
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #61

December 13, 2005


SANS 2006 in Orlando, FL, in February is SANS' largest event of the
year. Now open for registration at http://www.sans.org/sans2006


TOP OF THE NEWS

SANS Authorized To Grant Master of Science Degrees
eBay Removes Vulnerability Information Listing
South Korean Legislation Addresses Phishers, Spammers and Identity Fraud Compensation

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Software Company CEO Pleads Guilty to Theft of Trade Secrets
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Appeals Court Upholds Judgment Against Music Downloader
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Infected Computer Exposes Airport Access Codes, Boeing 767 Instruction Manual
Buffer Overflow Flaw in Firefox 1.5 Could be Exploited to Cause Denial-of-Service
ATTACKS & INTRUSIONS & DATA THEFT
Sam's Club Acknowledges Data Security Breach
Thieves Steal Donor Data from Charity Website
STANDARDS & BEST PRACTICES
Companies, Browser Makers to Develop Standards to Restore Confidence in Security Padlock
STATISTICS, STUDIES & SURVEYS
Survey: One-Third of Companies Not Following Data Backup and Recovery Policies
MISCELLANEOUS
Improperly Configured Servers Responsible for eMail Deluge
Law Firms Did Not Violate DMCA


*************************** Sponsored by NetIQ **************************
Top 10 IT Compliance Reports Get the top 10 reports that organizations must have to ensure a timely and accurate approach to satisfying regulatory requirements. Find out how today's regulations can be translated into a common set of security requirements and where NetIQ's Knowledge-Based Service Assurance solutions can help assure compliance with multiple regulations. Download this free white paper now. http://www.sans.org/info.php?id=962
*************************************************************************

TOP OF THE NEWS

SANS Authorized To Grant Master of Science Degrees (12 December 2005)

The SANS Institute now offers two graduate degrees through the SANS Technology Institute. Classes for Master of Science degrees in information security engineering and information security management are scheduled to begin in February 2006. As might be expected from SANS, the degree programs are substantially more technically challenging than most other graduate degree programs in cyber security. SANS programs also focus on developing the missing management skills, so critical to success for cyber security managers - effective writing, speaking, project management, and especially teaching.
-http://www.sans.edu/
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=37767
-http://www.fcw.com/article91707-12-12-05-Web

South Korean Legislation Addresses Phishers, Spammers and Identity Fraud Compensation (11/9 December 2005)

South Korea's National Assembly has passed a bill that will impose prison sentences of up to three years and fines of up to 30 million won (US$29,210) for people convicted of phishing. Prior to this legislation, which will take effect in three months, convicted phishers faced no prison sentences. In addition, people convicted of sending spam containing adult material or promoting drug sales would face prison sentences of up to one year and fines of up to 10 million won (US$9,736). In a separate story, legislation taking effect in October 2006 will compel financial institutions to compensate people whose identities are used fraudulently online for the losses they incur.
-http://times.hankooki.com/lpage/biz/200512/kt2005121117522211910.htm
-http://www.silicon.com/financialservices/0,3800010322,39154961,00.htm
[Editor's Note (Schultz): The fact that legislation of this nature is being passed (however slowly) in countries around the world is good news in the war against phishing. The result is that there are increasingly fewer countries from which phishers can operate without having to fear the consequences of the law. ]

eBay Removes Vulnerability Information Listing (12/10/9 December 2005)

eBay has removed a listing in which someone was trying to sell information about a zero-day vulnerability in Microsoft Excel. The person listing the item said Microsoft had been alerted to the issue but that a patch was unlikely to be available for "the next few months." eBay says that the listing violated a company policy against encouraging illegal activity.
-http://www.securityfocus.com/news/11363
-http://www.vnunet.com/vnunet/news/2147412/zero-day-excel-hacker-fights
-http://www.techweb.com/wire/ebiz/174910093?sssdmh=dm4.160404


*********************** Sponsored Links: ******************************

1) ALERT: YOU vs Sober/Zotob/Bagle Variants? Is Your Internal Network Safe? Download FREE White Paper "Zotob: Zero-Hour Detection and Response" http://www.sans.org/info.php?id=963

2) Experience the Power of Blue Coat WebFilter on Your Own PC - No Strings Attached! http://www.sans.org/info.php?id=964

3) Earn your Master's degree in Information Security from an NSA - recognized online program. http://www.sans.org/info.php?id=965

***********************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Software Company CEO Pleads Guilty to Theft of Trade Secrets (9 December 2005)

John O'Neil, former CEO of Business Engine Software, has pleaded guilty to breaking into computers belonging to Niku, a competitor, in order to steal trade secrets. Mr. O'Neil faces a maximum sentence of 10 years in prison and a US$250,000 fine. According to court documents, people at Business Engine Software managed to obtain Niku account names and passwords that gave them administrative access to Niku's computers. They used the passwords to download more than 1,000 confidential documents, including technical specifications, product designs and prospective customer lists. The scheme was uncovered when a Business Engine salesman contacted one of Niku's prospective clients, who became suspicious about how Business Engine had obtained his contact information. The prospective client contacted Niku, where log files confirmed that someone from outside the company had been accessing their computers. Sentencing for Mr. O'Neil as well as for two other defendants in the case is scheduled for May 17, 2006.
-http://news.com.com/2102-7350_3-5989750.html?tag=st.util.print
[Editor's Note (Shpantzer): This case is one of many on the list of those prosecuted by the DoJ for Economic Espionage.
-http://www.usdoj.gov/criminal/cybercrime/eeapub.htm
Mr. O'Neil, the former Business Engine CEO, was part of a conspiracy with the CTO and VP of sales to steal information from Niku over a period of 10 months. This case didn't come from eastern European mafia hackers or Chinese intelligence, but rather the executive suite of a successful American company selling project management software to the Fortune 500. ]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Appeals Court Upholds Judgment Against Music Downloader (12 December 2005)

A federal appeals court has upheld a judgment that fined a Chicago woman US$22,500 for violating copyright law by downloading songs from the Kazaa file-sharing network. Cecilia Gonzalez maintained that she was merely sampling music under the fair use exception of US copyright law to decide which CDs she wanted to purchase. The 7th Circuit Court of Appeals rejected her arguments. The court also rejected Gonzalez's request to remove an injunction obtained by the Recording Industry Association of America (RIAA) barring her from future copyright violations. The court's ruling sets formal precedent for the states of Illinois, Indiana and Wisconsin.
-http://news.zdnet.com/2102-9588_22-5991531.html?tag=printthis

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Infected Computer Exposes Airport Access Codes, Boeing 767 Instruction Manual (12/9 December 2005)

A virus-infected computer used at home by a Japan Airlines (JAL) co-pilot is apparently the source of a leak of 17 security codes that allow access to restricted areas of airports. The instruction manual for the Boeing 767 was also leaked. Although airline policy does not allow the downloading of sensitive information to computers, the access codes are not considered sensitive corporate information because so many people already know them. All the airports have been contacted and advised to change their pass codes.
-http://www.computerworld.com/printthis/2005/0,4814,106938,00.html
-http://www.japantimes.co.jp/cgi-bin/getarticle.pl5?nn20051209b2.htm
-http://www.kuam.com/news/15973.aspx
-http://www.toptechnews.com/story.xhtml?story_id=40096
[Editor's Note (Tan): The fact that information was leaked because of virus infections warrants a wake-up call. Users need to be educated on how their systems get infected and how they can prevent future occurrences. Would the incident have been detected if the passcode had not been posted online? The growth of botnets is often the result of human ignorance or carelessness.
(Kreitner): Considering airport access security codes non-sensitive information because lots of people know them deserves the Dumb Policy or Lame Excuse of the Week Award. This episode reflects the continuing failure to examine the security status of remote computers before granting access to the corporate network. ]

Buffer Overflow Flaw in Firefox 1.5 Could be Exploited to Cause Denial-of-Service (12/9/8 December 2005)

A buffer overflow flaw in Firefox 1.5 running on Windows XP SP2 could expose users to the possibility of a denial-of-service attack. Exploit code was posted to the Internet last week. Mozilla has called the flaw "a low-severity issue" and says it will fix the vulnerability in its next scheduled stability build of Firefox, due early next year.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39241033-39020375t-10000025c
-http://www.theregister.co.uk/2005/12/12/firefox_history_file_bug/print.html
-http://www.infoworld.com/article/05/12/08/HNfirefoxhole_1.html
Postscript: SANS Internet Storm Center handlers have verified that this does NOT cause a DoS.
-http://isc.sans.org/diary.php?storyid=920
-http://www.mozilla.org/security/history-title.html

ATTACKS & INTRUSIONS & DATA THEFT

Sam's Club Acknowledges Data Security Breach (12 December 2005)

Sam's Club has acknowledged that a data security breach exposed the credit card data of customers who purchased gas at the stores between September 23 and October 2, 2005. The company became aware of the intrusion when credit card issuers said customers were reporting fraudulent charges on their statements. Sam's Club is working with both Visa and MasterCard on the breach investigation; the US Attorney's Office for the Western District of Arkansas and the Secret Service have been notified.
-http://www.computerworld.com/printthis/2005/0,4814,107014,00.html

Thieves Steal Donor Data from Charity Website (12/9 December 2005)

A UK charity has acknowledged that its website has suffered a security breach, compromising the personal data of donors. The thieves have used the stolen data to contact the donors and attempt to get money from them. The charity, Aid to the Church in Need, has closed the affected web site, notified those whose data were compromised and contacted police.
-http://www.publictechnology.net/modules.php?op=modload&name=News&file=article&sid=4159
-http://software.silicon.com/malware/0,3800003100,39154968,00.htm

STANDARDS & BEST PRACTICES

Companies, Browser Makers to Develop Standards to Restore Confidence in Security Padlock (12 December 2005)

A group of companies is working with web browser makers to develop stronger authentication certificates to restore consumer confidence in the yellow security padlock. It is hoped that the standards will help thwart phishers. The padlock icon is used to demonstrate that a certification authority "has identified the site and vouched for its validity" and that the traffic is encrypted. Certificate providers used to check applicants thoroughly before issuing a web site security certificate; some providers have become more relaxed with their checks to offer less expensive certificates.
-http://news.com.com/2102-1029_3-5989633.html?tag=st.util.print
[Editor's Note (Ranum): This is ironic, since the original intent of the public key certificates used in web authentication was to address EXACTLY this kind of problem. What went wrong? So many companies concluded that they could make a ton of money selling certificates that the whole trust hierarchy never happened. Put differently, the pigs charged the trough so hard they knocked it over.
(Northcutt): I agree with Marcus and have predicted this for years. When I attended IEEE and IETF meetings in the late 80s and early 90s, as these protocols were being developed, I noticed an odd repetitive behavior. The researcher would present his algorithm and show the audience viewgraphs displaying advanced equations no one could follow. Then when Q&A time came, the algorithm was not discussed at all, but trust was. Why should we trust AT&T (at the time it was thought they would be a major player)? Why should we trust IBM? Etc. It was quite obvious, even then, that this was about money, not trust. Whoever got to "sell" trust was going to rake in some serious dinero.
(Pescatore): I have to disagree on this one. The real problem here has been that browsers *never* implemented functionality to be able to recognize different assurance levels in certificates. The primitives and extensions exist in the X.509 standards to have pointers to Certificate Policies that can define acceptable use, and Certification Practice Statements that define the assurance level of the registration process, along with the rest of the certificate process. The ability to deal with this was never built into the browsers, so any certification authority that did implement different classes of certificates found it didn't matter - and this drove certificates to a price-driven commodity. Thus, the registration processes got automated to reduce cost, which meant lower assurance - and that is where we are today. That is why the efforts by Mozilla, Microsoft and the other browser builders to try to change the browser end is the important starting point of changing this. ]
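The Certificate Policies mechanism Pescatore refers to, shown as an added example that is not part of the newsletter: a relying party that reads the policy OIDs a certificate asserts and maps them to an assurance rank, which is the browser-side step he says was never built. The policy OIDs, the rank values, the hypothetical example.test subject and the self-signed test certificate are all constructed for this example; real CAs publish their own policy identifiers in their Certificate Policy documents.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Constructed placeholder policy OIDs standing in for a CA's low- and high-assurance classes.
var oidDomainValidated, oidOrgValidated = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}, asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 3}
// Relying-party mapping from policy OID to assurance rank (1 = automated domain check only,
// 3 = organisation identity vetted by a person). OIDs not in the map earn no assurance at all.
var policyRank = map[string]int{oidDomainValidated.String(): 1, oidOrgValidated.String(): 3}
// policyInformation mirrors RFC 5280 PolicyInformation with the optional qualifiers omitted.
type policyInformation struct{ Policy asn1.ObjectIdentifier }

// AssuranceRank returns the highest recognised rank among the policies the certificate
// asserts, or 0 when it asserts none the relying party trusts.
func AssuranceRank(cert *x509.Certificate) (best int) {
	for _, oid := range cert.PolicyIdentifiers {
		if r := policyRank[oid.String()]; r > best {
			best = r
		}
	}
	return best
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedWithPolicies builds a throwaway self-signed certificate whose Certificate
// Policies extension (id-ce 32) asserts the given OIDs, so the example needs no real CA.
func selfSignedWithPolicies(policies ...asn1.ObjectIdentifier) *x509.Certificate {
	infos := make([]policyInformation, len(policies))
	for i, p := range policies {
		infos[i].Policy = p
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: must(asn1.Marshal(infos))}}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	cert := selfSignedWithPolicies(oidDomainValidated, oidOrgValidated)
	fmt.Printf("asserted %v -> assurance rank %d\n", cert.PolicyIdentifiers, AssuranceRank(cert))
}
```

A certificate that asserts only an OID the relying party has never mapped ranks 0, which is the "it didn't matter" outcome Pescatore describes: the CA's extra vetting is invisible unless the client side looks for it.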

STATISTICS, STUDIES & SURVEYS

Survey: One-Third of Companies Not Following Data Backup and Recovery Policies (12 December 2005)

Findings from a recent survey indicate that 33 percent of businesses in Ireland and the UK either do not have backup and recovery procedures in place or do not abide by the policies they have established. The survey compiled responses from 258 large private and public sector organizations within Ireland and the UK. Seventy-eight percent of respondents said they keep their backed up data in the same building or campus that houses their data centers. Fifty-three percent of IT managers have implemented a "tiering" strategy for storing different data on different media types.
-http://www.siliconrepublic.com/news/news.nv?storyid=single5800

MISCELLANEOUS

Improperly Configured Servers Responsible for eMail Deluge (11/9 December 2005)

Improperly configured servers were to blame for a deluge of email that jammed systems at Dublin law firms. When some solicitors responded to a marketing email message, the server sent the original message to their entire email database tens of thousands of times. The problem was in the configuration of Microsoft Small Business Server and can be addressed by implementing Microsoft Knowledge Base patches KB886208 and KB835734.
-http://www.sbpost.ie/post/pages/p/story.aspx-qqqid=10364-qqqx=1.asp
-http://www.enn.ie/frontpage/news-9657619.html
[Editor's Note (Kreitner): Good configuration practice is one of the basic blocking and tackling components of competent security. I continue to see data revealing how careless even large and sophisticated enterprises are at granting access privileges and leaving critical data and program assets inadequately protected. What is that definition of insanity? Continuing to do the same thing and expecting different results. ]

Law Firms Did Not Violate DMCA (9 December 2005)

District of Columbia federal judge Henry Kennedy Jr. has ruled that two law firms did not violate the Digital Millennium Copyright Act (DMCA) when they used a valid username and password combination to access the password-protected website of an expert witness in a Colorado trial. The law firms maintained they accessed the web site to demonstrate that Dr. David Egilman had violated a gag order imposed by the judge in the original case. Judge Kennedy ruled that the law firms did not violate the DMCA, writing that "it is irrelevant who provided the username/password combination, or given that the combination itself was legitimate, how it was obtained."
-http://www.law.com/jsp/printerfriendly.jsp?c=LawArticle&t=PrinterFriendlyArticle&cid=1134036310706

[Editor's Note (Schultz): This ruling seems completely unfair. The law firm in this case blatantly gained unauthorized access to the expert witness' account. Perhaps the DMCA was not violated, but why individuals from this law firm do not have to face other criminal charges is puzzling. ]


===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler,
Jaap-Henk Hoepman, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan
Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz,
Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/