SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #8
February 23, 2005
The early registration deadline for SANS 2005 (San Diego, early April 7-12) is this Friday, February 25.
Details at http://www.sans.org/sans2005
TOP OF THE NEWS
Federal Computer Security Grades Average D+
ChoicePoint will Expand Breach Notification
Bank of America to Use Two-Factor Authentication for Online Banking Customers
Microsoft Chastised for Security Approach
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
IM Spammer Arrested
Man Pleads Guilty to Sending MSN TV Malware that Calls 911
Guilty Plea in T-Mobile Intrusion Case
T-Mobile Intrusion Underscores Disparity Between Virtual and Physical Privacy
Teen Gets Three Years Probation for Microsoft DDoS Attack
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Treasury Bond Purchase Site Security Poses Concerns
Senate Approves Chertoff Nomination to Head DHS
IT Not Sharing Critical Infrastructure Security Concerns with Government
SPAM & PHISHING
Phish Report Network
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Patch Available for HP HTTP Server Flaw
Microsoft Releases Windows Media Player Update
Researchers Break SHA-1
Gates Says Spyware Product Free to Windows Users, IE7 Due Out This Year
Citibank UK Uses On Screen Keyboard for Passwords
SANS Recommends Reviewing Disaster Recovery Plans To Consider H5 Avian Flu Risk
*********************** SPONSORED BY SANS 2005 **************************
SANS 2005, in San Diego in early April (on the ocean) is SANS' largest security and audit training conference and expo. Extraordinary teachers present the most current tools and techniques. Early registration deadline for SANS 2005 is this Friday, February 25. Details at
TOP OF THE NEWS
Federal Computer Security Grades Average D+ (17/16 February 2005) The new US government cyber security report card released by the House Government Reform Committee gives agencies an average grade of D+. While this represents a 2.3 point increase over last year's overall grade, 7 of the 24 agencies included in the report card received failing grades. Among the most significant changes: the Department of Transportation rose from a D+ last year to an A- this year; the Departments of Justice and the Interior both received failing grades last year but rose to B- and C+ respectively on this year's report card. Separately, a phone survey of 30 federal chief information security officers graded the House Government Reform Committee's report card itself: it got a C. The CISOs surveyed represented 24% of all CISOs in the government. The CISOs want to improve the criteria by which the agencies' cyber security is evaluated. HGRC chair Rep. Tom Davis (R-Va.) announced the CISO Exchange, an initiative aimed at "giving federal CISOs more of a voice in upgrading federal cyber security."
[Editor's Note (Paller): The remarkable element of these grades was that, for the first time, two large agencies (Transportation and Justice) had substantial grade improvements. They used innovative techniques that improved security while lowering the cost and pain of compliance. They will be great models for the CISO Exchange to discuss.
(Schultz): Change of any nature in the government arena is difficult to achieve, so the marks that government agencies recently received are hardly surprising. If anything, it is in fact encouraging to see that there was once again some improvement in cyber security. ]
ChoicePoint will Expand Breach Notification (19/18 February 2005) ChoicePoint will inform more than 100,000 additional consumers that their personal data was compromised; the consumer data services company has already informed approximately 35,000 Californians of the breach in compliance with a state law requiring such notification. Attorneys general in 38 states have filed formal requests that ChoicePoint notify affected consumers in their states. According to law enforcement officials, 750 cases of identity theft have already been tied to the data theft.
Bank of America to Use Two-Factor Authentication for Online Banking Customers (18 February 2005) Bank of America plans to use a two-factor authentication system to protect the applications its online customers use to access banking services. In recent weeks, a businessman sued Bank of America, claiming US$90,000 was wired out of his online account without his authorization.
[Editor's Note (Pescatore): We are inching closer to getting tokens into the hands of consumers for use in online services. However, the implementation costs will still be a barrier if each business has to issue its own token, and if consumers are expected to cover token costs. Some new business models are needed to allow all the lemmings to jump off of the password cliff sooner rather than later.
(Schneier): Sadly, this will be too little too late. Modern attack methods will just blow right by two-factor authentication. ]
Microsoft Chastised for Security Approach (17 February 2005) Gartner's Neil MacDonald has taken Microsoft to task for missing the mark on security. MacDonald says Microsoft should be working toward eliminating the need for anti-virus and anti-spyware products rather than entering the market and undercutting competitors' prices. He also calls Microsoft's decision to restrict Internet Explorer 7.0 to the Windows XP platform irresponsible, saying it should work with Windows 2000 without requiring an upgrade.
************************** SPONSORED LINKS ******************************
Privacy notice: Some sponsored links redirect to non-SANS web pages.
(1) ALERT: Google Hacking/Web Application Worms - Are You Vulnerable? - WebInspect Product Trial
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
IM Spammer Arrested (21 February 2005) Anthony Greco has been arrested on charges of sending 1.5 million unsolicited instant messages, known as "spim," to members of the MySpace.com online networking service. Greco was arrested in Los Angeles after being lured there from New York. Greco believed he was heading for a meeting with the president of MySpace to sign an exclusive marketing agreement; he had threatened to share his spimming techniques with others if he did not get the agreement. Greco's arrest is the first ever for sending spam over IM.
[Editor's Note (Shpantzer): Unlike email spam, text message spam can end up costing phone customers money, and there are no tools widely available to block Spim. ]
Man Pleads Guilty to Sending MSN TV Malware that Calls 911 (17 February 2005) David Jeansonne has pleaded guilty to two federal felonies for distributing malware disguised as a tool to change the colors on the MSN TV user interface. The program actually reprogrammed infected set-top boxes to dial 911 emergency services instead of the local Internet dial-up number. It also posted infected users' browser histories to a web site and emailed hardware serial numbers to a certain email account.
Guilty Plea in T-Mobile Intrusion Case (16 February 2005) Nicolas Jacobsen has pleaded guilty to intentionally accessing a protected computer and recklessly causing damage for breaking into T-Mobile servers. Jacobsen accessed and monitored a US Secret Service cyber crime agent's email; he also downloaded customers' photographs. When he is sentenced in May, Jacobsen faces up to five years in prison.
T-Mobile Intrusion Underscores Disparity Between Virtual and Physical Privacy (14 February 2005) Bruce Schneier uses the T-Mobile intrusion case as an illustration of the fact that "virtual privacy and physical privacy do not have the same boundaries." We no longer have control of our data's security. While police require a warrant to read the email on individuals' home computers, no warrant is required to read email from an ISP's backup tapes.
Teen Gets Three Years Probation for Microsoft DDoS Attack (14 February 2005) A fourteen-year-old has been sentenced to three years of probation for creating a worm that took down the Microsoft home page for four hours in August 2003. The RPCSDBOT trojan created a network of bots that launched a distributed denial-of-service attack on the web site. The worm reportedly took advantage of the same Windows vulnerability exploited by Blaster.
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Treasury Bond Purchase Site Security Poses Concerns (17 February 2005) House Government Reform Committee chairman Tom Davis (R-Va.) has written a letter to Treasury Department Commissioner of the Public Debt Van Zeck, voicing concerns about the security of information people are required to provide at the www.treasurydirect.gov web site when purchasing government savings bonds over the Internet. Buyers are required to transmit bank account and routing numbers as well as social security numbers, driver's license numbers and other personal information to buy the bonds electronically. A disclaimer in the site's privacy and security notice says that the security of transmitted data cannot be guaranteed; however, the notice also says the Bureau of Public Debt uses Secure Sockets Layer and 128-bit encryption technology to protect information.
IT Not Sharing Critical Infrastructure Security Concerns with Government (11 February 2005) The Protected Critical Infrastructure Information program has been virtually unused by the IT sector. The program was designed to allow entities that control sections of the nation's critical infrastructure to share with the government information about their cyber and physical security vulnerabilities free from fear that the information would be made public under the Freedom of Information Act. Industry concerns include the fact that once the information has been submitted, the organizations that submitted it have no control over who gets to see it. In addition, PCII presently requires submissions to be made on paper rather than by electronic filing, though that might be changing soon.
SPAM & PHISHING
Phish Report Network (15 February 2005) The Phish Report Network, an initiative that counts among its participants Microsoft, eBay, PayPal and Visa, aims to reduce phishing's spread by reporting suspect sites to a central database. Once a site is confirmed as fraudulent, members are notified so that the URL can be blocked.
[Editorial Note (Paller): The Phish Report Network is different from the Anti-Phishing Working Group (APWG). APWG is the global pan-industrial and law enforcement association with 1,000 members focused on eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types. It provides best practices and other advice and maintains the definitive repository of phishing examples. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Patch Available for HP HTTP Server Flaw (16 February 2005) Hewlett Packard has released a patch for a denial-of-service/remote code execution vulnerability in its HP HTTP Server. The flaw affects versions 5.0 to 5.95 of the product.
Microsoft Releases Windows Media Player Update (16 February 2005) Microsoft has released an update for Windows Media Player following confirmed reports that attackers were exploiting the digital rights management system to install spyware, adware and other malicious programs. The update gives users more control over pop-ups during license acquisition.
Researchers Break SHA-1 (21/17 February 2005) Scientists from Shandong University in China and Princeton University in the US are circulating a paper called "Collision Search Attacks on SHA-1" which describes methods for creating collisions with the SHA-1 algorithm 2,000 times faster than was believed to be possible before. The National Institute of Standards and Technology recently recommended that government begin moving from SHA-1 to SHA-256 and SHA-512.
[Editor's Note (Schultz): NIST's recommendation to quit using SHA-1 was remarkably timely and accurate. ]
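The practical consequence of a collision attack is that a digest no longer proves a file was not swapped for another with the same hash, so integrity manifests built on SHA-1 need to move to the SHA-2 family NIST recommends. The following is an added example, not code from the paper, from NIST or from SANS: a small file-integrity manifest tool that records SHA-256 digests, verifies them with a constant-time comparison, and refuses to rely on SHA-1 or MD5 records that may predate the migration. The algorithm sets, the ManifestEntry record and the sample file contents are all assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List

# Assumed policy for this example: SHA-1 and MD5 are treated as unfit for
# tamper detection; only the SHA-2 members NIST named are accepted.
DEPRECATED_ALGORITHMS = {"md5", "sha1"}
APPROVED_ALGORITHMS = {"sha256", "sha512"}


@dataclass(frozen=True)
class ManifestEntry:
    """One integrity record: file name, digest algorithm, hex digest (constructed format)."""
    name: str
    algorithm: str
    digest_hex: str


def digest_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hash data with an approved algorithm; refuse deprecated ones outright."""
    if algorithm not in APPROVED_ALGORITHMS:
        raise ValueError(f"{algorithm} is not approved for new integrity records")
    return hashlib.new(algorithm, data).hexdigest()


def build_manifest(files: Dict[str, bytes], algorithm: str = "sha256") -> List[ManifestEntry]:
    """Produce a sorted manifest so two runs over the same files give identical output."""
    return [ManifestEntry(name, algorithm, digest_bytes(data, algorithm))
            for name, data in sorted(files.items())]


def verify_manifest(files: Dict[str, bytes], manifest: List[ManifestEntry]) -> Dict[str, str]:
    """Return a status per manifest entry: ok, mismatch, missing, or weak-algorithm.

    A record made with a deprecated algorithm is reported as weak-algorithm
    without being checked: a matching SHA-1 digest no longer proves the file is
    the one originally recorded, so the only safe answer is to re-record it.
    """
    results: Dict[str, str] = {}
    for entry in manifest:
        if entry.algorithm in DEPRECATED_ALGORITHMS:
            results[entry.name] = "weak-algorithm"
            continue
        data = files.get(entry.name)
        if data is None:
            results[entry.name] = "missing"
            continue
        actual = hashlib.new(entry.algorithm, data).hexdigest()
        # compare_digest avoids leaking where the two hex strings first differ
        results[entry.name] = "ok" if hmac.compare_digest(actual, entry.digest_hex) else "mismatch"
    return results


if __name__ == "__main__":
    # Constructed sample "evidence" files, stored in memory so the example runs offline.
    evidence = {
        "disk-image.txt": b"constructed sample: sector dump placeholder\n",
        "chain-of-custody.txt": b"constructed sample: custody log placeholder\n",
    }
    manifest = build_manifest(evidence)
    print("fresh manifest:", verify_manifest(evidence, manifest))

    tampered = dict(evidence)
    tampered["disk-image.txt"] = b"constructed sample: altered content\n"
    print("after tampering:", verify_manifest(tampered, manifest))

    # A legacy SHA-1 record (the well-known digest of the bytes b"abc") is flagged, not trusted.
    legacy = [ManifestEntry("abc.txt", "sha1", "a9993e364706816aba3e25717850c26c9cd0d89d")]
    print("legacy record:", verify_manifest({"abc.txt": b"abc"}, legacy))
```

Run it directly to see the three cases. Re-recording a legacy manifest means re-hashing the original files with an approved algorithm while they are still known-good; a verifier that silently accepted the old SHA-1 digests would be certifying exactly the property the collision attack removes.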
Gates Says Spyware Product Free to Windows Users, IE7 Due Out This Year (17/16/15 February 2005) Speaking at RSA Conference 2005, Bill Gates said that all licensed Windows users would receive the company's anti-spyware product at no charge. Gates also said that Microsoft will release a new, more secure version of Internet Explorer, IE 7, by the middle of this year. Though Microsoft has indicated that it will charge users for its forthcoming anti-virus product, the cost-free anti-spyware product has fueled speculation that if Microsoft ties the anti-virus software too closely to its OS or prices it low enough, company practices could come under antitrust scrutiny.
[Editor's Note (Northcutt): In SANS NewsBites, February 09, 2005, Volume: 7, Issue: 6 we reported NIST's William Burr was quoted as saying MD5, the most commonly used cryptographic hash, was vulnerable to attack. These algorithms are used to ensure messages and files have not been tampered with, so these discoveries potentially affect IT processes ranging from forensics and evidence collection to ecommerce. ]
Citibank UK Uses On-Screen Keyboard for Passwords (17 February 2005) Citibank's UK division now requires its on-line banking customers to use an on-screen keyboard to enter their passwords. The move is likely an effort to evade keystroke loggers, although malware that grabs screenshots at designated times could defeat this security measure.
SANS Recommends Reviewing Disaster Recovery Plans To Consider H5 Avian Flu Risk (17 February 2005) CDC researchers report that over 100 million birds have died of the H5 flu strain over the past two years and that this flu has spread to humans. There are 55 documented cases of infection resulting in 42 deaths. Human to human infection has also been documented, but as yet it has not resulted in a self-sustaining outbreak. The flu has also spread from birds to pigs and cats. The potential for an epidemic during the 2005 - 2006 flu season is significant. SANS recommends the following:
- - Assess options to travel in the winter of 2005 - 2006
- - Consider the possibility of "work from home" especially in Asia and high Asian contact areas
- - DR/BCP planners should incorporate the lessons learned from SARS into continuity planning
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit