SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #26
June 29, 2005
A comment from a SANS student: "SANS reminds me of 'The Matrix.' You can take the blue pill and go on happily thinking your network is safe, or you can take the red pill and find out what the computer world is really like. This SANS class is the red pill, and if it doesn't drive you insane in the process, you will leave better prepared to handle the real world of security." (Shawn Wenzel, Par Pharmaceutical)
The all new SANS Roadmap to Network Security -- WhatWorks poster will be distributed in five weeks. If we don't have your up-to-date surface mail address, it won't get to you. Please make sure your address is correct and complete in your SANS portal account.
TOP OF THE NEWS
Britain and the US Both Facing Targeted Attacks
Supreme Court Rules File Sharing Software Companies Can Be Held Liable for Copyright Infringement
Class Action Suit Filed Against CardSystems, Visa and MasterCard for Data Security Breach
FIPS-201 Implementation Plan Deadline
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Japanese Government Investigating Leak of Nuclear Plant Data
California Legislators Move Toward Expanding Security Breach Notification Laws
SPAM & PHISHING
Alleged Spammer First to be Tried Under Australia's Spam Law
Microsoft Suing German Company for Sending Spam
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
RealNetworks Releases RealPlayer Updates to Address Four Vulnerabilities
Veritas Patches Multiple Critical Flaws in its Backup Software
Weaknesses in Wireless LAN Session Containment
STATISTICS, STUDIES & SURVEYS
Survey Predicts Slow Growth for Business to Consumer Internet Sales
CardSystems Data Exposed by Malicious Program
ChoicePoint Data Security Modifications Taking Longer Than Expected
Indian Police Need Formal Complaint Before They Can Arrest Alleged Data Thief
AT&T Corp. to Premiere Internet Security News Network Within the Next Year
Iowa State University to Develop Attack Simulation Lab
********************** Sponsored by SANS Washington *********************
July 28-August 3, Ten great tracks of intensive, practical, up-to-date security training for auditors, managers, system administrators, and security professionals. Plus an expo and a new talk by the FBI on how cyber criminals are caught.
Why Do Security Professionals Get More Value From SANS Than from Any Other Source?
"Years of experience downloaded into your brain in 6 days."
- Chris Koutras, Titan, Inc.
"The perfect balance of theory and hands on experience."
- James D. Perry II, University of Tennessee
"SANS courses bring the best of the best to one place to learn cutting-edge information."
- Jeremy Baca, Sandia National Labs
"SANS has opened my eyes to things I never would have considered based on my own research."
- Doug Wells, Media General, Inc.
Current Training Schedule: http://www.sans.org
TOP OF THE NEWS
Britain and the US Both Facing Targeted Attacks (27 June 2005)
US government and corporate sites have been subjected to the same type of targeted attacks the UK's National Infrastructure Security Co-ordination Centre described last week. There are also reports that the attack responsible for the exposure of information on 40 million credit card accounts was a targeted attack. These increasingly frequent and effective attacks are easy to understand but difficult to stop. Targeted attacks are harder to detect because they generate less traffic than mass attacks do. Tools that detect anomalous network behavior can be helpful, as can egress-filtering tools. Additionally, using encryption and monitoring access at the database level can help lessen the effects of attacks.
[Editor's Note (Paller): The US Government, especially the Department of Defense, has been classifying information about targeted attacks, so US firms and agencies are less well prepared to defend themselves. The defenders don't know the attacks are happening, nor do they know how the attacks work. This "don't talk about the attacks" strategy, especially in the face of widespread and damaging data theft, poses a clear danger to the security of US organizations. It is time for the US government to face up to the threat and act affirmatively to stop it by distributing tools that can identify infected systems. ]
Supreme Court Rules File Sharing Software Companies Can Be Held Liable for Copyright Infringement (28/27 June 2005)
The US Supreme Court overturned a lower court decision in MGM Studios Inc. v. Grokster Ltd., ruling that software companies can be held liable for copyright infringement when customers use their products to illegally download music and videos. The decision did not address the question of whether peer-to-peer technology is illegal, but focused instead on the actions of file-sharing software companies; Justice David Souter wrote that the actions of Grokster and StreamCast were "unmistakable" in their "unlawful intent."
[Editor's Note (Northcutt): So a gun company can produce a "Saturday Night Special" under the law but Grokster has "unlawful intent". Weee Oh. ]
Class Action Suit Filed Against CardSystems, Visa and MasterCard for Data Security Breach (27 June 2005)
A California attorney has filed a class-action lawsuit against CardSystems Solutions, Visa and MasterCard on behalf of California residents and merchants who accept credit cards. The lawsuit alleges the companies did not appropriately secure their systems and did not inform people in a timely manner about a security breach that exposed data on 40 million accounts. Apparently information on approximately 200,000 accounts was verifiably transferred out of the payment processor's computer system, but the credit card companies said they do not intend to notify people of the problem unless the accounts are used fraudulently. The lawsuit asks that the companies notify all people whose data were exposed and provide special notification to the 200,000 whose data were stolen. The suit also asks that chargeback fees and penalties to merchants be waived on transactions where the information was used fraudulently.
FIPS-201 Implementation Plan Deadline (24 June 2005)
Monday, June 27 was the deadline for all major US government agencies to submit their detailed plans for implementing a 2004 Homeland Security Presidential Directive that requires government-wide adoption of smart cards for physical and IT systems access. The requirements are described in Federal Information Processing Standard 201. The first phase of FIPS-201 must be implemented by October 27, 2005; agencies must have in place processes for employee identification verification, registration and the issuing of ID cards. The deadline for the second phase, when the agencies start using the cards, is October 2006. The cards must support two-factor authentication and be interoperable across all agencies.
[Editor's Note (Schultz): This requirement will do worlds of good for security within government agencies, but I am extremely skeptical of agencies' ability to comply with the first phase requirements by October of this year. Everything in government circles works slowly, and implementing smart cards within agencies will not be trivial. ]
************************* Sponsored Links: ******************************
1) Earn your Master's degree in Information Security from an NSA-recognized online program. http://www.sans.org/info.php?id=809
2) What Does Secure On Demand Access Really Mean? Faster, better, cheaper remote access solutions. Free White Paper.
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Japanese Government Investigating Leak of Nuclear Plant Data (24 June 2005)
The Japanese government is investigating a computer security breach that exposed confidential data about Japanese nuclear plants. The information was leaked when a computer that had file-sharing software on it became infected with a virus, which sent the confidential files to the Internet.
[Editor's Note (Grefer): The importance of a distributed firewall architecture cannot be emphasized often enough. Centrally managed local "personal" firewalls on each computer can provide an early warning of attempts by malware to "call home". ]
California Legislators Move Toward Expanding Security Breach Notification Laws (22 June 2005)
California legislators are moving closer to expanding a law that requires notification about consumer data security breaches to include compromise or loss of paper records and back-up tapes.
[Editor's Note (Schultz): This makes a great deal of sense. Records are records, regardless of whether they are paper or electronic records. ]
SPAM & PHISHING
Alleged Spammer First to be Tried Under Australia's Spam Law (24/23 June 2005)
The Australian Communications Authority will try Wayne Mansfield, managing director of Clarity 1, for allegedly sending at least 56 million spam messages since Australia's Spam Act took effect in April 2004. The ACA is also seeking an interim injunction against Clarity 1 to prevent it from sending out more unsolicited email until the court hearing, which is scheduled for July 20. Mansfield maintains he has not broken the law and is looking forward to proving his innocence in court.
Microsoft Suing German Company for Sending Spam (22 June 2005)
Microsoft is suing an unnamed German company for allegedly inundating Hotmail users with spam. The German company allegedly used organizations in the US and the Ukraine to send the unsolicited commercial email. The company's director denies any personal wrongdoing; he says his partners are responsible for the spam and that they are "out of control." Because Germany does not presently have any laws against distributing spam, Microsoft is seeking an injunction in an attempt to shut down the North Rhine Westphalia-based company under German fair trade law.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
RealNetworks Releases RealPlayer Updates to Address Four Vulnerabilities (24/23 June 2005)
RealNetworks has made updates available for four security holes in current and older versions of RealPlayer. The most serious of the flaws could allow an attacker to take control of vulnerable systems and are present in RealPlayer for Windows, Mac OS and Linux. Attackers could use specially crafted RealMedia, AVI and MP3 files to exploit the vulnerabilities.
Veritas Patches Multiple Critical Flaws in its Backup Software
Veritas backup software has significant flaws that should be patched immediately; the SANS @RISK newsletter reports that an active exploit for the vulnerabilities is circulating. Details may be found at
[Editor's Note (Grefer): Note the absence of Opera from the list of vulnerable browsers. ]
Weaknesses in Wireless LAN Session Containment (19 May 2005)
While reviewing distributed WLAN intrusion detection systems, SANS Institute wireless security researcher Joshua Wright noticed some problems with "how they attempt to contain a client and prevent it from connecting to a rogue or protected wireless network," and wrote a paper about the vulnerabilities.
STATISTICS, STUDIES & SURVEYS
Survey Predicts Slow Growth for Business to Consumer Internet Sales (24 June 2005)
In a Gartner survey of 5,000 US consumers, 42% said concerns about attacks had affected their online purchases to some extent. Of that 42%, three-quarters are careful about which sites they make online purchases with and one-third buy fewer items on the Internet due to security concerns. 28% of the 5,000 have changed their online banking practices. Of that 28%, three-quarters log into bank accounts less frequently, 14% stopped using online bill payment and 4% have abandoned online banking altogether. Most of those surveyed said they delete, unread, email from people and businesses they do not know. The reasons given for the increased concern and decreased online buying are the recent disclosures of customer data losses and unauthorized access. Business to consumer sales will increase more slowly than previously thought, according to Gartner.
CardSystems Data Exposed by Malicious Program (21 June 2005)
A MasterCard International spokesperson said that the CardSystems breach occurred when attackers exploited vulnerabilities to install a program that captured credit card information. That malicious code was discovered during an investigation "triggered by a MasterCard inquiry into atypical reports of fraud." The investigation also revealed that CardSystems did not meet MasterCard's security requirements: it held onto data longer than it should have and stored them unencrypted.
ChoicePoint Data Security Modifications Taking Longer Than Expected (24 June 2005)
Following the disclosure that fraudsters had managed to steal data belonging to 145,000 people from its computer system, ChoicePoint announced in March that it would undertake changes to prevent such a data breach from happening again. Among the stated changes was that ChoicePoint would sell data only when certain strict criteria were met. ChoicePoint had said in March that the changes would be "substantially completed" within 90 days, but a spokesperson for the company said last week that the changes have not yet been completed and probably will not be complete in the near future.
Indian Police Need Formal Complaint Before They Can Arrest Alleged Data Thief (24/23 June 2005)
A man who reportedly sold data on 1,000 bank accounts of UK citizens to an undercover reporter in India is still at large. The information was reportedly stolen from call centers. Delhi police cannot arrest the man, Karan Bahree, until they receive a formal complaint either from the call centers where the data were stolen or from banks or individuals in the UK affected by the theft. In a BBC interview, Mr. Bahree said he gave a CD to the undercover reporter at the behest of another person and did not know what the disk contained. UK organizations that outsource customer services are liable for security problems that arise; the banks affected in this case could be found to be in violation of the UK's Data Protection Act.
AT&T Corp. to Premiere Internet Security News Network Within the Next Year (23 June 2005)
AT&T Corp aims to provide the first single point of contact service for Internet security issues with its development of a video streaming Internet security service, which will be available 24 hours a day to its customers within the next nine to 12 months. The service, called the Internet Security News Network or ISN, will feature interviews with security professionals and experts as well as constant monitoring, updates and advice for emerging threats. ISN is part of AT&T's Cyber Security Defense Initiative.
Iowa State University to Develop Attack Simulation Lab (20 June 2005)
Iowa State University will use a US$500,000 Justice Department grant to fund the Internet-Simulation Event and Attack Generation Environment, a cyber security laboratory that hopes to create accurate simulations of online attacks.
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit