SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #38
September 21, 2005
TOP OF THE NEWS
Verizon Wins Injunction Against Company That Allegedly Stole Customer Information
Trend Micro Study Shows Users Take More Risks on Work Computers
Gartner: CISOs Will Need Business Skills to Compete in the Future
Microsoft Bans Weak Crypto in New Code
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Teen Sentenced for T-Mobile Break-In
Redbus Founder Pleads Guilty to Intercepting Email; Says He Will Appeal
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
TSA Network Security Still Not Where it Should be, Says DHS IG
UK Home Office Says Organizations Will Have Graded Access to National ID Database
Navy Publishes Acceptable Use Policy for Personnel
Proposed Law in Singapore Would Allow Individuals to Sue Spammers
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
P2Load.A Worm Spreads on P2P Networks
Apple OS X Updates Address Java Flaws
Upgrade Available for Linksys WRT54G Wireless Router
Exploits Discovered for Mozilla and Firefox IDN Flaw
ATTACKS & INTRUSIONS & DATA THEFT
Stolen Berkeley Laptop Recovered; One Man Arrested
STANDARDS & BEST PRACTICES
Common Vulnerability Scoring System Ready for Wider Use
Symantec's Internet Security Threat Report
Qantas Leads the Push for De-Perimeterization in Australia
Longhorn to Have New Security Features
Keyboard Sounds Reveal What is Being Typed
Microsoft's Decision to Delay Patch Release Highlights Pros and Cons of Scheduled Security Updates
VoIP Newsletter Subscriber Email Address List Inadvertently Sent to All
Red Cross IT Staff Keeps Networks Running, Asks for Help in Stopping Fraud
New Orleans Companies Mull IT Disaster Recovery Plans
TOP OF THE NEWS
Verizon Wins Injunction Against Company That Allegedly Stole Customer Information (15 September 2005)
A New Jersey State Superior Court has granted Verizon Wireless a permanent injunction against Tennessee-based Source Resources barring the company from "acquiring, possessing or selling customer account information without either a court order or the subscriber's permission." According to Verizon, Source Resources advertised on its web site that it would, for a fee, obtain wireless phone records. Verizon sued Source Resources after a Verizon customer complained that the company had accessed his wireless phone records without his permission.
Trend Micro Study Shows Users Take More Risks on Work Computers (13 September 2005)
According to a study from Trend Micro, "computer users are more likely to engage in risky Internet behavior at work because they believe their IT department will protect them from" malware. Trend Micro interviewed 1,200 corporate end users in the US, Germany and Japan. Thirty-nine percent believe their IT departments will protect them from phishing and spyware, and 63 percent say they are comfortable clicking on suspicious links or visiting suspicious sites at work; 40 percent of those said they did so because IT support would be available if something went wrong.
[Editor's Note (Schneier): From an economic perspective, this makes sense. If I screw up my home network, I have to deal with the problem. If I screw up the corporate network, the IT department has to deal with the problem. ]
Gartner: CISOs Will Need Business Skills to Compete in the Future (19/16/15 September 2005)
Gartner says that companies need to create the position of risk management officer and fill it with someone who understands the subtleties of the business world rather than someone who views security from a purely technical point of view. The insurance company Zurich has outsourced certain portions of its IT security and focused on security from a strategic standpoint within the organization; its approach to security has gone from reactive to proactive. A risk management officer needs strong communication and project management skills. Businesses need to understand that security cannot be handled by technical staff alone; it must be "built into corporate culture."
Microsoft Bans Weak Crypto in New Code (15 September 2005)
A new policy at Microsoft bans developers from using the DES block cipher and the MD4 and MD5 hash functions, and in some cases SHA-1, in new code, because published cryptanalytic attacks on these algorithms are becoming increasingly practical. Microsoft recommends the SHA-256 hash function (from the Secure Hash Algorithm family) and the Advanced Encryption Standard (AES) cipher instead. The decision is part of Microsoft's twice-yearly update to its Security Development Lifecycle (SDL) policies. The company also hopes eventually to remove the weak algorithms from older code.
[Editor's Note (Schultz): Microsoft deserves a proverbial round of applause for its decision concerning use of cryptography in its products. (Schneier): This will improve potential security for their products at the cost of backwards compatibility -- I call that a good trade-off. ]
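A policy like the one above only bites if something enforces it at build time. The following scanner is an added example written for this page, not Microsoft's tooling or any official banned-API list: it walks source lines, matches common API spellings that select DES, MD4, MD5 or SHA-1 (OpenSSL, CryptoAPI, .NET and Python names; the pattern list is an assumption for illustration), ignores comment-only lines so commented-out legacy code does not fail the build, and suggests the SHA-256/AES replacements the policy recommends. The sample source it runs against is constructed.

```python
"""Added example, not Microsoft's tooling: a source scanner that enforces
a 'no DES, MD4, MD5 or SHA-1 in new code' rule of the kind described
above. The API-name patterns and the sample source are constructed for
illustration and are not an official banned list."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Iterable

# Primitive -> regexes for common API spellings (OpenSSL, CryptoAPI,
# .NET, Python hashlib/pycryptodome). Assumed list for illustration.
BANNED = {
    "DES": [
        r"\bDES_(?!ede)\w*encrypt\b",     # OpenSSL single DES; DES_ede3_* is 3DES, not banned here
        r"\bCALG_DES\b",                   # CryptoAPI
        r"\bDESCryptoServiceProvider\b",   # .NET
        r"\bDES\.new\(",                   # pycryptodome
    ],
    "MD4": [r"\bMD4_(?:Init|Update|Final)\b", r"\bCALG_MD4\b",
            r"\bhashlib\.new\(\s*['\"]md4['\"]"],
    "MD5": [r"\bMD5_(?:Init|Update|Final)\b", r"\bCALG_MD5\b", r"\bEVP_md5\(\)",
            r"\bMD5CryptoServiceProvider\b", r"\bhashlib\.md5\b"],
    "SHA1": [r"\bSHA1_(?:Init|Update|Final)\b", r"\bCALG_SHA1?\b", r"\bEVP_sha1\(\)",
             r"\bSHA1(?:Managed|CryptoServiceProvider)\b", r"\bhashlib\.sha1\b"],
}
# What the policy recommends instead (SHA-256 family hash, AES cipher).
ADVICE = {
    "DES": "use AES",
    "MD4": "use SHA-256",
    "MD5": "use SHA-256",
    "SHA1": "use SHA-256 (SHA-1 allowed only where the policy grants an exception)",
}
# Comment-only lines are ignored so commented-out legacy code does not fail
# the build. Heuristic: C/C++ comments and '# ' remarks; '#include' has no
# space after '#', so it is still scanned.
COMMENT_ONLY = re.compile(r"^\s*(//|/\*|\*|#\s)")

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    primitive: str
    snippet: str
    advice: str

def scan_source(path: str, lines: Iterable[str]) -> list[Finding]:
    """Return one Finding per offending line (first banned primitive wins)."""
    findings: list[Finding] = []
    for n, line in enumerate(lines, start=1):
        if COMMENT_ONLY.match(line):
            continue
        for primitive, patterns in BANNED.items():
            if any(re.search(p, line) for p in patterns):
                findings.append(Finding(path, n, primitive, line.strip(), ADVICE[primitive]))
                break
    return findings

def passes_policy(findings: list[Finding]) -> bool:
    """Build gate: clean only when nothing banned was found."""
    return not findings

# Constructed sample mixing legacy and compliant calls.
SAMPLE_SOURCE = """\
#include <openssl/md5.h>
// legacy: MD5_Init(&ctx);   commented out, must be ignored
MD5_Init(&ctx);
DES_ncbc_encrypt(in, out, len, &ks, &iv, DES_ENCRYPT);
SHA256_Init(&sha);
h = hashlib.sha1(data).hexdigest()
CryptCreateHash(prov, CALG_SHA_256, 0, 0, &hh);
"""

if __name__ == "__main__":
    import sys
    results: list[Finding] = []
    for p in sys.argv[1:]:
        with open(p, encoding="utf-8", errors="replace") as fh:
            results += scan_source(p, fh)
    if not sys.argv[1:]:
        results = scan_source("sample.c", SAMPLE_SOURCE.splitlines())
    for f in results:
        print(f"{f.path}:{f.line_no}: banned {f.primitive}: {f.snippet} -> {f.advice}")
    sys.exit(0 if passes_policy(results) else 1)
```

Run with no arguments to see the three hits in the constructed sample (MD5_Init, single-DES encrypt, hashlib.sha1; the commented-out call, SHA-256 and CALG_SHA_256 pass), or pass source files to gate a real build. A regex scanner is deliberately coarse: it catches the obvious calls and is cheap enough to run on every commit, while the "in some cases" carve-out for SHA-1 is handled by routing those hits to review rather than to a silent allow.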
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Teen Sentenced for T-Mobile Break-In (15 September 2005)
A Massachusetts teenager has been sentenced to 11 months in a juvenile detention facility for his role in several cyber attacks and threats, including the T-Mobile break-in that resulted in Paris Hilton's cell phone address book being exposed on the Internet. The juvenile is also suspected of being part of a group allegedly responsible for breaking into the LexisNexis Group network and exposing details from 300,000 customer records. Following his detention, the 17-year-old will be under two years of supervised release. He is prohibited from using cell phones, computers and any other devices capable of accessing the Internet at any time during his sentence.
Redbus Founder Pleads Guilty to Intercepting Email; Says He Will Appeal (16/15 September 2005)
Demon Internet and Redbus founder Cliff Stanford has pleaded guilty to unlawful email interception. Mr. Stanford and co-defendant George Liddell were both sentenced to six months in prison, suspended for two years. In addition, Mr. Stanford was fined 20,000 GBP (US$36,000) and ordered to pay an additional 7,000 GBP (US$12,600) in court costs. The case is significant because it marks the first prosecution for this offense under the Regulation of Investigatory Powers Act 2000 (RIPA). The two men were accused of intercepting the email of former Redbus chair John Porter. Apparently the Redbus server was modified to intercept and redirect copies of all Mr. Porter's emails to a Hotmail account set up by Mr. Liddell. Mr. Stanford now plans to file an appeal; he believes that the judge misinterpreted the law.
[Editor's Note (Schultz): Saying that the judge misinterpreted the RIP Act in this case seems little more than a desperate attempt to avoid what appears to be well-deserved punishment for committing an egregious act. ]
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
TSA Network Security Still Not Where it Should be, Says DHS IG (13 September 2005)
According to a report from the Department of Homeland Security's Inspector General, the Transportation Security Administration has made strides in improving its network security, "but still cannot ensure that critical computer network operations and data are protected from hackers and can be restored following an emergency." Among the report's recommendations to TSA are conducting "periodic network scanning, vulnerability scanning, penetration testing, password analysis and war driving." TSA was also found not to have a comprehensive network security testing program.
[Editor's Note (Grefer): It's mind-boggling that such basic measures as regular scanning and testing, password analysis, etc. are not part of regular operations at TSA. The Labor Department's Employment and Training Administration, for example, established such practices years ago. ]
UK Home Office Says Organizations Will Have Graded Access to National ID Database (13 September 2005)
The UK's Home Office has announced that public and private sector organizations will have access to the national identity card database on a graded scale, so that low-priority checks cannot slow access for high-priority ones. Home Office ID Card Programme Director Katherine Courtney said the government wants to ensure that the system has safeguards to protect against "frivolous" checks on citizens' data. Examples of uses for the system include car rentals and background checks on teachers and job applicants.
Navy Publishes Acceptable Use Policy for Personnel (9 September 2005)
In July, the US Navy published "The Effective Use of Department of Navy Information Technology Resources," an acceptable use policy for Navy personnel. According to the document, military, civilian and contractor users may not "install or modify computer hardware or software without approval," "circumvent or disable security measures" or automatically forward official Navy email to a commercial email account or use a commercial account for government business without approval. In addition, personnel may not access personal email accounts from Navy networks without approval, and they may not use peer-to-peer file sharing applications without prior approval, and then only in support of Navy missions.
Proposed Law in Singapore Would Allow Individuals to Sue Spammers (12 September 2005)
The Infocomm Development Authority of Singapore has issued a second public consultation paper seeking feedback on the proposed Spam Control Bill, which would allow individuals affected by spam to sue the spammers. This is a change from an earlier suggestion to allow only ISPs and organizations with their own servers to take legal action against alleged spammers. Individuals would be required to prove damages before cases could proceed. According to the draft legislation, those found guilty could be ordered to stop sending spam or be fined as much as S$25 (US$14.88) per unsolicited message sent, with a maximum fine of S$1 million (US$595,000). Feedback is due by noon on October 14.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
P2Load.A Worm Spreads on P2P Networks (16 September 2005)
The P2Load.A worm spreads on peer-to-peer file sharing networks, posing as a free Star Wars computer game. The worm alters the hosts file on infected computers so that users who try to reach the real Google web site are redirected to a phony one. Because the hosts file is consulted before DNS, the same technique could be used to spoof other web sites and could be exploited by phishers to steal personal data. The other noticeable effect of the worm is that the browser's start page is changed to a shopping site. The worm affects Firefox and Internet Explorer on computers running Windows.
[Editor's Note (Grefer): Several Anti-Spyware tools, such as Spybot Search & Destroy (www.safer-networking.net) provide mechanisms to prevent alterations of the hosts file as well as the browser's start page. ]
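Blocking writes to the hosts file is one control; the other is auditing what is already in it, since a single line is all the redirection described above takes. The script below is an added example written for this page, not the newsletter's or any vendor's code: it parses a Windows-style hosts file the way the resolver does (one address, one or more names, '#' comments), ignores loopback and 0.0.0.0 targets because those are the normal ad-blocking idiom, and flags any watched domain (or subdomain) that is mapped to some other address. The watch-list and the sample hosts content are constructed for illustration.

```python
"""Added example, not the newsletter's or any vendor's code: audit a
Windows-style hosts file for entries that hijack well-known names, the
technique the P2Load.A item above describes for Google. The watch-list
and the sample hosts content are constructed for illustration."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Iterator

# Names worth protecting from local redirection (assumed list; add your
# own banking, webmail and update domains).
WATCHLIST = {"google.com", "www.google.com", "microsoft.com", "windowsupdate.com"}

@dataclass(frozen=True)
class Hijack:
    line_no: int
    hostname: str
    address: str
    reason: str

def parse_hosts(text: str) -> Iterator[tuple[int, str, list[str]]]:
    """Yield (line_no, address, hostnames) for each active entry; strips
    '#' comments the way the resolver does."""
    for n, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield n, fields[0], [h.lower().rstrip(".") for h in fields[1:]]

def _watched(name: str, watchlist: set[str]) -> bool:
    # The name itself or any subdomain of a watched domain.
    return name in watchlist or any(name.endswith("." + w) for w in watchlist)

def audit_hosts(text: str, watchlist: set[str] = WATCHLIST) -> list[Hijack]:
    """Flag watched names mapped anywhere other than loopback/0.0.0.0.
    Loopback and unspecified targets are the normal ad-blocking idiom."""
    findings: list[Hijack] = []
    for n, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(Hijack(n, " ".join(names), addr, "unparseable address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            if _watched(name, watchlist):
                findings.append(Hijack(n, name, addr,
                                       "watched name resolves locally to a non-loopback address"))
    return findings

# Constructed sample; 198.51.100.0/24 is documentation space, not a real host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.net      # ad blocking, benign
198.51.100.23   www.google.com google.com    # search hijack
198.51.100.23   update.microsoft.com
0.0.0.0         doubleclick.net
::1             localhost
"""

if __name__ == "__main__":
    import sys
    # Windows keeps the file at %SystemRoot%\System32\drivers\etc\hosts.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for h in audit_hosts(text):
        print(f"line {h.line_no}: {h.hostname} -> {h.address} ({h.reason})")
```

Against the constructed sample this reports the two Google names and update.microsoft.com, and stays quiet about the loopback and 0.0.0.0 blocking entries. Run it against %SystemRoot%\System32\drivers\etc\hosts on a suspect machine, or feed it the file from a disk image during triage; an unparseable address field is reported too, because malware that writes the file by hand does not always get the format right.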
Apple OS X Updates Address Java Flaws (15 September 2005)
Apple has released software updates for Mac OS X 10.3.9 and Mac OS X 10.4.2, known respectively as Panther and Tiger. The updates address critical security flaws in the Java software which could be exploited to evade security restrictions or obtain elevated privileges.
Upgrade Available for Linksys WRT54G Wireless Router (14 September 2005)
Linksys has released a firmware upgrade for its WRT54G, a popular combination wireless access point, switch and router for home users. The upgrade fixes five serious vulnerabilities that could be exploited to disable or overwrite the device's security settings, install firmware or cause a denial of service.
Exploits Discovered for Mozilla and Firefox IDN Flaw (13 September 2005)
Researchers report that they were able to write working exploits for the IDN vulnerability in the Firefox and Mozilla web browsers in a short period of time, and there are reports that exploit code for the flaw has been posted on the Internet. The flaw also affects the Netscape browser. The researchers did not publish their own exploit code, but there is little doubt that malicious coders are working on exploits as well. The flaw is a buffer overflow in the way the browsers handle Internationalized Domain Names (IDN), which allow local-language characters in host names; a temporary workaround for Firefox and Mozilla is to disable IDN support.
ATTACKS & INTRUSIONS & DATA THEFT
Stolen Berkeley Laptop Recovered; One Man Arrested (16/15 September 2005)
A laptop stolen from the University of California at Berkeley's Graduate Division in March 2005 has been recovered in South Carolina. A San Francisco man, Shuki Alburati, has been arrested and charged with possession of stolen property for allegedly selling the laptop on eBay; he allegedly purchased the laptop from an unidentified woman. After the theft was discovered, the university began informing the nearly 100,000 individuals whose personal data, including names, birthdates and Social Security numbers, were on the machine. When the computer was recovered, the hard drive had been erased and a new operating system installed, so it is impossible to know whether or not the thief accessed any of the data. Berkeley brought in PricewaterhouseCoopers to audit the way the school handles sensitive information; the school is now looking at how to implement the audit recommendations.
[Editor's Note (Pescatore): Just think: in the old days, law enforcement had to go visit hundreds of pawn shops. Now, they can just have bots search eBay. ]
STANDARDS & BEST PRACTICES
Common Vulnerability Scoring System Ready for Wider Use (12 September 2005)
The Forum of Incident Response and Security Teams (FIRST) is pushing for wide adoption of the Common Vulnerability Scoring System (CVSS), which 30 organizations have piloted since February 2005. CVSS provides "a unified approach to rating vulnerabilities" with the goal of helping organizations make good decisions about what action to take when a vulnerability is disclosed. The system scores vulnerabilities on a scale from 0 to 10, and organizations can customize a score by adding information specific to their own systems and needs. Beyond the intrinsic severity of a flaw, the score accounts for factors such as whether known exploits exist and whether a patch is available. Some security vendors support CVSS and say they will incorporate it into their products. Microsoft presently is not interested in using the system, but may adopt it if customers ask for it.
Symantec's Internet Security Threat Report (19 September 2005)
Symantec has released its Internet Security Threat Report for the first six months of 2005. The study found that 74 percent of the top 50 malicious code samples submitted to Symantec were of the sort that exposes confidential data. The report also noted a trend of attackers moving away from attacks on network perimeters and toward targeted attacks, and an increase in modular malicious code, which downloads additional functionality after initial infection. DoS attacks grew from 119 per day to 927 per day over the six-month period studied, a 640 percent increase over the same period last year. The average time between disclosure of a vulnerability and the appearance of an exploit decreased from 6.4 days to 6 days, while vendors took an average of 54 days to release a patch for a vulnerability.
[Editor's Note (Tan): It is interesting to note that Mozilla browsers, including Firefox, had the most vulnerabilities during the first half of 2005. For once, Internet Explorer must be relieved to be behind Mozilla in this measure. This data also shows that there is no secure browser. Safety is a matter of secure browsing and proper configuration, and this should not be ignored. ]
Qantas Leads the Push for De-Perimeterization in Australia (15/16 September 2005)
Australia's Qantas Airlines will be one of the first of the country's organizations to join the Jericho Forum, an "international user community" that promotes open standards in security. The Jericho Forum advocates a "de-perimeterization" security model, favoring multiple layers of security with controls throughout the network rather than a network protected only at the perimeter. If this approach is to work, vendors need to make sure their products (firewalls, intrusion detection systems, VPNs and the like) are interoperable. The Jericho Forum "explores the potential to develop common security architectures to support de-perimeterized business-to-business networking."
[Editor's Note (Pescatore): I've never understood why they call this "de-perimeterization" since their materials say they are basically advocating security in depth vs. removing perimeter controls. Most of what is on their roadmap is simply closed networking - talk only to authenticated IP addresses and allow connections only to authorized people and use only thin clients. Basically, back to the mainframe days and away from the realities of the Internet. (Shpantzer): Jericho is the biblical town whose walls were felled by the noise of Joshua's priests and soldiers. This forum has a similarly difficult mission of pushing interoperability between security vendors' products. ]
Longhorn to Have New Security Features (16 September 2005)
Microsoft's forthcoming Longhorn Windows Server will include new security features. A "self-healing" file system will run the defrag and chkdsk tools in the background. "Secure at install" will, as soon as a new server is set up as a file or terminal server, automatically search for and apply the patches relevant to that role. Network Access Protection (NAP) will check computers connecting to the network against established security requirements and deny access to PCs deemed to have inadequate protection.
Keyboard Sounds Reveal What is Being Typed (15 September 2005)
Researchers from the University of California at Berkeley have published a paper describing how a ten-minute audio recording of someone typing on a computer keyboard can be analyzed to recover what was typed with roughly 90 percent accuracy. Applied to passwords, the system correctly identified 90 percent of all five-character passwords, 77 percent of eight-character passwords and 69 percent of ten-character passwords within 20 guesses. The gist of this is that we need to rethink authentication.
[Editor's Note (Pescatore): I always wear wrist mounted castanets to block this attack when logging in from a public PC...]
Microsoft's Decision to Delay Patch Release Highlights Pros and Cons of Scheduled Security Updates (13 September 2005)
Following Microsoft's decision last week not to release a patch for a critical Windows flaw it had announced several days earlier, some have expressed concern that the flaw will remain unpatched for another month. However, releasing a faulty patch could allow attackers to reverse engineer it, discover the vulnerability and exploit it before a quality patch is released. Microsoft has released no other specific details about the flaw and has not said when the patch will ship. Microsoft and Oracle, both of which have adopted a scheduled patch release model, have been criticized for sitting on vulnerabilities for extended periods. On the other hand, regularly scheduled releases make it more likely that patches will be applied than if they arrive at unexpected times.
VoIP Newsletter Subscriber Email Address List Inadvertently Sent to All (13 September 2005)
A spreadsheet containing the email addresses of 21,000 subscribers to VoIP provider Packet8's electronic newsletter was accidentally attached to the company's monthly email newsletter. The addresses in the spreadsheet were those of customers who receive the opt-in newsletter. Packet8 has contacted those affected and apologized for the error. The danger in the leak is that the list could be used for phishing attacks that appear to come from Packet8. The error could have been prevented by one of several tools that scan outgoing email for content and attachments that should not leave the organization.
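The outbound check the item says would have caught this is simple enough to show. The code below is an added example written for this page, not Packet8's or any vendor's product: it parses an outgoing message with the standard library, inspects every attachment rather than trusting the filename, counts distinct email addresses in each, and holds the message when an attachment carries more than a policy threshold. The newsletter it builds (a body plus a mistakenly attached subscriber CSV) is constructed for illustration, and the threshold of 50 is an assumed policy value.

```python
"""Added example, not Packet8's or any vendor's product: an outbound-mail
check of the kind the item above says would have prevented the leak. It
parses a message, inspects each attachment, and holds the message when an
attachment carries many distinct email addresses. The message is
constructed for illustration; the threshold is an assumed policy value."""
from __future__ import annotations
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAX_ADDRESSES_PER_ATTACHMENT = 50   # assumed threshold for a customer-facing mailbox

def distinct_addresses(blob: bytes) -> int:
    """Count distinct, case-folded email addresses in a text-like attachment."""
    text = blob.decode("utf-8", errors="replace")
    return len({m.lower() for m in EMAIL_RE.findall(text)})

def scan_outbound(raw: bytes) -> list[str]:
    """Return the reasons a message should be held; an empty list means deliver."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    holds: list[str] = []
    for part in msg.iter_attachments():
        # Decode the transfer encoding so base64 CSVs are scanned as text.
        payload = part.get_payload(decode=True) or b""
        n = distinct_addresses(payload)
        if n > MAX_ADDRESSES_PER_ATTACHMENT:
            name = part.get_filename() or "<unnamed>"
            holds.append(f"attachment {name!r} contains {n} distinct email addresses")
    return holds

def build_sample(subscribers: int) -> bytes:
    """Constructed newsletter with a subscriber spreadsheet (CSV) attached by mistake."""
    msg = EmailMessage()
    msg["From"] = "newsletter@provider.example"
    msg["To"] = "subscribers@provider.example"
    msg["Subject"] = "Monthly newsletter"
    msg.set_content("Thank you for reading this month's newsletter.")
    rows = "email,status\n" + "\n".join(f"user{i}@example.net,opt-in" for i in range(subscribers))
    msg.add_attachment(rows.encode("utf-8"), maintype="text", subtype="csv",
                       filename="subscribers.csv")
    return msg.as_bytes()

if __name__ == "__main__":
    for n in (3, 21000):
        holds = scan_outbound(build_sample(n))
        print(f"{n} subscribers:", "HOLD: " + "; ".join(holds) if holds else "deliver")
```

A three-row attachment (a reply quoting a couple of correspondents) passes; the 21,000-row list is held with a reason an administrator can act on. Counting addresses inside the decoded attachment, rather than matching on filename or extension, is what makes the check robust to a spreadsheet saved under an innocuous name, and the same loop is the place to add checks for other patterns (card numbers, internal hostnames) that should never leave the mail gateway.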
Red Cross IT Staff Keeps Networks Running, Asks for Help in Stopping Fraud (12 September 2005)
IT security staff at the American Red Cross are hard at work ensuring that their systems do not become overloaded by attacks and surges in use due to Hurricane Katrina. The Red Cross has also asked the FBI to help "prevent the spread of phony Red Cross web sites" that prey on people who want to help those affected by Katrina. In addition, the Red Cross is trying to use web-based applications hosted outside the corporate network, which could relieve the strain of so much traffic.
New Orleans Companies Mull IT Disaster Recovery Plans (12 September 2005)
As organizations in and around New Orleans begin to "restore key systems," they are scrutinizing their IT disaster recovery and business continuity plans. Among the questions they are weighing: whether or not to keep data centers in New Orleans once the city is habitable again, and the best way to create backups.
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/