SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #29
July 20, 2005
TOP OF THE NEWS
Reorganization Within DHS Includes Assistant Secretary Position for Cyber Czar
While Computer Attack Costs are Down, Data Theft Costs Increase
Number of Zombie Computers Growing Quickly, Says McAfee
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Australian Water Utilities to Assess SCADA Security
Alleged Defense Computer Intruder Says Security Was Poor
GAO Report Finds DHS Information Security Lacking
British Parliament Likely To Increase Sentences for Cyber Crimes
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Court Says Third Party Monitor Erred, ISPs Do Not Have to Reveal Song Swappers' Identities
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
DoS Vulnerability in Windows Remote Desktop Service
ICC Flaw in Microsoft Internet Explorer and MSN Messenger
Cisco Warns of DoS Vulnerabilities
MIT Releases Patches for Critical Kerberos Flaws
Oracle Quarterly Security Update
ATTACKS & INTRUSIONS & DATA THEFT
UK's NHCTU Investigating DoS Attack on Police Network
******************** Sponsored by CipherTrust ***************************
FREE Online Webcast: Are you doing enough to protect your intellectual property and ensure compliance with onerous privacy regulations? Join Gartner analyst Arabella Hallawell and executives from CipherTrust to discuss the evolution of e-mail security as controlling outbound threats and regulatory compliance become critical imperatives. Register now for this August 4th online event!
******************** Security Training News *****************************
1) SANS@HOME: Live courses with SANS best teachers - without leaving your home or office - amazingly effective and satisfying. Hacker Techniques, Auditing, Forensics, SANS Security Essentials, and Firewalls all start within the next week or two. Sign up today at www.sans.org
2) SANS Network Security 2005 in New Orleans (October) just opened for registration http://www.sans.org/ns2005
3) SANS Silicon Valley (September) just opened for registration. 12 tracks and a vendor exposition. http://www.sans.org/siliconvalley2005/
Why Attend SANS Training Instead of Less Effective Courses? "SANS reminds me of 'The Matrix'. You can take the blue pill and go on happily thinking your network is safe, or you can take the red pill and find out what the computer world is really like. This class is the red pill, and if it doesn't drive you insane in the process, you will leave better prepared to handle the real world of security." (Shawn Wenzel, Par Pharmaceutical)
TOP OF THE NEWS
Reorganization Within DHS Includes Assistant Secretary Position for Cyber Czar (14/13 July 2005)
DHS Secretary Michael Chertoff has revealed his plans to reorganize some of the agencies at his department. Of particular interest are the decision to dissolve the Information Analysis and Information Protection Directorate and the elevation of the cyber czar to assistant secretary level by creating the position of assistant secretary for cyber and telecommunications security. There is no word yet on when the position will be filled.
[Editor's note (Schultz): I have felt that the DHS's Information Analysis and Information Protection Directorate functionality overlapped with functionality that already existed elsewhere within the US government, so from a taxpayer's perspective the decision to dissolve this Directorate appears to be a good one. Re. the cyber czar position being elevated to the assistant secretary level, this cannot hurt. DHS security has a long way to go, but some of the decisions that this department has made recently appear to be in the right direction. ]
While Computer Attack Costs are Down, Data Theft Costs Increase (18 July 2005)
A survey from the Computer Security Institute (CSI) and the FBI found that the average losses due to computer attacks dropped 61% in 2004. The 700 companies and government agencies who responded to the survey reported an average cost for cyber attacks of US$204,000 in 2004 compared to an average of US$526,000 in 2003. This is the fourth consecutive year in which the cost has dropped. However, the cost associated with information theft has increased more than US$51,000 from last year. Theft of proprietary information cost the respondents an average of US$355,000 in 2004, compared to US$169,000 in 2003.
[Editor's Note (Schultz): Although I am always skeptical about any information security-related statistics, I feel that these statistics make a good deal of sense. "Classic" types of attacks appear to be occurring less and less; identity theft attempts and other attacks intended to enable perpetrators to make money through other means are on the rise. I wonder how many information security practices around the world have adjusted their risk management strategies accordingly. ]
Number of Zombie Computers Growing Quickly, Says McAfee (13 July 2005)
A report from McAfee says that the number of computers infected with zombie code is increasing at an alarming rate. Incidents involving bot code increased to 13,000 in April through June of this year, four times the number for the preceding three months.
************************* Sponsored Link ********************************
1) ALERT: "How a Hacker Launches a SQL Injection Attack!"- White Paper http://www.sans.org/info.php?id=819
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Australian Water Utilities to Assess SCADA Security (14 July 2005)
Australian water utilities plan to assess the security of their Supervisory Control and Data Acquisition systems as part of the country's Computer Network Vulnerability Assessment to secure its critical infrastructure.
[Editor's Note (Schmidt): There can be many lessons learned from this assessment that should translate into improved security in other sectors AND give vendors that create SCADA devices a better set of requirements to build more secure DCS. ]
Alleged Defense Computer Intruder Says Security Was Poor (13 July 2005)
Gary McKinnon, the British man who faces extradition to the US on charges he broke into and damaged US defense-related computer systems, says weak security on those systems enabled him to exploit them. Mr. McKinnon maintains that on one system, the local administrator's password was blank.
[Editor's Note (Pescatore): Unfortunately for Mr. McKinnon, the administrator's stupidity isn't an excuse for illegal action. Stealing a car because the keys were in the ignition, or coming into a house to use the phone because the front door wasn't locked, are still illegal acts. But, I have to admit: I'd really love to see more Darwinian retribution applied to the people leaving things wide open. The "attractive nuisance" is one concept lawyer types have proposed, that typically hasn't held up for anyone above college age. How about the good old free market solution - fire the system administrator who wasn't checking for weak passwords?
(Shpantzer): Wow, this is like a hacker from Hollywood central casting. A thirty-nine year old "unemployed UFO enthusiast" computer addict with a belief in 9/11 conspiracies and UFO coverups. Conspiracy theories are a great labor-saving device, especially for those who are so deluded that they believe the government can actually coordinate a long-term cover up of anything as important as UFOs and 9/11. Note that a sizable portion of every weekly NewsBites covers the lack of coordination at the federal level in the intelligence and homeland security communities. ]
GAO Report Finds DHS Information Security Lacking (11 July 2005)
A Government Accountability Office report says the Department of Homeland Security's computer systems do not adequately ensure their own security and the security of the information they contain. Among the problems are risk assessments that have not been completed and incomplete implementation of security plans and policies. The applications and agencies selected for review in the GAO report include US-VISIT, the Transportation Security Administration and the Emergency Preparedness and Response Directorate.
British Parliament Likely To Increase Sentences for Cyber Crimes (15/14 July 2005)
British MPs say they are in favor of a Ten Minute Rule Bill proposed by MP Tom Harris that would amend the Computer Misuse Act (CMA) to increase prison time for those convicted of cyber crimes. The bill, which includes recommendations made by the All Party Parliament Internet Group (APIG) during an inquiry into the CMA in 1994, would create a specific offense for denial-of-service attacks and increase sentences from six months to two years, and from five years to 10 years for further related offenses. Ten Minute Rule Bills do not generally lead to legislation; however, MP Harris has been given the opportunity to read the bill again in early December.
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Court Says Third Party Monitor Erred, ISPs Do Not Have to Reveal Song Swappers' Identities (12 July 2005)
A Dutch court ruled that five Dutch Internet service providers do not have to reveal the identities of 42 people suspected of illegal music downloading. The Dutch Protection Rights Entertainment Industry Netherlands (BREIN) knows only the people's IP addresses. The court said that a third party monitoring company hired by BREIN looked at shared Kazaa files, which could also have contained files for personal use, which means there is not adequate proof that the files were uploaded. The court said the ISPs could be forced to reveal customers' identities, but only if the investigation starts over from the beginning.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
DoS Vulnerability in Windows Remote Desktop Service (18 July 2005)
A flaw in the Windows Remote Desktop Service in Windows XP could allow attackers to launch denial-of-service attacks and crash vulnerable systems. Microsoft is aware of the vulnerability, though there is no patch currently available.
[Editor's Note (Tan): Update: Microsoft has confirmed the DoS vulnerability and has issued an advisory with workarounds. The advisory is at
ICC Flaw in Microsoft Internet Explorer and MSN Messenger (18 July 2005)
A flaw in Microsoft's Internet Explorer web browser and its MSN Messenger client could allow attackers to crash or run arbitrary code on vulnerable systems. The problem lies in the way in which the products handle International Color Consortium Profiles. The flaw could be exploited to spread malware.
Cisco Warns of DoS Vulnerabilities (15 July 2005)
Cisco has released a patch for a vulnerability in its CallManager software that could allow attackers to launch denial-of-service attacks on IP telephony networks. Cisco has also released software that blocks the attack so customers can be protected while they install and test the patch. Affected versions of CallManager include 3.3 and earlier as well as 4.0 and 4.1. Cisco has also released patches for flaws in its Cisco Security Agent software and the Cisco ONS 15216 Optical Add/Drop Multiplexer (OADM).
MIT Releases Patches for Critical Kerberos Flaws (14 July 2005)
The Massachusetts Institute of Technology has released patches for two critical vulnerabilities in Kerberos. The flaws could be exploited to crash or even gain unauthorized access to computers running the open source authentication technology. Several vendors have released patches for the flaws, which affect Kerberos 5 Release 1.4.1.
[Editor's Note (Schmidt): Just when we thought that every vulnerability that could have been found in Kerberos had been found and fixed. Reinforces the argument that writing secure code that will stand the test of time is not here yet. ]
Oracle Quarterly Security Update (13 July 2005)
Oracle's quarterly security update, released last week, includes fixes for flaws in its database, application server and business applications, as well as other products.
ATTACKS & INTRUSIONS & DATA THEFT
UK's NHCTU Investigating DoS Attack on Police Network (12 July 2005)
Experts from the UK's National Hi-Tech Crime Unit are helping to investigate a denial-of-service attack that attempted to take down the Greater Manchester Police computer systems. They are hopeful the culprit will be found; an individual responsible for a similar attack two years ago has been arrested.
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/