Gartner Study: Security Spending Tops List of Priorities (14 January 2005)
A Gartner survey of more than 1,300 CIOs worldwide found that IT budgets are expected to increase 2.5% this year; security enhancement tools topped the list of technology priorities. -http://www.techweb.com/wire/ebiz/57701452 [Editor's Note (Pescatore): Just so we all don't get cocky ("Security's number one, security's number one!"), to CIOs "security enhancement" means increases in effectiveness *and* efficiency - stop more new threats before they cause damage but spend less on stopping the old threats. If overall IT spending only goes up 2.5%, security spending will not continue to increase at 15% per year - efficiency increases are badly needed. (Schmidt): Another sign that security is being "baked" into the core IT functions. ]
Former Teledata Employee Gets 14 Years for Identity Theft (11 January 2005)
A New York judge has sentenced former Teledata employee Philip Cummings to 14 years in prison for identity theft. Mr. Cummings used his position as a Teledata helpdesk employee to steal customers' credit reports, which he sold to other criminals. Mr. Cummings will also have to pay compensation, the amount of which has not yet been determined, though losses associated with the theft are estimated to be as much as US$100 million. Several accomplices in the crime are still on trial. -http://news.bbc.co.uk/2/hi/americas/4163237.stm [Editor's Note (Northcutt): If you are looking for a case study on how much damage one malicious insider in a fairly low position can do, read the complaint. This case is a black eye for Teledata, Experian, Ford Motor Credit and it even hints that Nigerian 419 scams are more effective than most of us might guess. -http://news.findlaw.com/cnn/docs/crim/uscummings112202cmp.pdf]
DHS and Justice Dept. Plan Annual Computer Security Survey (13 January 2005)
Homeland Security and Justice Department officials plan to conduct an annual Computer Security Survey to assess the type and frequency of cyber security incidents. The departments plan to survey 36,000 companies across the country this spring. The data collected could help in the development of policy and resource allocation both for the government and for the private sector. The survey is being reviewed by a number of groups, including the FBI and the President's Information Technology Advisory Committee, before it is used. -http://www.fcw.com/fcw/articles/2005/0110/web-survey-01-13-05.asp
FBI Arrests Tsunami eMail Scammer (16 January 2005)
The FBI arrested Matthew Schmieder, who has admitted to sending out 800,000 unsolicited emails designed to look as if they were from a charitable organization collecting funds for the tsunami victims. Mr. Schmieder had established a PayPal account to collect the money, but at the time of his arrest had reportedly received just US$150. He will face a preliminary hearing this week. -http://www.computer-security-news.com/artman/publish/printer_tsunami-scammer-1155.shtml [Editor's Note (Schmidt): Two key points here: 1) the private sector-law enforcement cooperation has proven successful once again, and 2) the education efforts appear to be working, based on his ability to get only $150. (Schneier): This is definitely a small fish; it's disappointing, given the report of over 110 tsunami-related scams, that there's nothing more impressive to report. (Schultz): After attempting to prey on people who wanted to help tsunami victims, Schmieder deserves to have the book thrown at him. ]
SPAM & PHISHING
Judge Grants Injunction Against Spammers (17/11 January 2005)
Texas AG Files Suit Against Prolific Spammers (14/13 January 2005)
The Texas attorney general has filed a lawsuit against two men who allegedly run one of the most prolific spam operations in the world. The federal complaint was filed under the CAN-SPAM Act, which carries fines of up to US$250 per violation; the men named in the suit are also accused of violating two Texas laws that provide for penalties of up to US$20,000 per violation and US$10 per email up to US$25,000 a day. The suit names as defendants University of Texas at Austin student Ryan Samuel Pitylak and Mark Stephen Trotter of California. The pair allegedly sold the personal information garnered from phony mortgage refinance offers and other financial schemes to people for up to US$28 a name. They could face up to US$2 million in fines if they are convicted. -http://www.techweb.com/wire/security/57701213 -http://www.theregister.co.uk/2005/01/14/texas_spam_suit/print.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
iTunes Vulnerability Exploit Code Posted (17/12 January 2005)
A buffer overflow flaw in iTunes 4.x could allow attackers to take control of vulnerable machines. Users are encouraged to update to iTunes version 4.7.1. Proof-of-concept exploit code for the vulnerability has been posted on the Internet; it does not contain a malicious payload. -http://www.securitypipeline.com/57700817 -http://www.vnunet.com/news/1160551
Microsoft Selects External Patch Testers (14/12 January 2005)
Microsoft Denies IE Security Bypass Flaw (14 January 2005)
According to information posted on the Internet by a researcher, a vulnerability in Microsoft Internet Explorer could be remotely exploited to bypass security warnings and download malicious content. There is not yet a patch for the flaw, and as yet, no exploit code to take advantage of it has been detected. The flaw affects IE 6.0.0, including the fixes for IE contained in Windows XP SP2. Microsoft maintains that the claims are false. -http://www.computerworld.com/printthis/2005/0,4814,98969,00.html
FBI Not Using Carnivore, Opts for Commercial Alternatives (14 January 2005)
According to two reports to Congress obtained under the Freedom of Information Act, the FBI did not use the controversial Carnivore surveillance tool, also known as DCS-1000, in either FY2002 or FY2003. The agency instead opted for commercially available tools to conduct surveillance on the Internet on thirteen occasions during that two-year period. -http://www.securityfocus.com/printable/news/10307 [Editor's Note (Grefer): These "documents only enumerate criminal investigations in which the FBI deployed a government-owned surveillance tool, not those in which an ISP used its own equipment," and "Cases involving foreign espionage or international terrorism are also omitted." ]
Man Arrested for T-Mobile Network Breaches (12 January 2005)
In October 2004, Nicolas Jacobsen was charged with breaking into T-Mobile's computer network and accessing names and Social Security numbers belonging to 400 T-Mobile customers. Jacobsen also allegedly was able to access US Secret Service email while he had access to the servers. The Secret Service and the federal prosecutor on the case have both declined to comment. -http://news.com.com/2102-7349_3-5534323.html?tag=st.util.print -http://www.securityfocus.com/printable/news/10271 [Editor's Note (Schneier): There is an important meta-point to this story: the security of much of our data is not under our control. T-Mobile controlled the voice mails and SMSs of its customers. Banks and brokerage firms control the financial data of their customers. ISPs control the contents of their customers' email. The result is that we all have no choice but to trust these companies with our privacy, even though the companies have little incentive to protect that privacy. ]
French Scientist on Trial for French Copyright Code Violation (12/11 January 2005)
NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan