IT Security in Health Care: Where Are We Now? Take Survey - Enter to Win iPad

SANS NewsBites - Volume: VII, Issue: 3

*************************************************************************
SANS NewsBites                     January 19, 2005                    Volume: VII, Issue: 3
*************************************************************************
TOP OF THE NEWS

  Gartner Study: Security Spending Tops List of Priorities
  Former Teledata Employee Gets 14 Years for Identity Theft
  DHS and Justice Dept. Plan Annual Computer Security Survey

THE REST OF THE WEEK'S NEWS

  ARRESTS, CONVICTIONS AND SENTENCES
   DDoS Suspect Arrested in Scotland
   FBI Arrests Tsunami eMail Scammer
  SPAM & PHISHING
   Judge Grants Injunction Against Spammers
   Texas AG Files Suit Against Prolific Spammers
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
   iTunes Vulnerability Exploit Code Posted
   Microsoft Selects External Patch Testers
   Microsoft Denies IE Security Bypass Flaw
   Google Repairs Gmail Flaw
   Microsoft's January Security Update
   mpg123 Audio Player Flaw
   Lasco.A Infects Symbian-based Phones
  MISCELLANEOUS
   New York ISP Panix Hit With Domain Name Hijacking
   FBI Not Using Carnivore, Opts for Commercial Alternatives
   Man Arrested for T-Mobile Network Breaches
   French Scientist on Trial for French Copyright Code Violation


*************************** Sponsored by NetIQ **************************
Sarbanes-Oxley Whitepaper

Get the best practices you require to maintain proper internal control frameworks as you strive to meet Sarbanes-Oxley requirements with NetIQ's free whitepaper, "Controlling Your Controls: Security Solutions for Sarbanes-Oxley." You'll learn how to dramatically reduce your time and effort spent auditing, reporting on, and controlling essential areas such as policies, file access rights, provisioning and change control.

Download this FREE whitepaper now.
http://www.netiq.com/f/form/form.asp?id=2529&origin=NS_SANS_011905

************* Also Sponsored by SANS Orlando 2005 ***********************
The largest security training conference in Orlando starts in just 16 days. Practical, timely, exciting training programs for every security professional. Fourteen immersion tracks for security practitioners, managers and auditors. Those seeking ISC2 CISSP certification will find the nation's top rated prep course at SANS Orlando, too. Plus seven one and two day short courses. And Orlando is comfortable in February!

Details: http://www.sans.org/orlando05/

*************************************************************************

TOP OF THE NEWS

Gartner Study: Security Spending Tops List of Priorities (14 January 2005)
A Gartner survey of more than 1,300 CIOs worldwide found that IT budgets are expected to increase 2.5% this year; security enhancement tools topped the list of technology priorities.
-http://www.techweb.com/wire/ebiz/57701452
[Editor's Note (Pescatore): Just so we all don't get cocky ("Security's number one, security's number one!), to CIO's "security enhancement" means increases in effectiveness *and* efficiency - stop more new threats before they cause damage but spend less on stopping the old threats. If overall IT spending only goes up 2.5%, security spending will not continue to increase at 15% per year - efficiency increases are badly needed.
(Schmidt): Another sign that Security is being "baked" into the core IT Functions. ]


Former Teledata Employee Gets 14 Years for Identity Theft (11 January 2005)
A New York judge has sentenced former Teledata employee Philip Cummings to 14 years in prison for identity theft. Mr. Cummings used his position as a Teledata helpdesk employee to steal customer's credit reports which he sold to other criminals. Mr. Cummings will also have to pay compensation which has not yet been determined, though losses associated with the theft are estimated to be as much as US$100 million. Several accomplices in the crime are still on trial.
-http://news.bbc.co.uk/2/hi/americas/4163237.stm
[Editor's Note (Northcutt): If you are looking for a case study on how much damage one malicious insider in a fairly low position can do, read the complaint. This case is a black eye for Teledata, Experian, Ford Motor Credit and it even hints Nigerian 419 scams are more effective than most of us might guess.
-http://news.findlaw.com/cnn/docs/crim/uscummings112202cmp.pdf]



DHS and Justice Dept. Plan Annual Computer Security Survey (13 January 2005)
Homeland Security and Justice Department officials plan to conduct an annual Computer Security Survey to assess the type and frequency of cyber security incidents. The departments plan to survey 36,000 companies across the country this spring. The data collected could help in the development of policy and resource allocation both for the government and for the private sector. The survey is being reviewed by a number of groups, including the FBI and the President's Information Technology Advisory Committee, before it is used.
-http://www.fcw.com/fcw/articles/2005/0110/web-survey-01-13-05.asp



************************** SPONSORED LINKS ******************************
Privacy notice: Some sponsored links redirect to non-SANS web pages.

(1) Enable secure remote SSL VPN access: Free Web Security Informational Kit
http://www.sans.org/info.php?id=710

(2) The SANS Reading Room now has the largest collection of original security research papers in the world - more than 1,400 in 71 categories.
http://www.sans.org/rr/ (all free)

(3) Cut months of the process of finding security tools that work with SANS "WhatWorks" interviews and short lists of proven products.
http://www.sans.org/whatworks/ (all free)

*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES


DDoS Suspect Arrested in Scotland (17/14 January 2005)
A Scottish man has been arrested on suspicion of launching distributed denial-of-service (DDoS) attacks by using zombie, or bot networks. The arrest came as a result of Operation Casper, a joint effort between Scottish police and the US Secret Service.
-http://www.theregister.co.uk/2005/01/17/casper_ddos_arrest/print.html
-http://news.bbc.co.uk/2/hi/uk_news/scotland/4175801.stm


FBI Arrests Tsunami eMail Scammer (16 January 2005)
The FBI arrested Matthew Schmieder, who has admitted to sending out 800,000 unsolicited emails designed to look as if they were from a charitable organization collecting funds for the tsunami victims. Mr. Schmieder had established a Paypal account to collect the money, but at the time of his arrest had reportedly received just US$150. He will face a preliminary hearing this week.
-http://www.computer-security-news.com/artman/publish/printer_tsunami-scammer-115
5.shtml

[Editor's Note (Schmidt): Two key points here: 1) the private sector-law enforcement cooperation has proven successful once again, and 2) The education efforts appear to be working based on his ability to get only $150.
(Schneier): This is definitely a small fish; it's disappointing, given the report of over 110 tsunami-related scams, that there's nothing more impressive to report.
(Schultz): After attempting to prey on people who wanted to help tsunami victims, Schmeider deserves to have the book thrown at him. ]


SPAM & PHISHING


Judge Grants Injunction Against Spammers (17/11 January 2005)
US District Court Chief Judge Philip M. Pro has granted the Federal Trade Commission's (FTC's) request for preliminary injunctions against six companies accused of sending adult-themed spam. The companies are enjoined from sending out spam for the duration of the civil suit against them. The FTC alleges that the email sent by these companies did not have either the required "Sexually Explicit" labels in their subject lines or a way of opting out of receiving future email.
-http://www.technologyreview.com/articles/05/01/ap/ap_2011705.asp
-http://www.computerworld.com/printthis/2005/0,4814,98885,00.html


Texas AG Files Suit Against Prolific Spammers (14/13 January 2005)
The Texas attorney general has filed a lawsuit against two men who allegedly run one of the most prolific spam operations in the world. The federal complaint was filed under the CAN-SPAM Act, which carries fines of up to US$250 per violation; the men named in the suit are also accused of violating two Texas laws that provide for penalties of up to US$20,000 per violation and US$10 per email up to US$25,000 a day. The suit names as defendants University of Texas at Austin student Ryan Samuel Pitylak and Mark Stephen Trotter of California. The pair allegedly sold the personal information garnered from phony mortgage refinance offers and other financial schemes to people for up to US$28 a name. They could face up to US$2 million in fines if they are convicted.
-http://www.techweb.com/wire/security/57701213
-http://www.theregister.co.uk/2005/01/14/texas_spam_suit/print.html


WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES


iTunes Vulnerability Exploit Code Posted (17/12 January 2005)
A buffer overflow flaw in iTunes 4.x could allow could allow attackers to take control of vulnerable machines. Users are encouraged to update to iTunes version 4.7.1. Proof-of-concept exploit code for the vulnerability has been posted on the Internet; it does not contain a malicious payload.
-http://www.securitypipeline.com/57700817
-http://www.vnunet.com/news/1160551


Microsoft Selects External Patch Testers (14/12 January 2005)
Microsoft is inviting certain corporate customers and consultants to participate in its Security Update Validation Program; those who agree to participate will be allowed to test Microsoft patches before they are made available to the public. Participants have to sign a nondisclosure agreement and commit "a significant amount of time and effort" to test patch compatibility, stability, reliability in simulated production environments.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39213153-39037064t-39000
005c

-http://www.eweek.com/print_article2/0,2533,a=142578,00.asp


Microsoft Denies IE Security Bypass Flaw (14 January 2005)
According to information posted on the Internet by a researcher, a vulnerability in Microsoft Internet Explorer could be remotely exploited to bypass security warnings and download malicious content. There is not yet a patch for the flaw, and as yet, no exploit code to take advantage of it has been detected. The flaw affects IE 6.0.0, including the fixes for IE contained in Windows XP SP2. Microsoft maintains that the claims are false.
-http://www.computerworld.com/printthis/2005/0,4814,98969,00.html


Google Repairs Gmail Flaw (13 January 2005)
Google has fixed a Gmail vulnerability that allowed users to view others' email message contents. Specifically, an improperly formatted address allows users to query the servers for the message body of the most recently processed HTML-formatted email.
-http://www.infoworld.com/article/05/01/13/HNgmailhole_1.html
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39212973-39037064t-39000
005c



Microsoft's January Security Update (12/11 January 2004)
Microsoft's January security update release contains three patches, two rated critical, one rated important. The critical patches are for vulnerabilities in HTML Help ActiveX control in Windows and for flaws in cursor and icon format handling in most versions of Windows with the exception of Windows XP SP2. The third patch addresses security issues in Windows indexing service.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39212766-39037064t-39000
005c

-http://www.securityfocus.com/printable/news/10268
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1043888,0
0.html

-http://www.microsoft.com/technet/security/bulletin/MS05-001.mspx
-http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx
-http://www.microsoft.com/technet/security/bulletin/ms05-003.mspx
-http://www.us-cert.gov/cas/techalerts/TA05-012A.html
-http://www.us-cert.gov/cas/techalerts/TA05-012B.html


mpg123 Audio Player Flaw (12 January 2005)
A buffer overflow vulnerability in MPEG audio player mpg123 could allow an attacker to run malicious code. Users would have to stream music from a malicious server to be vulnerable to the exploit. A patch for the flaw is not yet available.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39212757-39037064t-39000
005c



Lasco.A Infects Symbian-based Phones (11 January 2005)
New mobile phone malware, dubbed Lasco.A, infects phones running the Symbian operating system in two different ways -- through wireless connections and by attaching itself to files. Lasco.A is the first known phone virus to use multiple vectors of infection. Users are advised to set their phones to hidden Bluetooth mode.
-http://asia.cnet.com/news/personaltech/printfriendly.htm?AT=39212550-39037091t-3
9000004c

-http://www.infoworld.com/article/05/01/11/HNphonevirus_1.html


MISCELLANEOUS


New York ISP Panix Hit With Domain Name Hijacking (17 January 2005)
New York ISP Panix has suffered a domain name hijacking. While Panix has recovered its Panix.com domain, the ISP has warned its customers that those responsible for the hijacking could have captured passwords. Domain ownership had been moved to a company in Australia, while the DNS records had been moved to the UK and mail was being redirected to a Canadian company.
-http://www.theregister.co.uk/2005/01/17/panix_domain_hijack/print.html
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39213487-39037064t-39000
005c

[Editor's Note (Northcutt): This is a fascinating story and the source of more than a little finger pointing. The best countermeasure available to prevent this from happening to your organization is to lock your domain. The best article on domain locking I know of is here:
-http://news.netcraft.com/archives/2004/11/10/netsol_locks_domains_but_others_say
_concerns_are_overblown.html

Finally, as a blast from the past, recall it was Panix, New York's first dial up ISP, that was recipient of the first widely known Syn Flood attack in 1996.
-http://seclists.org/lists/bugtraq/1996/Sep/0026.html]



FBI Not Using Carnivore, Opts for Commercial Alternatives (14 January 2005)
According to two reports to Congress obtained under the Freedom of Information Act, the FBI did not use the controversial Carnivore surveillance tool, also known as DCS-1000, in either FY2002 or FY2003. The Agency instead opted for commercially available tools to conduct surveillance on the Internet on thirteen occasions during that two-year period.
-http://www.securityfocus.com/printable/news/10307
[Editor's Note (Grefer): These "documents only enumerate criminal investigations in which the FBI deployed a government-owned surveillance tool, not those in which an ISP used its own equipment," and "Cases involving foreign espionage or international terrorism are also omitted." ]


Man Arrested for T-Mobile Network Breaches (12 January 2005)
In October 2004, Nicolas Jacobsen was charged with breaking into T-Mobile's computer network and accessing names and Social security numbers belonging to 400 T-Mobile customers. Jacobsen also allegedly was able to access US Secret Service email while he had access to the servers. The Secret Service and the federal prosecutor on the case have both declined to comment.
-http://news.com.com/2102-7349_3-5534323.html?tag=st.util.print
-http://www.securityfocus.com/printable/news/10271
[Editor's Note (Schneier): There is an important meta-point to this story: the security of much of our data is not under our control. T-Mobile controlled the voice mails and SMSs of its customers. Banks and brokerage firms control the financial data of its customers. ISPs control the contents of its customers email. The result is that we all have no choice but to trust these companies with our privacy, even though the companies have little incentive to protect that privacy. ]


French Scientist on Trial for French Copyright Code Violation (12/11 January 2005)
A French scientist is on trial for releasing proof-of-concept code that revealed flaws in Viguard, an anti-virus product. Guillaume Tena is being prosecuted for violating French copyright law. The prosecution is asking for a four-month suspended sentence and a fine of 6,000 euros. Tegam is asking for 900,000 euros in damages.
-http://www.theregister.co.uk/2005/01/12/full_disclosure_french_trial/print.html
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39183601-39020369t-10000022c


===end===

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/