SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #46
October 21, 2005
If you know a great security consulting and/or penetration testing company, please pass this note on to them. We just received a request that may affect them. One of the largest companies manufacturing and selling computer equipment asked us for a list of consulting firms that can provide high quality technical security services and still meet with senior executives at their client sites. We told them we have not vetted the firms, but it turns out that GIAC certification and SANS training are sufficient to differentiate the firms that can only talk and write about security from those that can actually do it. So if your firm is a security consulting organization and you don't mind our sharing your contact information with the organization requesting the list, please send us the name of your firm, the industry or industries in which you have substantial experience, and the countries in which you work. Thanks in advance. Send it to firstname.lastname@example.org (subject "Security consulting firm").
TOP OF THE NEWS
Regulators Release New Guidelines for Financial Institutions' Online Authentication
UK Internet and Telephone Banking Authentication Standard to be in Place by End of Year
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Spammer's Sentence is Under Seal
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Interior Department IT Security Dilemma Continues
Transportation IG Audit Finds Serious Security Lapses
Estonia Allows Internet Voting In Nationwide Election
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Remote Code Execution Flaw in IE and Windows Media Player
Oracle Releases Quarterly Fixes: 89 Flaws Noted
Buffer Overflow Flaw in Recent Versions of Snort
Samy Worm Exploits Cross-Site Scripting Hole
IRCbot Trojan Disguised as Skype Update
STATISTICS, STUDIES & SURVEYS
Study Finds Spyware Most Prevalent in PCs in US, Thailand and UK
Most Organizations Do Not Have CIOs in Board Room
***** Sponsored By SANS Great Lakes Security Essentials with HIPAA ****
Please join us for SANS Great Lakes Security Essentials with HIPAA in Chicago on November 7-13! We have designed this special training week specifically with healthcare professionals in mind. This training is your opportunity to focus on how to follow solid information security principles, meet HIPAA guidelines for information security, and yet still maintain a focus on providing quality care to patients. Info: http://www.sans.org/greatlakes_hipaa2005
SANS immersion training courses on sixteen areas of security and audit are also starting in more than 40 other cities around the world. See: http://www.sans.org
TOP OF THE NEWS
Regulators Release New Guidelines for Financial Institutions' Online Authentication (18/17 October 2005)
The Federal Financial Institutions Examination Council has issued "Authentication in an Internet Banking Environment," updated guidelines for financial institutions' online customer identity authentication. FFIEC says that passwords and IDs alone are not adequate authentication measures for high-risk financial transactions. The guidelines describe a variety of authentication technologies, including digital certificates, USB plug-ins and biometric identification technologies, but do not endorse any one in particular. FFIEC has sent a letter to US financial institutions informing them that bank web sites are expected to be in compliance with the guidelines by the end of 2006. FFIEC is an interagency body of financial regulators.
[Editor's Note (Paller): Read the actual guidelines and you will want to cry. Apparently FFIEC caved in to the banker lobbies. Instead of following the lead of countries like Hong Kong and Singapore that require banks to offer safer authentication, FFIEC just told them to write a risk assessment. Like beauty, risk depends on your perspective. If your perspective is mainly driven by maximizing profit, customer safety risks are not very important.
(Hoepman): It's worth noting that non-hardware-based one-time-password systems, like scratch cards, are also mentioned as a possible technique. These systems are widely deployed in Europe.
(Honan): Guidelines are one method to encourage financial institutions to improve end user security. Improving competitiveness by offering a more robust solution than your competitors is another, as can be seen by banks such as Barclays Bank following the lead of Lloyds Bank to introduce token-based authentication -
UK Internet and Telephone Banking Authentication Standard to be in Place by End of Year (17 October 2005)
The UK's Association of Payment and Clearing Systems (APACS) says it will launch an online authentication standard for Internet and telephone banking by the end of this calendar year. The standard will be in the form of a device that generates a one-time use password when users insert a chip and PIN card. APACS said the new standard device will be "slightly different" from the token device Lloyds TSB plans to test.
************************* SPONSORED LINK ****************************
1) Centrally managed, host-based firewall protection to proactively secure your corporate network. Free NetOp trial available.
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Spammer's Sentence is Under Seal (17 October 2005)
Anthony Greco was sentenced in a closed session for sending nine million spam email messages through instant messages to members of MySpace.com. The sentence is under seal. Earlier this year, Mr. Greco reached a plea agreement with prosecutors wherein he would serve a sentence of between 18 months and two years in prison in return for his guilty plea. Mr. Greco had also threatened to share his spamming techniques with others. Federal prosecutors planned to ask the judge to make the sentence public.
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Interior Department IT Security Dilemma Continues (20 October 2005)
US District Judge Royce Lamberth has granted a preliminary injunction ordering the Interior Department to disconnect IT systems that connect to American Indian trust fund data because they are not secure. A September 6, 2005 memo from Interior Department inspector general Earl Devaney said that penetration testers were able to access agency systems. The order covers not only computers and networks, but also handhelds and VoIP equipment. The start date for the shutdown has not yet been determined.
Transportation IG Audit Finds Serious Security Lapses (18 October 2005)
The Department of Transportation's inspector general was able to penetrate and gain root control of a vulnerable server during a recent audit. Because there is interconnectivity within DOT, other departments could be put at risk by just one department's security weaknesses. According to the audit report, there are also previously noted security vulnerabilities that the agency has not addressed. The audit is an annual event conducted in accordance with the Federal Information Security Management Act (FISMA).
[Editor's Note (Pescatore): The report also points out that they were able to gain admin access to a network switch and a number of PCs, exploiting vulnerabilities that had been reported previously. This points out some serious shortcomings in vulnerability management processes, as DoT also had major problems with Zotob.
(Paller): John Pescatore's comment raises an important question. Transportation has invested heavily in a vulnerability management system called FoundScan. It would be illuminating for the entire security community if the Department of Transportation could share enough information to determine whether the problem was DoT's implementation or a major flaw in FoundScan. ]
Estonia Allows Internet Voting In Nationwide Election (14 October 2005)
Estonia became the first country in the world to hold an election allowing voters nationwide to cast ballots over the Internet. Internet voters used a special ID card and a $24 device to read the card. Fewer than 10,000 people, out of 1,000,000 voters, used the Internet
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Remote Code Execution Flaw in IE and Windows Media Player (19 October 2005)
A critical vulnerability in default installations of Microsoft Internet Explorer and Windows Media Player could allow remote code execution. The flaw affects Windows XP with SP1 and SP2, Windows NT and all versions of Windows 2000. The vulnerability does not appear to be exploitable by a worm.
Oracle Releases Quarterly Fixes: 89 Flaws Noted (19 October 2005)
Oracle's quarterly patch release on October 18 fixes 89 flaws in a variety of products. The flaws include unauthenticated remote code execution, information disclosure and denial-of-service. The accompanying advisory provides few details, making it difficult for users to prioritize their testing and patching.
[Editor's Note (Northcutt): There is still more important Oracle security news coming about the "unbreakable" database. The announcement will be made Wednesday, October 26 - 8:15pm - 9:00pm (PDT) at Network Security 2005 in Los Angeles
(Tan): Oracle should consider reviewing its patch update schedule with a shorter time between announcements. Releasing such a huge multi-part patch that addresses so many vulnerabilities may do more harm than good. It is simply too hard to test that many different changes all at once to ensure the system will not be broken when the patches are applied. ]
Buffer Overflow Flaw in Recent Versions of Snort (20/19/18 October 2005)
A buffer overflow vulnerability in Snort versions 2.4.0 and higher could allow remote code execution. There is concern that the vulnerability could be exploited with a network-based worm. Sourcefire, which oversees the open source intrusion detection program, encourages users to update Snort to version 2.4.3. If that presents a problem, then users could instead disable the Back Orifice preprocessor function, which would leave them unable to detect Back Orifice activity. US-CERT also suggests restricting outbound traffic.
[Editor's Note (Tan): IDS packages love packets. Any vulnerability discovered in an IDS could easily be exploited. In the case of the Snort Back Orifice Preprocessor Buffer Overflow, a single spoofed UDP packet hitting any target within a vulnerable Snort's radar is sufficient to exploit the vulnerability. Kyle from the Internet Storm Center has demonstrated this and is working on some defensive measures. Check this out at
Samy Worm Exploits Cross-Site Scripting Hole (17 October 2005)
The Samy worm is believed to be among the first to exploit a cross-site scripting vulnerability. A MySpace.com community site member allegedly created the worm to increase his popularity rating. While this particular incident caused little damage, some believe the technique may be copied to exploit cross-site-scripting vulnerabilities on other web sites in a more malicious manner.
IRCbot Trojan Disguised as Skype Update (17 October 2005)
A variant of the IRCbot Trojan has been spreading by pretending to be an update for Skype, the VoIP software client. When opened, the Trojan displays a phony installation error message and then installs a backdoor on the computer and blocks access to security updates.
[Editor's Note (Grefer): A reminder to our readers. Skype updates are not distributed via email. They are available for download at
Users may also click on "Help" > "Check for Update" within the Skype client. ]
STATISTICS, STUDIES & SURVEYS
Study Finds Spyware Most Prevalent in PCs in US, Thailand and UK (20 October 2005)
According to research from anti-spyware company Webroot, the countries with the highest incidences of computers infected with spyware in the most recent quarter are the US, Thailand and the UK. Nearly 55 percent of consumers' PCs are infected with spyware. The research counts tracking cookies among the spyware. In the UK, the average number of pieces of spyware on consumers' PCs is 18; discounting the cookies, that figure falls to just 4.5.
Most Organizations Do Not Have CIOs in Board Room (19 October 2005)
Recent research indicates that most companies do not have technology experts involved in high-level strategic planning. The study, from public relations company Burson-Marsteller, looked at Fortune Global 500 organizations. In 2003, the number of organizations with current or former CIOs in the boardroom was five percent; the recent study puts that figure at eight percent. In Europe, the figure is 10 percent; in the Asia-Pacific region, the figure is up to ten times greater. Just three percent of the companies surveyed have a CEO with prior IT experience.
[Editor's Note (Schultz): If these results are valid (and at face value they seem to be), they provide at least a partial explanation of why IT organizations tend not to be so effective. As the top leadership goes, so goes the rest of the organization.]
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler, Jaap-Henk Hoepman, Brian Honan, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org