SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #16
April 20, 2005
TOP OF THE NEWS
Ameritrade May Have Lost Data on 200,000 Customers
LexisNexis and ChoicePoint Admit They Concealed Previous Breaches
British Banks to Adopt Two-Factor Authentication
Telstra BigPond Disconnects Trojan-Infected Users
ISPs Look to Improving Outbound eMail Controls
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DHS FISMA Grade Unlikely To Improve This Year
UC Berkeley Will Head Up Cyber Security Project
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Flaws in Mozilla Suite, Firefox
Reuters Takes IM System Off-Line Following Spread of Kelvir Variant
Microsoft Investigating Report of Flaw in Jet Database Engine Component
Flaw Affects Cisco, Juniper and IBM Routers
Microsoft's April Security Update Includes Fixes for Five Critical Flaws
Congress Eyes Data Protection Legislation
ATTACKS AND INTRUSIONS
Tufts University Notifying Alumni, Other Donors of Possible Data Breach
India Plans Call Center Staff Database
CISO Exchange Effort Halted; IAC May Establish Forum for CISOs
Comcast Sued by Customer for Disclosing Name and Contact Information
********************** Sponsored by Shavlik *****************************
Now Available! Introducing Shavlik HFNetChkPro(tm) 5, the next generation of security patch management. With over 50 awesome new features including detailed reporting, advanced reboot options, email notification, and distribution servers, staying up to date on patches has never been easier and your network has never been more secure. Keep your world in Chk with Shavlik. Download the trial version today at
Highlighted Training Program of the Week
Rocky Mountain SANS 2005, in Denver in May offers nine immersion tracks plus short programs on Cutting Edge Hacker Techniques, Security Policy Development, Security Awareness Training, and more. Wonderful teachers give you material you can put to work immediately upon returning to the office and present the most current tools and techniques. Details at http://www.sans.org/rockymnt2005
The conference hotel is offering the chance to win a drawing for a $500 credit towards the roundtrip airfare for anyone registered in the SANS block, but HURRY!! you must register by Friday, April 22.
What attendees say:
"SANS is the gold standard in network security training, in terms of relevance of material, knowledgeable instructors, and sheer usefulness."
- Steve Keifling, SGI
TOP OF THE NEWS
Ameritrade May Have Lost Data on 200,000 Customers (19 April 2005)
Ameritrade reported that a lost set of backup tapes had data on 200,000 customers' accounts. The report indicated that four data cassettes containing current and former Ameritrade account holders' information from the years 2000 through 2003 were misplaced by an unnamed shipping company.
LexisNexis and ChoicePoint Admit They Concealed Previous Breaches (14/12 April 2005)
LexisNexis, the data broker that last month notified 32,000 people that their personal data had been stolen from company-owned databases, now admits that a total of 310,000 people had their data stolen. The company's databases were breached nearly 60 times over the course of the past two years. At Senate Judiciary Committee hearings last week, both LexisNexis and ChoicePoint admitted to having deliberately concealed data breaches in the past because no law required them to come forward and notify those affected.
[Editor's Note (Schultz): Whatever happened to ethics in the business world? So there was no law requiring these companies to report the personal data compromises--people whose data were compromised were, however, much more likely to experience identity theft and all the miseries that go with it. Apparently these companies did not care.
(Ranum): This illustrates the dilemma faced by businesses. On one hand we want them to act responsibly when they have a security problem, but on the other, they know they're going to get pilloried by the security press (among whom we number). As long as security breaches are front page news there will be an incentive for businesses to downplay the severity of their problems. ]
British Banks to Adopt Two-Factor Authentication (14 April 2005)
Major British banks are likely to introduce two-factor authentication soon. Users will have a physical security device that generates single-use passwords. The British banking industry's Association of Payment and Clearing Systems says it hopes to have a UK standard for the device in place next month.
[Editor's Note (Schmidt): Another good example of how we are making progress in doing a better job managing identities. The British banks are to be commended for moving forward so quickly on this. The next logical step is to federate this as we have on ATM cards. ]
Telstra BigPond Disconnects Trojan-Infected Users (14/13 April 2005)
Australia's largest Internet Service Provider, Telstra BigPond, says it will temporarily disconnect customers whose computers are infected with certain malware; the programs are overwhelming the ISP's servers and delaying email and web site requests. Apparently just six compromised PCs were the cause of the delays; the half-dozen machines were responsible for 95% of the false DNS requests. The ISP strongly recommended that users keep their machines supplied with updated security protections because unprotected machines can have serious effects on other Internet users.
[Editor's Note (Schmidt): This is a bold and brave move. It proves the concept that there is a real business need in keeping infected systems off of the network. This has a potential of becoming a rule instead of the exception.
(Schultz): What Telstra has done is becoming the wave of the future. Vulnerable and compromised computers should not be allowed on any network.
(Paller): This is a critical first step in establishing a "safer Internet." Why, if the US is a cybersecurity leader, are US banks not leading the way in protecting their customers? ]
ISPs Look to Improving Outbound eMail Controls (15 April 2005)
Internet Service Providers (ISPs) are starting to move toward outbound email controls in an effort to stem the tide of spam. Some of the methods already in use include requiring a password before user email is sent out and requiring users who send unusually large numbers of messages to type characters displayed on the screen, a request automated tools cannot fulfill. Outbound controls do not immediately reduce the amount of spam in the ISPs' customers' inboxes, but they do cut down on the likelihood of email from their servers being blocked because it is suspected of being spam.
[Editor's Note (Pescatore): A lot more of this type of thing is needed. Why should ISP A allow one of their customers to send out packets that are pretending to come from someone else at ISP B? Legitimate ISPs should have terms of service in their contracts to help limit the damage of misuse of the basic capabilities of the Internet - they can forestall well-meaning but misguided regulation if they act as an industry. ]
************************* SPONSORED LINKS *******************************
These links point to sites outside SANS:
1) ALERT: Google Hacking/Web Application Worms - Are You Vulnerable? - WebInspect Product Trial
2) Earn your Master's Degree in Information Security from an NSA-recognized online program.
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DHS FISMA Grade Unlikely To Improve This Year (14 April 2005)
Outgoing Homeland Security Department CIO Steve Cooper says it is likely that the department will receive another failing grade on this year's Federal Information Security Management Act mandated cyber security report card. In testimony before the House Homeland Security Subcommittee on Management, Integration and Oversight, Cooper said he believed DHS would score a B as soon as 2006. Cooper attributes DHS's poor showing to two factors: the department is unlikely to complete its systems inventory before the end of this year, and it cannot justify spending to bring systems into compliance when it plans to shut them down.
[Editor's Note (Schneier): What's the use of having standards and regulations if they're just viewed as a gentle advisory instead of actual rules? More teeth than just failing grades are needed, it looks like. ]
UC Berkeley Will Head Up Cyber Security Project (12 April 2005)
The National Science Foundation has announced that the University of California-Berkeley will lead a government-funded cyber security project researching the best ways to protect the nation's computing infrastructure. The project is funded at US$19 million over five years. Other schools will join the project, forming what has been named the Team for Research in Ubiquitous Secure Technology, or TRUST. Several private companies will also take part in the research project.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Reuters Takes IM System Off-Line Following Spread of Kelvir Variant (14 April 2005)
Reuters has taken its instant messaging system off-line after a new variant of the Kelvir worm began spreading through its network. This version of the worm tries to spread via instant messages sent to names found on infected systems' contact lists. The message "lures" people to a web site which will infect their computers with the worm. As yet, no other companies have reported infections with this variant. Reuters is unsure when it will bring the system up again.
Microsoft Investigating Report of Flaw in Jet Database Engine Component (13 April 2005)
Microsoft is looking into a report that a security flaw in its Jet database engine component could allow an attacker to execute malicious code on vulnerable machines. Microsoft has not confirmed the existence of the vulnerability, which would affect Microsoft Office and the Microsoft Access database program. Exploit code for the flaw has already been shared on a mailing list.
Flaw Affects Cisco, Juniper and IBM Routers (13 April 2005)
Britain's National Infrastructure Security Co-ordination Centre has warned of an ICMP Transmission Control Protocol (TCP) reset vulnerability in routers from Cisco Systems, Juniper Networks and IBM. Other companies' products are also likely to be affected by the denial-of-service flaw.
Microsoft's April Security Update Includes Fixes for Five Critical Flaws (12 April 2005)
Microsoft's April security update includes fixes for eight vulnerabilities, five of which merited a "critical" rating. These include a buffer overflow flaw in Microsoft Word, a PNG image handling flaw in MSN Messenger and a cumulative update for IE 5 and 6 on most operating systems. In addition, the release date of April 12 marked the end of a grace period during which Windows XP users could block Service Pack 2 from downloading automatically onto their computers.
ATTACKS AND INTRUSIONS
Congress Eyes Data Protection Legislation (15/13 April 2005)
Congress is poised to pass legislation requiring that companies inform individuals when their personal data has been stolen. This is a shift from the government's protective stance regarding private company security breaches; in an effort to get companies to share information with them, the government has in the past made a concerted effort to protect the identities of companies that have suffered security breaches. The move for the legislation has raised the question of how much flexibility states will be allowed in creating their own data protection laws. In cases regarding technology, Congress has tended to establish rules that override the states' often more stringent laws. Some have argued that organizations holding personal data will have a hard time conforming to a patchwork of regulations and that a national standard would make things clearer for them.
[Editor's Note (Schneier): Given the information that has come out as a result of the California law regarding disclosure, I'm in favor of this. Covering up information loss has become the default corporate action unless they're forced to do otherwise. ]
Tufts University Notifying Alumni, Other Donors of Possible Data Breach (12 April 2005)
Tufts University has begun the process of notifying approximately 106,000 alumni and other financial donors that their personal data stored on a computer system used for fundraising purposes may have been compromised. The information includes names, addresses and Social Security numbers; there is no evidence the information was accessed or used to commit identity theft. The system belongs to Tufts University, but is managed by a third party, as was the system at Boston College that recently suffered a similar breach.
India Plans Call Center Staff Database (18/13 April 2005)
India's National Association of Software and Service Companies (NASSCOM) plans to compile a database of call center staff to allow employers to conduct background checks. Companies looking to hire staff will need to pay a fee to access the database. The move comes soon after last week's arrest of three call center employees for alleged fraud against Citibank account holders using information they had access to as part of their jobs. The three had no previous criminal records.
CISO Exchange Effort Halted; IAC May Establish Forum for CISOs (14 April 2005)
Steven O'Keeffe, principal of public relations firm O'Keeffe and Co and the man who spearheaded the CISO Exchange, has announced he is ceasing efforts to promote the organization. Mr. O'Keeffe's announcement followed close on the heels of the federal CIO Council's announcement that it was severing ties with the organization and seeking to establish a new, open and accessible forum for federal and private sector CISOs. The Industry Advisory Council board has unanimously voted to establish a forum for federal and industry CISOs if the CIO Council requests it. House Reform Committee chairman Tom Davis (R-Va.) also withdrew his support from the CISO Exchange because of the way in which it solicited funding from vendors. The CISO Exchange had established different fee levels of CISO Exchange participation for industry officials ranging from US$5,000 to US$75,000; the practice could be interpreted as influence peddling. Organizations that have made contracts with the CISO Exchange will be released from those obligations; those who have paid fees will have their money refunded.
Comcast Sued by Customer for Disclosing Name and Contact Information (14 April 2005)
Dawnell Leadbetter, a Seattle-area mother of two teenagers, is suing Comcast Corp. for disclosing her name and contact information. Ms. Leadbetter was contacted by a debt collection company in January and told to pay US$4,500 for downloaded copyright-protected music or she would have to face a lawsuit asking for hundreds of thousands of dollars. The collection agency was using information the RIAA had obtained in a Philadelphia lawsuit. Comcast was not ordered by any court to disclose its customers' names, nor did Comcast notify Ms. Leadbetter that her information had been given to a third party.
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit