing their risks.
Upcoming Webcasts: http://www.sans.org/webcasts/
All the WhatWorks Webcasts Archived: http://www.sans.org/whatworks
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Spanish Civil Guard Arrests Suspected Cyber Intruder (16 January 2006)
The Spanish Civil Guard says that a man has been arrested in Malaga for allegedly breaking into a computer with sensitive information at a US Navy base in San Diego. The Spanish Civil Guard searched the man's home and seized a computer and other effects. The Civil Guard says the suspect is allegedly part of a group that has broken into more than 100 computer systems and caused damages exceeding US$500,000.
-http://www.cnn.com/2006/WORLD/europe/01/16/spain.us/index.html
-http://abcnews.go.com/Technology/wireStory?id=1510995
Alleged Spammer Reportedly Reaches Plea Deal (13 January 2006)
Alleged spammer Daniel Lin is expected to enter a guilty plea in court on January 17, 2006 after admitting that he used corporate and government computer networks to send unsolicited commercial email. Lin's deal with prosecutors will send him to jail for between two years and 57 months; had he not agreed to the deal, Lin would have faced a much lengthier sentence. Lin is one of four people charged in April 2005 with using compromised computers to send spam. The group allegedly sent spam through proxies with forged return-path addresses in violation of the CAN-SPAM Act.
-http://www.theregister.co.uk/2006/01/13/detroit_spam_case/print.html
[Editor's Note (Shpantzer): If we could figure out how to jail some of the people who fund the spammers in the first place, that would be a true deterrent. Let's remember the fundamentals: Spammers don't send us those emails for their own amusement, they are serving their corporate clients that use spam as a paid marketing channel. Same goes with lots of spyware. ]
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Researcher: SonyBMG DRM Software Still Widespread (16 January 2006)
A security researcher estimates that hundreds of thousands of computer networks around the world still have PCs on them that contain SonyBMG's notorious digital rights management (DRM) software. Many of the affected networks belong to the US military and government. The problems caused by two different DRM programs, XCP and MediaMax, resulted in several lawsuits being filed against SonyBMG. A New York district court judge recently approved a settlement between SonyBMG and attorneys for six class-action lawsuits.
-http://www.securityfocus.com/news/11369
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Windows Wi-Fi Vulnerability (16 January 2006)
A flaw in a Windows XP and 2000 feature that automatically searches for Wi-Fi connections could be exploited to place vulnerable computers in an attacker's peer-to-peer (ad hoc) network, potentially exposing the contents of their hard drives. When a computer running one of these operating systems starts up, it automatically searches for a Wi-Fi connection; if none is found, it configures an ad hoc network on a self-assigned link-local address, using the SSID of the last successful connection, and broadcasts that SSID while looking for other computers to connect to. An attacker within radio range who is listening for these broadcasts can stand up an ad hoc network with the same SSID; the victim's machine associates with it, which gives the attacker a direct link-layer path to any file sharing the machine exposes, and with it access to files on the user's PC. Users with firewalls are protected; users running Windows XP SP2 are not at risk. Users can protect their computers by disabling Wi-Fi when they are not using it. In addition, system administrators should block inbound connections to TCP and UDP ports 135 (RPC) and 137, 138 and 139 (NetBIOS).
-http://news.com.com/2102-1029_3-6027399.html?tag=st.util.print
-http://www.newsfactor.com/news/Windows-Wi-Fi-Flaw-Uncovered/story.xhtml?story_id=100009TZG1MS
Microsoft Issues WMF Patches for Vista (16/14 January 2006)
Microsoft has released a patch for the critical WMF vulnerability for its Windows Vista December Community Technology Preview (CTP) and Windows Vista Beta 1. Microsoft plans to release Vista to the public later this year.
-http://www.computerworld.com/printthis/2006/0,4814,107798,00.html
-http://www.eweek.com/print_article2/0,1217,a=169260,00.asp
-http://www.microsoft.com/downloads/details.aspx?familyid=228f2cdc-7148-4002-86bb-e4ade080ea86&displaylang=en
[Editor's Note (Schultz): I don't think that Microsoft has gotten the praise that it has so richly deserved for getting patches for the WMF vulnerability out so quickly. In this particular case I would label Microsoft's actions as heroic. ]
QuickTime Patch Problems (12 January 2006)
People who installed a security update for the QuickTime media player are reporting problems on both Mac OS X and Windows systems. The trouble includes "deleted applications and files, unplayable movie files and the disappearance of rights to use the professional version of QuickTime." Others have reported that the media player has difficulty connecting to the Internet after installing the update. Apple has released a tool for Mac OS X users that removes QuickTime 7.0.4 and restores QuickTime 7.0.1.
-http://news.com.com/2102-1002_3-6026745.html?tag=st.util.print
MISCELLANEOUS
UK Banks Will Not Face Legal Action Over Alleged Indian Call Center Data Security Breach (13 January 2006)
The UK's Information Commissioner (IC) says that UK banks will not face legal action following a data security breach at an Indian call center last year. An undercover UK journalist was allegedly able to purchase sensitive financial information belonging to 1,000 UK bank customers. The banks were warned then that they could face legal action for violations of the Data Protection Act. The IC now says there is no evidence that any data were compromised. In addition, the City of London police force says it has no jurisdiction outside the country.
-http://news.com.com/2102-1029_3-6027073.html?tag=st.util.print
[Editor's Note (Honan): This story quotes The Financial Services Authority, which oversees British banking, as saying "Our concerns are whether adequate security controls were in place". It is time that financial organisations realise that when they are entrusted with the personal information of their customers that just "adequate" measures are no longer acceptable! ]
iTunes MiniStore Feature Raises Privacy Concerns (13/12 January 2006)
iTunes users have expressed concern about a MiniStore feature in an updated version of the software that keeps tabs on users' music preferences. The feature recommends other, similar music tracks to those being played on iTunes. Apple says it does not keep any of the data after making recommendations. The update was released on January 10; Apple has posted information about how to turn the feature off.
-http://news.bbc.co.uk/1/hi/technology/4608882.stm
-http://news.com.com/2102-1029_3-6026542.html?tag=st.util.print
-http://docs.info.apple.com/article.html?artnum=303066
[Editor's Note (Ranum): With zillions of people cheerfully running systems that are cripplingly infested with spyware and keyloggers, iTunes users are concerned about having their musical tastes tracked? Get a grip!
(Pescatore): I think we should be way beyond this being a privacy issue, as Amazon.com and Tivo and many others have had this type of feature for years. As long as you have notification and choice (easy to find notification and easy to exercise choice), case closed. Even better: opt in, with the default being no monitoring and suggestions. ]
===end===
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/