SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #55

July 14, 2006

TOP OF THE NEWS

Phishing Attack Defeats Two-Factor Authentication
VA IG Report Critical of Department Data Security Policies
State Department Computers Targeted by Intruders

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Four Sentenced for Australian and US Government Site Break-Ins
SPYWARE, SPAM & PHISHING
Gmail Phishing Scam
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
ISP Will Not Reveal Alleged File Traders' Names to BPI
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Adobe Issues Updates to Fix a Pair of Flaws
Microsoft's July Security Update Addresses 18 Vulnerabilities
MISCELLANEOUS
CIO Resigns After Security Breaches at Ohio University
UK Companies Responsible for Ensuring Security of Outsourced Data
Australian University Trades Perimeter Firewall for Core Firewall

---

******************** Sponsored By LogLogic, Inc. ************************

The legal community is not sure what to make of system logs. Documented cases show logs can store very valuable evidence, but logs are so poorly understood that lawyers and regulators have been hard pressed to say anything useful about their creation and retention. REGISTER NOW for SANS Ask the Expert webcast on July 18th at 1pm ET featuring SANS Instructor Ben Wright titled: The Law of IT System Logs. http://www.sans.org/info.php?id=1229

*************************************************************************

Summer Security Training Extravaganza

Over the next two months, you may attend one or more of 50 SANS courses in 20 cities on four continents. And if you cannot make those events, because of travel restrictions, you may attend live SANS courses with the best teachers in the world, without leaving your home. You can even take SANS courses online at your own schedule. Attendance at SANS educational events is experiencing the largest growth spurt in half a decade. Pick your class and register early to get a seat. http://www.sans.org/index.php

*************************************************************************

---

TOP OF THE NEWS

Phishing Attack Defeats Two-Factor Authentication (13 & 10 July 2006)

Phishers are targeting Citibank Citibusiness customers using a man-in-the-middle attack to exploit people's trust in two-factor authentication. The scheme, if successful, would provide the phishers with Citibank Citibusiness customers' names and passwords in addition to temporary passwords generated by security tokens. The scheme passes on the customers' entered information to the legitimate site to see if it authentic. In a real-time attack scenario, the temporary passwords could be used before they expire. The phony site has reportedly been shut down.
-http://www.vnunet.com/vnunet/news/2160250/phishers-crack-two-factor
-http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor
_1.html
[Editor's Note (Pescatore): The real issue in securing remote connections is mutual authentication: the user has to know they are connected to the legitimate business and the business has to know they are connected to the legitimate user. Without that MITM attacks are always going to happen - this is not new. So, unless the server side of online banking adds mechanisms to assure the user that it is safe to enter a password (reusable or one time) this risk will be there. There are plenty of ways to do this securely.
(Honan): Schemes focusing solely on authenticating the end user will always be susceptible to attack. A combination of schemes authenticating the end user, enabling the end user to easily authenticate the site they are dealing with and for the institution to detect fraudulent transactions are what is required. ]

VA IG Report Critical of Department Data Security Policies (13 & 12 July 2006)

A report from the US Department of Veterans Affairs office of the inspector general says VA officials acted "with indifference and little sense of urgency" in the wake of the theft of a computer and storage device containing data belonging to millions of veterans. The report is critical of employees at all levels within the VA; it also says VA policies in place at the time of the theft did not adequately protect sensitive data. The report says notification of the theft was passed from one desk to another, delaying the Department's response; the report also indicates that a VA official wanted to rewrite the theft notification to make the possibility of data misuse seem less likely than it actually was.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39374813-39000005c
(Please note this site requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2006/07/11/AR2006071101066_
pf.html
The report is posted at
-http://www.va.gov/oig/51/FY2006rpts/VAOIG-06-02238-163.pdf
[Editor's Note (Pescatore): If you read the report, the real issue was processes not policies. There were policies in place but the processes to monitor, enforce and react were all ad hoc and personality dependent. You can have policies out the kazoo and Joe and Sally's informal approach to meeting them might work fine until Joe and Sally have a spat or until fast, broad, coordinated action is required. The OIG report reads like a soap opera because of this lack of process. ]

State Department Computers Targeted by Intruders (12 & 11 July 2006)

The US State Department has been the target of cyber attacks over the last several weeks. The attackers appeared to be focusing on State Department headquarters and the Bureau of East Asian and Pacific Affairs. Officials speaking on condition of anonymity say investigators think the intruders stole sensitive data, including passwords, and placed backdoors on the systems they infiltrated. The State Department has acknowledged only that it is investigating network traffic anomalies in its unclassified computer systems. Following the discovery of the intrusions, State Department employees were told to change their passwords; the Department also temporarily disabled SSL access.
-http://www.cnn.com/2006/US/07/11/state.hackers.ap/index.html
-http://today.reuters.co.uk/news/newsArticle.aspx?type=internetNews&storyID=2
006-07-12T043822Z_01_N11204558_RTRIDST_0_OUKIN-UK-SECURITY-STATE-COMPUTERS.XML&a
mp;archived=False
-http://www.informationweek.com/showArticle.jhtml%3Bjsessionid=2SNDTR4SELBG0QSNDL
PCKHSCJUNN2JVN?articleID=190302905

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Four Sentenced for Australian and US Government Site Break-Ins (12 July 2006)

