SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #57
July 21, 2006
The Associated Press did a story yesterday about the free DHS/DoE SCADA Security Courses in Las Vegas Sept. 28-30. Now the main day is 60% full. So if you want a seat, register soon.
SCADA Security Summit: http://www.sans.org/link.php?id=1531
SANS Network Security: http://www.sans.org/link.php?id=380
Alan
TOP OF THE NEWS
Bill Revamps Veterans Affairs Security
British Home Office Proposes Sweeping Powers To Ban Hackers From Internet
Professional Hackers Target Large Financial Organizations
THE REST OF THE WEEK'S NEWS
GOVERNMENT CYBER SECURITY, STANDARDS, POLICY & LEGAL
UK Government Looks at Strengthening Anti-Spam Law
EFF Privacy Lawsuit Against Alleged AT&T / NSA Collaboration Receives Green Light
ARRESTS, CHARGES & CONVICTIONS
Microsoft Keelhauls 26 Pirates
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Metasploit Creator Releases Malware Search Engine
Microsoft to Plug Actively Exploited PowerPoint Hole - Next Month
Oracle Patches 65 Holes With Security Round
Vulnerability Found In D-Link Routers
Vishing - Criminals Exploit VOIP Phone Calls
COMPROMISES & BREACHES
Unsecured E-Mail Sparks Dispute Among Australian Doctors
STATISTICS, STUDIES & SURVEYS
Eighty Percent Of New Malware Defeats Antivirus
MISCELLANEOUS
Vulnerability Auctions Killing Responsible Disclosure
************************** Sponsored By LURHQ ***************************
LURHQ Security Services - Passion. Expertise. Trust. LURHQ has been exemplifying these attributes for over 10 years to form a true security partnership with each of our Managed Security and Consulting clients. Download our whitepaper "Choosing an Effective Security Services Partner" to learn why these attributes are critical for a successful services partnership.
http://www.sans.org/info.php?id=1236
*************************************************************************
Summer Security Training Extravaganza
Over the next two months, you may attend one or more of 50 SANS courses in 20 cities on four continents. And if you cannot make those events, because of travel restrictions, you may attend live SANS courses with the best teachers in the world, without leaving your home. You can even take SANS courses online at your own schedule. Attendance at SANS educational events is experiencing the largest growth spurt in half a decade. Pick your class and register early to get a seat.
http://www.sans.org/index.php
*************************************************************************
TOP OF THE NEWS
Bill Revamps Veterans Affairs Security (18 July 2006)
The House Veterans Affairs Committee is pushing forward a new bill that would make the VA CIO an Undersecretary, giving him status equal to the other departmental leaders. It also creates another position, Undersecretary for Information Security. Additionally, it details response to data breaches, risk analysis and notification and credit monitoring services for those affected.
-http://www.gcn.com/online/vol1_no1/41380-1.html
British Home Office Proposes Sweeping Powers To Ban Hackers From Internet (July 19 2006)
The British Home Office has proposed the Serious Crime Prevention Order, which aims to combat suspected hackers and spammers by using civil proceedings to ban them from the Internet. Civil libertarians expressed concern that the courts would have too much power. The Home Office proposals also call for data mining across government and private databases. Parliament will debate the proposals. The proposals may be found at:
-http://www.homeoffice.gov.uk/documents/new-powers-paper.pdf?view=Binary
-http://news.zdnet.co.uk/internet/security/0,39020375,39279134,00.htm
-http://www.theinquirer.net/default.aspx?article=33119
Professional Hackers Target Large Financial Organizations (July 19 2006)
The 2006 Deloitte Global Security Survey reports a surge in the number of security attacks targeting large financial institutions over the past year. Phishing and pharming accounted for more than half (51%) of external attacks, followed by spyware/malware utilization (48%). Attacks are becoming more numerous and more sophisticated.
-http://www.scoop.co.nz/stories/BU0607/S00302.htm
THE REST OF THE WEEK'S NEWS
GOVERNMENT CYBER SECURITY, STANDARDS, POLICY & LEGAL
UK Government Looks at Strengthening Anti-Spam Law (July 18 2006)
The UK Department of Trade and Industry is considering strengthening its antispam legislation, the Privacy and Electronic Communications Regulations introduced in 2003. A loophole in the law currently limits the ability to prosecute people who send unsolicited junk e-mail to businesses.
-http://management.silicon.com/government/0,39024677,39160496,00.htm
EFF Privacy Lawsuit Against Alleged AT&T / NSA Collaboration Receives Green Light (21 July 2006)
A federal court judge denied the government's and AT&T's motions to dismiss a lawsuit filed by the Electronic Frontier Foundation against AT&T, alleging collaboration with the NSA in a massive and illegal surveillance program that violated privacy.
-http://www.wired.com/news/technology/1,71432-0.html
-http://www.washingtonpost.com/wp-dyn/content/article/2006/07/20/AR2006072001792_pf.html
-http://www.nytimes.com/2006/07/21/washington/21data.html?pagewanted=print
ARRESTS, CHARGES & CONVICTIONS
Microsoft Keelhauls 26 Pirates (July 18 2006)
After purchasing software from 26 vendors and determining that the software was not authentic, Microsoft filed lawsuits against each of the companies that allegedly pirated software or installed unlicensed software on computers they sold. BSA (Business Software Alliance), an organization that is heavily funded by Microsoft, earmarked $200,000 for awards to people who provide tips that lead to prosecution of software pirates.
-http://www.internetnews.com/bus-news/article.php/3620786
-http://news.zdnet.co.uk/business/legal/0,39020651,39279112,00.htm
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Metasploit Creator Releases Malware Search Engine (July 18)
A new malware search engine uses Google to enable searchers to find live malicious code on the Internet. A web interface allows the user to type in the name of a virus or Trojan. The search engine will then find Google-indexed copies of code for that virus or Trojan. H.D. Moore posted the source code in three segments: the Malware Signature Generator; the Malware Google API Signature Search; and the Malware Downloader.
-http://www.eweek.com/article2/0,1895,1990158,00.asp
-http://www.internetnews.com/security/article.php/3620831
Microsoft to Plug Actively Exploited PowerPoint Hole - Next Month (July 17 2008)
One day after announcing the July patches that fixed 18 Microsoft security flaws, Microsoft told its users about a flaw in PowerPoint that is being exploited now in targeted cyberattacks. The flaw allows an attacker to gain complete control over a vulnerable PC if its user opens a malicious file. A patch for the PowerPoint vulnerability is due out Aug 8.
-http://news.com.com/Microsoft+to+plug+PowerPoint+hole/2100-1002_3-6095181.html
[Editor's Note (Boeckman): Since most businesses have become dependent on tools like PowerPoint, I would say that making the entire world wait so long for the patch is somewhat irresponsible. ]
Oracle Patches 65 Holes With Security Round (July 18 2006)
Oracle's quarterly patch release included 65 patches for a variety of problems in its database, application server, e-business suite products, and others. Twenty patches are for the E-Business Suite and 10 are for Application Server. Many of the fixes focus on Oracle Net, the Oracle networking protocol that has become a target for hackers and security researchers in recent months.
-http://www.infoworld.com/article/06/07/18/HNoracle65bugs_1.html
-http://www.theregister.co.uk/2006/07/19/oracle_security_update/
Vulnerability Found In D-Link Routers (July 18 2006)
Home and office networks that run D-Link routers may be compromised by attackers who send excessively long MSearch strings. The buffer overflow flaw affects the Local Area Network (LAN) interface of several of D-Link's consumer-grade routers and could allow an attacker to execute arbitrary code and potentially compromise entire networks. Patches are available (but may still be in beta - or test - status).
-http://www.informationweek.com/story/showArticle.jhtml?articleID=190500683
[Editor's Note (Tan): This is indeed critical. The initial exploit would disable the admin password and enable remote configuration to take over the router. After taking over the router, the attacker could modify the firmware to monitor traffic and inject hostile executable code when the user is downloading any executable.
-http://www.eeye.com/html/research/advisories/AD20060714.html
-http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Jack.pdf]
Vishing - Criminals Exploit VOIP Phone Calls (July 18 2006)
Criminals are sending emails asking people to call an 800 number where their personal information is taken through touch-tone dialing. The technique has been dubbed "Vishing" because it combines email requests with VOIP phone services that can appear to be in any city, regardless of where the criminals are located. Another scam uses only telephones - bulk dialing, warning of fraudulent credit card use, and then requesting credit card and security code information. Again, the effectiveness of the attack relies on the VOIP capability allowing the call to appear to come from any city.
-http://news.bbc.co.uk/2/hi/technology/5187518.stm
[Editor's Note (Northcutt): While it is certainly true that just about anyone can sign up for a VOIP account like Skype and that it is possible to spoof caller ID, this is not a technology-based scam; this is a lack-of-awareness scam. If someone calls you, or leaves you a number to call them, that is not a good reason to give them your personal details about your credit card and bank account. Further, if your bank issued your credit card they certainly already know the security code on the back of the card. This would make a good awareness Tip of the Day: If anyone ever contacts you about your credit card, thank them, hang up, and call the number on the back of your credit card. ]
COMPROMISES & BREACHES
Unsecured E-Mail Sparks Dispute Among Australian Doctors (July 18 2006)
A Melbourne hospital is sending out sensitive health information as unencrypted e-mail, following a decision by the hospital that the benefits of rapid communication outweigh the risks to patient confidentiality. Some doctors are complaining, but other doctors find encrypted e-mail too difficult to use.
-http://australianit.news.com.au/articles/0,7204,19822430%5E15306%5E%5Enbv%5E,00.html
[Editor's Note (Schultz): Encryption is indeed a double-edged sword. Its value in protecting sensitive information from unauthorized disclosure is indisputable, but encryption programs are too often user-hostile, and key management is frequently grossly inadequate.
(Honan): Ah yes, the old "security makes things harder so let's ignore it" argument. Just because something is difficult does not mean it should not be done. How much harder will things be for the hospital, not to mention the patients concerned, if sensitive patient data becomes exposed as a result of doing things the easy way? ]
STATISTICS, STUDIES & SURVEYS
Eighty Percent Of New Malware Defeats Antivirus (July 19 2006)
The Australian Computer Emergency Response Team (AusCERT) recently reported that popular desktop antivirus applications miss 80% of new viruses and malware. AusCERT general manager Graham Ingram said that most PCs are protected by "a piece of software that is not working."
-http://zdnet.com.au/news/security/soa/Eighty_percent_of_new_malware_defeats_antivirus/0,2000061744,39263949,00.htm
[Editor's Note (Northcutt): To be sure, there are significant problems facing the antivirus/antispyware companies. However, I expect the experts will start weighing in over the next few days and we will find 80% was a stretch; otherwise, all of our computers would be defunct by now. Here are two links to consider. The first one is Spycar. Early results from this test suite showed significant problems with anti-spyware software, but the vendors are improving rapidly; that is why tools like this are so valuable. The second is a bit of an older story, but I think it adds balance to the discussion. Enjoy:
-http://www.spycar.org/Welcome%20to%20Spycar.html
-http://www.informationweek.com/story/showArticle.jhtml?articleID=174907285
(Tan and Grefer): Anti-virus scanners typically rely on signatures to detect malware. Until a piece of malware is reported and a corresponding virus signature is created, it will remain undetected. Using a custom or new packing method can also evade signature-based anti-virus scanners. Although heuristic scanning is available, it cannot be configured, in most cases, to find new malware while avoiding false alarms. The high failure rate could also mean that attacks are now more targeted. Attacker intent has shifted away from fame and toward making money. Virus writers have been careful to create malware that will not attract attention. ]
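The Tan and Grefer note above makes two claims that are easy to see in code: an exact-match signature misses a repacked copy of the same sample, and an entropy-style heuristic that does catch the packed copy also fires on harmless compressed data. The script below is an added example written for this page, not code from SANS, AusCERT or any anti-virus vendor. Everything in it is constructed: a generated pseudo-text stands in for the readable strings of a program, a marker string stands in for the bytes a signature author would select, a zlib-plus-XOR wrapper stands in for a packer, and the 6.5-bit entropy threshold is an assumed value chosen for the demonstration.

```python
import math
import random
import zlib

# --- Constructed sample data (no real malware involved) -------------------------
# A small vocabulary generates text that stands in for the strings found inside a
# program; MARKER plays the role of the bytes a signature author would pick after
# analysing a reported sample.
VOCAB = ("alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo "
         "lima mike november oscar papa quebec romeo sierra tango uniform "
         "victor whiskey xray yankee zulu").split()
MARKER = b"CONSTRUCTED_MALWARE_MARKER_v1"


def generate_text(seed: int, words: int = 1500) -> bytes:
    """Deterministic pseudo-text of the given number of words (constructed input)."""
    rng = random.Random(seed)
    return " ".join(rng.choice(VOCAB) for _ in range(words)).encode()


SAMPLE_MALWARE = b"MZ" + generate_text(seed=1) + MARKER + generate_text(seed=2)
BENIGN_DOCUMENT = generate_text(seed=3)

# Signature database: exact byte patterns, as the note describes. Real engines use
# richer signatures, but they still match specific bytes of a known sample.
SIGNATURES = {"Constructed.Sample.A": MARKER}


def signature_scan(data: bytes):
    """Return the name of the first matching signature, or None if nothing matches."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


# --- Toy packer (stand-in for a "custom or new packing method") -------------------
# A real packer wraps compressed or encrypted code behind a decompression stub; here
# the stub is a 5-byte header and the body is zlib-compressed, then XOR-masked.
STUB = b"STUB"


def toy_pack(data: bytes, key: int = 0x5A) -> bytes:
    body = zlib.compress(data)
    return STUB + bytes([key]) + bytes(b ^ key for b in body)


def toy_unpack(packed: bytes) -> bytes:
    key = packed[len(STUB)]
    body = bytes(b ^ key for b in packed[len(STUB) + 1:])
    return zlib.decompress(body)


# --- Heuristic: byte entropy ----------------------------------------------------------
def shannon_entropy(data: bytes) -> float:
    """Bits per byte (maximum 8.0). Compressed or encrypted data sits near the top."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def heuristic_scan(data: bytes, threshold: float = 6.5) -> bool:
    """Flag anything whose bytes look compressed or encrypted.

    The threshold is an assumed value for this example: lowering it catches more
    packed samples and more legitimate compressed files alike.
    """
    return shannon_entropy(data) > threshold


def demo() -> dict:
    """Run both scanners over the original, the packed copy and a benign document."""
    packed = toy_pack(SAMPLE_MALWARE)
    compressed_doc = zlib.compress(BENIGN_DOCUMENT)  # an ordinary zipped file
    return {
        "signature_hits_original": signature_scan(SAMPLE_MALWARE),
        "signature_hits_packed": signature_scan(packed),
        "unpack_restores_original": toy_unpack(packed) == SAMPLE_MALWARE,
        "heuristic_flags_packed": heuristic_scan(packed),
        "heuristic_flags_benign_plain": heuristic_scan(BENIGN_DOCUMENT),
        "heuristic_flags_benign_compressed": heuristic_scan(compressed_doc),
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

Run it directly to print the six outcomes. The signature names the original sample and returns None for the packed copy even though unpacking restores the identical bytes, which is the "custom packing method" problem in the note. The last two results show the trade-off the note describes: the entropy heuristic that catches the packed sample also fires on an ordinary compressed document, and raising the threshold to silence that alarm lets more packed samples through.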
MISCELLANEOUS
Vulnerability Auctions Killing Responsible Disclosure (July 19 2006)
Selling vulnerability research to the highest bidder instead of disclosing it responsibly to the affected vendor is a rising trend. Observers believe that more researchers will sell their research as demand and pay rates increase. One person asked rhetorically, "If I have a choice between a nice mention from Microsoft for responsible disclosure, or paying off my mortgage, which one do I choose?"
-http://zdnet.com.au/news/security/soa/Vulnerability_auctions_killing_responsible_disclosure/0,2000061744,39263952,00.htm
[Editor's Note (Northcutt): This has been going on for a very long time of course, but what is changing is that it is getting more organized and more visible. And it isn't just hackers; security companies are also bidding for these vulnerabilities. Here are a couple of interesting links, including a blog from 2005 and a story about an auction on eBay that was shut down:
-http://www.zerodayinitiative.com/
-http://www.securityfocus.com/news/11363
-http://www.matasano.com/log/2005/12/phreakonomics.html
(Schultz): The trend of vulnerability information being for sale to the highest bidder will only get worse over time. Trying to suppress the public disclosure of new vulnerabilities through various methods has not proven very successful, and money is a powerful motivator. The only real solution is for vendors to eliminate bugs in their products in the first place through use of systematic software development methodologies. ]
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/