SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #12
March 23, 2005
TOP OF THE NEWS
Cyber Thieves Thwarted
More University Computer Breaches
US Legislators Take Aim at Data Brokers
State Legislators Introduce Data Theft Customer Notification Bills
New Zealand Banks Block Spyware Infected Customers from Online Access
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Brazilian Police Arrest Alleged Phishing Ringleader
Man Who Spread WebTV 911 Trojan Gets Six Month Sentence
Former IT Manager Gets 5 Months in Prison for Breaking Into Company's System
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
IRS Employees Vulnerable to Social Engineering
Federal Agencies to Face Tougher Security Requirements
Microsoft Security Update Validation Program Allows Air Force to Test Pre-Release Patches
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
McAfee Antivirus Library Vulnerability
Symantec Releases Patch for DNS Cache Poisoning Vulnerability
ATTACKS AND INTRUSIONS
Japanese Foreign Ministry Homepage Attacked
ICANN Blames Melbourne IT for Panix Domain Hijacking
STATISTICS, STUDIES AND SURVEYS
Symantec's Internet Security Threat Report
Computer Stolen from Nevada DMV Contains Motorist Data
NIST Posts Draft Recommendation for CMAC Block Cipher Mode of Authentication - Comments Invited
************** Sponsored by Watchfire Corp. *****************************
"The Twelve Most Common Application-Level Hack Attacks", a Watchfire Whitepaper.
Hackers continued adding billions to the cost of doing business online in the first half of 2004, despite security executives' efforts to prevent malicious attacks. This paper identifies the most common methods of attacks and outlines a guideline for developing secure web applications.
Highlighted Training Program of the Week
SANS FIRE 2005, in Atlanta in June, is SANS' first training program co-sponsored with the Internet Storm Center. Attend any of thirteen immersion tracks and also learn about the Internet's early warning system and how it can tell you which of your employer's computers may have been compromised. Wonderful teachers give you material you can put to work immediately upon returning to the office and present the most current tools and techniques. Details at
What attendees say:
"SANS is the gold standard in network security training, in terms of relevance of material, knowledgeable instructors, and sheer usefulness."
- Steve Keifling, SGI
TOP OF THE NEWS
Cyber Thieves Thwarted (18/17 March 2005)
Police thwarted an attempt by cyber thieves to steal GBP220 million (US$41.7 million) from the London offices of Japanese bank Sumitomo Mitsui. The bank's computer systems were compromised with keystroke loggers in October 2004 and then used in unsuccessful attempts to transfer money to 10 overseas bank accounts. The thieves were stopped before any money was actually transferred. Emerging reports suggest that the attack was carried out with the help of an insider.
More University Computer Breaches (17/16 March 2005)
California State University, Chico has informed more than 59,000 people that the security of their personal information may have been compromised due to an attack on the school's servers. The information included the names and Social Security numbers of current, former and prospective students as well as current and former faculty and staff. Those affected were notified through email and the postal service. The university says it will stop using Social Security numbers as identifiers. A Boston College computer used for fund-raising purposes was broken into, but school officials say no personal data were stolen; they still plan to notify the 120,000 alumni whose information may have been compromised. Boston College spokesman Jack Dunn says the school will no longer use Social Security numbers as identifiers.
US Legislators Take Aim at Data Brokers (16/15 March 2005)
In the wake of the data thefts from ChoicePoint and LexisNexis, US legislators say they are considering placing new, stringent restrictions on data brokers, companies that collect and sell personal information like Social Security numbers. At a House Commerce, Trade and Consumer Protection Subcommittee hearing, ChoicePoint and LexisNexis executives said they had "scaled back the sale of sensitive personal information." Some legislators said companies should not be allowed to sell people's Social Security numbers without permission. At a Senate Banking Committee hearing, ChoicePoint VP Don McGuffey said there had been other security breaches in the past that his company had not made public. Representative Edward Markey (D-Mass.) has already introduced the Information Privacy and Security Act, which asks the Federal Trade Commission to create data protection rules for data brokers.
[Editor's Note (Schultz): A bill of this nature was inevitable because the problem of stolen personal and financial information is getting out of control. I predict that passing legislation that restricts gathering and storing personal and financial information or increases punishments for those who steal this type of information will be a long and arduous road, however. Count on lobbyists for companies that make their living off of gathering, processing and selling this kind of information doing everything they can to stifle legislation of this nature.
(Pescatore): The rest of the world calls this "opt in" - if you want to sell my information, you have to get my permission first. The US needs to move to this model. Add in a uniform breach disclosure law and you have two sensible ways to drive the market to higher levels of security while minimizing the inevitable unintended consequences of legislation trying to address technology. ]
State Legislators Introduce Data Theft Customer Notification Bills (14 March 2005)
Legislators in more than 20 states have already proposed bills aimed at dealing with data theft like that recently experienced by ChoicePoint and LexisNexis. Hastily proposed measures run the risk of being overly broad or narrow, or vaguely worded, impeding effective interpretation.
[Editor's Note (Schultz): Legislation within states may provide critical impetus for getting some kind of federal legislation passed that requires better protection of personal and financial information or puts more restrictions on gathering this kind of information. ]
New Zealand Banks Block Spyware Infected Customers from Online Access (14 March 2005)
Major banks in New Zealand are blocking access to online banking for customers whose computers are infected with a certain brand of spyware. The banks are concerned that Marketscore interferes with secure Internet sessions because the spyware disguises itself as part of a secure session. Marketscore offers free software on its website, but when the software is downloaded, the tracking software is downloaded as well. Marketscore sells the information it collects to advertisers. The company's privacy statement says the software is used to monitor Internet behavior, including secure session activity.
[Editor's Note (Pescatore): This is an increasingly common practice for early adopters in the consumer-facing online commerce field. If your customer is not on a safe platform from which to log in, warn them and don't let them connect. Much more effective for both parties than dealing with all the consequences of compromised accounts. ]
************************** Sponsored Link *******************************
Takes you outside the SANS site
(1) Learn why "Enterprise Network Security Doesn't End with Inline-IPS." Download whitepaper at
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Brazilian Police Arrest Alleged Phishing Ringleader (18 March 2005)
Brazilian federal police have arrested Valdir Paulo de Almeida, the alleged leader of a phishing gang. The group allegedly stole US$37 million from victims' bank accounts with the aid of a Trojan horse program; as many as 3 million Trojan-laden emails a day were sent.
Man Who Spread WebTV 911 Trojan Gets Six Month Sentence (17 March 2005)
David Jeansonne has been sentenced to six months in prison and ordered to pay US$27,100 in restitution to Microsoft for his role in distributing a Trojan horse program to unwitting WebTV subscribers. The program made their computers dial 911, resulting in a number of unnecessary emergency services responses. Jeansonne had pleaded guilty in February to causing a threat to public safety and causing damage to computers; he will also serve six months of home detention as part of a two-year supervised release portion of his sentence.
[Editor's Note (Tan): This form of denial of service attack could have a big impact if it happened during an emergency period. The threat should not be overlooked, especially because VoIP is becoming pervasive. ]
Former IT Manager Gets 5 Months in Prison for Breaking Into Company's System (16 March 2005)
Mark Erfurt, who in August 2004 pleaded guilty to breaking into his former employer's computer system and to obstruction of justice for overwriting backup tapes, was sentenced to five months in prison. Erfurt will also serve five months under home detention and three years of supervised release, in addition to being ordered to pay US$45,000 in restitution. Erfurt had been employed by Manufacturing Electronic Sales Corp. as an IT manager, but after his termination, he broke into the company's computer system, read email, deleted data and downloaded a proprietary database.
[Editor's Note (Shpantzer): The backup tapes weren't what led to the obstruction charges, it was the attempts at removing evidence of his hacking from his Centaur machine. From the DOJ plea agreement announcement: "Mr. Erfurt also admitted to obstructing justice in the FBI's ensuing investigation of these events by deleting data from his new employer's computers in an effort to destroy the evidence of his illegal computer intrusions." ]
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
IRS Employees Vulnerable to Social Engineering (16 March 2005)
Treasury Department inspectors posing as information technology help desk employees addressing a network problem were able to convince 35 IRS employees to reveal their network logon names and change their passwords to one suggested by the callers. The results show a significant improvement from a similar test conducted in 2001, when 71 of 100 IRS employees changed their passwords.
[Editor's Note (Pescatore): Any day of any week you can publish a study that says "Company/Agency X Employees Vulnerable to Social Engineering." Caveperson Og fell for the old Pleistocene Shiny Rock swap scam and today people are still falling for the Nigerian Banking scam. People will be people, and security controls need to assume that and make it harder for them to hurt themselves. ]
Federal Agencies to Face Tougher Security Requirements (16 March 2005)
US federal agencies will face additional requirements when they are graded on next year's security report card. The Federal Information Security Management Act of 2002 requires that agencies categorize their applications and systems according to the impact a major security breach would have on their ability to operate. In addition, agencies will be required to comply with minimum security control standards for federal systems by December 2006; the standards are described in the National Institute of Standards and Technology Special Report 800-53.
Microsoft Security Update Validation Program Allows Air Force to Test Pre-Release Patches (11 March 2005)
As part of Microsoft's Security Update Validation Program, government agencies will receive notice about Microsoft patches a month before they are released to the public. The patches will be released to the Air Force where they will be tested; the Department of Homeland Security will inform agencies of the vulnerabilities and will distribute tested patches after they have been released to the public. Certain business customers are also eligible for the closed beta early access program.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
McAfee Antivirus Library Vulnerability (17 March 2005)
A vulnerability in McAfee's Antivirus library could allow attackers to cause systems to run files instead of simply scanning them for malware. Users are vulnerable only if their software has not been updated through a current subscription and if the most current virus definitions file has not been downloaded.
Original ISS advisory:
Symantec Releases Patch for DNS Cache Poisoning Vulnerability (16/14 March 2005)
Symantec has released a patch for a "high risk" DNS cache poisoning and redirection vulnerability in a number of its gateway security products. Attackers are apparently already exploiting the issue, which was first noted by the SANS Internet Storm Center; the attackers are redirecting traffic from popular domains to sites that try to download spyware onto vulnerable computers. Affected products include the Symantec Gateway Security 5400 Series v2.x, Symantec Gateway Security 5300 Series v1.0, Symantec Enterprise Firewall v7.0.x (Windows and Solaris), Symantec Enterprise Firewall v8.0 (Windows and Solaris) and Symantec VelociRaptor, Model 1100/1200/1300 v1.5.
Original Symantec Advisory
ATTACKS AND INTRUSIONS
Japanese Foreign Ministry Homepage Attacked (17 March 2005)
The Japanese Foreign Ministry homepage was targeted by a denial-of-service attack on March 17. There has been a report that the attack came from South Korea due to a territorial dispute over a small island chain.
ICANN Blames Melbourne IT for Panix Domain Hijacking (17 March 2005)
The Internet Corporation for Assigned Names and Numbers (ICANN) has completed its investigation of the Panix domain name hijacking incident that took place the weekend of January 15-16, 2005 and has placed the blame squarely on the shoulders of domain registrar Melbourne IT. Melbourne IT has admitted that one of its resellers did not follow the proper procedure to seek authorization for a domain transfer request.
STATISTICS, STUDIES AND SURVEYS
Symantec's Internet Security Threat Report (21/16 March 2005)
Malware is increasingly driven by the lure of financial gain, according to Symantec's recently released Internet Security Threat Report. More than half of the worms and viruses sent during the second half of 2004 were designed to steal identities and money from their victims. Also noted in the report is a marked drop off in the number of machines involved in botnet scanning. The largest drop occurred in August 2004, which coincides with the release of Windows XP SP2. During the first six months of 2004, Symantec tracked an average of 30,000 machines daily involved in botnets; the second six months of 2004 saw the number drop to just 5,000. Interestingly, a report from the Honeynet Project says that bots have become "more pervasive" in recent months.
Computer Stolen from Nevada DMV Contains Motorist Data (19/15/11 March 2005)
Thieves broke into a Nevada Department of Motor Vehicles office and stole a computer that contains personal data belonging to more than 8,900 licensed Nevada drivers. The information includes names, birth dates, Social Security numbers, photographs and signatures. The Nevada DMV initially said the data was encrypted, but DMV chief Ginny Lewis said the company that makes the state's digital driver's licenses told her the data was not encrypted. All Nevada DMV licensing stations have been ordered to remove personal information from computers; the department plans to send letters to the people whose data is on the stolen computer. In addition to the computer, the thieves also stole 1,700 blank licenses and the equipment to make licenses. The US Secret Service is investigating.
NIST Posts Draft Recommendation for CMAC Block Cipher Mode of Authentication - Comments Invited
The National Institute of Standards and Technology (NIST) has posted for public comment a new draft of NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: the CMAC Mode of Authentication. This draft document specifies the CMAC algorithm, a cipher-based algorithm for a message authentication code (MAC). Like any MAC algorithm, CMAC is designed to provide assurance of the authenticity of data, and hence its integrity, among parties that share the secret key. CMAC is based on an approved block cipher such as the AES algorithm or TDEA.
NIST will accept public comments on the draft until April 25, 2005; comments may be sent by email to EncryptionModes@nist.gov. A link to a PDF file of the draft is available at
Information about NIST's overall effort to update and develop block cipher modes of operation is available at
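To make the CMAC item concrete, the following Go program is an added example written for this summary; it is not code from NIST or from the draft. It implements the CMAC construction the draft specifies (subkey derivation from the cipher applied to a zero block, with the 0x87 constant and the 10^j padding rule for a partial final block) on top of Go's standard-library AES, and adds a constant-time verify step, which is how a receiver should check a tag. The key and message values in main() are the AES-128 example vectors published with the CMAC specification (also in RFC 4493); the function names AESCMAC and VerifyAESCMAC are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

const blockSize = 16 // AES block size in bytes

// shiftLeftOne returns the 128-bit value in shifted left by one bit
// (big-endian byte order, most significant bit discarded).
func shiftLeftOne(in []byte) []byte {
	out := make([]byte, len(in))
	var carry byte
	for i := len(in) - 1; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	return out
}

// deriveSubkeys follows the SP 800-38B subkey generation:
// L = CIPH_K(0^128); K1 = L<<1, xor 0x87 into the last byte if msb(L) = 1;
// K2 = K1<<1, xor 0x87 into the last byte if msb(K1) = 1.
func deriveSubkeys(block cipher.Block) (k1, k2 []byte) {
	l := make([]byte, blockSize)
	block.Encrypt(l, make([]byte, blockSize))
	k1 = shiftLeftOne(l)
	if l[0]&0x80 != 0 {
		k1[blockSize-1] ^= 0x87
	}
	k2 = shiftLeftOne(k1)
	if k1[0]&0x80 != 0 {
		k2[blockSize-1] ^= 0x87
	}
	return k1, k2
}

// AESCMAC computes the CMAC tag of msg under key (AES-128/192/256 chosen by key length).
func AESCMAC(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	k1, k2 := deriveSubkeys(block)

	// Number of blocks; an empty message is treated as one padded block.
	n := (len(msg) + blockSize - 1) / blockSize
	lastComplete := n > 0 && len(msg)%blockSize == 0
	if n == 0 {
		n = 1
	}

	// Final block: xor with K1 if it is a complete block, otherwise pad with
	// a single 1 bit followed by zeros (10^j) and xor with K2.
	last := make([]byte, blockSize)
	start := (n - 1) * blockSize
	copy(last, msg[start:])
	if lastComplete {
		for i := range last {
			last[i] ^= k1[i]
		}
	} else {
		last[len(msg)-start] = 0x80
		for i := range last {
			last[i] ^= k2[i]
		}
	}

	// CBC-MAC style chain over the first n-1 blocks, then the adjusted final block.
	x := make([]byte, blockSize)
	y := make([]byte, blockSize)
	for i := 0; i < n-1; i++ {
		for j := 0; j < blockSize; j++ {
			y[j] = x[j] ^ msg[i*blockSize+j]
		}
		block.Encrypt(x, y)
	}
	for j := 0; j < blockSize; j++ {
		y[j] = x[j] ^ last[j]
	}
	block.Encrypt(x, y)
	return x, nil
}

// VerifyAESCMAC recomputes the tag and compares it in constant time, so a
// receiver does not leak how many tag bytes matched through timing.
func VerifyAESCMAC(key, msg, tag []byte) bool {
	expected, err := AESCMAC(key, msg)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(expected, tag) == 1
}

func main() {
	// AES-128 example key and 16-byte message from the CMAC specification's test vectors.
	key, _ := hex.DecodeString("2b7e151628aed2a6abf7158809cf4f3c")
	msg, _ := hex.DecodeString("6bc1bee22e409f96e93d7e117393172a")
	tag, _ := AESCMAC(key, msg)
	fmt.Printf("AES-CMAC: %x\n", tag)
	fmt.Println("verify:", VerifyAESCMAC(key, msg, tag))
}
```

Note that the two subkeys exist precisely so that a complete final block and a padded final block are keyed differently; without them a plain CBC-MAC is forgeable for variable-length messages, which is the weakness the CMAC draft addresses.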
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit