SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #18
May 04, 2005
A security news story was one of the top three technology stories on Google News all day Tuesday. It reported on the Most Critical New Security Vulnerabilities discovered during the first quarter of 2005 and was covered in more than 100 news outlets from National Public Radio to CNN Money and lots of general newspapers as well as trade publications. The report was a SANS community project led by Rohit Dhamankar of Tipping Point with substantial help from Gerhard Eschelbeck of Qualys, the team at the British Government's NISCC, and Marcus Sachs and Johannes Ullrich of Internet Storm Center. Kudos to all. Here's the url: http://www.sans.org/press/Q1-2005update_release.php
TOP OF THE NEWSJudge Rules That Two North Carolina Schools Do Not Have to Surrender Student Information to RIAA
Secret Service Investigating Disappearance of Time Warner Backup Tapes
New York AG Spitzer Files Spyware Suit Against California Company
THE REST OF THE WEEK'S NEWSARRESTS, CONVICTIONS AND SENTENCES
Heckencamp Sentenced to Prison, Home Confinement for eBay and Qualcomm Intrusions
Four Men Receive Conditional Discharges for Celebrity Data-Selling Scheme
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Australia's Dept. of Foreign Affairs and Trade Seeks New Secure Standard Operating Environment
UK's National Infrastructure Security Co-ordination Centre May Get Power to Set Security Standards
California Law Would Prohibit RFID Chips in Identification Documents
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
AOL Stomps on Gabby.A Worm
Buffer Overflow Vulnerability in Some Versions of Netscape Browser
ATTACKS AND INTRUSIONS
Florida International University Computer Systems Breached
STATISTICS, STUDIES AND SURVEYS
Web Server Attacks and Web Site Defacements Up Thirty-Six Percent
Nine charged in Bank Account Data Theft Ring
Backup Tape Disappearances Underscore the Need to Rethink Policies and Procedures
Merchants Lay Blame for Credit Card Info Theft on Problematic Software
************************** Sponsored by NetIQ ***********************
Sarbanes-Oxley Compliance Whitepaper
Get the best practices you require to maintain proper internal control frameworks as you strive to meet Sarbanes-Oxley requirements with NetIQ's free whitepaper, "Meeting Sarbanes-Oxley IT Control Requirements with NetIQ." You'll learn how to dramatically reduce your time and effort spent auditing, reporting on, and controlling essential areas such as policies, file access rights, provisioning and change control.
Download this FREE whitepaper now.
Why Professionals Always Attend SANS Training If They Have A Choice
(1) " SANS courses balance the why and the how-to of security. Not only will you learn something, you learn how to do something." (Greg Kotula, Wall Street On Demand)
(2) " SANS never fails to provide top level training that is worth every penny." (Tyler Hudak, Yellow Roadway Tech)
(3) "SANS training gives me the tools I need to do my job." (Michael Hiramoto, NCI)
TOP OF THE NEWS
Judge Rules That Two North Carolina Schools Do Not Have to Surrender Student Information to RIAA (1 May 2005)US Magistrate Judge Russell A. Eliason ruled that the University of North Carolina at Chapel Hill and North Carolina State University do not have to disclose the names of students who allegedly used the schools' computer networks to share music illegally. The Recording Industry Association of America had subpoenaed both schools to obtain the information. An attorney representing the students said that the case is not about whether students have the right to share music in this way, but about Internet users' right to privacy.
Secret Service Investigating Disappearance of Time Warner Backup Tapes (2 May 2005)Time Warner Inc. says that the US Secret Service is investigating the disappearance of backup tapes containing the names and Social Security numbers of 600,000 current and former employees. Time Warner says that an outside company, Iron Mountain, was responsible for the tapes at the time of their loss. Time Warner is notifying those whose data may have been compromised.
New York AG Spitzer Files Spyware Suit Against California Company (29/28 April 2005)New York state Attorney General Eliot Spitzer has filed a lawsuit against Intermix Media Inc. for allegedly installing spyware and adware on people's computers without their knowledge. According to the lawsuit, New York residents downloaded 3.7 million programs, including games and screen savers, from Intermix web sites, but they were not properly notified that the downloads also contained spyware and adware. Intermix senior VP and general counsel Christopher Lipp said such practices are part of Intermix's past, and were established under prior leadership and that the company has ceased distributing the programs in question of its own volition in April 2005. The lawsuit follows a six-month investigation. (Note: this site requires free registration)
[Editor's Note (Schultz): This is a case to closely watch. The ruling will help set a legal precedent in civil cases in which one organization has introduced spyware into another's systems.
(Paller): Note that the company's defensive statement says nothing about removing the spyware that they already installed. To have a credible defense, they must ensure the software they installed is removed or fully disabled. ]
************************** Sponsored Links ******************************
Note: These links may take you to sites outside SANS:
1) Security is #1 with Shavlik HFNetChkPro(tm) security patch management. Download the trial version today at http://www.sans.org/info.php?id=767
2) Job wanted. Lenny Zeltser is a SANS instructor, book author, holds CS and MBA degrees, GSE and CISSP certifications. Lenny is seeking a challenging position in the New York City area that values his ability to employ technology in pursuit of business objectives. For more information about Lenny's background and to contact him visit: http://www.sans.org/info.php?id=768
3) Secure storage and access control for all your ADMINISTRATIVE PASSWORDS: UNIX/Linux, Windows, databases, routers and firewalls http://www.sans.org/info.php?id=769
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Heckencamp Sentenced to Prison, Home Confinement for eBay and Qualcomm Intrusions (27 April 2005)Jerome Heckencamp has been sentenced to eight months in prison followed by eight months of electronically monitored home confinement. In January 2004, Mr. Heckencamp pleaded guilty to breaking into computer systems of several high profile companies, including eBay and Qualcomm, and installing Trojan horse programs. Mr. Heckencamp has also been ordered to pay nearly US$270,000 in restitution and for three years; he may not use an Internet-connected computer without permission from a probation officer.
Four Men Receive Conditional Discharges for Celebrity Data-Selling Scheme (26 April 2005)Four UK men have been given two-year conditional discharges for their roles in a scheme to sell confidential data about celebrities to the press. The data in question were held on a police computer. The sentence means that no action will be taken against the men unless they commit an additional offense within two years.
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Australia's Dept. of Foreign Affairs and Trade Seeks New Secure Standard Operating Environment (2 May 2005)Australia's Department of Foreign Affairs and Trade wants to implement a new standard operating environment (SOE) for the department's 5,000 desktops worldwide. DFAT has specified requirements for the SOE including the ability to block unauthorized applications, avoid relying on white and black lists of trusted and untrusted email addresses and servers, and protecting notebooks even when they are not connected to the network. In addition, DFAT has stipulated that the solution "must have no adverse impact on system performance, must not be able to be disabled by a standard user on a Windows XP workstation" and must be able to provide DFAT with data regarding the number, type and frequency of security incidents.
UK's National Infrastructure Security Co-ordination Centre May Get Power to Set Security Standards (27/26 April 2005)Lord Toby Harris has called for legislation that would allow the British Government's National Infrastructure Security Co-ordination Centre (NISCC) to set and enforce information security standards in order to protect the nation's critical infrastructure from cyber attacks. At present, NISCC merely provides security advice. Lord Harris was formerly chairman of the Metropolitan Police Authority.
[Editor's Note (Paller): NISCC has forged extraordinary trust relationships and information sharing partnerships with large companies in many critical industries. Even US multinational companies share cyber attack data with NISCC that they share with no other governments. It is a model of effective national cybersecurity coordination. If it receives added powers suggested in this story, its history says it would wield the power effectively without much adverse impact on industry or innovation. ]
California Law Would Prohibit RFID Chips in Identification Documents (29 April 2005)California state legislators are considering a bill that would prohibit the use of radio-frequency identification, or RFID, chips in identification documents. The bill would also make it a crime to read information from RFID tags without authorization. The Identity Information Protection Act of 2005 (SB682) was introduced after a California elementary school's proposal to require students to wear RFID-enabled photo ID cards met with parental outrage. The bill would also for exceptions, in instances in which other technology would not suffice, such as road and bridge tolls.
[Editor's Note (Pescatore): This is a great example of problems when legislators write laws about technology. This bill would let me put photo ID badges on students with the kids name and address printed in 2" high letters, visible by stalkers from across the street. Yet, prohibit a RF ID tag that wouldn't be readable from further away than if the stalker was trying to read the 1/4" high type on the existing name badges. I could have a standard that says ID badges for children can't be readable from more than 24" away or I could keep trying to write laws around ever changing technology. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
AOL Stomps on Gabby.A Worm (27 April 2005)America Online has quickly quashed the Gabby.a worm which spread through the ISP's instant messenger program. AOL learned of the threat with the help of IMLogic's Threat Center, a database of IM and peer-to-peer security threats of which AOL is a vendor member. The worm was spread via a text message with a link to a malicious site that uploaded the worm onto the unsuspecting user's system.
Buffer Overflow Vulnerability in Some Versions of Netscape Browser (27 April 2005)A buffer overflow flaw in the Netscape browser could allow an attacker to crash a vulnerable machine or execute potentially malicious code. The flaw is known to affect Netscape versions 6.2.3 and 7.2; others may be affected as well. The vulnerability is related to one in Mozilla, with which Netscape shares some code. There is no workaround for the Netscape flaw; users are advised to upgrade to version 8.0, which is based on Firefox.
ATTACKS AND INTRUSIONS
Florida International University Computer Systems Breached (29 April 2005)Some Florida International University students, faculty and staff have been notified that their personal information may have been compromised after it was discovered that computer systems at the school had suffered security breaches. A file found on one of the computers indicates that the intruders had access to user names and passwords for 165 university computers. Users have been advised to remove sensitive data from their computers and to place fraud alerts on their credit files. University "technology experts" are examining 3,000 computers at the school for evidence of intrusions.
STATISTICS, STUDIES AND SURVEYS
Web Server Attacks and Web Site Defacements Up Thirty-Six Percent (27/26 April 2005)A report from security firm Zone-H finds that web server attacks and web site defacements increased by 36% the last year, from 251,000 in 2003 to 392,545 in 2004. According to the report, 2,500 web servers are successfully attacked every day.
[Editor's Comment (Guest editor, Ryan Barnett): These stats are a bit inflated since they are tracking solely on individual domains defaced. More often than not, the defacers are executing mass defacements using a single vulnerability on a server. The problem is that that server may be hosting hundreds of other virtual web sites. Once the defacers get a foothold in one virtual host, they can infect others.
(Pescatore): I think Zone-H also counts chat board defacement as a web site defacement. A lot of discussion groups have very loose sysop control - technically they are defacements when someone takes over the board, but it is sort of like counting demolition derby crashes in NHTSA auto safety statistics. ]
Nine charged in Bank Account Data Theft Ring (30/28 April 2005)Nine people have been charged for their alleged roles in a scheme in which financial records belonging to half a million people were stolen and sold to collection agencies. Orazio Lembo Jr., the alleged ringleader of the operation, apparently obtained lists of people who were being sought by debt collection agencies. Lembo allegedly shared those names with accomplices who worked in banks where they could compare the list to the names of bank customers and provide Lembo with the names and account details when they found matches. Lembo in turn allegedly sold that information to collection agencies for a tidy profit. If convicted of all charges against him, Lembo could face 130 years in prison and a fine of US$1 million.
[Editor's Note (Shpantzer): This scheme operated undetected for several years with the direct assistance of a branch manager and assistant branch manager, in addition to the other lower level employees. What can be done to prevent this from repeating? Some (imperfect) ideas:
Backup Tape Disappearances Underscore the Need to Rethink Policies and Procedures (28 April 2005)The recent spate of revelations from companies that backup tapes containing customer data have been lost has pointed out the fact that organizations may need to reconsider their backup policies and procedures. One poll of 400 companies found that more than 60% do not encrypt any of their backup data and that just 7% encrypt all their backup data. Another problem is that the job of making backup tapes tends to fall to those ranking low on the IT department scale of importance, which increases the possibility that they could be bribed.
[Editor's Note (Ranum): This is so depressing. Security practitioners have been trying to call attention to this problem for - literally - decades. Does it always require a disaster to get people to take security seriously? ]
Merchants Lay Blame for Credit Card Info Theft on Problematic Software (28/27 April 2005)Merchants say that many credit card payment processing software products store information valuable to identity thieves rather than purging it. Merchants are not supposed to store information from credit cards' magnetic strip after a transaction is complete according to several credit card organizations' guidelines which call for penalties of as much as US$500,000 for violations. BJ's Wholesale Club which has been in the spotlight due to data theft from its computer systems, has filed a lawsuit against IBM seeking compensation for the losses it incurred from the breach. The lawsuit claims that IBM's software stored credit card data unbeknownst to BJ's managers.
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit