SANS NewsBites - Volume: VI, Issue: 32


Opportunity to share your experiences: Computerworld is looking for a replacement for one of the security managers who write its award winning Security Manager's Journal. If you are a security manager, can write well, and would like to share your experiences with Computerworld's readers, anonymously, send a resume or background information and 1,000-word sample column to secman@computerworld.com. Consultants may also be welcome.

Also, Microsoft just announced its monthly list of vulnerabilities; Outlook and Exchange are affected. http://www.internetweek.com/breakingNews/showArticle.jhtml?articleID=26806893

Alan

*************************************************************************
SANS NewsBites                     August 11, 2004                    Volume: VI, Issue: 32
*************************************************************************
TOP OF THE NEWS

  Windows XP SP2 Released to Manufacturing
  Reverse Engineering of SP2 Reveals Strong Security Approach
  Oracle to Address 34 Flaws
  Information Sharing Breakdown
  Hospitals Defy Patching Restrictions
  FCC Rule: Spammers Need Consent to Send to Wireless Subscriber Messaging Service Domains

THE REST OF THE WEEK'S NEWS

  ARRESTS, CONVICTIONS AND SENTENCES
  Three Plead Guilty in Targeted Wireless Hacking Case
  Romanian Man Indicted on Conspiracy Charges
  COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
  State Attorneys General Letter to P2P Vendors Urges Software Changes, Customer Warnings
  Company That Makes DVD Copying Products Ceases Operations
  HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
  Sensitive Building Data is Readily Available on the Internet
  SPAM & PHISHING
  Pfizer Plans to Sue Spammers and Other False Viagra Advertisers
  APWG Data Shows Steady Increase in Phishing Scams During First Half of Year
  Phishing Scam Exploits Potential Campaign Donors
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
  AIM Buffer Overflow Vulnerability
  Brador.A Trojan Infects PDAs and Other Mobile Devices
  Evaman Variant Mistaken for MyDoom
  Multiple Vulnerabilities in libPNG
  Mozilla Will Pay $500 for Serious Vulnerability Discoveries
  STATISTICS, STUDIES AND SURVEYS
  Managers Blame Employees' Bad Security Habits for Cyber Attacks
  FBI Computer Crime and Security Survey
  MISCELLANEOUS
  Insider Data Theft Prompts Shutdown at Indian R&D Center
  High-Tech Wallpaper Keeps Wireless Wardrivers Out


*************************** Sponsored by NetIQ **************************

FREE audiocast: Join noted information security expert and SANS trainer, Eric Cole, for NetIQ's free audiocast, "10 Ways to More Effectively Secure Active Directory" on August 26th, 12:30pm CST. Get the tips you need to achieve higher levels of security in your day-to-day Active Directory operations. Register now for this informative event.

http://www.ftponline.com/webcasts/netiq/activedirectory/?source=sans

*************************************************************************

Featured Security Training Program: SANS Network Security 2004 Las Vegas, NV September 28 - October 6, 2004

The largest training conference in the world with 16 immersion training tracks and a large security exposition. Great courses for security managers and CISOs, for security experts, for auditors, for forensics scientists, and even for those just starting out. And Las Vegas is a great place to visit in the fall.

Register soon to get a seat at your choice of courses. http://www.sans.org/ns2004

*************************************************************************

TOP OF THE NEWS

Windows XP SP2 Released to Manufacturing (6 August 2004)
Microsoft has released Windows XP Service Pack 2 to manufacturing. XP users are encouraged [by Microsoft] to turn on the Automatic Update feature to get SP2 as soon as possible. The update can also be ordered on CD.
-http://www.computerworld.com/printthis/2004/0,4814,95101,00.html
-http://www.eweek.com/print_article/0,1761,a=133063,00.asp
[Editors' Note (Several): SP2 can be downloaded from
-http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx.
It is huge, about 270 MB. Read the release notes, test it and test it before attempting to roll out to all your systems. ]


Reverse Engineering of SP2 Reveals Strong Security Approach (9 August 2004)
Security company F-Secure has reverse-engineered SP2 and believes the update will do a good job protecting against outbreaks of worms like Sasser, Slammer and Blaster; infections will spread more slowly and it will be more difficult for automated worms to spread on updated systems.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39162970-39020330t-10000003c


Oracle to Address 34 Flaws (3 August 2004)
Oracle plans to release patches to fix 34 vulnerabilities in its database software. The vulnerabilities include buffer overflow and SQL injection flaws; some are easy to exploit while others require a fair amount of technical ability. Next Generation Security (NGS) Software said that while it discovered the vulnerabilities and informed Oracle early this year, Oracle is delaying the release of the fixes until its new patch distribution system is ready for release. The delay has prevented NGS from discussing details of the vulnerabilities with others in the security field.
-http://www.computerworld.com/printthis/2004/0,4814,95013,00.html


FCC Rule: Spammers Need Consent to Send to Wireless Subscriber Messaging Service Domains (5 August 2004)
The Federal Communications Commission (FCC) has issued a new rule requiring mass marketers to obtain express permission from users before sending commercial messages to mobile phones and PDAs. The Commission is also requiring that the Commercial Mobile Radio Service providers compile a list of all pertinent Internet domains that will be used as a do not spam list; the list would not contain individual addresses.
-http://www.washingtonpost.com/ac2/wp-dyn/A41009-2004Aug4?language=printer
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=26806218
[Editor's Note (Tan): I applaud this move and would like to see SMS spam included, as well. ]


Information Sharing Breakdown (9 August 2004)
Some network operators and private researchers are backing off from sharing vulnerability information with public entities. Some government and related agencies are sharing less and less information that they gather, and companies see their vulnerability information as a lucrative commodity.
-http://www.eweek.com/print_article/0,1761,a=133046,00.asp

[Editor's Note (Tan): This is not surprising. First hand information is valuable. What does a company gain by sharing it? How much can the company trust that the information is handled carefully? How does the company know the other parties who see the data will not disclose it further or use it in harmful ways? ]


Hospitals Defy Patching Restrictions (9 August 2004)
Concerned that patient safety could be threatened, hospital staff members are applying Microsoft's patches to various Windows-based devices in defiance of the manufacturers' restrictions. Manufacturers often have a long testing period or are concerned that a patch may impair a device's functionality. Hospital staff are concerned that malware could imperil patient safety and that applying patches is part of HIPAA (the Health Insurance Portability and Accountability Act) compliance. The Food and Drug Administration (FDA) is encouraging hospitals that run into these problems to file complaints in writing, which could result in the manufacturers losing their "government seal of approval."
-http://www.nwfusion.com/news/2004/080904patchfights.html?ts



************************** SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.


(1) Best Practices for Incident Response - Sign up for the
practitioner's guide at
http://www.sans.org/info.php?id=552

(2) ALERT: "How Hackers Launch Blind SQL Injection Attacks" -
New White Paper
http://www.sans.org/info.php?id=553
*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES


Three Plead Guilty in Targeted Wireless Hacking Case (6 August 2004)
Three Michigan men have pleaded guilty to breaking into Lowe's computer network through an unsecured wireless access point. Prosecutors say the three accessed the network while in a Lowe's parking lot, and that they altered software on the network to allow them to collect customer credit card information. Prosecutors will recommend varying sentences for the three men, one of whom was serving the final month of a three-year probation sentence for an earlier cyber intrusion.
-http://www.techweb.com/wire/story/TWB20040806S0003
-http://www.securityfocus.com/printable/news/9281


Romanian Man Indicted on Conspiracy Charges (5 August 2004)
Calin Mateias of Bucharest, Romania, has been indicted on charges he broke into the online ordering system at Ingram Micro and placed more than 2,000 fraudulent orders over the past four years. Five Americans who allegedly abetted Mateias will receive summonses to appear in federal court later this month.
-http://www.msnbc.msn.com/id/5614132/
-http://informationweek.com/shared/printableArticle.jhtml?articleID=26806085
[Editor's Note (Schmidt): This looks like a good case and we need to keep the pressure on and investigate, prosecute and convict as many as we can. Companies reporting crimes, as they did in this case, is a first step in holding the criminal accountable. ]


COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT


State Attorneys General Letter to P2P Vendors Urges Software Changes, Customer Warnings (5 August 2004)
A letter signed by 47 US state and territory attorneys general was sent to peer-to-peer software vendors, urging them to modify their products to prevent illegal file sharing; the letter also encourages the companies to inform customers about the legal and personal dangers of file sharing.
-http://www.infoworld.com/article/04/08/05/Hnagpeer_1.html
-http://www.washingtonpost.com/ac2/wp-dyn/A41012-2004Aug4?language=printer
-http://zdnet.com.com/2102-1104_2-5298413.html?tag=printthis


Company That Makes DVD Copying Products Ceases Operations (4 August 2004)
Bowing to the pressure of pending lawsuits, 321 Studios, maker of a number of DVD copying software products, has decided to stop operations. The lawsuits were brought by movie studios and others alleging violations of certain provisions of the Digital Millennium Copyright Act (DMCA).
-http://www.drmwatch.com/drmtech/print.php/3390801


HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY


Sensitive Building Data is Readily Available on the Internet (6 August 2004)
Sensitive information about the physical security of various companies has been found on their corporate web sites. For example, there are 3-dimensional models of the exterior and some of the interior of Citigroup's Manhattan headquarters; there is also information about the building's structural design flaws. Amit Yoran, director of the Homeland Security Department's National Cyber Security Division, says they may consider publishing best practices guidelines for companies regarding the availability of such information.
-http://computerworld.com/printthis/2004/0,4814,95098,00.html


SPAM & PHISHING


Pfizer Plans to Sue Spammers and Other False Viagra Advertisers (5 August 2004)
Pfizer has announced that it will pursue legal action against spammers and web sites advertising drugs under the name Viagra; Pfizer says it alone is licensed to sell Viagra and that no "generic" brands of the drug exist. Pfizer cites market research which revealed that 25% of men believed the spam advertising Viagra was coming from Pfizer.
-http://www.theregister.co.uk/2004/08/05/pfizer_sues_spammers/print.html


APWG Data Shows Steady Increase in Phishing Scams During First Half of Year (4 August 2004)
Data from the Anti-Phishing Working Group indicates that the incidence of phishing scams increased an average of 50% a month during the first half of 2004. A Websense Inc. analysis of APWG's report found that 25% of phishing sites were on hacked servers and that 94% of the sites allowed attackers to remotely download personal information entered by those who fell prey to the attacks.
-http://www.computerworld.com/printthis/2004/0,4814,95029,00.html
[Editor's Note (Schmidt): Even with an increase in the number of incidents, the missing metric is how many are really successful. Conversations with various groups indicate that people are getting smarter. Even though there may be more scams, fewer people may be falling for the scams. ]


Phishing Scam Exploits Potential Campaign Donors (4/2 August 2004)
A recent phishing scam poses as a site to allow people to contribute to John Kerry's presidential campaign.
-http://www.msnbc.msn.com/id/5581739
-http://www.computerworld.com/printthis/2004/0,4814,95030,00.html


WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES


AIM Buffer Overflow Vulnerability (9 August 2004)
A buffer overflow flaw in the way AOL Instant Messenger (AIM) handles "away" messages could allow attackers to run arbitrary code on vulnerable machines. AOL is recommending that users upgrade to the recently released beta version of AIM. To exploit the vulnerability, attackers must trick users into clicking on a malicious link.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci999090,00.html
-http://www.techweb.com/wire/story/TWB20040809S0015
-http://www.infoworld.com/article/04/08/09/HNaolimflaw_1.html


Brador.A Trojan Infects PDAs and Other Mobile Devices (6/5 August 2004)
The Brador.A Trojan horse program infects PocketPC devices running Windows CE version 4.2 and later, as well as recent versions of Windows Mobile. Unlike its predecessors, Brador carries a malicious payload; it could allow the author to have complete control of infected machines.
-http://www.theregister.co.uk/2004/08/05/pocketpc_trojan/print.html
-http://www.nwfusion.com/news/2004/080904pdavirus.html
-http://www.computerworld.com/printthis/2004/0,4814,95090,00.html


Evaman Variant Mistaken for MyDoom (9/5/4 August 2004)
A variant of the Evaman worm uses Yahoo! People Search to harvest email addresses. When it was first detected, this worm was believed to be a MyDoom variant because an earlier version of that worm had scoured search engines for email addresses.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39155793-2000061744t-10000005c
-http://zdnet.com.com/2102-1105_2-5298040.html?tag=printthis
-http://www.theregister.co.uk/2004/08/04/mydoom_targets_yahoo/print.html


Multiple Vulnerabilities in libPNG (6/4 August 2004)
US-CERT has warned of multiple flaws in the libPNG library, the most serious of which could be exploited to allow attackers to execute arbitrary code on vulnerable systems.
-http://asia.cnet.com/newstech/security/printfriendly.htm?AT=39189335-39001150t-39000005c
-http://www.us-cert.gov/cas/techalerts/TA04-217A.html


Mozilla Will Pay $500 for Serious Vulnerability Discoveries (3/2 August 2004)
The Mozilla Foundation has announced an initiative which will pay users $500 for discovering and reporting vulnerabilities in their open source software. The foundation is soliciting donations from users and supporters to fund the initiative; foundation members will decide who gets the money.
-http://www.computerworld.com/printthis/2004/0,4814,95012,00.html
-http://news.com.com/2102-1002_3-5293659.html?tag=st.util.print
-http://www.theregister.co.uk/2004/08/03/mozilla_bug_bounty/print.html
-http://www.mozilla.org/press/mozilla-2004-08-02.html


STATISTICS, STUDIES AND SURVEYS


Managers Blame Employees' Bad Security Habits for Cyber Attacks (6/5 August 2004)
A study from UK research firm Institute of Directors found that half of senior managers at the 1,200 surveyed companies blamed their employees' lax security habits for cyber attacks their companies have suffered. Included among those bad habits are downloading non-work programs, turning off security programs and opening worm-infested email messages.
-http://www.techweb.com/wire/story/TWB20040806S0004
-http://news.bbc.co.uk/2/hi/technology/3536018.stm
[Editor's Note (Schultz): I am appalled that management is blaming employees for "bad security habits" rather than recognizing that management makes or breaks security. Poor management cognizance of and commitment to security results in a culture in which users have bad security habits. ]


FBI Computer Crime and Security Survey (5 August 2004)
The ninth annual computer crime and security survey from the Computer Security Institute and the FBI found that only 53% of respondents experienced cyber intrusions in the past year, following a steady downward trend that began in 2001. The survey addressed new topics this year, including security audits and the impact of regulations like Sarbanes-Oxley.
-http://www.theregister.co.uk/2004/08/05/fbi_security_stats/print.html


MISCELLANEOUS


Insider Data Theft Prompts Shutdown at Indian R&D Center (5 August 2004)
Jolly Technologies has closed down development at its R&D center in Mumbai, India after an insider allegedly stole source code and confidential design documents. Company representatives are working with local law enforcement agencies in Mumbai to take action against the employee who allegedly stole the information. Development will not resume until more effective safeguards are in place.
-http://www.computerworld.com/printthis/2004/0,4814,95045,00.html


High-Tech Wallpaper Keeps Wireless Wardrivers Out (4 August 2004)
A British defense contractor has developed a wallpaper that can be fine-tuned to block outsiders' access to wireless networks while still allowing mobile phones and emergency services to send and receive signals.
-http://www.newscientist.com/news/print.jsp?id=ns99996240
[Editor's Note (Schmidt): I guess that is one way to do it, but using encryption and security in the wireless access points might be easier and more cost effective. ]


===end===


NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/