An Italian court has sentenced four people to 17 months in jail each for breaking into a number of government web sites in Australia and the US, including the Pentagon, NASA and Australia's Department of Defence. The trial of two minors involved in the case has not yet come to a close.
-http://www.smh.com.au/news/world/italians-jailed-for-breaching-australian-defenc
e-website/2006/07/11/1152383746278.html

SPYWARE, SPAM & PHISHING

Gmail Phishing Scam (12 July 2006)

A recently detected phishing scam targeting Gmail users pretends to offer a US$500 cash prize. Recipients are directed to a web site where they are asked to register to receive the prize. They are also asked to pay a membership fee of less than US$10. The phony registration site actually hosts malware.
-http://www.theregister.co.uk/2006/07/12/gmail_phish/print.html

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

ISP Will Not Reveal Alleged File Traders' Names to BPI (12 July 2006)

Tiscali, an Italian Internet service provider (ISP) with roughly 1.2 million broadband customers in the UK, says it will not disclose the identities of 17 of its customers whom the British Phonographic Industry (BPI) maintains are sharing copyrighted music files in violation of UK laws. Tiscali says it has received scant evidence that its customers are doing what the BPI alleges and says it will not disclose customer information in the absence of a court order. Tiscali has, however, contacted one customer for whom it had received a screenshot indicating illegal activity and has given that customer seven days to respond or risk having the account shut down.
-http://australianit.news.com.au/articles/0,7204,19764504%5E15322%5E%5Enbv%5E,00.
html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Adobe Issues Updates to Fix a Pair of Flaws (13 July 2006)

Adobe has issued two security advisories regarding vulnerabilities in Acrobat and Reader software. The other flaw is specific to MAC OS systems and is a file permissions vulnerability in Adobe Acrobat and Adobe Reader 6.0.4 and earlier. Users are encouraged to upgrade to version 6.0.5. This flaw affects both Windows and Mac OS systems. The other flaw is a file permissions vulnerability in Adobe Acrobat and Adobe Reader 6.0.4 and earlier but only on Mac OS systems. It could allow attackers to change key program files.
-http://www.zdnetasia.com/news/software/0,39044164,39374812,00.htm
-http://www.adobe.com/support/security/bulletins/apsb06-09.html
-http://www.adobe.com/support/security/bulletins/apsb06-08.html

Microsoft's July Security Update Addresses 18 Vulnerabilities (12 & 11 July 2006)

On Tuesday, July 11, Microsoft released seven security bulletins that addressed 18 vulnerabilities in Windows and Office. Five of the seven bulletins had a severity rating of critical. One of the most critical flaws, addressed in MS06-035, is in the Windows mailslot component and could be exploited to take control of vulnerable machines without any user interaction; this vulnerability could be exploited to launch a worm. The bulletins also include patches for two zero-day vulnerabilities in Excel for which exploit code had already been published.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39374438-39000005c
-http://www.microsoft.com/technet/security/Bulletin/MS06-035.mspx
-http://www.us-cert.gov/cas/techalerts/TA06-192A.html

MISCELLANEOUS

CIO Resigns After Security Breaches at Ohio University (13 July 2006)

Citing the need for "a new energy level and skill set," the CIO of Ohio University has submitted his resignation. William Sams will remain at Ohio University until a replacement has been hired. Two IT staffers were recently placed on administrative leave following the disclosure of several data security breaches that exposed the personal information of 137,000 students and alumni.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9001777

UK Companies Responsible for Ensuring Security of Outsourced Data (12 July 2006)

The UK Information Commissioner's Office (ICO) said that companies are liable for security breaches that occur at third party contractors, including outsourcing sites overseas. The UK's Data Protection Act requires companies to establish policies and procedures to safeguard customer data no matter where or by whom the data are processed. New guidance from ICO clarifies companies' responsibilities in finding outsourcers that will take the necessary precautions to protect sensitive customer data.
-http://www.theregister.co.uk/2006/07/12/outsourced_data_protection/print.html
[Editor's Note (Pescatore): I don't think there was much doubt about this one. Even in the US, the companies that the customer dealt with have had to announce and take the heat for the data breaches, even when an outsourcer was at fault. That's why evaluating the security of suppliers and outsourcers has to happen *before* the decision is made - contractual language making the supplier or outsourcer liable doesn't change the brand damage equation. ]

Australian University Trades Perimeter Firewall for Core Firewall (11 July 2006)

An AU$1 million upgrade to Sydney Australia's Macquarie University's computer network involved taking away the network's perimeter firewall and instead deploying a firewall at the network core. Universities face the challenge of creating computer networks that allow access for students while protecting intellectual property.
-http://www.zdnet.com.au/news/hardware/print.htm?TYPE=story&AT=39262966-20000
61702t-10000001c
[Editor' Note (Pescatore): Security "in the cloud" (whether the ISP cloud, the data center cloud or the core network cloud) is definitely a trend and has many advantages. However, time has shown there is always a need for a separate security control plane - if all network security can be compromised by one switch misconfiguration, big problem. Adding network security further into the core is a very good thing. Doing so and losing that inexpensive layer of separate perimeter security is a very risky proposition.
(Schultz): The kind of change described in this news item is bound to become increasingly common. The traditional view of a security perimeter enforced by a firewall at the exterior gateway has become increasingly obsolete over time because of the new types of services that have been created and the greater use of mobile computing. ]

---

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is Lead Network Security Engineer supporting the US Transportation Command, responsible for the security of global military transportation command and control systems.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent language consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/