SANS NewsBites - Volume: VIII, Issue: 6


If your employer is subject to the PCI standard for protecting credit
card information *and* subject to any other information security
requirements (GLB, HIPAA, SOX, state law on disclosure) and you know
something about the PCI, please join the new SANS/CIS standards project
to correct the five fatal flaws in the PCI and expand it to cover other
personally identifiable information. We now have 23 large organizations
on the team and are hoping for 100. Email info@sans.org with subject PCI
and include information about your experience with the PCI and what
other standards apply to your organization.

*************************************************************************
SANS NewsBites                     January 20, 2006                    Volume: VIII, Issue: 6
*************************************************************************
TOP OF THE NEWS

  Cingular Obtains TRO Against Companies Selling Private Cell Phone Records
  Emerging Threats Seen in Linux, Mac OS X, iPod

THE REST OF THE WEEK'S NEWS

  ARRESTS, CONVICTIONS AND SENTENCES
   Former Medical Office Manager Indicted for Patient Record Theft
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
   F-Secure Has Fixes Available for DoS and Code Execution Flaws
   Patches Available for Backup Software Holes
   Visual Basic Worm Spreading
   Windows XP SP3 Due Out in Second Half of 2007
   Cisco Issues Two Fixes
   Oracle's Quarterly Security Update
   Buffer Overflow Flaw in AOL's You've Got Pictures Tool
  ATTACKS & INTRUSIONS & DATA THEFT
   MillionDollarHomepage.com Targeted by Cyber Extortionists
   Privacy Rights Clearinghouse List of Data Security Breaches
  MISCELLANEOUS
   Internet Explorer 7 Will Have History Delete Feature


********************** Sponsored by BigFix, Inc. ************************

WEBCAST AND RESEARCH NOTE: "MINIMIZING RISK" Join BIGFIX, and GARTNER guest speaker, Mark Nicolett, for "Minimizing Risk with Vulnerability and Security Configuration Management". Presentations and a customer CASE STUDY illustrate how the right vulnerability management solution helps BigFix customers worldwide reduce costs, maintain compliance and increase security - without adding expensive infrastructure. RESEARCH NOTE for all attendees!

http://www.sans.org/info.php?id=989

*************************************************************************

Training Opportunities in the Next Five Weeks

SANS 2006 in Orlando (Feb 24 - March 4): 36 tracks of extraordinary training - the best instructors in the world, and a great security tools exposition. Lots of people are bringing their families to Orlando to join them at the end of the program.

Or you can take SANS training anytime, anywhere with the new SANS On Demand. Details on these and other programs: www.sans.org

*************************************************************************


TOP OF THE NEWS

Cingular Obtains TRO Against Companies Selling Private Cell Phone Records (17/16 January 2006)
A federal court in Atlanta has granted Cingular Wireless a temporary restraining order (TRO) against operators of several web sites that provide private cellular phone records for a fee. Cingular says the companies' employees pretend to be cellular phone customers and Cingular employees to gather confidential information from customer service representatives. The information offered for sale includes private phone numbers and call records. In a separate case, online data brokers have used devious means to obtain cell phone records of Verizon Wireless customers, according to court documents filed in a Florida court.
-http://www.usatoday.com/tech/wireless/2006-01-16-cingular-records_x.htm
-http://www.theregister.co.uk/2006/01/17/cingular_sues_over_customer_records/print.html

-http://www.wired.com/news/technology/1,70027-1.html


Emerging Threats Seen in Linux, Mac OS X, iPod (12 January 2006)
At the recent Cyber Crime Conference sponsored by the US Department of Defense, intensive courses offered on Mac OS X, Linux and iPods indicate a growing concern with malicious code running on the operating systems and the threats posed by iPods and similar devices. As the platforms become more widely used, malicious code for them is becoming an emerging threat.
-http://www.eweek.com/print_article2/0,1217,a=169104,00.asp



************************ Sponsored Links: *******************************

Note: These links take you outside the SANS site:

1) Email Security Strategies: What to Plan for in 2006 - Gartner analyst featured in this On Demand webinar beginning January 19th http://www.sans.org/info.php?id=990

2) Free SANS Webcast Next Week - WhatWorks in Penetration Testing: "Improving System Health with Care New England" Wednesday, January 25 at 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=991

3) WhatWorks in Intrusion Prevention: "Eliminating Virus Outbreaks with Sara Lee" a FREE SANS Webcast Tuesday, January 31 at 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=992

*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES


Former Medical Office Manager Indicted for Patient Record Theft (19 January 2006)
Joseph Nathaniel Harris, who formerly worked as the manager of the San Jose (California) Medical Group, has been indicted by a federal grand jury on charges stemming from the theft of computers and DVDs that contained patient records. Harris allegedly broke into the office after resigning his position. If convicted of all charges against him, Harris faces a maximum prison sentence of ten years and a fine of up to US$250,000.
-http://www.eweek.com/print_article2/0,1217,a=169608,00.asp


WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES


F-Secure Has Fixes Available for DoS and Code Execution Flaws (19 January 2006)
F-Secure has warned of several vulnerabilities in its products that could be exploited to cause denial-of-service or execute malicious code. One of the flaws is a boundary error in .zip archive handling that could allow the execution of arbitrary code; a problem with .rar and .zip archive processing scanning functionality could allow malware to escape detection. Attackers could exploit the vulnerabilities with specially crafted archives. The company has fixes available for the flaws.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1160314,00.html


-http://www.zdnet.co.uk/print/?TYPE=story&AT=39248179-39020375t-10000025c
-http://www.f-secure.com/security/fsc-2006-1.shtml


Patches Available for Backup Software Holes (18 January 2006)
Backup software from two different companies is vulnerable to attacks. Patches are available for denial-of-service and hijacking flaws in EMC's NetWorker. Patches are also available for a Veritas NetBackup buffer overflow; exploit code for the flaw has been posted to the Internet.
-http://news.com.com/2102-1002_3-6028515.html?tag=st.util.print
[Editor's Note (Northcutt): Backup software vulnerabilities were number one in the 2005 SANS Top 20 for cross platform issues:
-http://www.sans.org/top20/#c1]

[From the Internet Storm Center (Swa Frantzen): It is interesting to note the spike in scanning for the netbackup software started *after* publication of the exploit
-http://isc.sans.org/diary.php?storyid=1055
Seems to invalidate the claims by the FD adepts that it is used before they publish. (vulnerability and fix were old) ]


Visual Basic Worm Spreading (18 January 2006)
A Visual Basic worm known by several names, including Blackmal.e and MyWife.d, arrives as an attachment and spreads through shared folders. It tries to disable several different security programs. The attachment can be an executable file or a MIME file containing an executable file.
-http://www.informationweek.com/news/showArticle.jhtml?articleID=177101528


Windows XP SP3 Due Out in Second Half of 2007 (18 January 2006)
Microsoft has set a tentative release date of the second half of 2007 for Windows XP Service Pack 3 (SP3) for the professional and home editions. Windows XP SP2 was released in 2004. Microsoft reportedly pushed back the release date for XP SP3 to allow them to concentrate resources on Windows Vista, which is scheduled to be released later this year.
-http://www.zdnetasia.com/news/software/printfriendly.htm?AT=39305800-39000001c
-http://www.theregister.co.uk/2006/01/18/windows_xp_sp3_delay/
-http://www.microsoft.com/windows/lifecycle/servicepacks.mspx


Cisco Issues Two Fixes (19/18 January 2006)
Cisco has issued two security advisories and fixes for flaws in Cisco CallManager. A privilege escalation flaw could be exploited to gain full administrative privileges; the other flaw could be exploited to create a denial-of-service condition.
-http://news.com.com/2102-1002_3-6028417.html?tag=st.util.print
-http://www.vnunet.com/vnunet/news/2148884/cisco-patches-voip-flaws
-http://www.cisco.com/en/US/products/products_security_advisory09186a00805e8a55.shtml

-http://www.cisco.com/en/US/products/products_security_advisory09186a00805e8a5a.shtml

[From the Internet Storm Center (Swa Frantzen): There are three issues, not two:
 - DoS against routers
 - DoS against CallManager
 - privilege escalation by administrative users of the call managers
-http://isc.sans.org/diary.php?storyid=1054]



Oracle's Quarterly Security Update (18 January 2005)
Oracle's quarterly security update includes patches for more than 100 flaws. One of the vulnerabilities allows Oracle database users with basic access privileges to elevate those privileges to those of the database administrator. Oracle's quarterly schedule has met with criticism because some believe it leaves users vulnerable for too long. Oracle has also been criticized for not providing adequate detail about the vulnerabilities addressed. Oracle has also released a tool that allows users to check for default accounts and passwords in an effort to protect users from the Oracle Voyager worm.
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=5183
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39305786-39000005c
[Editor's Note (Schultz): Isn't this the same database product that Larry Ellison only a few years ago declared was "hackerproof?" ]


Buffer Overflow Flaw in AOL's You've Got Pictures Tool (17 January 2006)
A critical buffer overflow flaw in AOL's YGP Picture Finder Tool ActiveX Control (YGPPicFinder.DLL), which is used by AOL's You've Got Pictures, could be exploited to execute arbitrary code or cause a denial-of-service condition. The problem lies in an ActiveX control in the tool and affects several versions of AOL, including AOL 8.0, 8.0+ and 9.0 Classic. An AOL spokesman said the company became aware of the issue in July and pushed out a fix to affected members for a few weeks last fall. Users who did not log in during that period are encouraged to download a newer version of AOL's client suite or apply a hotfix patch.
-http://www.computerworld.com/printthis/2006/0,4814,107824,00.html
-http://www.eweek.com/print_article2/0,1217,a=169374,00.asp
-http://www.kb.cert.org/vuls/id/715730


ATTACKS & INTRUSIONS & DATA THEFT


MillionDollarHomepage.com Targeted by Cyber Extortionists (19/18 January 2006)
MillionDollarHomepage.com, the brainchild of UK student Alex Tew, has been the target of denial-of-service attacks that law enforcement agents have attributed to people in Russia. Tew created the web page to fund his schooling; he sold pixels to advertisers and has made more than US$1 million. Tew wrote in his blog that the alleged attackers made demands for "a substantial amount of money."
-http://www.smh.com.au/news/breaking/russian-hackers-hold-website-to-ransom/2006/01/19/1137553695238.html

[Editor's Note (Pescatore): It is not that hard to get denial of service protection. Trying to put up a $1M web site without doing so is like putting a $1M painting out in your front yard - it really ought to be under a roof.]


Privacy Rights Clearinghouse List of Data Security Breaches (17 January 2006)
The Privacy Rights Clearinghouse has compiled a list of known data security breaches that have occurred since ChoicePoint's data breach acknowledgment on February 15, 2005. The list includes the dates the breaches were reported, the names of the institutions, the types of breach and the number of individuals affected in each breach.
-http://www.privacyrights.org/ar/ChronDataBreaches.htm

[Editor's Note (Schultz): The soon to be released list of known data security breaches is much too long for comfort. The fact that suitable legislation designed to reduce such breaches has not yet been passed in the US only exacerbates concerns about failure to adequately protect personal and financial information.
(Honan): This information could be the most valuable metric to put in front of your senior management when trying to justify budget spend for security measures. It is certainly a strong argument against the "it could never happen to us" mentality. Interestingly, the figures show that of the total 52 million identities that were compromised, 40 million were exposed due to the CardSystems debacle in June. Of the remaining 12 million breaches, approximately 7.25 million were exposed on lost mobile media such as laptops and backup tapes. ]


MISCELLANEOUS


Internet Explorer 7 Will Have History Delete Feature (17 January 2006)
According to Microsoft program manager Uche Enuha, writing in the company's browser blog, Internet Explorer 7 will have a "delete browsing history" feature in the Tools menu that will flush data accumulated while visiting web sites. The feature will remove data, including temporary Internet files, cookies, history, form data and passwords. Users will be able to choose the data they want to delete. A beta version of IE7 is available for Windows XP SP2 and an enhanced beta version is available for Windows Vista beta 1.
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=5171


===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/