SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #14
April 06, 2005
TOP OF THE NEWS
Google Tests Anti-Phishing Technology
US Supreme Court Hears MGM vs. Grokster P2P Case
Japanese Personal Data Protection Law Imposes Penalties for Managers and Data Handlers
Microsoft Says Security Development Lifecycle has Reduced Vulnerabilities
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Estonian Police Arrest Alleged Internet Bank Thief
Blaster Author Will Do Community Service Instead of Paying US$500,000 Fine
Israeli Military Commander Jailed After his Laptop is Stolen
SPAM & PHISHING
Microsoft Files More Phishing Lawsuits
South Korea Fines SMS Spammers
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Windows Server 2003 Service Pack 1 Tightens Security
Symantec Patches two Denial-of-Service Flaws in Norton AntiVirus
Eight Mytob Variants Emerge
ATTACKS AND INTRUSIONS
Laptop Stolen from UC Berkeley Office Contains Data on Almost 100,000 Former Students and Applicants
STANDARDS AND BEST PRACTICES
VoIP Security Alliance Committee to Define Security Standards
STATISTICS, STUDIES AND SURVEYS
Sarbanes Oxley Section 404 Compliance Costs Higher than Expected
Study: Europeans Growing Wary of Internet Banking
Nearly Half of Retailers Surveyed Said they Share Customer Data
Study Says Federal Cyber Security Regulations Would be Problematic
EU Asks US to Delay Biometric Passport Deadline Again
Microsoft's Anti-Piracy Program Moves Toward Restricting Downloads to Authenticated Users
Technology Uses Macromedia Flash MX to Thwart Cookie Purgers
UK Government Supports Cyber Security Information Exchange Groups
Virus Kits Readily Available on the Internet are Protected by Right to Free Speech
********************** Sponsored by NetIQ *****************************
Assure Compliance & Manage Risks with Free NetIQ eBook! Do you know how to secure your infrastructure and prove compliance with government regulations? Get the insight you need to assure compliance, secure your assets and manage your IT risks. Download a FREE copy of "The Practical Guide to Compliance & Security Risks".
Highlighted Training Program of the Week
Rocky Mountain SANS 2005, in Denver in May offers nine immersion tracks plus short programs on Cutting Edge Hacker Techniques, Security Policy Development, Security Awareness Training, and more. Wonderful teachers give you material you can put to work immediately upon returning to the office and present the most current tools and techniques. Details at
What attendees say:
"SANS is the gold standard in network security training, in terms of relevance of material, knowledgeable instructors, and sheer usefulness."
- Steve Keifling, SGI
TOP OF THE NEWS
Google Tests Anti-Phishing Technology (1 April 2005)
Google is testing methods of protecting its Gmail users from online fraud. When a user opens a suspect message, a dialog box warns that the message may not be from the sender it claims to be from and advises against clicking any hyperlinks or giving the sender any personal information. Gmail also now removes hyperlinks from HTML email. In the fall of last year, Google implemented DomainKeys technology as a precautionary measure against email spoofing.
US Supreme Court Hears MGM vs. Grokster P2P Case (29/28 March 2005)
The US Supreme Court began hearings on MGM Studios vs. Grokster. At issue is whether P2P companies can be sued for copyright infringement committed by their users. If the court finds in favor of MGM, manufacturers of peer-to-peer file sharing technology could be held liable when the technology is used to share pirated content; P2P companies would have to pay fines for every piece of copyrighted material shared over their networks. MGM lost both the original case in a lower court ruling in April 2003 and the appeal at the 9th US Circuit Court of Appeals in August 2004. The appeals court based its ruling on the 1984 Betamax case, in which the Supreme Court ruled that the video recorder was a legal device because it had "substantial non-infringing uses." Billionaire Mark Cuban has pledged to cover Grokster's costs for the legal battle against MGM. An amicus brief signed by Grokster supporters expresses concern that a finding for MGM could stifle technological innovation. Justice Scalia has expressed concern that innovators and entrepreneurs would be "discouraged by the threat of litigation," and Justice Breyer said P2P has some legal "really excellent uses." Justice Kennedy expressed concern that building a business on a technology that shares copyrighted material is "morally questionable." A ruling in the case is expected in June. Some expect that the film and recording industries will once again turn to legislators to protect their copyrighted material. Entertainment companies lobbied heavily last year for the Inducing Infringements of Copyrights Act, which would have held technology companies liable for users' copyright infringements, but the bill failed to pass the Senate Judiciary Committee.
Cuban's Blog statement:
Japanese Personal Data Protection Law Imposes Penalties for Managers and Data Handlers (28 March 2005)
Japan's Personal Information Protection Law, which took effect on April 1 of this year, requires companies to comply with a set of rules for handling consumers' personal data. The law applies to companies holding the personal data of 5,000 or more individuals, including employees, and affects foreign companies as well. Companies are required to designate a corporate privacy officer and staff who will be responsible for compliance with the law. Penalties include fines of up to 300,000 yen (approximately US$2,760) and jail sentences of up to six months for managers and data handlers who fail to comply. Under the provisions of the law, companies must specify why they are collecting the information, obtain consent from the individuals before using it for any other purpose, and take measures to prevent theft and leaks.
[Editor's Note: (Schultz): Now if the US government could only follow suit by passing a law very similar to this one! Such legislation is desperately needed in the US, as evidenced by all the compromises of personal information lately. ]
Microsoft Says Security Development Lifecycle has Reduced Vulnerabilities (25 March 2005)
Microsoft has released a white paper which describes its Trustworthy Computing Security Development Lifecycle procedures and which maintains that the procedures are responsible for a "significant" reduction in the volume and severity of security flaws. The Security Development Lifecycle is mandatory for about 90% of the products Microsoft ships, including Windows Server 2003, SQL Server 2000 Service Pack 3 and Exchange Server Service Pack 3. Security figures in at every stage of product development rather than being tacked on at the end. Key to the program is the idea that "the default state of software should promote security." In addition, engineers have mandatory annual security refresher courses.
**************************** SPONSORED LINKS ****************************
Privacy notice: Some of these links redirect to non-SANS web pages.
1) ALERT: Google Hacking/Web Application Worms- Are You Vulnerable?- WebInspect Product Trial
2) Be the hacker! (Live On-line Demo)
Sentinel IPS w/ Network Cloaking(tm) Affordable, effective, managed, and monitored intrusion prevention from $299/mo. Network Cloaking whitepaper-SANS Reading Room:
3) Free Download: Threat Management Software for Enterprises & SMBs - IDP, File Integrity, Service Monitoring and more.
4) SANS is happy to bring you the latest in our complimentary series of Secure Software Webcasts. Database risks explored in depth at
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Estonian Police Arrest Alleged Internet Bank Thief (1 April 2005)
Estonian police have arrested a 24-year-old man suspected of stealing money from numerous bank accounts. The man allegedly infected victims' computers through email purporting to be about job offers; the malware he allegedly used stole personal information which could be used to access others' bank accounts. The malware used in the thefts managed to evade antivirus detection and erased evidence of itself after it had collected the desired information.
Blaster Author Will Do Community Service Instead of Paying US$500,000 Fine (31/30 March 2005)
Microsoft has asked that Jeffrey Lee Parson, the man who created a Blaster variant, be required to serve 225 hours of community service in lieu of a $500,000 fine that would have been paid to Microsoft. In January, Parson was sentenced to 18 months in prison and ordered to pay half a million dollars in restitution. Parson's community service cannot involve the Internet or computers.
Israeli Military Commander Jailed After his Laptop is Stolen (30 March 2005)
An Israeli Defense Forces commander was sentenced to two weeks in military prison following the theft of his laptop computer. The commander says he left his computer, which contains classified military information, on his desk while he was on a field trip with his soldiers; military protocol requires that laptops containing classified material be kept in a vault while not in use. Military police are investigating the theft.
SPAM & PHISHING
Microsoft Files More Phishing Lawsuits (1 April 2005)
Microsoft has filed civil lawsuits against 117 alleged phishers. The "John Doe" suits were filed in the US District Court for the Western District of Washington in Seattle and are targeted at phishing sites that pretend to be Microsoft MSN and Hotmail sites.
South Korea Fines SMS Spammers (30 March 2005)
Korea's Ministry of Information and Communication has fined premium phone service operators between ₩15 million (US$14,744) and ₩30 million (US$29,483) for sending "unsolicited promotional text messages to cell phones." The fines were larger for companies that operated more than one call service; fines totaled ₩720 million (approximately US$707,700). The ministry is also investigating nearly 200 more cases of spam.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Windows Server 2003 Service Pack 1 Tightens Security (1 April/31 March 2005)
Microsoft has released Windows Server 2003 Service Pack 1, which the company says will make the operating system "less vulnerable to cyber attacks." Among the features of Windows Server 2003 SP1 are the ability of systems to turn on their firewalls as soon as they're deployed and to block incoming Internet traffic until the most recent Microsoft security updates have been installed. In addition, SP1 has a security configuration wizard that detects the server's role and disables software and ports that are not necessary to its operation. Windows Server 2003 SP1 is available for download.
[Editor's Note (Schultz): I'd advise waiting a while before downloading and installing this service pack. Initial releases of Windows service packs have historically been quite flawed. ]
Symantec Patches two Denial-of-Service Flaws in Norton AntiVirus (31 March 2005)
Symantec has issued patches for two vulnerabilities in versions of its Norton AntiVirus software released in 2004 and 2005 that could allow an attacker to launch denial-of-service attacks on machines running the vulnerable applications. Symantec urges customers who have not applied the patches to do so as soon as possible; the fix was also pushed out to subscribers of the company's Automatic LiveUpdate service.
Eight Mytob Variants Emerge (29/28 March 2005)
Eight Mytob worm variants were detected last week. The worms place a backdoor on an infected computer and alter the PC's Hosts file in an attempt to prevent it from visiting security update sites. The Mytob variants use their own SMTP engine to spread by sending themselves to email addresses found on infected PCs. They are also capable of exploiting the LSASS vulnerability in Windows; Microsoft issued a patch for the flaw in 2004.
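The Hosts-file tampering described above is easy to check for from the defender's side: a vendor update domain should never appear in a local hosts file at all, and one mapped to loopback or 0.0.0.0 has been deliberately sinkholed. The following script is an added example, not code from the original newsletter or from any vendor; the sample hosts content is constructed for illustration, and the watch list of vendor domains is an assumption to be extended for your own environment.

```python
import ipaddress

# Constructed sample of a hosts file as a worm of this kind might leave it.
# Not taken from any real infection; the last line is a legitimate local entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       update.microsoft.com
0.0.0.0         liveupdate.symantec.com   # sinkholed
192.168.1.10    intranet.example.local
"""

# Assumed watch list: update / antivirus domains that should resolve via DNS,
# never via the local hosts file. Extend for your environment.
WATCH_DOMAINS = ("microsoft.com", "symantec.com", "mcafee.com", "sophos.com")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_watched(name, watch=WATCH_DOMAINS):
    """True if name is one of the watched domains or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watch)


def is_sinkhole(ip):
    """True if the address cannot reach the real host: loopback, 0.0.0.0, or malformed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable address is suspicious in its own right
    return addr.is_loopback or addr.is_unspecified


def find_hosts_hijacks(text, watch=WATCH_DOMAINS):
    """Return a list of (hostname, ip, reason) for watched domains found in the hosts text."""
    findings = []
    for ip, name in parse_hosts(text):
        if not is_watched(name, watch):
            continue
        if is_sinkhole(ip):
            reason = "sinkholed to " + ip
        else:
            reason = "redirected to " + ip  # still suspicious: vendor domain pinned locally
        findings.append((name, ip, reason))
    return findings


if __name__ == "__main__":
    # For a live check read the real file instead, e.g.
    # C:\Windows\System32\drivers\etc\hosts on Windows or /etc/hosts elsewhere.
    for host, ip, reason in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"{host:30} {reason}")
```

Any hit is worth investigating, since update and antivirus domains have no business in a hosts file; the sinkhole/redirect distinction only tells you whether the entry blocks the site outright or points it somewhere else.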
ATTACKS AND INTRUSIONS
Laptop Stolen from UC Berkeley Office Contains Data on Almost 100,000 Former Students and Applicants (28 March 2005)
A laptop computer stolen from a restricted area of a University of California, Berkeley office contained personal information belonging to nearly 100,000 former graduate students and graduate school applicants. Notifying all those affected could prove difficult as some received their degrees nearly 30 years ago. The data included Social Security numbers and some birthdates. A university spokesperson said there is no evidence the thief has used the information; it is more likely that the thief was after the machine and not the data it contained. University officials announced the March 11 theft on Monday, March 28, in accordance with California law requiring notification of consumers when their personal data is stolen.
[Editor's Note (Schultz): What amazes me is how incidents like this keep occurring, not only at UC Berkeley, but also at other universities such as the University of California at San Diego. The relative ease of making massive notifications, namely by merely releasing information through the media (as allowed by California law SB1386), may be part of the problem. Institutions such as these may continue to fail to deploy measures needed to adequately protect personal data in favor of the easier (and less costly) solution, namely simply notifying victims afterwards. Legislation that requires protection of personal information with severe penalties for failing to do so would be a much more effective approach. ]
STANDARDS AND BEST PRACTICES
VoIP Security Alliance Committee to Define Security Standards (31/29/28 March 2005)
The Voice over IP Security Alliance (VOIPSA) has formed a committee to define security standards for VoIP. VoIP use is expanding in the business community, but security has not been adequately addressed, and VoIP and its underlying communication protocols are vulnerable to exploits. The committee will define security requirements across a variety of deployments and address architecture and network design, network management, endpoint authentication and security technology components. Other VOIPSA committees will address best practices, testing, security research and education and community outreach. In a separate story, the Australian government has issued a request for tender briefing document in which it says it hopes to hire a consultant to evaluate the security concerns that accompany VoIP technology.
STATISTICS, STUDIES AND SURVEYS
Sarbanes Oxley Section 404 Compliance Costs Higher than Expected (March/April 2005)
A survey conducted by Financial Executives International has found that public companies have spent 39% more than they expected to on compliance with Section 404 of the Sarbanes Oxley Act. Companies spent an average of US$4.36 million, compared to the US$3.14 million they expected to spend. Section 404 "requires executive managers of public companies to attest to the effectiveness of the internal controls on their financial reporting." The spending increase can be attributed in large part to sharp increases in the costs of consulting, software and external audits.
This article answers ten questions about Sarbanes-Oxley Act compliance for CIOs and CEOs.
Study: Europeans Growing Wary of Internet Banking (30 March 2005)
According to a study from Forrester Research, European consumers are increasingly wary of Internet banking due to security concerns. Forrester polled nearly 23,000 European citizens and found that just 30% of them were confident in the security of online financial transactions. The concerns are not as pronounced in countries where banks have introduced two-factor authentication policies, one of the technologies Forrester recommends banks employ if they wish to retain online customers and attract new ones.
Nearly Half of Retailers Surveyed Said they Share Customer Data (29 March 2005)
A study from The Customer Respect Group found that data brokers aren't the only ones playing fast and loose with customer data. 43% of financial services firms surveyed said they share customer data with business partners or third parties. 47% of retailers surveyed said they "shopped customer data around." Of insurance companies surveyed, 35% said they shared customer information with third parties. Airline and travel companies fared the best in the survey, with only 28% sharing data with other sources.
Study Says Federal Cyber Security Regulations Would be Problematic (25 March 2005)
Creating a National Framework for Cybersecurity: An Analysis of Issues and Options, a Congressional Research Service study on the feasibility of the government "taking a larger role" in cyber security, found that "congressional leaders will face significant challenges if they try to create a regulatory framework to strengthen the nation's cyber defenses." The reasons are fourfold. First, networks have many of the characteristics of a public commons, so market mechanisms will not be as effective. Second, getting buy-in from all parties involved would be very difficult. Third, there is not much agreement on what constitutes "best approaches to securing cyber space," and finally, regulatory standards will have a hard time keeping pace with technological change. The report suggests two models for increased government involvement. The first would be similar to preparations for the year 2000, which included rules for preparedness reporting and liability protection for compliant entities. The other would resemble a food safety or environmental regulation model, with set regulations and inspectors to monitor compliance.
EU Asks US to Delay Biometric Passport Deadline Again (4 April 2005)
The European Union (EU) has asked the United States to push back the deadline it has set for the mandatory use of biometric identification technologies in passports for those visiting the US without visas. The US wants the technology in place by October 2005, but EU Justice Commissioner Franco Frattini has asked that the deadline be moved to August 2006. According to Frattini, only six EU countries are in a position to meet the October 2005 deadline; other concerns include "data security and the interoperability of reading devices."
Microsoft's Anti-Piracy Program Moves Toward Restricting Downloads to Authenticated Users (31 March 2005)
Windows users who want to download one of Microsoft's 22 Language Interface Packs will soon have to verify that they are running a legitimate copy of the software. The Windows Genuine Advantage authentication program began last year as an optional program. Over time, Microsoft has begun offering benefits to people who verify they are running legitimate copies of the operating system, and it is moving toward withholding updates from users whose copies are determined to have been pirated.
Technology Uses Macromedia Flash MX to Thwart Cookie Purgers (31 March 2005)
A New York company has begun offering persistent identification element, or PIE, technology which "undermines" consumers' attempts to remove cookies from their computers. By making use of the local shared objects feature in Macromedia's Flash MX, PIE tags a Flash object to the user's browser when a PIE site is visited; the tag acts as a sort of back-up cookie and can be used to restore a deleted cookie when the site is revisited. Macromedia has posted instructions on its web site for disabling shared objects uploaded to browsers.
UK Government Supports Cyber Security Information Exchange Groups (29 March 2005)
The UK government is supporting the creation of three more Warps, or warning advice and reporting points, one of which will be geared toward home users. Six Warps, which serve as exchanges for computer security and cyber crime information among a community, have been established since the program's inception in 2003. Warps are a part of the National Infrastructure Security Coordination Centre's strategy to protect the UK's critical infrastructure from electronic attacks.
Virus Kits Readily Available on the Internet are Protected by Right to Free Speech
Note: The following is a summary of an article that appeared in the Wall Street Journal on March 31, 2005. The Wall Street Journal site requires paid registration.
CDs containing virus source code, virus writing tools and descriptions of how various viruses work are available for sale on the Internet. Some sites even offer this information at no charge. The administrator of a site that advertises a hacking guide to "hard drive killers" and keystroke loggers maintains that the "merchandise" is intended for people who want to test the security of their systems. The proliferation of do-it-yourself malware kits available on the Internet has raised security concerns, but law enforcement officials have no legal recourse against the purveyors; publishing code that can be used to create malware is not illegal. What is illegal, according to the Computer Fraud and Abuse Act, is releasing malware with the knowledge that it will cause harm. Web sites are not investigated unless a virus released on the Internet has been traced back to them; even then, those who posted the code cannot be prosecuted for simply making the information public. Prosecutors could conceivably have a case if the site on which the malware code is posted urges destructive activity. Criminalizing these tools is problematic because some of them have "very legitimate uses in the security profession," so the focus has been on criminalizing the activity of spreading malware rather than on the malware itself.
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit