SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #24
March 24, 2006
Now that it is widely recognized that insecure programming practices are the key enablers of many of the most critical security problems, we are looking for additional ways SANS can invest in improving the security skills of programmers. Please send ideas to firstname.lastname@example.org with the subject: Secure Programming. We already are negotiating a large SANS grant to a major university to enable the faculty to imbed appropriate secure programming elements in every required computer science course. We also have developed two very highly rated courses on secure programming to teach programmers at SANSFIRE in Washington
For Microsoft .Net programmers and managers: http://www.sans.org/sansfire06/description.php?tid=250
For JAVA programmers: "Secure Web Applications http://www.sans.org/sansfire06/description.php?tid=394
Can you send us suggestions of associations or other groups of programmers who should be aware of these courses, or trusted magazines or newsgroups for programmers?
TOP OF THE NEWSFISMA's Effectiveness Questioned
HHS System Security Problems Place Medical Data at Risk, Says GAO
Sendmail Flaw Could Allow Remote Code Execution
THE REST OF THE WEEK'S NEWSHOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DOE Cannot Account for Some Computing Equipment
POLICY & LEGISLATION
Australian Internet Content May be Filtered by ISPs
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Trojan Filches Financial Account Details
Microsoft Investigating Reported Flaw in IE 6
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Fidelity Informs HP Employees Their Data is on Stolen Laptop
Visa Acknowledges Data Retention Problem Lies in Tracer Utility
Sourcefire Checkpoint Deal Is Off:
New York AG Suit Alleges Confidentiality Violation
Anti-Adware and Badware Groups Release Lists of Offenders
Claria Sets Timetable for Getting out of Adware Business
Flawed McAfee Virus Definition Update Causes Big Problems
*****Sponsored By GFIRST: Securing Government Cyberspace Conference ****
The Best *Free* Conference In Security - Hosted By The Department Of Homeland Security: When: April 30 - May 4, 2006; Where: Orlando, FL.
Register at http://www.us-cert.gov/gfirst
Plenary sessions with industry leaders and four concurrent tracks Management, Technical, Incident Response, and Law Enforcement plus a big exposition.
And you cannot beat the price.
SANS Training in San Diego, Munich, London and Washington DC
Turbo charge your security career or the careers of any of your coworkers this spring in San Diego in early May: a dozen of SANS most popular courses and a vendor exposition right on the harbor.
Or in London at the end of June: http://www.sans.org/london06
Or Munich in early April: http://www.sans.org/munich06
Or Washington in July right after July 4 for the biggest SANSFIRE ever: with all 17 SANS immersion tracks and more than a dozen special courses, a big exposition, and an inside look at how the Internet's Early Warning System (Internet Storm Center) actually works Bring your family for the national fireworks show. http://www.sans.org/sansfire06
TOP OF THE NEWS
FISMA's Effectiveness Questioned (15 March 2006)Former federal CISO Bruce Brody has questioned the efficacy of the Federal Information Security Management Act (FISMA). Because of the way the FISMA grading system is structured, agencies have an incentive to conduct certification and accreditation (C&A) system-by-system rather than take an overall approach to cyber security. This means that FISMA grades are not necessarily an accurate measure of the agency's level of cyber security. FISMA requires a significant amount of paperwork and encourages rote hole plugging but ignores the need for real-time monitoring.
[Editor's Note (Weatherford): Maybe if this gets enough attention something will be done about this waste of time and effort involved with FISMA. Mr. Brody's comments are on-target.
(Honan): If US Government agencies are not seen to be taking information security seriously then we should not be surprised a lack of concern for information security in many private organizations.
(Schultz) Mr. Brody is once again entirely correct. Having "accredited systems" and the like is better than nothing, but it does not take into account network environments in the same way that MIL-STD 5200 ("The Orange Book") did not. One would think that after all this time the US government would wake up to this reality.
(Ranum): I can't believe it's taken so long for government IT execs to figure this out. Substituting box-checking for actually understanding what you are doing will never work. Security based on paperwork simply creates a "priesthood" to push paper; when what is really needed is knowledgeable security-oriented IT management. ]
HHS System Security Problems Place Medical Data at Risk, Says GAO (23 March 2006)A forthcoming Government Accountability Office (GAO) review of the Department of Health and Human Services (HHS) says that "significant weaknesses in information security controls" could place at risk the privacy and security of sensitive data gathered about millions of Americans through Medicare, Medicaid and other government programs. GAO investigators examined 2004 and 2005 management and audit reports of security practices at 13 HHS divisions. Among their findings: anti-virus software was either not installed or not current; passwords were not adequately controlled; and physical controls were lacking. Among the data retained by the systems are Social Security numbers, names, addresses and medical conditions.
[Editor's Note (Schultz): The trend continues--yet another US government agency has been found to have massive security exposures. God help us all.
(Ranum): After the gigantic sums spent for HIPAA compliance by the private sector, this is not a funny joke. It is a joke, right? ]
Sendmail Flaw Could Allow Remote Code Execution; Users Urged to Update (23/22 March 2006)The Sendmail Consortium has issued a patch for a "signal race vulnerability" in the Sendmail SMTP (simple mail transfer protocol) mail server versions 8 through 8.13.5. Users are urged to upgrade to Sendmail 8.13.6. The flaw, which affects Linux- and Unix-based versions but not Windows-based versions, could allow the remote execution of arbitrary code.
Internet Storm Center Analysis:
************************* Sponsored links: ******************************
1) Free WhatWorks in Log Management Webcast next week - "Meeting Regulatory Compliance Requirements Northwestern Memorial Hospital" Tuesday, March 28 at 1:00 PM EST
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DOE Cannot Account for Some Computing Equipment (20 March 2006)According to a report from the US Department of Energy's (DOE) Inspector General (IG), the DOE has lost at least 18 pieces of computing equipment, including at least one laptop. The Department does not know if the equipment handled or contained classified data. The missing equipment had not been reported to the Office of Security. Investigators were told the laptop had no accreditation documentation because it was legacy equipment and that the other equipment lacked accreditation documentation because pieces are not individually accredited if they are connected to an accredited network.
[Editor's Note (Weatherford): This is pure sloppiness. They have an inventory policy but they don't follow it for three years? Every IT asset in a classified environment should be tagged appropriately as to whether it processes unclassified or classified information and those in DoD are used to seeing those green, red, and orange labels. I don't see how defining something as "legacy" has any bearing on whether or not the accreditation of that asset is documented. This article is filled with double-speak.
(Northcutt): This isn't news, but I am glad we are running the story since it is a good reminder. I was just teaching a policy course and for the majority of my students, missing laptops and PDAs was the biggest problem they were facing. And it is a safe bet to assume that 18 is at least an order of magnitude low for the actual number of missing pieces of equipment. A good read is Sen. Chuck Grassley's attempt to get legislation started to control this problem:
POLICY & LEGISLATION
Australian Internet Content May be Filtered by ISPs (21 March 2006)If the Australian Labor Party wins the country's next federal election, the Australian Communications and Media Authority (ACMA) may require Internet Service Providers (ISPs) to block pornographic and violent Internet content before it reaches citizens' home computers. The ban on the content will apply to all Australian households except for those that specifically opt out. According to Opposition leader Kim Beazley, current methods of preventing offensive material from reaching minors, which involve requiring the installation of free or inexpensive filtering software. On the other hand, the Internet Industry Association says the change is unnecessary. According to IIA executive director Peter Coroneos, the low-cost and free filters provide stronger filtering than would the proposed alternative. Users can report offensive content to ACMA; if the content is hosted within Australia. Reported content must be taken offline within 48 hours under threat of penalties. If it is hosted elsewhere, the federal police are informed and filter providers add it to the list of blocked sites.
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Trojan Filches Financial Account Details (22 March 2006)Variants of a sophisticated Trojan horse program have been infecting vulnerable computers for months; an estimated one million machines have been compromised. The Trojan, called MetaFisher and known alternately as Spy-Agent and PWS, exploits the Windows Metafile flaw to download itself onto vulnerable machines and uses HTML injection to harvest financial account information. Users become infected after being tricked into visiting a maliciously constructed web site from an email link. The Trojan is currently aimed at customers of Spanish, British and German banks.
[Editor's Note (Pescatore):While people have become more suspicious about entering their passwords or account information into websites they got to from URLs in email, they still seem to be going to the websites. Whammo, spyware downloads.
(Honan): The fact that this Trojan is based on the well publicized WMF vulnerability and yet has still managed to infect 1 million PCs demonstrates that making a patch available does not automatically mean the problem will disappear, the patch needs to be installed! ]
Microsoft Investigating Reported Flaw in IE 6 (22/21 March 2006)Microsoft is investigating a reported flaw in Internet Explorer 6 (IE 6). The vulnerability could be exploited to crash IE 6, even on the most recent, updated version of Windows XP, by manipulating users into viewing maliciously crafted web pages. The overflow flaw in IE 6 allows the execution of HTML applications without end-user approval.
Internet Storm Center analyses:
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Fidelity Informs HP Employees Their Data is on Stolen Laptop (23 March 2006)Fidelity Investments is notifying nearly 200,000 Hewlett-Packard (HP) employees that their account information is on a laptop that has been stolen. Fidelity serves as record keeper for HP's retirement plans. The data include names, addresses and Social Security numbers. Fidelity has set up a web site and a call center to help those affected take steps to protect their data and have questions answered. A Fidelity spokesperson said "the application was running on a temporary license ... (that has since) expired." The company has also "taken steps to implement extra security processes requiring additional authentication for access to those HP accounts as well as other measures to prevent unauthorized use."
[Editor's Note (Kreitner): It will be interesting to see how companies hold each other legally accountable in situations like this, in this era of widespread outsourcing. I'd love to know whether the contract between HP and Fidelity prohibited storing the data on a laptop in unencrypted form, etc. ]
Visa Acknowledges Data Retention Problem Lies in Tracer Utility (20 March 2006)Visa has acknowledged that a security problem that may relate to inadvertent retention of credit and debit card transaction data lies in a free tracer utility, not in Fujitsu point-of-sale (POS) software as Visa had warned last week. The tracer utility comes with many POS packages. The utility is designed to be used "for internal testing of the credit card transaction process and to help with identifying problems during installation and maintenance." Fujitsu is careful to warn its customers not to use the utility for long in a live environment. Fujitsu believes Visa issued the warning based on one retailer's installation of its software in which the retailer was using the utility in a live environment.
Sourcefire Checkpoint Deal Is Off: (23 March 2006)A leading Israeli software company abandoned its plans Thursday to buy a smaller U.S. rival in a $225 million deal because of national security objections by the Bush administration.
New York AG Suit Alleges Confidentiality Violation (23 March 2006)New York Attorney General Eliot Spitzer has filed a civil complaint against Gratis Internet, charging the company with deceptive practices. Gratis allegedly sold personal customer information in violation of its confidentiality agreement. The suit seeks monetary penalties and an injunction against further similar action. The suit alleges Gratis sold more than seven million email addresses to independent email marketers. Spitzer's office recently settled a case with Datran media for US$1.1 million, a company that was accused of purchasing six million files from Gratis.
Anti-Adware and Badware Groups Release Lists of Offenders (22/21 March 2006)The Center for Democracy and Technology (CDT) has published a list of companies that use adware to advertise their products. CDT is encouraging the companies, some of which may not have been aware that their products were being advertised this way, to be more vigilant about how their advertising dollars are spent. StopBadware.org has published its first list of "badware" applications that violate guidelines set by the group; these include deceptive installation, causing harm to other computers and modifying other software.
Claria Sets Timetable for Getting out of Adware Business (22 March 2006)Claria Corp. says it will phase out the adware branch of its business by the end of June of this year. The adware usually arrived bundled with other software, such as Kazaa. Claria plans to sell its adware assets to a company that promises to comply with anti-spyware groups such as Truste. Claria has been named in several lawsuits; the plaintiffs maintained Claria's advertisements were covering legitimate ads on their websites.
Flawed McAfee Virus Definition Update Causes Big Problems (20 March 2006)A faulty McAfee virus definition update quarantined or deleted hundreds of legitimate applications, including Microsoft Excel, Adobe Macromedia Flash Player and Adobe Update Manager. The glitch in the update mistakenly flagged the applications as W95/CTX, an obscure Windows 95 virus. A new virus pattern file was released soon after McAfee became aware of the problem. However, the flawed update was available for approximately one-and-a-half hours. Some organizations reported significant problems because they had set the program to automatically delete files perceived as threats.
Internet Storm Center analysis:
The list of files impacted by this problem is available at
[Editor's Note (Weatherford): There is a bigger issue here and that is the blind trust the public places in commercial organizations to provide protection. It's not a huge leap to see how a simple mistake like this could have grave consequences to the nation's critical infrastructure. ]
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/