SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #9
March 02, 2005
The early registration deadline for SANS 2005 (San Diego, April 7-12) is this Monday, March 7. Details at http://www.sans.org/sans2005
TOP OF THE NEWS9-11 Commission Member Questions ISACs Effectiveness
Singapore's Infocomm Security Masterplan
Lost Bank of America Backup Tapes Contain Federal Employees' Personal Data
Paymaxx Closes Site After Data Exposure Vulnerabilities Acknowledged
THE REST OF THE WEEK'S NEWSHOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
IG Report: IRS Secure Messaging Must be Used by All to be Effective
DHS Will Conduct Cyber Preparedness Exercise in November
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
SP2 Automatic Update Blocking Will Expire in April
Mozilla Releases First Firefox Update
T-Mobile Warns of Voice Mail Box Vulnerability
ARJ File Parsing Flaw in Trend Micro Virus Scanning Products
Phony eMail Appears to Come from FBI, Has Virus Attached
Patch Available for Java Flaw in MacOS X
New Worm Variants Include MyDoom, Sober
Cabir Phone Worm Migrates to US
Homograph IDN Flaw Allows Spoofing
ATTACKS AND INTRUSIONS
Two Japanese Government Web Sites Downed by DoS Attacks
Mitigating Web Application Security Risks
UK Establishes Cyber Security Site for Home and Small Business Users
Lawsuit Against ChoicePoint Alleges Fraud and Negligence
ChoicePoint Taking Steps to Protect Data From Unauthorized Access
Firefox Downloads Top 25 Million
Microsoft Will Reimburse Dutch Web Company for Inadvertently Blocked Portal
*********************** SPONSORED BY NetIQ ******************************
Total email security means looking beneath the surface. Spam is just the tip of the iceberg. NetIQ MailMarshal protects you from spam and all other email system abuses and perilous dangers that can sink your ship. Highly scalable, comprehensive and simple to deploy and use, download a free 30-day evaluation of NetIQ MailMarshal today.
SANS 2005, in San Diego in early April (on the ocean) is SANS' largest security and audit training conference and expo. Extraordinary teachers present the most current tools and techniques. Early registration deadline for SANS 2005 is this Monday, March 7. Details at
TOP OF THE NEWS
9-11 Commission Member Questions ISACs Effectiveness (18 February 2005)During a panel discussion at the RSA conference, 9-11 Commission Member Jamie Gorelick says that industry led Information Sharing and Analysis Centers (ISACs) are not serving their purpose and should be discontinued or changed. Gorelick maintained the ISACs have neither the funding nor the organization to effectively provide the government with information about threats to the country's critical infrastructure, thereby posing a threat to national security. Gorelick said that having the government fund the ISACs and provide communication systems and a single point of contact would help address the problem; presently the industry-specific ISACs are funded by members. Information Technology ISAC president Guy Copeland said his group is stronger precisely because it has never received government funding.
[Editor's Note (Tan): It takes two to Tango. To be successful in information sharing, all parties must contribute and participate. The day when industry voluntarily shares information with Government will be the day that marks the success of information sharing. ]
Singapore's Infocomm Security Masterplan (22 February 2005)Singapore's Infocomm Security Masterplan will focus on increasing capabilities to address cyber threats and creating a cyber attack early warning system. Initiatives include the enhancement of security training and certification programs, cyber security public awareness campaigns and establishing a National Cyber-Threat Monitoring Center. Plans also include the introduction of a Common Criteria Certification Scheme. The Masterplan has a budget of S$38 million (US$23.4 million) for a three year period.
[Editor's Note (Shpantzer): Common Criteria again? Spend the money elsewhere. There are plenty of commercial products available with certification, and some of these certs are useless (ex: Windows 2000 is EAL4+, higher than any other commercial OS!) in the context of a real production environment. Please see this link for one point of view on caveats for Common Criteria:
Lost Bank of America Backup Tapes Contain Federal Employees' Personal Data (26/25 February 2005)Bank of America has revealed that it has lost backup tapes that contain personal data, including Social Security numbers and account information, of 1.2 million federal employees. Band of America Spokeswoman Eloise Hale said there is no evidence the tapes or the data they contain have been used, and that the tapes are presumed lost. Senator Charles Schumer (D-NY) says he was told it is likely the tapes were stolen from a commercial airliner by baggage handlers in December. Senator Susan Collins (R-Maine) is drafting a letter to the General Services Administration and Bank of America asking how federal employee personal data is going to be protected.
(site requires free registration)
Paymaxx Closes Site After Data Exposure Vulnerabilities Acknowledged (25 February 2005)Accounting firm Paymaxx closed its on line site after becoming aware of vulnerabilities that put customer data at risk of exposure. Apparently online W-2 forms had been given sequential ID numbers which appeared in the links given to their owners, allowing users to alter the number and view others' forms. In addition, the PayMaxx database included a test record with a Social Security number and password consisting of all zeroes. The vulnerabilities affected data belonging to 25,000 people.
[Editor's Note (Shpantzer): We reported on this back in 2002. For a tragicomic example of this 'hack' see
and look for the story with this headline: 28 October 2002 Reuters Charged with Hacking.
(Northcutt): They didn't have time to do it right, but they have time to do it over; maybe. I bet the CEO of Paymaxx wishes his development team would have watched SANS First Wednesday Webcast - Control Security Risks in Software Design and Development Featuring: David Read Wednesday, March 02 at 1:00 PM EST (1800 UTC)
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
IG Report: IRS Secure Messaging Must be Used by All to be Effective (28 February 2005)A report from the Treasury Department Inspector General of tax administration found that while the Internal Revenue Service has a Secure Messaging system which allows employees to securely share sensitive information through email, only 76% of IRS email mailboxes have been enrolled. The program is not effective unless both the sender and the recipient of the message are using the encryption service. The encryption program consumes both storage and financial resources; if the IRS decides it wants to keep the program, the IG report recommends making sure that 100% of employees who send sensitive data are enrolled.
[Editor's Note (Grefer): If all email were encrypted, this would become a moot point.
(Tan): It is essential to have a secure system to protect the taxpayers' financial data. IRS should gather feedback to understand why their employees choose not to use the secure system and then eliminate the problems that make it hard to use. ]
DHS Will Conduct Cyber Preparedness Exercise in November (22 February 2005)The Department of Homeland Security has announced its intention to conduct an unclassified "cyber preparedness exercise" in November of this year. The exercise will be designed to allow government agencies to test their responses to cyber attacks on networks that support the country's critical infrastructure.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
SP2 Automatic Update Blocking Will Expire in April (28 February 2005)April 12, 2005, marks the end of the grace period allowed by Microsoft for users to block XP SP2 from downloading via Automatic Update. After that date, users will have no choice, and SP2 will be automatically delivered to all Automatic Update customers with Windows XP or XP SP1. SP2 was initially distributed in August 2004; users were given a 120-day grace period, which was later extended to 240 days, to block the update from downloading onto their machines.
Mozilla Releases First Firefox Update (24 February 2005)Mozilla has released the first update to its Firefox 1.0 web browser, which was introduced in November, 2004. The update fixes flaws that could allow spoofing and phishing attacks and others that cause the browser to crash. Firefox 1.0.1 was released on February 24 and is expected to become available soon via Firefox's automatic update feature. None of the flaws addressed are highly critical, nor are there any known exploits for the flaws.
[Editor's Note (Northcutt): After the systems folks completed testing, the majority of SANS employees were directed to upgrade to Firefox version 1.0.1. I have seen two issues, the update reset the home page back to firefox and Internet Explorer is now the automatically launched browser when a link is clicked in applications like MS Word. Both are minor and I am sure there are simple workarounds, but those are the gotchas that could limit the perceived success of a rollout. ]
T-Mobile Warns of Voice Mail Box Vulnerability (24 February 2005)T-Mobile has issued a warning about a vulnerability in a voice mail feature that could allow attackers armed with subscriber phone numbers to listen to and download voice mailbox contents and control voice mail functions. The attack could be carried out via a public pay phone. T-Mobile advises subscribers to use passwords for voice mail access.
ARJ File Parsing Flaw in Trend Micro Virus Scanning Products (25/24/23 February 2005)Trend Micro has issued an advisory warning of a buffer overflow vulnerability in VSAPI ARJ file parsing in 29 of its virus-scanning products; the flaw could be exploited to execute arbitrary code. Users are being encouraged to update their scan engines to VSAPI 7.510 or higher
Phony eMail Appears to Come from FBI, Has Virus Attached (24/23 February 2005)The FBI has posted a warning on its web site about email messages that appear to come from the agency, but which actually contain a virus as an attachment. The FBI says in its statement that it never sends unsolicited email and that people should not open unexpected attachments or those from unrecognized senders. The FBI also recommends that people who receive one of the fraudulent emails report it to the Internet Crime Complaint Center at
Patch Available for Java Flaw in MacOS X (23 February 2005)Apple released a patch for a critical Java vulnerability in its MacOS X on February 23. The flaw could allow an untrusted applet go obtain elevated privileges and "potentially execute arbitrary code." The flaw was first noted three months ago, leading some to question why it took Apple so long to address the critical vulnerability.
New Worm Variants Include MyDoom, Sober (21 February 2005)A number of new worms have been detected in the wild, including variants of MyDoom, Sober and Bropia. The new MyDoom variant, which has been given a variety of names, has been given a high alert rating by at least one company.
Cabir Phone Worm Migrates to US (18 February 2005)Two cell phones on display in a California store have been infected with the Cabir virus, marking the first reported Cabir infections in the US. The phones were in the store's window, which could have allowed passersby to infect them, and some have speculated that from that vantage, the phones could have been infecting other passersby, though there have been no reports of additional infections. Cabir emerged in June of last year as a proof-of-concept worm, but has since become more destructive.
Homograph IDN Flaw Allows Spoofing (18 February 2005)A "homograph" vulnerability in the International Domain Names (IDN) standard could allow phishing and spoofing attacks. IDN uses the Unicode character set to accommodate the variety of characters in international domain names, but the Domain Name Service (DSN) system, "which facilitates the Internet" uses ASCII. Therefore, Unicode URLs must be converted by web browsers into what is called "punycode," and herein lies the Achilles heel. Unicode allows for characters that appear the same but which are different, allowing web sites to be spoofed.
ATTACKS AND INTRUSIONS
Two Japanese Government Web Sites Downed by DoS Attacks (24 February 2005)Two Japanese government web sites have been targeted by denial-of-service attacks; users were unable to access the Prime Minister's Office web site and the Cabinet Offices' web site last week. Investigators have not determined the source of the attacks.
Mitigating Web Application Security Risks (25 February 2005)The first half of a two-part article discusses how to address security risks associated with authentication, session security and session IDs, SQL injection vulnerabilities, buffer overflows and cross-site scripting.
UK Establishes Cyber Security Site for Home and Small Business Users (25/24 February 2005)The UK has created a web site that is designed to provide home and small business computer users with security alert information. In addition, the site, www.itsafe.gov.uk, will provide advice on protecting personal data on computers. Run by the National Infrastructure Security Co-ordination Centre (NISCC) ITsafe will send out alerts only if there is action home and small business users can take to protect their systems. Based on past experience, the Home Office predicts between 6 and 10 such alerts will be issued each year.
Lawsuit Against ChoicePoint Alleges Fraud and Negligence (24/23 February 2005)A California woman has filed a lawsuit against ChoicePoint which she hopes will gain class action status. Ellen Goldberg's suit alleges fraud and negligence on the part of the data brokerage company which has admitted selling personal information belonging to more than 140,000 people to scam artists. The identity thieves posed as legitimate businesses and opened 50 customer accounts which allowed them to buy the data. There have been at least 750 cases of identity theft associated with the ChoicePoint breach. The case could lead to standards for the way in which data brokerages handle the information they collect and regulations that would hold companies liable for "lax data protection." Legal experts are not confident that attempts to win financial compensation from ChoicePoint will be successful because in past cases, "courts have been unwilling to penalize companies when the victims are not the direct customers of the company."
ChoicePoint Taking Steps to Protect Data From Unauthorized Access (22 February 2005)ChoicePoint is making changes it hopes will protect the consumer data it holds from unauthorized access. First, the Georgia-based personal information vendor says it is checking the credentials of all existing clients to ensure their legitimacy. The company is also "masking or truncating sensitive personal identifier numbers."
Firefox Downloads Top 25 Million (28/22 February 2005)As of Friday, February 18, the number of Firefox downloads exceeded 25 million, fewer than 100 days after the release of the open-source browser. Firefox now holds 4.8% of the browser market, compared to Microsoft Internet Explorer's 92.7%. The growth can be attributed at least in part to the security of the browser. Some have urged caution in making firefox a corporate default browser, for as it gains in market share and popularity, it will become an increasingly appealing target for attackers. While Firefox market share gains against Internet Explorer were 15% over the past five weeks, that figure is down from 34% in the first few weeks after the browser's release on November 9th and 22% in the five week period between December 3, 2004 and January 14, 2005. Mozilla set the goal that Firefox would have a 15% market share by the end of 2005.
Microsoft Will Reimburse Dutch Web Company for Inadvertently Blocked Portal (22 February 2005)Microsoft will pay a Dutch web company EUR10,000 (US$13,185) because its Windows Anti-Spyware blocked one of the company's portals, Startpagina, a popular Dutch directory page. The result was that Internet users who wanted to have Startpagina as their home page were forced to use MSN.com as their home page instead. The flaw has been fixed in the most recent version of the Windows AntiSpyware.
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit