Register now for SANS Cyber Defense Initiative 2016 and save $400.

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #36

September 07, 2005


A longer introduction to NewsBites this week, for a good cause:

The American Red Cross needs help in areas that NewsBites readers know well. SANS Internet Storm Center is leading the search for technically savvy volunteers who can help in two ways - at the shelters in implementing Windows and Cisco systems for the volunteers and people living there, and at Red Cross headquarters in the Washington DC area to improve the implementation of security software tools that have been implemented but are not fully exploited. Here's how you can help.

1. People who live near the shelters (or who could get there and who have family/friends with whom you could stay), and who have lots of experience deploying Windows XP and/or Cisco systems, please register your willingness to help at

http://isc.sans.org/volunteers The Red Cross will contact you directly.

2. People in the Washington DC area (or who could get here quickly) and would volunteer to help, and who have substantial experience with any of the following:

-- tuning Cisco IDS -- tuning NetIQ Manager -- tuning McAfee ePolicy Orchestrator

please do two things: a. register at http://isc.sans.org/volunteers and b. send me an email at paller@sans.org telling me which tool you know well and how available and close you are so I can set up a contact for you.

SANS is also donating $100,000 to the Red Cross, and we learned today that at least one leading security vendor, TippingPoint, has offered to give the Red Cross the equipment they need to protect their networks - without asking for compensation.

If you know of people or companies in the IT or security field who are trying to make a difference in the recovery effort, please let us know what you or they are doing (Email paller@sans.org).

Alan

PS. SANS Network Security 2005 (October 24-30) has moved to Los Angeles from New Orleans. All of the great courses, the award-winning teachers, the expositions, the special sessions, the evening programs, and some additional bonus programs will be there. We'll announce the hotel tomorrow (the hotel is setting up the discounted room registration today). But please register right away for the conference to get space in the courses you want. http://www.sans.org/ns2005 and for SANS security and audit training in a twenty other cities around the world: www.sans.org

TOP OF THE NEWS

Federal Agencies Set Procurement Language to Buy Security "Baked-In"
Consumer Reports: One Third Of Net Users Damaged By Malware
New York's Data Theft Notification Law May Replace California's as de Facto National Standard
Gulf Coast Businesses Activate IT Disaster Recovery Plans

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Admitted ChoicePoint Data Thief Faces Additional Charges
Man Pleads Guilty to Selling Windows Source Code
UK Court Approves Extradition for Couple to Face Charges of Industrial Espionage
LEGISLATION
New South Wales Workplace Surveillance Act Requires Clear Facilities Use Policies
California Puts Aside RFID Blocking Bill
SPAM & PHISHING
Reputation Filters Help Web Site Identify Which Machines and Domains are Sending Spam
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Australian Court Finds in Favor of Recording Industry, Against Kazaa
Korean Court Rules Soribada Must Stop P2P Service
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Warns of Problem in Windows Firewall
MP3 Players Recalled Due to Worm-Infected File
Workaround Available for HP Network Node Manager Flaw
Microsoft Investigating Possible Remote Code Execution Flaw in IE
ATTACKS, INTRUSIONS & DATA THEFT
Phony Yahoo Site Tries to Collect User Names and Passwords
MISCELLANEOUS
Windows Vista Patching Technology Will Require Fewer Restarts
Trusted Computing Group Releases Best Practices Document for TPM
Alternative Browsers Present Challenges for Cyber Investigators
Myfip Could be Part of Titan Rain
INTERESTING NEWS AND ANALYSIS PUBLICATIONS
Bruce Schneier's Cryptogram


************* Sponsored by LURHQ Managed Security Services *************

Enhance your security posture and painlessly comply with regulations in a cost effective manner with LURHQ's integrated suite of Managed Security Services. LURHQ's services integrate key operational processes and security technologies to deliver an effective Threat and Vulnerability Management solution. Learn more by downloading our "Delivering Threat and Vulnerability Management" presentation, featuring Gartner's Kelly Kavanagh.

http://www.lurhq.com/gartner.html

*************************************************************************

TOP OF THE NEWS

Federal Agencies Set Procurement Language to Buy Security "Baked-In" (1 September 2005)

The federal government is taking steps to build security requirements into vendor contracts. According to HUD CIP Lisa Schlosser, all Housing and Urban Development vendor contracts now must include minimum baseline standards. In addition, the CIO Council is working with the General Services Administration's SmartBuy office to ensure that security is built into existing and future agreements.
-http://www.gcn.com/vol1_no1/daily-updates/36876-1.html
[Editor's Note (Paller): Procurement (and $70 billion a year in IT spending) is the single biggest lever the federal government can wield to improve security for the critical infrastructure. Kudos to HUD and the Air Force that led the way in using procurement to force vendors to deliver safer systems. As HUD's contract clauses gain broad adoption in government, all other buyers will be benefited as the vendors decide to deliver safer systems to everyone. ]

Consumer Reports: One Third Of Net Users Damaged By Malware (September 2005)

In the 2005 Consumer Reports State of the Net survey, the team led by Jeff Fox found that home users of the Internet have a 1-in-3 chance of sustaining computer damage and/or financial loss due to malware. According to the survey, Americans spent over US$2.6 billion on software to protect their computers last year, but also spent US$9 billion on repairs, parts and replacements due to the damage caused by malware. Consumer Reports maintains that on line threats are worse than they were a year ago due to "government inertia and consumers' imprudent practices." In addition the researchers discovered that major consumer products companies are actually providing the economic sustenance for spyware by buying advertising distributed using the scourge. The culprits include computer companies that then make money when users find their systems so overrun with spyware that they give up and buy a new computer.
-http://www.consumerreports.org/main/content/display.jsp?FOLDER%3C%3Efolder_id=76
0009&bmUID=1126013586822

New York's Data Theft Notification Law May Replace California's as de Facto National Standard (2 September 2005)

New York became the 19th state to pass a data security breach notification law; it will take effect in mid-December, 2005. The New York law will require all companies that do interstate business to abide by its provisions; it is stricter than the California law that has become "the de facto standard." The New York law makes no exceptions for small breaches, companies with their own disclosure policies or breaches unlikely to lead to identity theft. Data brokers have called for a national security breach notification law so they do not have to navigate a patchwork system of state laws. Congress is likely to look at passing legislation regarding data security breach notification this fall.
-http://www.infoworld.com/article/05/09/02/HNcongressdata_1.html
[Editor's Note (Schultz): New York's disclosure law is another step in the right direction as far as this type of legislation goes. As data brokers have pointed out, however, having one disclosure law in one state and another in another state is likely to result in massive confusion. National legislation requiring disclosure in the event of a compromise of personal and/or financial information is the logical solution; it is difficult to understand why the U.S. Congress has been so slow in passing such legislation. (Paller) I hope Gene Schultz is correct, but I fear the business lobbyists may spend enough money in Washington to persuade Congress to pass a watered down bill that leaves so many loopholes that the impact is dulled.
(Schneier): While this is a good idea, the effectiveness of this law is diminishing. It increases security by public shaming. But as more of these disclosures happen, the press is less likely to write about them - and the public shaming is less. ]

Gulf Coast Businesses Activate IT Disaster Recovery Plans (5/1 September/29 August 2005)

Businesses in the Gulf Coast have been setting their disaster recovery programs in motion; companies that provide disaster recovery and business continuity services say many other businesses were not prepared. Affected businesses have switched to back-up networks and data centers, requested mobile trailers that have servers and satellite communications. Among Katrina's IT casualties is the US Coast Guard; a Coast Guard Data Network hub in New Orleans and Coast Guard networks all along the gulf coast have been knocked out by the storm. The SANS Institute's Johannes Ullrich says the disaster brought by Hurricane Katrina should prompt IT managers across the country to develop disaster recovery plans. Mr. Ullrich also recommends testing the plans before an actual disruption. The SANS Institute has released a list of steps for companies to take when they may be affected by a hurricane.
-http://www.zdnetasia.com/news/software/0,39044164,39252594,00.htm
-http://www.fcw.com/article90545-09-01-05-Web&RSS=yes
-http://news.com.com/2102-7350_3-5844041.html?tag=st.util.print
-http://isc.sans.org/diary.php?date=2005-08-28


************************* Sponsored Link *******************************

1) Earn your Master's degree in Information Security from an NSA- recognized online program. http://www.sans.org/info.php?id=858

************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Admitted ChoicePoint Data Thief Faces Additional Charges (31 August 2005)

A man who has already begun serving a 16-month prison sentence for his role in the ChoicePoint data theft case now faces 22 additional charges. In February 2005, Oluwatunji Oluwatosin pleaded no contest to one charge of identity theft. Mr. Oluwatosin allegedly used mail drops to trick ChoicePoint into believing he ran a legitimate business which allowed him access to the company's data. If convicted of all the charges in the new indictment, which include conspiracy, grand theft and identity theft, Mr. Oluwatosin could face up to 22 years in prison.
-http://www.computerworld.com/printthis/2005/0,4814,104276,00.html

Man Pleads Guilty to Selling Windows Source Code (30 August 2005)

William P. Genovese, Jr. has pleaded guilty to one charge of unlawfully distributing a trade secret; Mr. Genovese sold chunks of source code from Microsoft's Windows NT 4.0 and Windows 2000. He apparently obtained the code on the Internet after someone else stole it and made it available. Mr. Genovese entered his guilty plea in a federal court in Manhattan; he will be sentenced this fall. Federal prosecutors have recommended a prison sentence of 10-30 months, although the maximum penalties for this crime are 10 years in prison and a US$250,000 fine.
-http://news.com.com/2102-1016_3-5844505.html?tag=st.util.print

UK Court Approves Extradition for Couple to Face Charges of Industrial Espionage (28/26 August 2005)

A UK court has approved the extradition of Michael Haephrati and Ruth Brier-Haephrati to Israel; a British judge ruled that there was prima facie evidence that the two received payments from Israeli private investigation agencies; Mr. Haephrati is suspected of creating software that allows organizations, with the help of the private investigation firms, to break into the computer systems of competitors. UK Home Secretary Charles Clark has 60 days to decide whether or not to extradite the couple to Israel.
-http://www.globes.co.il/serveen/globes/DocView.asp?did=1000005627&fid=1725
-http://www.ynetnews.com/articles/0,7340,L-3133649,00.html

LEGISLATION

New South Wales Workplace Surveillance Act Requires Clear Facilities Use Policies (1 September 2005)

The Workplace Surveillance Act will come into effect in New South Wales (NSW), Australia in October; the legislation requires that there is an agreed upon policy regarding the use of workplace facilities understood by employers and employees. For instance, companies would have to tell their employees that their email is being monitored and that employee Internet use could be tracked and possibly filtered. Other Australian states are expected to follow NSW's lead. The legislation was prompted by the case of an employee who used workplace facilities to disseminate information about unions. The employee was fired, but was reinstated after it was discovered that the company had no policy regarding employee email use.
-http://www.smh.com.au/news/breaking/workplace-watchdog-law-a-formality/2005/09/0
1/1125302672899.html

California Puts Aside RFID Blocking Bill (30 August 2005)

The California State Assembly's Appropriation's Committee has decided to shelve the Identity Information Protection Act of 2005, which would bar the use of RFID technology in drivers' licenses and other documents. The legislation was crafted to address concerns that private citizens could be broadly monitored with the technology. The high-tech industry has lobbied against the measure, saying they are developing safeguards that would alleviate those concerns.
-http://management.silicon.com/government/0,39024677,39151785,00.htm

SPAM & PHISHING

Reputation Filters Help Web Site Identify Which Machines and Domains are Sending Spam (29 August 2005)

The TrustedSource web site uses data from about 4,000 reputation filters to help "determine whether a specific computer has been sending legitimate email or spam." Reputation filters gather data on computers that send email and from these data assign reputations to computers and domains that send email. The site can also be used for configuring spam filters and for checking which systems within organizations are sending email; it could help identify zombie machines sending spam. In addition, the site provides information on various email authentication technologies.
-http://news.com.com/2102-7355_3-5844408.html?tag=st.util.print
-http://www.trustedsource.org/

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Australian Court Finds in Favor of Recording Industry, Against Kazaa (6/5 September 2005)

An Australian federal court has found in favor of five recording labels in a copyright infringement suit brought against Sharman Networks, the owners and distributors of the Kazaa peer-to-peer file-sharing program. Justice Murray Wilcox found that Sharman took no action to prevent file sharing and has ordered Sharman to pay 90% of the recording companies' costs associated with the case. Justice Wilcox did not order Sharman to shut down the Kazaa system but did order the company to modify its technology to filter unlicensed copyrighted material; Sharman has two months to comply.
-http://www.thecouriermail.news.com.au/common/story_page/0,5936,16501516%255E953,
00.html

-http://www.cbc.ca/story/business/national/2005/09/05/kazaa_ruling20050905.html
-http://www.wired.com/news/digiwood/0,1412,68762,00.html?tw=wn_tophead_4

Korean Court Rules Soribada Must Stop P2P Service (1 September/31 August 2005)

The Seoul Central District Court has ruled that on line music site Soribada must halt its peer-to-peer file sharing service. The Korean Association of Phonogram Producers had filed in November 2004 for an injunction against Soribada. The court went even further than the injunction, saying that it is now illegal for Internet users to distribute Soribada file sharing software. If Soribada does not comply with the order, it will face stiff fines.
-http://times.hankooki.com/lpage/nation/200508/kt2005083117362711960.htm
-http://english.chosun.com/w21data/html/news/200509/200509010012.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Microsoft Warns of Problem in Windows Firewall (5/2/1 September 2005)

Microsoft has issued an advisory warning that a problem in Windows firewall could be used to hide information about open network ports from Windows XP SP2 and Windows server 2003 users, but stopped short of calling the problem a security flaw. The problem lies in the way in which the "firewall displays exception entries, which are created by administrators to allow incoming network connections; users would need administrator privileges to create exceptions in the registry. An exception created in the registry will not be displayed in the user interface but would be displayed by the command line firewall administration tools. Microsoft has made a patch available to authenticated Windows users.
-http://www.techworld.com/security/news/index.cfm?NewsID=4337
-http://news.com.com/2102-7355_3-5845850.html?tag=st.util.print
-http://informationweek.com/story/showArticle.jhtml?articleID=170700320
-http://www.microsoft.com/technet/security/advisory/897663.mspx

MP3 Players Recalled Due to Worm-Infected File (1 September/31 August 2005)

Creative Labs has recalled approximately 3,700 5GB Zen Neeon MP3 players that contain a file infected with the Wullik-B email worm. The worm spreads through email and shared network folders. PCs will become infected only if users browse the player's files and click on the infected one.
-http://www.theregister.co.uk/2005/09/01/creative_mp3_player_virus_flap/print.htm
l

-http://www.eweek.com/article2/0,1895,1854724,00.asp

Workaround Available for HP Network Node Manager Flaw (30 August 2005)

Hewlett Packard has issued an advisory warning of a vulnerability in its Network Node Manager and has offered a workaround. The flaw could allow attackers to execute malicious shell commands on vulnerable systems. There is no patch available yet. The flaw affects Network Node Manager versions 6.2, 6.4, 7.01 and 7.50 running on HP-UX, Solaris, Windows NT, Windows 2000, Windows XP and Linux. A certain script "fails to properly check inputs in a particular 'node' parameter before running them as command-line arguments." Other scripts apparently have the same problem; users can take precautions by moving those scripts to different directories.
-http://www.pcworld.com/news/article/0,aid,122356,00.asp

Microsoft Investigating Possible Remote Code Execution Flaw in IE (29 August 2005)

Microsoft is investigating a report of a remote code execution vulnerability in Internet Explorer. The flaw affects IE6 on machines running Windows XP SP2 with all current security patches. The researcher who reported the flaw to Microsoft recommends using an alternative browser.
-http://news.com.com/2102-1002_3-5844431.html?tag=st.util.print
[Editor's Note (Schultz): According to Secunia statistics (see
-http://secunia.com
), the number of vulnerabilities in IE6 has declined significantly over the last half year or so. Furthermore, many competing browsers have also had their share of vulnerabilities lately. I am not sure, therefore, that recommending using an alternative browser is appropriate any more. ]

ATTACKS, INTRUSIONS & DATA THEFT

Phony Yahoo Site Tries to Collect User Names and Passwords (31 August 2005)

A web site pretending to be a free Yahoo game service actually attempts to gather information that could be used to steal identities. The site is being hosted on a Yahoo Geocities account; site visitors are asked to supply their Yahoo user IDs and passwords. Users are being lured to the site by spam sent through Yahoo's instant messaging service; the message, which urges the recipient to visit the malicious site, appears to come from someone on the user's friends list.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39209468-20000
61744t-10000005c

MISCELLANEOUS

Windows Vista Patching Technology Will Require Fewer Restarts (5 September 2005)

Windows Vista, Microsoft's next version of its Windows operating system, will use a technology dubbed "Freeze Dry" that will reduce the number of restarts required when patching systems. It will also save user data before rebooting. In many instances, users will not have to restart computers after updating applications and in some cases will be able to patch applications while they are in use.
-http://www.zdnetasia.com/news/software/printfriendly.htm?AT=39252585-39000001c

Trusted Computing Group Releases Best Practices Document for TPM (1 September 2005)

The Trusted Computing Group's Trusted Platform Module is designed to help computers run more securely by restricting the access various applications have to data and code. Because of the potential for abuse of the technology, TCG has developed a best practices document titled Design, Implementation and Usage Principles for TPM-Based Platforms. Bruce Schneier, CTO of Counterpane Internet Security, is largely supportive of the document. However, Mr. Schneier questions Microsoft's motives in delaying the release of the document and blocking its applicability to software-only applications. Mr. Schneier suggests that Microsoft's tactics are aimed at making sure the document will not apply to Windows Vista, the company's forthcoming operating system.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39209626-20000
61744t-10000005c

-https://www.trustedcomputinggroup.org/home
-https://www.trustedcomputinggroup.org/downloads/bestpractices/Best_Practices_Pri
nciples_Document_v1.0.pdf

[Editor's Note (Schultz): Microsoft has adopted the posture that it puts security first. It thus behooves Microsoft to explain its rationale for delaying the release of this best practices document and making it inapplicable to software-only applications. ]

Alternative Browsers Present Challenges for Cyber Investigators (31 August 2005)

Forensic cyber investigators may have a more difficult time tracking down important information on alternative browsers such as Firefox and Opera. Investigators are usually familiar with where to find the cache, cookie files and history on Internet Explorer, but the other browsers keep the information in different locations. In addition, most common forensic tools are helpful in searching for evidence on IE but may not work as well on the other browsers. One particular challenge is the fact that it is more difficult to determine whether a computer user clicked on a link or manually typed a URL when visiting a site on Firefox or Opera than it is on IE; this information is important because it can mean the difference between accidentally clicking on a link and deliberately visiting a specific address.
-http://news.com.com/2102-7348_3-5845409.html?tag=st.util.print
[Editor's Note (Ranum): This sounds like a problem of "too many investigators not knowing what they are doing" rather than "alternative browsers present challenges." Any decent sysadmin should be able to figure out where any browser stores its cache and cookies in about 2 minutes, tops. ]

Myfip Could be Part of Titan Rain (31 August 2005)

Although the Myfip worm has relatively low profile, it could be part of the Titan Rain attacks, that are believed to be coming from China. It is precisely malware like Myfip, which doesn't attract a great deal of attention, which could surreptitiously enter the US government computer systems targeted by the attacks. When Myfip first appeared in August 2004, it stole .pdf files; current versions search out Word documents and a variety of CAD/CAM files, the sorts of files that contain much of companies' intellectual property. In addition, Myfip and its variants have been traced back to China.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1120855,0
0.html

[Editor's Note (Shpantzer): Pretty soon we'll be seeing malware that goes for the Google Desktop Search (GDS) cache. If GDS is on the machine and it's configured to take snapshots of the web cache and file types, such as password protected Office docs, then the GDS will possibly be a very valuable mechanism for defeating password protection and encryption in folders and virtual disk partitions. Please take a look at your organization's use of GDS and make some decisions about what should and shouldn't be indexed by GDS. Their new version allows for central administration and encryption of the cache:
-http://desktop.google.com/enterprise/index.html]

INTERESTING NEWS AND ANALYSIS PUBLICATIONS

Bruce Schneier's Cryptogram

If you don't regularly read Bruce Schneier's monthly email on what's happening in cybersecurity, it is definitely worth a look. His commentary and analysis doesn't pull any punches, and his outspoken positions at least get a hearing in Washington DC policy discussions. Topics range all over cybersecurity, to privacy and beyond. Last month he wrote about the Cisco debacle at BlackHat, Virginia's errors in stopping illegal IDs, RFID chips in US passports, and more. You'll find that issue at
-http://schneier.com/crypto-gram-0508.html
Previous issues along with a free subscription URL can be found at
-http://schneier.com/cg.html


NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan
Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier,
Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/