Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VIII - Issue #11

February 07, 2006


A surprising thing happened in the past few months. Online, anytime security training improved in quality so much that it is now a wonderful way to learn. More than 300 people have tried the new programs and we are getting the kind of feedback that we thought only came from people attending live courses. Maybe it is because our online programs now simulate the live courses. If you want to upgrade your security skills and your bosses cannot send you to SANS in Orlando or Monterey or Honolulu, try the new SANS On Demand for either SANS Security Essentials or Hacker Exploits. On Demand web site: http://www.sans.org/ondemand/ Schedule of live training: http://www.sans.org/index.php

Alan

TOP OF THE NEWS

Senate Committee Wants Answers About GSA's eOffer Flaw
Mobile Phone Tapping Affected Greek PM and Other Government Officials
Malware Takes Down Russian Stock Exchange

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
NIST Issues Guidelines for Removing Data from Storage Devices
SPYWARE, SPAM & PHISHING
Phishing Scam Pretends to Provide Information About Tax Refunds
AOL and Yahoo Will Introduce Paid eMail Plans
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Company Aims to Improve Users' Experience with DRM Software
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Investigating Flaw in HTML Help Workstation
Winamp Flaw Exploited by Spyware Distributors
Cyber Criminal Groups Sold WMF Exploit in December
STATISTICS, STUDIES & SURVEYS
Irish IT Security Spending to Grow Eight Percent in 2006
MISCELLANEOUS
Fax Number Confusion Exposes Health and Financial Data
CORRECTION
Presumption of Innocence


*********************** Sponsored by Core Security **********************
IDC ON-DEMAND WEBCAST: Taking the Guess Work out of Vulnerability Management.

Please join featured speaker Charles Kolodgy, IDC's Security Research Director, for the on-demand Webcast, "Penetration Testing: Taking the Guess Work out of Vulnerability Management." Kolodgy will discuss how penetration testing software can help you understand the real threats posed by vulnerabilities and enable you to regularly test the effectiveness of your network defenses.

http://www.sans.org/info.php?id=1016
*************************************************************************

TOP OF THE NEWS

Senate Committee Wants Answers About GSA's eOffer Flaw (6 February 2006)

The Senate Government Affairs Committee wants to know why the General Services Administration (GSA) took more than two weeks to shut down its eOffer system. GSA was alerted to a vulnerability in the system on December 22, 2005 that allowed vendors to view and possibly alter other vendors' bids, but did not shut it down until January 11, 2006. The committee also wants to know what GSA is doing to identify security problems in its other electronic tools and why GSA's certification and accreditation process under the Federal Information Security Management Act (FISMA) did not prevent the flaw from occurring.
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&
story.id=38208

[Editor's Note (Murray): FISMA is intended to ensure "due diligence," not perfection. It is the managers that are at fault, not the process.
(Paller): FISMA is not failing because of agency managers. It is failing - has failed - in its mission of protecting federal systems, because NIST has buried the agencies in an avalanche of paper requirements that no agency can ever hope to meet effectively. NIST has failed to provide the prioritization of requirements that agency managers need, and OMB has made compliance with every one of those myriad NIST documents mandatory. Blaming the federal managers is unfair to them and will not lead to NIST correcting its errors. ]

Mobile Phone Tapping Affected Greek PM and Other Government Officials (3/2 February 2006)

The Greek government has acknowledged that several of the country's top officials, including Prime Minister Costas Karamanlis, "have had their mobile phones tapped for more than a year." The scheme involved installing spy software on the Vodaphone central system that diverted calls to hard to trace pay-as-you-go mobile phones. An investigation is underway, but authorities have not determined who is conducting the surveillance. A total of approximately 100 phones belonging to Greek politicians are believed to be involved. The taps reportedly started before the 2004 Athens Olympics and continued through March 2005, when the scheme was discovered.
-http://news.bbc.co.uk/2/hi/europe/4674216.stm
-http://www.smh.com.au/news/breaking/top-greeks-targeted-in-phone-tapping-scandal
/2006/02/03/1138836413044.html

[Additional reporting (5 February) raises questions about who was behind the taps, and the suicide of a technician may severely hamper the investigation:
-http://observer.guardian.co.uk/world/story/0,,1702505,00.html
(Pescatore): While many like to hype the threat of viruses hitting cell phones, a much bigger risk is attacks against the cellular infrastructure, as this points out. There is much over-the-air updating going on with smart phones, many opportunities for 1980's telco style hacking to be successful.]

Malware Takes Down Russian Stock Exchange (6/3 February 2006)

Russia's stock exchange, the Russian Trading System (RTS), was downed by malware for approximately one hour late last week. The infection caused an unusually large amount of outbound traffic and overloaded RTS routers. Normal traffic was consequently not processed. The malware infected a computer connected to the trading testing system.
-http://www.theregister.co.uk/2006/02/03/virus_hits_stock_exchange/print.html
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39310023-39000005c


**************************** Sponsored Links: ***************************

1) ALERT: "How A Hacker Launches A Blind SQL Injection Attack Step-by-Step!"- SPI Dynamics White Paper http://www.sans.org/info.php?id=1017

2) Messaging Security, It's More Than Just E-Mail - CipherTrust Road Show http://www.sans.org/info.php?id=1018

3) WhatWorks in Intrusion Prevention Systems: Guarding Sensitive Data with Financial Profiles Inc. Wednesday, February 08 at 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=1019

*************************************************************************

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

NIST Issues Guidelines for Removing Data from Storage Devices (6 February 2006)

The National Institute of Standards and Technology (NIST) has released draft guidelines for safely removing data from storage devices. Special Publication 800-88, "Guidelines for Media Sanitization" addresses three strategies for removing data from various storage devices: clearing, which can involve overwriting data or deleting data and performing a manufacturer's hard reset; purging, which involves degaussing the storage device; and destroying the device. The report also addresses how to apply each of the strategies to different types of storage media.
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&
story.id=38206

-http://csrc.nist.gov/publications/drafts/DRAFT-sp800-88-Feb3_2006.pdf

SPYWARE, SPAM & PHISHING

Phishing Scam Pretends to Provide Information About Tax Refunds (6 February 2006)

A recently detected phishing scam purports to be a message from the US Internal Revenue Service (IRS) regarding a tax refund. The email provides a link to a web site that claims to be able to tell taxpayers the status of their refunds and asks for visitors' names, Social Security numbers and credit card data.
-http://www.computerworld.com/printthis/2006/0,4814,108430,00.html
[Editor's Note (Murray): There will never be a shortage of clever bait nor of some to take the hook. What is interesting is that people will gladly authenticate themselves to others without first examining the credentials or bona fides of those others.]

AOL and Yahoo Will Introduce Paid eMail Plans (6/5 February 2006)

America Online (AOL) and Yahoo will soon introduce optional plans that will charge for sending email. Users who sign up for the plan will pay between US$2 and 3 per 1,000 messages sent. Entities that sign up for the program must promise they are sending email to people who have chosen to receive it; their messages will not go through spam filters, will be guaranteed to arrive and will "bear a stamp of authenticity." Current filters look for keywords to identify spam and strip out images and web links. Some marketers feel that the plan amounts to email taxation.
-http://news.bbc.co.uk/2/hi/technology/4684942.stm
-http://hosted.ap.org/dynamic/stories/E/E_MAIL_FEE?SITE=ASIAONE&SECTION=TECHN
OLOGY&TEMPLATE=DEFAULT

-http://www.redherring.com/Article.aspx?a=15603&hed=AOL%2c%2BYahoo%2Bto%2BCha
rge%2Bfor%2BEmail

-http://www.usatoday.com/tech/news/computersecurity/2006-02-05-aol-yahoo-email_x.
htm

-http://money.cnn.com/2006/02/06/technology/yahoo_aol_email/index.htm?cnn=yes
[Editor's Note > (Boeckman): This seems like a really bad idea, as it would serve as a way to pay for guaranteed Spam/Phishing/Malware delivery. The ordinary spam and malware coming from systems that are botted would still be dropped, since it would go through existing spam filters.
(Pescatore): I know it is a taboo issue, but having Internet email be like cell phone plans where you pay extra if you go over a "bucket" of emails would really solve a lot of problems without inconveniencing hardly anyone. Getting a bill for $250 because your botnet controlled unsecured PC was spewing out spam and viruses all month would also spur home PCs to get more secure.
(Honan): SPAMHAUS and others have come out against this idea
-http://news.zdnet.co.uk/internet/security/0,39020375,39250867,00.htm
-http://www.silicon.com/research/specialreports/thespamreport/0,39025001,39156231
,00.htm

(Murray): AOL, Yahoo!, and Earthlink, not to mention end recipients like you and I, now bear much of the cost of spam. One can hardly blame them for pushing back. As long as the cost of spam is born by the recipient, rather than the sender, it will be difficult to resist. Get over it.]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Company Aims to Improve Users' Experience with DRM Software (6 February 2006)

SunComm, which makes the controversial MediaMax software found on SonyBMG CDs last year, said it would take steps to prevent security holes in its products; all future versions of MediaMax will be submitted to a third-party for security testing. SunComm said it would make it easier for users to refuse installation of the software or to uninstall it. Until now, many users were unaware that MediaMax was being installed on their computers when they played the CDs that included the DRM software. Once it was installed, MediaMax made machines vulnerable to hijacking. In addition, the company has also published a complete list of CDs that contain the software.
-http://news.bbc.co.uk/2/hi/technology/4684920.stm
[Editor's Note (Pescatore): I hope all the other software vendors (not just DRM software vendors) see what happened with the Sony debacle and take these same steps before they put out their own horribly flawed software: test for security issues during development and before shipping, and always make opt-in the default model.
(Shpantzer): In the original version, after putting a 'protected' CD in the computer, users who were running in a reduced privilege mode were warned that the software needed administrative privileges to install. This proves that operating as a non-admin for routine use is one of the best (and cheapest) protective measures available on the PC.]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Microsoft Investigating Flaw in HTML Help Workstation (6 February 2006)

Microsoft is looking into reports of a remotely exploitable buffer overflow flaw in HTML Help Workshop following the release of a proof-of-concept exploit. A successful exploit could conceivably allow remote code execution. The vulnerability exists in HTML Help Workstation version 4.74.8702.0 and may exist in other versions as well.
-http://www.eweek.com/print_article2/0,1217,a=170864,00.asp

Winamp Flaw Exploited by Spyware Distributors (6 February 2006)

Spyware purveyors are reportedly exploiting the Winamp flaw to install their malware on vulnerable machines. A malicious web site downloads a malicious playlist to users' computers; the playlist starts to execute almost immediately and downloads a file called x.pls onto users' machines. The flaw exists in Winamp version 5.12 and possibly in earlier versions as well; an updated version of Winamp, Winamp 5.13, was released last week.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39236749-20000
61744t-10000005c

Cyber Criminal Groups Sold WMF Exploit in December (3/2 February 2006)

Russian cyber criminals allegedly sold an exploit for the Windows metafile (WMF) vulnerability online for US$4,000. The exploit was reportedly made available shortly after the December 1, 2005 discovery of the flaw. One of the alleged purchasers was a spyware and adware company, which then reportedly used the exploit to place its products on people's computers surreptitiously. Microsoft released an out-of-cycle patch for the WMF flaw in January, 2006.
-http://www.computerworld.com/printthis/2006/0,4814,108355,00.html
-http://www.computerweekly.com/Articles/2006/02/03/214046/Russianhackergroupssold
WMFexploitcode.htm

-http://news.com.com/2102-7349_3-6034591.html?tag=st.util.print
[Editor's Note (Ranum): Hang on, here we call them "cyber criminals" but when they do the EXACT SAME THING working for a security start-up they are "security researchers"?? I have been speaking out against the practice of vulnerability pimping for nearly 10 years -- will this kind of incident be enough to FINALLY get the security industry to adopt less of a nudge-nudge-wink-wink attitude toward vulnerability disclosure?
(Murray) Not likely, Marcus. However, I do not even grant them "security." These are "vulnerability" researchers, something different altogether. "Security" people publish work-arounds. These scum publish "exploits." As a colleague is wont to say, "You are either part of the solution or you are part of the problem." ]

STATISTICS, STUDIES & SURVEYS

MISCELLANEOUS

Fax Number Confusion Exposes Health and Financial Data (5 February 2006)

A Canadian company that sells herbal remedies has been receiving faxes intended for the insurance division of US-based Prudential financial. The faxes contain personal data belonging to hundreds of US citizens, including Social Security and bank account numbers and health information. Prudential says it is trying to fix the problem, which is due to the fact that the Canadian company's fax number is nearly identical to that of Prudential's insurance division. The company has suggested that Prudential buy the toll-free number from them as a solution.
-http://www.theglobeandmail.com/servlet/story/RTGAM.20060205.wdata0205/BNStory/Na
tional/home

CORRECTION

Presumption of Innocence

In a comment from editor Gene Schultz regarding a recent story, a defendant in an RIAA copyright case was referred to as having downloaded music. In fact, Mr. Gruebel is being sued for alleged copyright infringement; he has not been found guilty. We regret any confusion this may have caused.

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Bill Murray, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/