SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #50
December 15, 2004
A really full week for news. The first two stories (an FBI interview and a radical's guide to hacking) are both worth your time. They provide hard evidence of the extent and reach of cyber crime.
And a useful SANS drawing for those of you with children (or adults) at home who want iPods. We'll be selecting four folks to win iPods on January 1. Everyone who has registered and paid for SANS Orlando by December 31 is eligible. SANS Orlando is the largest security training program in Orlando and runs from February 3 to 9. Information and
TOP OF THE NEWS
Cyber Attacks Are All About Money: Q&A with FBI's Dave Thomas
The al-Qaeda Terrorist's Guide To Cyber Crime for Profit
CAN-SPAM Has Not Reduced Spam Volume
Judge Throws Out Maryland's Anti-Spam Law
DHS Report Faults Department Cyber Security; Inspector General Ervin Will Not Be Reappointed
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Man Sentenced to 7 Years in Prison for DirecTV Piracy
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Cyber Security Industry Alliance Publishes List of Recommendations
House Subcommittee Urges Assistant Secretary Position for Cyber Security at DHS
Treasury Report Addresses Critical Financial Infrastructure Protection
Intelligence Reform Bill Passes in Congress
SPAM & PHISHING
Digital PhishNet Will Channel Phishing Scam Information to Law Enforcement
Phishing Vulnerability Affects Browsers
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
December Microsoft Security Bulletin Includes Fixes for 5 Flaws
Linux imlib Image Library Flaws
Trojan Horse Program Pretends to be Lycos Anti-Spam Screensaver
No SP5 for Windows 2000
STATISTICS, STUDIES AND SURVEYS
Internet Users Concerned About eCommerce and Banking Security
Security Advice for the Average User
Penn State Urges Students Not to Use Internet Explorer
California Agency to Mail Letters to Citizens Affected by Security Breach
********************** Sponsored by Check Point *************************
Your internal network is vulnerable. Worms, spyware, Trojan horses, and other security threats require proactive solutions built specifically for internal protection. Download this free Internal Security Information Kit which includes fact-filled white papers from META Group and Check Point, a special Flash demo, and much more. Get a wealth of valuable information-free!
Download now. http://www.sans.org/info.php?id=685
Two Featured Training Programs This Week
(1) SANS Orlando, Feb. 3-9, 2005, The Largest Security Training Program in Orlando: Fourteen immersion tracks for sysadmins, security professionals, auditors, people seeking ISC(2) CISSP certification, and a special program for security managers. Come to Orlando when it is cold up north! http://www.sans.org/orlando05
(2) If you cannot get to Orlando, enroll in SANS@HOME Instructor Led training: flexibility, affordability and great information security training without the travel. You learn from the same SANS Certified Instructors you would find at a training conference. Our upcoming sessions are among SANS favorites:
* Hacker Techniques, Exploits & Incident Handling, with Ed Skoudis, Thursdays, January 27 - May 5, 2005 (Hacker Workshop via Virtual Lab May 19) Detail and registration information go to http://www.sans.org/athome/details.php?id=816
* Reverse Engineering Malware, with Lenny Zeltser Wednesdays, February 2- 23, 2005 Meeting time: 7:00 - 9:00 PM, Details and registration information go to http://www.sans.org/athome/details.php?id=823
** To learn more about the SANS@HOME Instructor Led Program, go to http://www.sans.org/athome/about.php
*************************************************************************
TOP OF THE NEWS
Cyber Attacks Are All About Money: Q&A with FBI's Dave Thomas (29 November 2004)
Dave Thomas oversees the FBI's counter-terrorism and criminal computer intrusion investigations. He provides a candid picture of what the FBI is seeing in new types of attacks. He talks about who is committing cyber crimes, where they are coming from geographically and what is being done to prevent the crimes. Cyber criminals are increasingly motivated by financial gain rather than mere notoriety. "It used to be about access, but it's all about money now."
The al-Qaeda Terrorist's Guide To Cyber Crime for Profit
Washington Post foreign correspondent Alan Sipress has uncovered hard evidence that the Bali bomber attempted to use cyber crime to raise money for the attack that killed 202 people. Imam Samudra, the bomber, also wrote an autobiography whose final chapter is a guide to hacking that urges his fellow Muslim radicals to take the holy war into cyberspace by attacking U.S. computers. The chapter then provides instruction on how to get started as a hacker and how to connect with other radical Muslim hackers to build skills and find useful tools.
(This site requires free registration)
CAN-SPAM Has Not Reduced Spam Volume (13 December 2004)
The CAN-SPAM Act, which went into effect nearly one year ago, has had no effect on the amount of spam in people's mailboxes; in fact, spam volume has increased. Part of the reason for its apparent lack of efficacy is that it relies on an opt-out model that is counterproductive. CAN-SPAM has, however, provided a framework to prosecute spammers. The Federal Trade Commission has filed 5 lawsuits under the act, and two states, Massachusetts and Washington, have each filed one suit under the act.
Judge Throws Out Maryland's Anti-Spam Law
A Maryland judge has ruled the state's anti-spam law unconstitutional and tossed out a suit against a New York e-mail marketer, saying the state law seeks to regulate commerce outside Maryland's borders.
DHS Report Faults Department Cyber Security; Inspector General Ervin Will Not Be Reappointed (10 December 2004)
The Department of Homeland Security's annual performance and accountability report, recently released by the department's inspector general, finds that the DHS CIO is not a member of the senior management team; in addition, there is no formal reporting relationship between the CIOs of component organizations and the DHS CIO. Furthermore, the security policies and procedures of component organizations have not yet been brought in line with DHS policies, procedures and practices. The White House has decided not to reappoint DHS IG Clark Kent Ervin, despite his apparent wish to remain on the job. Ervin's office has issued several reports that were highly critical of DHS during his tenure. His was a recess appointment, which means it expires when Congress adjourns. Deputy IG Richard Skinner has assumed acting IG duties.
[Editor's Note (Ranum): Sources I have inside DHS indicate that the situation is much, much worse than it seems on the surface. ]
************************** SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) ALERT - Spam is rising exponentially: Stop the Flood - Free Whitepaper http://www.sans.org/info.php?id=686
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Man Sentenced to 7 Years in Prison for DirecTV Piracy (10 December 2004)
Martin Mullen has received a 7-year prison sentence after pleading guilty to conspiracy to violate anti-piracy laws. Mullen apparently ran an organization that sold smart cards that had been tampered with to allow people to view DirecTV without paying. Mullen was also ordered to pay US$24 million to DirecTV and NDS Ltd., the company that makes the smart cards. Interestingly, NDS engineers are working to crack a memory stick that was seized from Mullen when he was arrested; the assistant US Attorney who prosecuted Mullen says the government gave the memory stick and some other evidence to NDS because the government did not have the facilities to analyze the equipment.
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Cyber Security Industry Alliance Publishes List of Recommendations (7 December 2004)
The Cyber Security Industry Alliance has published a list of 12 recommendations it would like President Bush to consider and undertake in order to improve US cyber security. Among the requests: creating the position of assistant secretary for cyber security at DHS with separate but equal standing to a position for physical security; ratifying the Council of Europe's Convention on Cybercrime; requiring contractors to comply with federal systems requirements; and reducing the time and cost of the Common Criteria certification process. (site requires free registration)
[Editor's Note (Schultz): The Cyber Security Industry Alliance has made extremely reasonable requests. I would especially like to see the US ratify the Council of Europe's Convention on Cybercrime.
(Ranum): It probably doesn't matter how many positions are created if they don't have authority over budget and the ability to centrally coordinate security activities across large parts of the federal government. Because of the separation of powers and bureaucratic self-defense, that will likely never happen. ]
House Subcommittee Urges Assistant Secretary Position for Cyber Security at DHS (6 December 2004)
The House Select Homeland Security Committee's cyber security subcommittee has published a report titled "Cybersecurity for the Homeland." Included in the report is a recommendation to create an assistant secretary position at DHS to address cyber security issues. It also encourages DHS to "establish and maintain a leadership role in cyber security by setting an example for other government agencies, the private sector and academia."
Treasury Report Addresses Critical Financial Infrastructure Protection (7 December 2004)
The US Treasury Department has released a study "that will provide a model for regional financial centers to protect and strengthen their critical financial services infrastructure at the local level." The study is based on a group of financial institutions and government organizations that came together to do just this in the Chicago area.
Improving Business Continuity in the Financial Services Sector: A Model for Starting Regional Coalitions:
Intelligence Reform Bill Passes in Congress (9 December 2004)
While information technology trade groups are pleased with certain elements of the intelligence reform bill recently passed by Congress, they are disappointed that language which would have elevated the position of cyber security director to that of assistant secretary was removed from the bill. The organizations feel that leaving the position as a directorship does not give it enough pull to make effective changes in the nation's cyber security. The groups are happy with other aspects of the bill, including speedier security clearances for vendors and contractors working with intelligence and defense, and the inclusion of Representative Adam Putnam's (R-Fla.) amendment to the Clinger-Cohen Act, which requires federal agencies to take security into consideration at the very earliest stages of capital planning and IT investment decision making.
SPAM & PHISHING
Digital PhishNet Will Channel Phishing Scam Information to Law Enforcement (8 December 2004)
A group of ISPs, technology companies, banks and law enforcement agencies has come together to help in the fight against phishing. Called Digital PhishNet, the group's aim is to gather information about phishing schemes as they occur and expedite the process of getting that information to the appropriate law enforcement agencies.
Phishing Vulnerability Affects Browsers (9/8 December 2004)
A flaw in the way at least five browsers handle pop-up windows makes them vulnerable to phishing attacks. Most browsers do not check whether untrusted sites are allowed to alter the content of pop-up windows opened by other sites. The flaw is known to affect Internet Explorer, Firefox, Opera, Konqueror and Safari.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
December Microsoft Security Bulletin Includes Fixes for 5 Flaws (10/9 December 2004)
Microsoft has announced that its December security bulletin will include fixes for five vulnerabilities. The most severe rating given to any of this month's security updates is "important." Microsoft recently began releasing advance notice of upcoming patches to allow organizations time to plan for their installation. The December updates will be released on Tuesday, 14 December.
Linux imlib Image Library Flaws (9/8 December 2004)
Several Linux vendors, including SuSE and Gentoo, have released patches for a number of flaws found in the imlib image library. The flaws could allow attackers to execute malicious code on unpatched systems.
Trojan Horse Program Pretends to be Lycos Anti-Spam Screensaver (7/4 December 2004)
A keystroke-logging Trojan horse program, known as Mdropper-IT, has been circulating on the Internet in the guise of Lycos Europe's recently publicized anti-spam screensaver. It arrives as an e-mail attachment and steals passwords, usernames, credit card details and other sensitive personal data. Lycos Europe stopped its campaign on December 3, 2004 following criticism that the screensaver's activities were responsible for knocking sites offline.
No SP5 for Windows 2000 (6 December 2004)
Microsoft has decided against releasing SP5 for Windows 2000. Instead, Windows 2000 users will be able to install a security bundle which has not yet been released. The repackaging of the security enhancements could mean that some users will have to download additional updated components.
STATISTICS, STUDIES AND SURVEYS
Internet Users Concerned About eCommerce and Banking Security (6 December 2004)
A survey of 5,000 adult Internet users conducted by Gartner found growing concern about the lack of security on banking and e-commerce web sites. More than 80% of those surveyed said they would be more likely to purchase from sites that require more than usernames and passwords for account protection. Given a choice among additional authentication technologies, respondents favored the simple, such as challenge-and-response features, over the more complex, such as security software downloads and multi-factor authentication like smart cards and USB tokens.
[Editor's Note (Schultz): It's sad to think that people still believe that usernames and passwords are adequate for security.
(Schneier): I have mixed feelings about this. One of the things I like about Internet shopping is how easy it is; I wouldn't want that to change significantly in order to achieve a fractional degree of safety. On the other hand, I approve of single-use credit card numbers. ]
Security Advice for the Average User (9 December 2004)
Bruce Schneier has developed a list of twelve measures that average computer users can take to protect themselves and their machines from Internet threats.
Penn State Urges Students Not to Use Internet Explorer (9 December 2004)
Pennsylvania State University's Information Technology Services department has sent a notice to all students at the school, urging them to switch from Internet Explorer to other, safer browsers. The school recently completed a two-month security awareness campaign encouraging the use of firewalls, anti-virus software and regular installation of operating system updates.
California Agency to Mail Letters to Citizens Affected by Security Breach (7 December 2004)
California's Health and Human Services Agency will mail letters to 1.4 million people whose personal data may have been compromised by cyber intruders. The data had been shared with a researcher at the University of California at Berkeley and was on a computer at the school when attackers exploited a known vulnerability on the machine. The mailing will cost the agency nearly US$700,000. A hotline and web site set up to address the concerns of the people affected by the breach have proven less effective than the agency had hoped, hence the decision to do the mailing.
[Editor's Note (Schultz): This is a great "lesson learned." Many researchers (as well as others) have no idea concerning data security. California desperately needs a new law that would punish individuals who supply personal data to others without reasonable assurance that the data are adequately safeguarded. The same law should also punish those who possess such data but fail to adequately safeguard it. ]
NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/