SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #53
November 15, 2005
TOP OF THE NEWS
Sony BMG Temporarily Halts Manufacture of XCP-Protected Music CDs
Justice Department Proposes Broader, Stronger Copyright Protection Laws
Liberty Alliance Forms Group to Develop Interoperability Standard for Authentication
THE REST OF THE WEEK'S NEWS
POLICY & LEGISLATION
NIST Still Accepting Comments on Recommended Security Controls Document
US$20 Million Restored to FBI Cyber Squad Budget
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Vulnerability in Some ISAKMP Implementations
RealPlayer Issues Security Update for Buffer Overflow Flaws
ATTACKS & INTRUSIONS & DATA THEFT
Four Arrested in New Delhi on Data Theft Charges
STATISTICS, STUDIES & SURVEYS
Mobile Computer Users Lax on Security
Data Loss Proves Costly to Companies
Businesses Mull Personal CD Use in Light of Sony's DRM Software
Man Convicted of Unauthorized Site Access Now Employed at Security Firm
Open Invention Network Will Acquire and Share Linux Patents
New Zealand Internet Safety Group Launches Educational Campaign
************************* Sponsored by Bindview *************************
Run a quick check of your IT security compliance for specific regulations with this FREE Compliance Assessment Tool. You'll get a "compliance score" as an example of how BindView solutions can help you monitor and report on compliance---all through a single compliance architecture for managing multiple regulations.
************************** Security Training Update: ********************
"SANS has the answers to real-life problems and can fill in the education gaps that on the job training causes." Carol Templeton, Univ. of Tennessee
SANS 2006 brochures started arriving in mail boxes this week. More immersion training tracks than ever before. Plus many new short courses for people who already have mastered their areas of security. A big security tools exposition. And Orlando in February is great.
SANS training at home or at your place of employment or in other cities:
"With SANS training, leading industry professionals share the latest knowledge and practices that work for them - you can not get this information anywhere else!" Douglas K Shamlin, US Navy
"I can not believe how much I learned in 6 days!" Kenny Johnson, US Air Force
TOP OF THE NEWS
Sony BMG Temporarily Halts Manufacture of XCP-Protected Music CDs (13/11 November 2005)
Sony BMG has said it will temporarily suspend manufacturing CDs with the controversial XCP digital rights management (DRM) technology. XCP has been criticized because it places cloaked files on Windows PCs. A class-action lawsuit has been filed in California alleging that Sony did not inform customers that the software is installed into the "root" of their computer systems. Malware that exploits the DRM was detected last week; Sony BMG has made a patch available to protect users from the malware. The week before, Sony BMG released a patch that removed the 'cloaking element' from the software. In a related story, Microsoft has announced that its security tools will soon be updated to detect and remove certain portions of the XCP technology that has been installed on users' computers. Microsoft "has determined that the 'rootkit' piece of software can pose a security risk to Windows PCs."
[Editor's Note (Pescatore): Every time a company uses some digital rights management approach to treat its paying customers like criminals, this type of backlash happens and the overly zealous protection approach gets pulled. The fact that Sony's "punish your customer" approach actually included making their customers more vulnerable to attack as part of their product is sadder still. ]
Justice Department Proposes Broader, Stronger Copyright Protection Laws (11/10 November 2005)
The US Justice Department has submitted a "legislative package" to Congress that would broaden the protection of intellectual property and increase penalties for those found guilty of digital media piracy. The legislation would give investigators the power to seize assets purchased with the proceeds from piracy and to seize and destroy counterfeit goods. Under the proposed legislation, people could be prosecuted for attempted copyright infringement. In addition to serving prison time, those found guilty of copyright violations may be required to pay restitution to the copyright holder. The proposal also seeks to allow prosecutors to enforce copyrights that are not registered with the government in criminal cases; civil cases would still require that the copyright be registered with the government. The proposed legislation has been criticized for not addressing the issue of consumers' fair-use rights. The legislation has not yet been introduced in Congress.
Liberty Alliance Forms Group to Develop Interoperability Standard for Authentication (9/8 November 2005)
The Liberty Alliance has launched the Strong Authentication Expert Group, whose goal is to create standards that will ease the interoperability of a variety of strong authentication products, such as tokens, smart cards and biometrics. The group expects to release the first version of the ID-SAFE (Identity Strong Authentication Framework) specification next year.
************************ Sponsored Links ********************************
1) ALERT: "How a Hacker Launches a LDAP Injection Attack Step-by- Step"- White Paper
2) Save up to $300 off any refurbished Latitude(tm) notebook at Dell Outlet. Expires 11/16/05.
3) Earn your Master's degree in Information Security from an NSA - recognized online program.
THE REST OF THE WEEK'S NEWS
POLICY & LEGISLATION
NIST Still Accepting Comments on Recommended Security Controls Document (11 November 2005)
The National Institute of Standards and Technology (NIST) will accept suggestions for minor revisions to its Special Publication 800-53, Recommended Security Controls for Federal Information Systems, until December 31, 2005. NIST plans to release SP 800-53 when it publishes FIPS 200 (Federal Information Processing Standard 200). FIPS 200 is likely to be signed by the Commerce Department's secretary in February 2006. Once FIPS 200 is signed, government agencies will be required to use security controls for IT systems to protect data confidentiality, integrity and availability.
The url for the document is:
US$20 Million Restored to FBI Cyber Squad Budget (14 November 2005)
Legislators have demonstrated their support for the FBI's cyber crime division by approving a spending bill that restores US$20 million in funding for fiscal 2006. The division had experienced US$35 million in budget decreases over the last five years. The division, which already has an estimated annual budget of US$65 million, provides support for numerous counter-terrorism, counter-intelligence and criminal investigations involving digital or electronic information. The House has approved the final version of the spending bill; the Senate is likely to approve the bill this week.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Vulnerability in Some ISAKMP Implementations (14 November 2005)
A flaw in certain implementations of the Internet Security Association and Key Management Protocol (ISAKMP), the framework used by IKE to negotiate keys for IPsec VPNs, could leave affected products vulnerable to denial-of-service attacks, format string attacks and buffer overflows. Because ISAKMP listens on the Internet-facing side of VPN gateways and must accept unauthenticated packets before a security association exists, a malformed-packet flaw here can be triggered remotely by anyone who can reach UDP port 500. Cisco Systems Inc. and Juniper Networks Inc. have said that some of their products are affected by the problem.
RealPlayer Issues Security Update for Buffer Overflow Flaws (11 November 2005)
RealNetworks has issued an update that addresses three security flaws in the Windows versions of RealPlayer 10.5, RealPlayer 10, RealOne Player v2 and v1, RealPlayer 8 and RealPlayer Enterprise. The flaws also affect the Apple Macintosh version of RealPlayer 10 and the Linux versions of RealPlayer 10 and Helix Player. The three buffer overflow flaws could allow attackers to execute malicious code on vulnerable machines; as with other media-player bugs, the attacker's input is a crafted media file, so opening a file from an untrusted web page or email is enough to trigger them.
ATTACKS & INTRUSIONS & DATA THEFT
Four Arrested in New Delhi on Data Theft Charges (13/12 November 2005)
Four people have been arrested in New Delhi, India in connection with the theft of data. The four were former employees of Parsec Technologies Limited (PTL), an Indian subsidiary of US-based Parsec Technologies. PTL provided leads about people interested in refinancing their home mortgages. Those arrested allegedly sold the data they stole to other call centers in India.
[Editor's Note (Hayler): Personal data and call lists change hands for a significant amount of money. It is not particularly surprising that the centralisation of outsourced call centres has led to the rise of this sort of black market for data. I suspect that for every incident like this that is exposed, many more go undetected. ]
STATISTICS, STUDIES & SURVEYS
Mobile Computer Users Lax on Security (14 November 2005)
Pointsec's Mobile Usage Survey 2005 found that one-third of professionals who use mobile devices such as PDAs and smartphones do not protect the data they contain with passwords or any other type of security measure. Thirty percent use the devices to store PINs, passwords and other sensitive corporate data, including customer contacts. Twenty-two percent of those surveyed said they had lost a mobile device; of those, 81 percent had not encrypted the data on the device.
[Editor's Note (Schultz): Although some organizations have addressed security issues associated with mobile computing well, it would be safe to say that the overwhelming majority has not. Mobile user security will become one of the most important information security issues over the next few years. ]
Data Loss Proves Costly to Companies (14 November 2005)
A pair of surveys conducted on behalf of PGP Corp. found that companies that lose or mishandle customer data suffer significant financial fallout. A survey of organizations found that each security breach cost approximately US$14 million. A survey of consumers found that twelve percent of the 9,000 people surveyed said they had received a notice that the security of their personal data had been breached. Nineteen percent of people whose information was mishandled immediately closed accounts with that company; an additional 40 percent said they were considering terminating their accounts.
Businesses Mull Personal CD Use in Light of Sony's DRM Software (14 November 2005)
The presence of digital rights management (DRM) software on some Sony BMG CDs has prompted some organizations to examine their policies regarding the use of personal CDs in the workplace. One company said it is reviewing the autorun settings for music CDs but not banning the use of CDs. The review makes sense: on Windows the XCP installer is launched automatically when the disc is inserted, so disabling AutoRun for CD-ROM drives removes the silent installation path without prohibiting the discs themselves.
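The following is an added example for the AutoRun review mentioned above; it is not code from the newsletter or from the company quoted. It audits and hardens the Windows NoDriveTypeAutoRun policy value. The registry path and the per-drive-type bit meanings are Microsoft's documented ones; the function names and the assumption that an absent value means the Windows XP default of 0x95 are this example's own.

```powershell
# Added example (not from the NewsBites item): audit and harden Windows AutoRun so
# that inserting an audio CD cannot silently launch an installer from autorun.inf.
# Registry path and bit values are Microsoft's; helper names are this example's own.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'

# Each bit disables AutoRun for one drive type (the DRIVE_* values from GetDriveType).
$DriveTypeBits = [ordered]@{
    Unknown   = 0x01
    NoRootDir = 0x02
    Removable = 0x04
    Fixed     = 0x08
    Remote    = 0x10
    CDROM     = 0x20
    RamDisk   = 0x40
    Reserved  = 0x80
}

function Get-AutoRunPolicy {
    # Returns the effective mask. Assumption: when the value is absent, Windows XP
    # behaves as if it were 0x95, which leaves AutoRun ENABLED for CD-ROM (bit 0x20 clear).
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0x95 }
    return [int]$item.$ValueName
}

function Show-AutoRunPolicy {
    param([int]$Mask)
    foreach ($entry in $DriveTypeBits.GetEnumerator()) {
        $state = if ($Mask -band $entry.Value) { 'disabled' } else { 'ENABLED' }
        '{0,-10} AutoRun {1}' -f $entry.Key, $state
    }
}

function Set-AutoRunDisabledForAllDrives {
    # 0xFF sets every bit: autorun.inf processing is off for every drive type.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value 0xFF `
        -PropertyType DWord -Force | Out-Null
}

$before = Get-AutoRunPolicy
'Current mask: 0x{0:X2}' -f $before
Show-AutoRunPolicy -Mask $before
if (-not ($before -band $DriveTypeBits.CDROM)) {
    'CD-ROM AutoRun is enabled: an autorun.inf on an inserted disc will be executed.'
}

Set-AutoRunDisabledForAllDrives          # requires an elevated (Administrator) shell
'New mask:     0x{0:X2}' -f (Get-AutoRunPolicy)
```

The HKLM policy value overrides the per-user copy under HKCU, and the change takes effect at the next logon. Note what this does and does not buy you: it stops the installer from running on insertion, but a user who browses the disc and launches the installer by hand is still unprotected, so the setting belongs alongside, not instead of, the removal tools the Sony and Microsoft items above describe.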
Man Convicted of Unauthorized Site Access Now Employed at Security Firm (11 November 2005)
Daniel Cuthbert, who was convicted in October of "gaining unauthorized access" to a tsunami relief donation web site, is now gainfully employed at a UK security company. Cuthbert was convicted under the Computer Misuse Act (CMA). He maintained that he suspected the site to which he had donated might be a phishing site, so he tried to access the site's higher-level directories, which triggered an alarm. Mr. Cuthbert's case could provide another reason to re-examine the CMA; just weeks ago, a case against a teenager accused of launching a denial-of-service attack was thrown out because the CMA has no provisions for that crime.
Open Invention Network Will Acquire and Share Linux Patents (10 November 2005)
The Open Invention Network (OIN) is a new company formed "to share Linux patents without charging for royalties." The company's plan is to acquire "Linux-related patents and share them royalty-free with organizations that agree not to assert its patents against Linux or its applications." The organizations that have formed OIN, IBM, Sony, Philips N.V., Red Hat and Novell, have done so to reduce impediments to Linux collaboration,
New Zealand Internet Safety Group Launches Educational Campaign (3 October 2005)
NetSafe, the New Zealand Internet Safety Group, has launched a six-month security awareness and education program aimed at home users. Among the recommendations made by the Net Basics campaign are updating software, installing anti-virus software and keeping it current, and installing a firewall. The NetSafe website provides information designed specifically for children, parents, adults, teachers and others.
[Editor's Note (Hayler): What makes this stand out from the many government initiatives of recent months is the focus on educating young people about the dangers of modern communications. Hopefully the next generation of IT users will be better equipped to deal with Internet and mobile phone security issues. ]
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler, Jaap-Henk Hoepman, Brian Honan, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit