*************** Sponsored By Core Security Technologies **************
SANS WEBCAST: WhatWorks for Vulnerability Management, Auditing &
"Improving System Health with Care New England:" Regulatory compliance
coupled with numerous false positives produced by vulnerability
scanners, prompted Care New England to investigate solutions that would
give them a more accurate view of their network security. Learn how they
were able to cost-effectively manage vulnerabilities while improving
overall network security.
SANS Training in San Diego, Munich, London and Washington DC
Turbo charge your security career or the careers of any of your
coworkers this spring in San Diego in early May: a dozen of SANS most
popular courses and a vendor exposition right on the harbor.
http://www.sans.org/security06/
Or in London at the end of June: http://www.sans.org/london06
Or Munich in early April: http://www.sans.org/munich06
Or Washington in July right after July 4 for the biggest SANSFIRE ever:
with all 17 SANS immersion tracks and more than a dozen special courses,
a big exposition, and an inside look at how the Internet's Early Warning
System (Internet Storm Center) actually works. Bring your family for the
national fireworks show.
TOP OF THE NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Twenty-one Arrested in On-Line Cyber Crime Crackdown (29 March 2006)
GAO Report: NIAP Testing and Accreditation Program Problematic (27 March 2006)
A report from the Government Accountability Office (GAO) says that the National Information Assurance Partnership's (NIAP) independent validation and accreditation of IT security products has proven helpful in some areas but also has some serious shortcomings. NIAP is responsible for implementing the Common Criteria Evaluation and Validation Scheme; it provides laboratories with guidelines for conducting the testing. While the program offers agencies guidance on what products they may use, agencies have often found that the products they need are not available. In addition, the number of people qualified to validate products is falling, which means vendors will experience greater lag times in hearing whether or not their products meet the criteria. Finally, NIAP has not implemented any sort of system to measure the program's effectiveness.
-http://www.fcw.com/article92750-03-27-06-Web
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=40218
-http://www.gao.gov/new.items/d06392.pdf
[Editor's Note (Pescatore): GAO could have saved a few dollars and just reprinted the findings of several cybersecurity advisory panels back in 2003 and 2004. The NIST/NSA side has to allocate budget to reinvigorate the development and validation of standard protection profiles. Even more important, they have to require NIAP testing to put way more emphasis on vulnerability testing of the overall software, not just testing of security controls.]
Phishers Take New Tack With Three Florida Banks (29/27 March 2006)
Third-Party Companies Issue Workarounds for IE Flaw (29/28 March 2006)
Two third-party companies have issued temporary workarounds to protect Windows computers running Internet Explorer (IE) from being exploited through the TextRange vulnerability that affects IE 6.0 and IE 5.01. This is not the first time a third-party company has issued a workaround for a vulnerability that Microsoft has not yet patched; a third-party patch for the WMF flaw was released in January. Users can also protect themselves by disabling Active Scripting in IE. Microsoft has not said when it plans to release a fix for the flaw; its next security updates are scheduled for April 11.
Internet Storm Center:
-http://isc.sans.org/diary.php?storyid=1226
-http://www.theregister.co.uk/2006/03/29/ie_patches_released/print.html
-http://www.techworld.com/security/news/index.cfm?NewsID=5666
-http://news.com.com/2102-1002_3-6055051.html?tag=st.util.print
[Editor's Note (Pescatore): My neighbor is a smart guy, and he designs medical machinery. However, I'm pretty sure I won't be using his homegrown remedy for bird flu. I'm also really sure I don't want my kids to think it's OK to accept medicine from anywhere they find it. It is not a good idea for enterprises or consumers to get in the habit of accepting patches to software from anywhere other than the vendor of the software. Use the time you'd spend undoing them to pressure software vendors to reduce the time they spend talking about security and increase the time they spend reducing security vulnerabilities before they ship their products.]
Attackers Lure Users to Malicious Web Site with Real News Story (30 March 2006)
One of the attacks exploiting the IE flaw (described elsewhere in this NewsBites under the title "Third-Party Companies Issue Workarounds") lures computer users to maliciously crafted web sites by enticing them with bits of real BBC news stories and offering a "read more" link. The spoofed site contains the rest of the story but also attempts to download and install a keystroke logger on vulnerable computers with no user interaction.
-http://www.eweek.com/print_article2/0,1217,a=174708,00.asp
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Bank of New Zealand Suspends Cards in Wake of Skimming Attack (30 March 2006)
The Bank of New Zealand (BNZ) has suspended 1,300 credit and debit cards that were used at an automatic teller machine (ATM) where thieves had installed skimming technology. About 700 cards from other banks were also used at the same ATM. According to BNZ, 21 customers reported fraudulent transactions on their accounts totaling NZD$20,000 (US$12,246); two ASB customers have reportedly lost a total of between NZD$3,000 and $5,000 (US$1,836 and $3,062). BNZ and the other banks plan to reimburse their customers for their losses.
-http://www.nzherald.co.nz/section/story.cfm?c_id=5&ObjectID=10375158
Georgia State Pension Database Intruder Exploited Known Flaw (30 March 2006)
A cyber intruder exploited an unpatched, known vulnerability in unnamed software to gain access to a Georgia Technology Authority (GTA) database. The database contained information belonging to more than 570,000 people who invested in the state's pension plans. The intrusion took place in late February. A GTA spokesperson said they were in the process of fixing the flaw when the intruder exploited it. GTA is notifying the 180,000 people for whom it has contact information and hopes media attention and other outreach efforts will alert those for whom it does not.
-http://www.computerworld.com/printthis/2006/0,4814,110094,00.html
Hong Kong Police Complaint Database Leak (29/28 March 2006)
UK Dept. of Trade and Industry Biennial Survey (28 March 2006)
A survey conducted late last year by PricewaterhouseCoopers LLP on behalf of the UK Department of Trade and Industry found that Internet misuse ranks second behind viruses in accounting for security incidents at large companies in the UK. The biennial survey compiled responses from 1,000 UK companies. The proportion of companies of all sizes with acceptable use policies has grown significantly: two years ago, 43 percent of the companies had an acceptable use policy; this year's survey found that figure to be 63 percent. Eighty-nine percent of the large businesses surveyed this year had acceptable use policies in place.
-http://www.techworld.com/security/news/index.cfm?NewsID=5661
[Editor's Note (Honan): While policy development is an important step, it is equally important to ensure the policies are managed, monitored and enforced.
(Pescatore): This is another survey where you have to read beyond the headlines. So, acceptable use policies grew from 43% to 63%? Sounds good, until you read that over the same period misuse of web surfing grew from 8% to 17%. A 50% increase in telling users not to do something and a 100% increase in them doing that same thing occurred over the same period of time. Acceptable use policies are all well and good - use URL blocking if you actually want to stop dangerous, illegal or questionable surfing behavior.]
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit