SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #30
July 27, 2005
TOP OF THE NEWS
SANS Top 20 Critical Internet Vulnerabilities: Growing Number of Security Holes in Data Backup Products
Man in UK Sentenced for Hijacking Wireless Connection
FDIC Issues Best Practices to Fight Spyware
Bonus: Fifteen States Now Have Legislation Requiring Disclosure of Security Breaches
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DHS Cyber Security Preparedness Exercise to be Held in November
GAO Says DHS Falling Short on Critical Infrastructure Protection
NIST Releases FISMA-Related Draft Documents for Comment
SPAM & PHISHING
US$1.26 Million in Fines Levied for Improperly Identified Commercial eMail
Known Spammer Found Dead in Moscow
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Looking Into Reported Buffer Overflow Flaws in IE 6.0 SP2
Firefox Users Urged to Uninstall Newer Versions of Greasemonkey Due to Critical Vulnerability
Breatel.AA-mm Worm launches DDoS Against Symantec Site
ATTACKS & INTRUSIONS & DATA THEFT
SpreadFirefox.com Taken Offline After Security Breach
CardSystems Congressional Hearing Elicits Finger Pointing
ChoicePoint takes US$6 Million Charge in Second Quarter for Security Breach Costs
Visa, American Express Stop Using CardSystems Solutions
Man Charged in Alleged Physician Answering Service Sabotage
New Jersey Law Requires Voter-Verified Paper Audit Trail by Jan. 1, 2008
********************* Sponsored by WatchFire Corp. *********************
FREE Vulnerability Assessment & Testing Utilities. Watchfire AppScan sets the standard for automated web application vulnerability assessments. Download now and try for yourself. While you're at it, why not try the new Watchfire PowerTools: a set of five free utilities designed to assist you as you develop, test and debug your web applications.
********************** SECURITY TRAINING NEWS ***************************
1) SANS Network Security 2005 in New Orleans (October) just opened for registration http://www.sans.org/ns2005
2) SANS Silicon Valley (September) just opened for registration. 12 tracks and a vendor exposition. http://www.sans.org/siliconvalley2005/
Why Attend SANS Training Instead of Less Effective Courses? "SANS reminds me of 'The Matrix'. You can take the blue pill and go on happily thinking your network is safe, or you can take the red pill and find out what the computer world is really like. This class is the red pill, and if it doesn't drive you insane in the process, you will leave better prepared to handle the real world of security." (Shawn Wenzel, Par Pharmaceutical)
TOP OF THE NEWS
SANS Top 20 Critical Internet Vulnerabilities: Growing Number of Security Holes in Data Backup Products
(26/23 July 2005) According to the SANS Institute's most recent Top 20 Most Critical Internet Vulnerabilities list, there were 422 new vulnerabilities in the second quarter of 2005, up 10.8 percent from the 381 reported in the first quarter. Of particular concern is the growing number of vulnerabilities in some data back-up products. Microsoft's Internet Explorer "is the primary vehicle for attack," according to the study. All the flaws on the list have patches available.
Man in UK Sentenced for Hijacking Wireless Connection
(22 July 2005) Gregory Straszkiewicz has received a one-year conditional discharge for piggybacking on a wireless network set up in a private residence. Mr. Straszkiewicz, who was also fined GBP 500 (US$868.68), was prosecuted under sections 125 and 126 of the UK's Communications Act 2003.
FDIC Issues Best Practices to Fight Spyware
(22 July 2005) The Federal Deposit Insurance Corporation (FDIC) has released best practices for financial institutions to follow to guard against the dangers of spyware. Among the recommendations: institutions should begin using multi-factor authentication and they should advise their customers about the dangers of using public computers to connect to banking and other financial sites.
Bonus: Fifteen States Now Have Legislation Requiring Disclosure Following Security Breaches
California's Security Breach Notification Act in 2003 established the practice of requiring organizations to inform consumers if their personal information is disclosed through computer attack or loss of computer equipment or software. Now fourteen other states have similar laws going into effect during 2005 and 2006. Many parallel California's law closely, but others, like the one in Illinois, are much broader. Illinois's law covers all organizations that handle non-public personal information, and their failure to disclose a breach constitutes fraud. Here are the dates when the new laws take effect.
2005: Arkansas (March), Georgia (May), North Dakota (June), Florida (July), Tennessee (July), Washington (July), Texas (September)
2006: Connecticut (January), Illinois (January), Minnesota (January), Nevada (January), Maine (March), Montana (Montana), Indiana (July)
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DHS Cyber Security Preparedness Exercise to be Held in November
(22/20 July 2005) Andy Purdy, acting director of the Department of Homeland Security's National Cyber Security Division (NCSD), said DHS will conduct a large-scale cyber security preparedness and response exercise in November. Dubbed Cyber Storm, the national exercise was developed by the National Cyber Response Coordination Group (NCRCG), a group of federal agencies including NCSD, the Justice Department and the Department of Defense.
[Editor's Note (Grefer): While such exercises might help to improve interagency communications, it would help if all agencies at least would comply with current minimal federally mandated security requirements. ]
GAO Says DHS Falling Short on Critical Infrastructure Protection
(19 July 2005) In testimony before the Senate Homeland Security and Government Affairs Subcommittee on Federal Financial Management, Government Information and International Security, the Government Accountability Office's director for IT Management Issues, David Powner, said the Department of Homeland Security has not taken adequate measures to protect the country's critical infrastructure. Mr. Powner said DHS should heed suggestions made by the GAO, including creating a detailed strategy to protect critical infrastructure control systems and completing "threat and vulnerability assessments for each sector of the infrastructure." In his testimony, Mr. Powner also noted the high rate of personnel turnover in the National Cybersecurity Division, which has hindered efforts to plan and complete activities.
NIST Releases FISMA-Related Draft Documents for Comment
(18 July 2005) The National Institute of Standards and Technology has released drafts of two information security-related documents for comment. Both documents are aimed at helping federal agencies comply with Federal Information Security Management Act requirements. NIST will accept comments on Draft Special Publication 800-53A: Guide for Assessing the Security Controls in Federal Information Systems through August 31, 2005; comments on Draft Federal Information Processing Standard (FIPS) 200: Minimum Security Requirements for Federal Information and Information Systems may be submitted through September 13, 2005.
SPAM & PHISHING
US$1.26 Million in Fines Levied for Improperly Identified Commercial eMail
(20 July 2005) Five companies will pay fines totaling US$1.26 million for sending unsolicited pornographic email messages that lacked subject lines identifying them as containing sexually explicit material, in violation of Federal Trade Commission rules. The companies have also agreed to be monitored by the FTC for compliance. The FTC said that three other companies have agreed to pay fines for sending improperly identified spam.
Known Spammer Found Dead in Moscow
(26 July 2005) Vardan Kushnir, a man known to be a spammer, was found beaten to death in his Moscow apartment. No motive for his murder has been established and it is not known if it is related to his spamming activities, though Mr. Kushnir has been the target of revenge attacks in the past.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Looking Into Reported Buffer Overflow Flaws in IE 6.0 SP2
(21 July 2005) Microsoft is investigating reported flaws in the way in which Internet Explorer 6.0 SP2 handles JPEG images. One of the vulnerabilities could reportedly be used to execute arbitrary code remotely. The researcher who reported the flaws and posted them on the Internet chose not to inform Microsoft of the flaws prior to doing so because he believes discussing security problems with the company "is a needlessly lengthy process."
Firefox Users Urged to Uninstall Newer Versions of Greasemonkey Due to Critical Vulnerability
(19 July 2005) A severe flaw in the Greasemonkey Firefox browser extension has prompted developers to strongly recommend that users uninstall all versions of Greasemonkey prior to 0.3.5. Greasemonkey allows users to run user scripts on web pages they visit to modify their surfing experience. Running Greasemonkey scripts on websites could expose every file on local hard drives to that site. The flaw could be exploited to steal world-readable files.
Breatel.AA-mm Worm Launches DDoS Against Symantec Site
(18 July 2005) MessageLabs has intercepted nearly 14,000 copies of the Breatel.AA-mm worm, which recruits infected computers to become part of a botnet that attacks the Symantec website.
ATTACKS & INTRUSIONS & DATA THEFT
SpreadFirefox.com Taken Offline After Security Breach
(18 July 2005) SpreadFirefox.com was taken offline after evidence of a July 10 intrusion surfaced on July 12. The attackers exploited an unpatched hole in the software that runs the site; patches have now been applied. Mozilla says the machine that was attacked was likely used to send spam, but acknowledged that it is possible that the attackers had access to usernames, passwords and other information that people may have provided on the web site. Mozilla is encouraging SpreadFirefox.com users to change their passwords.
CardSystems Congressional Hearing Elicits Finger Pointing
(22/21 July 2005) During a congressional hearing, CardSystems Solutions maintained that the auditing company it hired to ensure its systems were compliant with Visa's Cardholder Information Security Program did not do a thorough job; the auditing company maintains it examined the computers CardSystems asked it to and found them to be in compliance. When Merrick Bank, which made payments to merchants using CardSystems Solutions, brought in a different auditor after the disclosure of the breach, it found problems that hadn't been turned up by the first auditing company. The hearing was held in an effort to determine whether there should be new laws to prevent massive security breaches in the future.
[Editor's Note (Schneier): What we need isn't new laws to prevent massive security breaches, but new laws to fix liability if and when massive security breaches occur. ]
ChoicePoint Takes US$6 Million Charge in Second Quarter for Security Breach Costs
(20 July 2005) ChoicePoint took a US$6 million charge in the second quarter to cover costs incurred by addressing the security breach that led to the exposure of data on 145,000 people and at least 750 cases of identity theft. ChoicePoint recorded US$5.4 million in costs in the first quarter. US$2 million was for communication, credit reports and monitoring service for those affected; the remaining US$9.4 million was for legal and other fees. The charges had little effect on ChoicePoint's quarterly profit; second quarter net profit was US$36.4 million compared to US$36.3 million a year ago.
Visa, American Express Stop Using CardSystems Solutions
(20/19 July 2005) Visa USA and American Express are no longer using CardSystems Solutions to process credit card transactions. The decision comes in the wake of a security breach that may have exposed data on as many as 40 million accounts. Visa has let 11 banks know that they have until the end of October to find and switch over to new payment processors. A Visa spokesperson said CardSystems cannot make up for the fact that it had been retaining data in violation of Visa's security rules. MasterCard International, on the other hand, is giving CardSystems until the end of August to improve security, but has suggested that if the payment processor cannot demonstrate that it is complying with security rules by August 31, the future of their business relationship will be at risk.
[Editor's Note (Schneier): I think this is a positive development. I have long said that companies like CardSystems won't clean up their acts unless there are consequences for not doing so. Credit card companies dropping CardSystems sends a strong message to the other payment processors: improve your security if you want to stay in business. ]
Man Charged in Alleged Physician Answering Service Sabotage
(19 July 2005) The founder of a company that provides answering services for physicians allegedly broke into a competitor's computer system and impeded the callers' ability to reach their doctors; callers heard either a busy signal or heavy breathing. Gerald Martin of Pawling, NY, could face up to seven years in prison if convicted of the charges of computer tampering and possession of a forged instrument.
New Jersey Law Requires Voter-Verified Paper Audit Trail by Jan. 1, 2008
(15 July 2005) Acting New Jersey Governor Richard J. Codey has signed into law a measure requiring that all electronic voting machines used in the state provide a voter-verifiable paper audit trail. The measure does not take effect until January 1, 2008, which some election reform activists feel is too far off. Proponents of reform have taken legal action protesting the delay.
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit