SANS NewsBites - Volume: VII, Issue: 34

*************************************************************************
SANS NewsBites                     August 24, 2005                    Volume: VII, Issue: 34
*************************************************************************
TOP OF THE NEWS

  Energy Policy Act Calls for Creation of Electric Reliability Organization
  Spear Phishers Target Specific Organizations
  Effective Spear Phishing Defense: Positive Social Engineering
  Alleged Illegal File Traders Arrested in Singapore
  Windows Vista Beta Has Peer-to-Peer System That Is On by Default

THE REST OF THE WEEK'S NEWS

  ARRESTS, CONVICTIONS AND SENTENCES
   Data Security Chief Arrested in Cyber Theft Case
   Former AOL Employee Draws 15-Month Prison Sentence for Data Theft
   New Jersey Teen Sentenced for Launching DDoS Attacks
  HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
   Malware Hits US Customs Computer System, Causes Delays
   DHS Internal Security is Still Problematic, According to Audit Report
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
   Workarounds Available for Msdds.dll Flaw
   Adobe Releases Updates for Buffer Overflow Flaw in Reader and Acrobat
   Patch Available for Cpaint Vulnerability; Updated Version Also Released
   Microsoft Updates Malicious Software Removal Tool to Address Zotob Issue
   Variety of Worms Exploiting Windows Vulnerability
   Apple Releases Large Security Update
  ATTACKS, INTRUSIONS & DATA THEFT
   US Air Force Computer System Breached
   Formal Investigation Launched in Call Center Data Sale Case
  STATISTICS, STUDIES & SURVEYS
   Survey Shows Consumers are Concerned About On-Line Security
  MISCELLANEOUS
   Lloyd's to Offer Open-Source Insurance


********************* Sponsored by VanDyke Software *********************

Turn off Telnet and FTP. The new SecureCRT 5.0 terminal emulator gives you the security of SSH in a tabbed multi-session interface. Buy SecureCRT before Sept. 9 and get SecureFX file transfer client free. http://www.vandyke.com/go.php?id=sans0805

*************************************************************************

Security Training Update "SANS is the ultimate security training program. It is the most intensive and informative security training available -- a must have for infosec professionals." (Aaron Despain, TriWest Healthcare)

Scheduled SANS training programs over the next three months in: Boston, New York, Whippany NJ, Baltimore, Virginia Beach, Herndon VA, Orlando, New Orleans, Chicago, Dallas, Los Angeles, San Jose CA, Portland OR; Ottawa, Tokyo, Barcelona, Vancouver, Amsterdam. Details: http://www.sans.org

*************************************************************************

TOP OF THE NEWS

Energy Policy Act Calls for Creation of Electric Reliability Organization (17/11 August 2005)
Among the provisions of the 1,724-page Energy Policy Act signed into law by President George W. Bush on August 8, 2005 is a call for the Federal Energy Regulatory Committee (FERC) to create an electric reliability organization that would develop standards, including cyber security guidelines, for power plants. FERC would be allowed to impose fines for violations of the security standards and must begin certifying the organization within 180 days. The impetus for the creation of the new regulations was a Government Accountability Office report indicating concern that the systems controlling utility infrastructure are vulnerable to attacks. Presently, there are no mandatory requirements for power grid operators, but many voluntarily abide by standards set by the North American Electric Reliability Council (NERC), which is expected to be certified as the official Electric Reliability Organization. NERC pushed for the legislation and is the only group developing reliability standards for utility infrastructure; FERC is expected to adopt NERC's standards.
-http://software.silicon.com/security/0,39024655,39151444,00.htm
-http://www.computerworld.com/printthis/2005/0,4814,103834,00.html
-http://energycommerce.house.gov/108/energy_pdfs_2.htm
-http://www.ferc.gov/legal/maj-ord-reg/fed-sta/ene-pol-act.asp


Spear Phishers Target Specific Organizations (18 August 2005)
In yet another variation on phishing, dubbed "spear phishing," attackers are targeting employees at specific organizations by sending phony email messages that appear to come from top executives within those organizations. The emails try to gather passwords; once the phishers have these, they can install Trojan horse programs and other malicious software on the organization's computers and harvest sensitive information.
-http://www.computerworld.com/printthis/2005/0,4814,104000,00.html
[Editor's Note (Pescatore): Yet another cute name for an old attack, but it does point out that targeted attacks require extension (not replacement) of security processes to detect and prevent.
(Shpantzer): This is an awareness training problem. Having seen the very same email that works on other people, most NewsBites readers would view it with suspicion and not give up the information, at least without a callback or some other verification. This is because we are aware that social engineering exists, whether over the phone or over email. Our awareness influences us to make a different decision/action on the very same observation. ]
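As an added example of the kind of detection process extension Pescatore refers to (not code from the newsletter or from any vendor it mentions), the Python check below flags inbound mail whose From display name matches an executive on a roster but whose mailbox is not that executive's, or whose Reply-To points at a different domain. The roster, company domain and sample messages are constructed for illustration.

```python
"""Flag mail whose From display name impersonates a known executive.

Constructed example: the roster, company domain and sample messages
below are invented for illustration and are not from the newsletter.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # constructed
EXECUTIVES = {                                       # constructed roster
    "Jane Doe": "jane.doe@example.com",
    "John Roe": "john.roe@example.com",
}


def _norm_name(name):
    """Case-fold and collapse whitespace so 'Doe, Jane' ~ 'jane doe'."""
    parts = name.replace(",", " ").split()
    if "," in name and len(parts) == 2:       # "Last, First" -> "First Last"
        parts.reverse()
    return " ".join(parts).casefold()


_EXEC_BY_NAME = {_norm_name(n): a.casefold() for n, a in EXECUTIVES.items()}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].casefold() if "@" in addr else ""


def check_headers(from_header, reply_to=None):
    """Return a list of finding tags for one message's From/Reply-To."""
    findings = []
    name, addr = parseaddr(from_header or "")
    addr = addr.casefold()
    expected = _EXEC_BY_NAME.get(_norm_name(name))
    if expected and addr != expected:
        # Display name is an executive's, but the mailbox is not theirs.
        findings.append("exec-name-address-mismatch")
        if _domain(addr) != COMPANY_DOMAIN:
            findings.append("exec-name-external-domain")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if rt_addr and _domain(rt_addr) != _domain(addr):
            # Replies (and any password "confirmation") go somewhere else.
            findings.append("reply-to-domain-differs")
    return findings


def check_message(raw):
    """Parse a raw RFC 822 message and check its headers."""
    msg = message_from_string(raw)
    return check_headers(msg.get("From"), msg.get("Reply-To"))


SAMPLE_MESSAGES = [  # constructed
    'From: "Jane Doe" <jane.doe@example.com>\n'
    'To: staff@example.com\nSubject: Q3 numbers\n\nAttached.\n',
    'From: Jane Doe <jane.doe.ceo@webmail.example.net>\n'
    'Reply-To: <jane.doe.ceo@webmail.example.net>\n'
    'To: staff@example.com\nSubject: need your password today\n\n...\n',
    'From: "Roe, John" <john.roe@example.com>\n'
    'Reply-To: John Roe <it-desk@example.org>\n'
    'To: staff@example.com\nSubject: re: login\n\n...\n',
]
```

A gateway rule built on this still needs the callback or out-of-band verification Shpantzer describes, since a legitimate executive mailing from a personal account will also trip it.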


Effective Spear Phishing Defense: Positive Social Engineering
Although there is no technological defense against spear phishing, New York State has discovered an alternative means of defending against those targeted attacks: positive social engineering. New York sent "safe" phishing emails to 10,000 employees and told them more would be coming. When the second one arrived the number of people who fell for the scam fell by 50%.
-http://www.computerworld.com/securitytopics/security/story/0,10801,104087,00.html



Alleged Illegal File Traders Arrested in Singapore (19/18 August 2005)
Police in Singapore have arrested three people who allegedly distributed more than 20,000 MP3 music files in Internet chat rooms. The people have not yet been charged; they could face sentences of up to five years and fines of up to 100,000 Singapore dollars (approximately US$60,000).
-http://www.todayonline.com/articles/67509.asp
-http://today.reuters.co.uk/news/newsArticle.aspx?type=internetNews&storyID=2005-08-18T080728Z_01_YUE829220_RTRIDST_0_OUKIN-UK-SINGAPORE-INTERNET-PIRACY.XML



Windows Vista Beta Has Peer-to-Peer System That Is On by Default (19/18 August 2005)
Windows Vista beta testers have found a flaw which turned out to be a peer-to-peer networking feature that is turned on by default; the tool connects to other beta machines as soon as an Internet connection is established. The vulnerability came to light when beta testers noticed unusually high levels of network traffic. The technology is a new version of Microsoft's Peer Name Resolution Protocol and was envisioned to enable users to make connections between Windows machines without a central server. A Windows project manager says Microsoft does not intend for the tool to be on by default when the product ships in late 2006. An earlier version of PNRP was included with Windows XP SP1, but was turned off by default. Some have observed that as Vista is a beta release, it should be run only in a test environment.
-http://news.com.com/2102-1002_3-5838647.html?tag=st.util.print
-http://www.theregister.co.uk/2005/08/19/windows_vista_p2p/print.html



********************** Sponsored Links ********************************


1) Latest Hacker Target: Critical Web Applications-
White Paper From SPI Dynamics
http://www.sans.org/info.php?id=851

2) Earn your Master's degree in Information Security from an
NSA-recognized online program.
http://www.sans.org/info.php?id=852


*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES


Data Security Chief Arrested in Cyber Theft Case (19 August 2005)
The data security chief of a financial services firm in Finland and two accomplices were arrested for allegedly trying to steal 200,000 Euros (US$244,000) from the company's on-line bank account. The suspects apparently mistakenly believed that using someone else's unprotected wireless network would make it impossible for them to be tracked down. However, police were able to determine through the MAC address saved in the wireless LAN's ADSL box that the laptop used belonged to the financial services firm.
-http://www.helsinginsanomat.fi/english/article/1101980633083
-http://www.theregister.co.uk/2005/08/19/finnish_wifi_bank_hack/print.html
-http://www.pcadvisor.co.uk/index.cfm?go=news.view&news=4986
[Editor's Note (Pescatore): This is Darwin in action: only the incompetent cyber criminals don't know how to do MAC spoofing. ]


Former AOL Employee Draws 15-Month Prison Sentence for Data Theft (17 August 2005)
Former America Online software engineer Jason Smathers was handed a 15-month prison sentence for stealing 92 million screen names from an AOL database and selling them to a spammer; the spammers used the email addresses to send out 7 billion unsolicited messages. Mr. Smathers pleaded guilty to charges of conspiracy and interstate trafficking of stolen property in February 2005. The judge in the case did not impose a fine, and the amount of restitution Mr. Smathers will pay to AOL has not yet been determined.
-http://www.computerworld.com/printthis/2005/0,4814,103991,00.html
-http://www.wired.com/news/print/0,1294,68557,00.html


New Jersey Teen Sentenced for Launching DDoS Attacks (17/16/13 August 2005)
New Jersey teenager Jasmine Singh has been sentenced to five years in a youth detention center for his role in a series of cyber attacks. The NJ attorney general's office said that Mr. Singh was hired by Jason Arabo to launch distributed denial-of-service (DDoS) attacks against web sites of some of Mr. Arabo's commercial competitors. Last May, Mr. Singh pleaded guilty to using a botnet to attack the web sites; he will also pay US$35,000 in restitution. Charges are pending against Mr. Arabo.
-http://ems.gmnews.com/news/2005/0817/Front_Page/003.html
-http://www.thnt.com/apps/pbcs.dll/article?AID=/20050813/NEWS0102/508130370
-http://www.theregister.co.uk/2005/08/16/teen_hacker/print.html


HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY


Malware Hits US Customs Computer System, Causes Delays (19 August 2005)
A computer virus infiltrated the US Customs system, causing significant delays at 300 ports of entry around the country. The system affected was the Customs and Border Protection system, which is used to process passengers arriving in the country. At some airports, customs officials processed passengers by hand, while other locations used back-up computer systems. The virus caused the system to be down from approximately 6:00 pm until 11:30 pm EDT on Thursday, August 18.
-http://www.mercurynews.com/mld/mercurynews/news/local/states/california/counties/alameda_county/12421003.htm
-http://www.miami.com/mld/miamiherald/12424329.htm
[Editor's Note (Pescatore): Looks like a number of businesses were lulled to sleep since there hasn't been a major Windows worm since Sasser in early 2004. Just because it hasn't rained in a while doesn't mean you can stop patching those leaky roofs.]


DHS Internal Security is Still Problematic, According to Audit Report (19 August 2005)
According to an audit conducted by KPMG, the Department of Homeland Security has not adequately addressed security shortcomings identified earlier. The auditing company focused on DHS' financial reporting and found weaknesses including weak password practices, workstations and servers missing necessary patches and failure to segregate duties involving sensitive data.
-http://www.eweek.com/print_article2/0,1217,a=158436,00.asp


WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES


Workarounds Available for Msdds.dll Flaw (19/18/17 August 2005)
Microsoft is investigating reports that a flaw in the Microsoft DDS Library Shape Control COM object (Msdds.dll) could be exploited to allow remote code execution. A warning from US-CERT indicates that exploit code for the vulnerability is already available on the Internet, but Microsoft says it is not aware of any attacks. There is no patch presently available, but Microsoft has issued a bulletin suggesting workarounds. A "killbit" temporary workaround is also available, but users need to be aware that once it "is set to prevent the use of Msdds.dll as an ActiveX, all applications that use the Com object utility will break." Msdds.dll ships with Microsoft Office 2002 and Microsoft Visual Studio .Net 2002.
-http://www.theregister.co.uk/2005/08/19/0day_ie_exploit_fears/print.html
-http://www.eweek.com/print_article2/0,1217,a=158469,00.asp
-http://www.computerworld.com/printthis/2005/0,4814,104019,00.html
-http://news.com.com/2102-1002_3-5837611.html?tag=st.util.print
-http://www.microsoft.com/technet/security/advisory/906267.mspx


Adobe Releases Updates for Buffer Overflow Flaw in Reader and Acrobat (18/17 August 2005)
Adobe has issued a security advisory warning of a critical buffer overflow vulnerability in Adobe Reader and Acrobat. The flaw could be exploited with a maliciously crafted PDF file to crash the application, possibly execute code and obtain control of the vulnerable machine. The flaw affects Reader and Acrobat versions 5.1, 6.0 to 6.0.3 and 7.0 to 7.0.2. Adobe has posted new versions of Acrobat and Reader on its web site.
-http://www.techweb.com/wire/security/169400203
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4233
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39249463-39000005c
-http://www.adobe.com/support/techdocs/321644.html


Patch Available for Cpaint Vulnerability; Updated Version Also Released (19/18 August 2005)
A flaw in the Cpaint application development tool could allow attackers to execute malicious code on vulnerable servers. All versions of Cpaint are affected. The Cpaint project initially issued a workaround for the vulnerability; on Monday, August 19, the project released version 2.0.0 of Cpaint in which the vulnerability is fixed. The flaw is likely to be present in other tool kits that use the Asynchronous JavaScript and XML, or AJAX, approach.
-http://www.computerworld.com/printthis/2005/0,4814,104006,00.html
-http://sourceforge.net/forum/forum.php?forum_id=489630
-http://cpaint.sourceforge.net/


Microsoft Updates Malicious Software Removal Tool to Address Zotob Issue (18 August 2005)
Microsoft has released an updated version of its Malicious Software Removal tool that detects and deletes 10 variants of the Zotob worm. This marks the first time Microsoft has released an updated version of the tool outside of its scheduled monthly security updates. Zotob exploits a critical flaw in Microsoft's Plug-and-Play technology.
-http://www.techweb.com/wire/security/169400246


Variety of Worms Exploiting Windows Vulnerability (18/17 August 2005)
Three different worms that exploit the Plug-and-Play vulnerability in Windows 2000 are apparently trying to create bot-nets. The Zotob, IRCbot and Borzoi worms amass infected machines that could be used for attacks in the future; Borzoi appears to remove other worms from the machines it infects. The worms have been spreading widely due to several factors, including the rapid appearance of exploits and infected laptops. While organizations may block port 445 on their firewalls, if employees' laptops become infected elsewhere, when they bring them inside the perimeter and connect them to the network, the worm begins to spread internally. Among the organizations affected by the worms are CNN, the ABC (American Broadcasting Corporation) television network, Visa, American Express and the New York Times.
-http://www.computerworld.com/printthis/2005/0,4814,103981,00.html
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39249213-39000005c
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1116775,00.html
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39207426-2000061744t-10000005c

[Editor's Note (Dhamankar): The time from vulnerability announcement to release of a worm was one of the shortest seen in recent times. Patch announced August 9th (Tuesday); exploit code posted publicly August 11th (Thursday); worm started to hit on August 13th (Saturday). Because the worms spread over 139/tcp or 445/tcp, ports that cannot be firewalled without breaking some functionality in a Windows environment, even a single infected laptop brought inside an enterprise will infect all the other machines. Intrusion prevention systems need to become as ubiquitous as switches and as integral to networks. ]
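The internal-spread scenario above (an infected laptop reaching many peers on 139/tcp or 445/tcp once inside the perimeter) is the kind of fan-out that internal firewall or flow logs can reveal. The Python below is an added example, not code from the newsletter or from any product it names: it parses a constructed log format, counts the distinct hosts each source touches on those ports within a sliding time window, and reports sources that exceed a threshold. The log line format, addresses and sample data are invented for illustration.

```python
"""Spot a host fanning out to many peers on 139/tcp or 445/tcp.

Constructed example, not from the newsletter: one infected laptop on
the LAN shows up as a single source touching many distinct internal
hosts on the Windows file-sharing ports within a short window.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

WORM_PORTS = {139, 445}
LINE_RE = re.compile(                       # constructed log format
    r"(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)")


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]),
            "proto": m["proto"].lower()}


def fanout_by_source(lines, window_s=60):
    """Peak number of distinct 139/445 targets per source in any window."""
    events = [e for e in map(parse_line, lines)
              if e and e["proto"] == "tcp" and e["dport"] in WORM_PORTS]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    peaks = {}
    for src, evs in by_src.items():
        window, start, peak = Counter(), 0, 0
        for e in evs:                      # sliding window over time
            window[e["dst"]] += 1
            while (e["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                old = evs[start]["dst"]    # expire the oldest event
                window[old] -= 1
                if window[old] == 0:
                    del window[old]
                start += 1
            peak = max(peak, len(window))
        peaks[src] = peak
    return peaks


def suspected_worm_hosts(lines, window_s=60, min_targets=20):
    """Sources whose fan-out reaches min_targets; tune for your LAN."""
    peaks = fanout_by_source(lines, window_s)
    return sorted(s for s, n in peaks.items() if n >= min_targets)


# Constructed sample: 10.1.2.3 sweeps a /24 on 445; 10.1.2.9 is normal.
SAMPLE_LOG = [
    f"2005-08-13T09:00:{i:02d} src=10.1.2.3 dst=10.1.4.{i + 1} "
    f"dport=445 proto=tcp action=deny" for i in range(30)
] + [
    f"2005-08-13T09:00:{i:02d} src=10.1.2.9 dst=10.1.0.5 "
    f"dport=445 proto=tcp action=allow" for i in range(0, 30, 5)
] + [
    f"2005-08-13T09:01:{i:02d} src=10.1.2.9 dst=10.1.5.{i + 1} "
    f"dport=80 proto=tcp action=allow" for i in range(25)
]
```

Normal file-server traffic goes to a handful of servers, so a workstation reaching dozens of distinct hosts on these ports in a minute is the signal; the threshold should be set from a baseline of the LAN's own logs.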


Apple Releases Large Security Update (17/16 August 2005)
Apple has released a security update for OS X that addresses 44 flaws. Some of the vulnerabilities for AppKit and Safari are considered critical. Buffer overflow vulnerabilities in AppKit could be exploited to execute arbitrary code on unpatched systems. Flaws in Safari could be exploited to allow attackers to bypass security checks to execute arbitrary commands; users would have to click on malicious rich text format files for this to happen. In addition, a buffer overflow flaw in Apple's Server Manager D could allow remote code execution without user interaction.
-http://news.zdnet.com/2102-1009_22-5834873.html?tag=printthis
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4222
-http://www.us-cert.gov/cas/techalerts/TA05-229A.html
-http://docs.info.apple.com/article.html?artnum=302163


ATTACKS, INTRUSIONS & DATA THEFT


US Air Force Computer System Breached (19 August 2005)
An attacker breached security at a US Air Force computer system, potentially exposing personal information belonging to more than 33,000 officers. Whoever broke into the Assignment Management System used a valid user ID and password. The information compromised includes birth dates, Social Security numbers and career data. A spokeswoman for the Air Force Personnel Center says there is no evidence the information has been used for identity theft. The Air Force has notified those whose data were affected by the breach.
-http://www.computerworld.com/printthis/2005/0,4814,104080,00.html
-http://www.theregister.co.uk/2005/08/22/air_force_privacy_breach/print.html


Formal Investigation Launched in Call Center Data Sale Case (18/17 August 2005)
Following allegations on the Australian Broadcasting Corporation's "Four Corners" television program last week that outsourced call center customer data were being offered for sale, the Australian federal privacy commissioner has launched a formal investigation into possible violations of the country's Privacy Act. In addition, India's National Association of Software and Service Companies (NASSCOM) has asked ABC for details of its investigation in order that the matter be reported to Indian law enforcement officials. NASSCOM says it will work with officials in both countries to help catch those responsible for the data leak.
-http://www.computerworld.com/printthis/2005/0,4814,103999,00.html
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39249224-39000005c


STATISTICS, STUDIES & SURVEYS


Survey Shows Consumers are Concerned About On-Line Security (19/18 August 2005)
On-line shoppers would do more business on the Internet if banks and e-commerce sites provided stronger authentication tools, according to a survey from RSA Security. Half of the people surveyed said they would take their business to organizations whose sites offered the best authentication processes for on-line transactions. More than two-thirds of those who responded said that they would do more business on-line if they had hardware authentication devices.
-http://networks.silicon.com/webwatch/0,39024667,39151552,00.htm
-http://www.internetnews.com/security/article.php/3528551
[Editor's Note (Ranum): This seems to be a rather self-serving "survey." Today's online economy is gigantic - without the use of RSA's products (oh, excuse me, "hardware authentication devices"). Implying that lack of security is holding the online economy back is patently silly. ]


MISCELLANEOUS


Lloyd's to Offer Open-Source Insurance (16 August 2005)
Lloyd's of London may soon be offering insurance, available through brokers, to protect users of "open-source software against claims of intellectual property infringement." The insurance will cover the open-source LAMP stack: the Linux operating system, Apache Web server, MySQL database and Perl, PHP and Python scripting languages. Other products may be added at a later date. While some vendors offer indemnification for their own Linux distributions, this insurance will be vendor-neutral, though it might not cover distribution-specific packages.
-http://www.zdnet.com.au/news/software/print.htm?TYPE=story&AT=39207063-2000061733t-10000002c
-http://www.computerweekly.com/Articles/Article.aspx?liArticleID=211374&PrinterFriendly=true



===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan
Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier,
Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/