Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VIII - Issue #33

April 25, 2006

TOP OF THE NEWS

Bot Crimes on the Rise
Studies Say HIPAA Privacy Rule Compliance Not Improving
Westchester County, NY Wireless Security Bill Signed Into Law
Federal Data Breach Disclosure Law Could Diminish Protections

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Man Charged in USC Computer Intrusion
SPYWARE, SPAM & PHISHING
FTC Reaches Settlement With Spammers
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Zero-Day IE Flaw Could Allow Remote Code Execution
Mozilla Updates Thunderbird, Releases Final Version of Mozilla Browser Suite
Apple Investigating Report of Seven Flaws in Mac OS X
Microsoft to Release Updated Version of MS06-015
Exploit Code for Oracle Flaw Released
Researcher Warns Some Online Banking Sites Don't Provide Adequate Authentication
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
University of Texas Says Cyber Intrusion Exposed Data on Nearly 200,000 Associated with Business School


****************** SPONSORED SANS SECURITY SAN DIEGO ******************

The industry's best courses - extraordinary faculty; authoritative
up-to-the-minute material - shows you how to do the job and gives you
the confidence to go back and do it immediately.

SANS Security Essentials, Hacker Exploits, System Forensics, Intrusion
Detection, Auditing, plus training for CISSP exam and all Technical
certification required for DoD 8570.

Join 600 security professionals in San Diego in May for SANS best
instructors, a great security product expo, and evening networking and
new technology sessions. Bonus: Smaller classes than the national
conferences:
http://www.sans.org/security06/

*************************************************************************

TOP OF THE NEWS

Bot Crimes on the Rise (23 April 2006)

An estimated 47 million PCs worldwide have been unwittingly recruited into botnets, which can be used for spamming, phishing attacks, denial-of-service attacks, self-propagation and man-in-the-middle/key logger attacks. While sophisticated attackers are adept at covering their tracks, script-kiddies tend to be sloppier and more easily caught. This article provides detailed accounts of three men who were arrested for bot-related cyber crimes.
-http://www.usatoday.com/tech/news/computersecurity/infotheft/2006-04-23-bot-herd
ers_x.htm

[Editor's Note (Boeckman): Clearly this is out of control and it demonstrates that Microsoft Windows can not be used safely by a significant portion of users. Perhaps it is time that they be required to include a product warning stating this on all new PC's that run Windows. ]

Studies Say HIPAA Privacy Rule Compliance Not Improving (19/16 April 2006)

According to a survey from the American Health Information Management Association (AHIMA), compliance with the Health Insurance Portability and Accountability Act (HIPAA) patient privacy rules appears to be on the wane. Of 1,117 hospitals and health systems responding to the survey, 91 reported HIPAA compliance last year while 85 percent said they were in compliance this year. The top reasons given for declining compliance were "lack of resources and diminished management support." However, 75 percent of respondents said they were "fully or mostly compliant" with HIPAA's information security rules, marking a 60 percent improvement over last year's figure. A separate study conducted by Phoenix Health Systems and Healthcare Information and Management Systems Society (HIMSS) found the level of compliance with patient privacy rules among companies involved in health care is higher than 80 percent, but says that figure has not changed in the last six months. The respondents in this study said their problems with compliance were due to HIPAA's vaguely worded rules and the ever-changing array of available technology.
-http://govhealthit.com/article94120-04-19-06-Web
-http://www.eweek.com/article2/0,1759,1949646,00.asp
[Editor's Note (Schultz): Figures such as the ones quoted in this study can be very misleading. The difference between the reported 91 percent HIPAA compliance last year and the 85 percent compliance this year might, for example, be due to sampling error, not a downward trend in compliance. ]

Westchester County, NY Wireless Security Bill Signed Into Law (21/20 April 2006)

A new law in Westchester County, NY, requires organizations that use wireless networks to store, use or maintain personal data as well as those that offer wireless Internet access to deploy minimum security measures to protect customers from identity fraud. According to county officials, organizations could install network firewalls, change their systems' default service set identifiers (SSIDs) or disable SSID broadcasting. The bill was signed into law on April 20 and will take effect 180 days from that date. People who have wireless networks at home are not subject to the law. Those found in violation will receive a warning and be given 30 days to address the security problems. Further violations will result in fines of up to US$500.
-http://www.computerworld.com/printthis/2006/0,4814,110762,00.html
-http://www.fcw.com/article94140-04-20-06-Web
-http://entmag.com/news/rss.asp?editorialsid=7368
Internet Storm Center:
-http://isc.sans.org/diary.php?storyid=1280
[Editor's Note (Pescatore): This is pure silliness. The "minimum security measures" specified in the legislation don't protect anything, so they include a meaningless phrase that the minimum security measures "shall include but not be limited to..." This is an example of security legislation for press release value, not security value. They do have one good idea, though - hotspot providers should provide some level of security info.
(Schultz): This law breaks new ground when it comes to security in wireless networks. At the same time, however, I seriously doubt whether the prospect of a $500 fine will serve as much of a deterrent to those who do not obey this law.
(Honan): While well intentioned, my concern with this law is that it focuses on a technology and not necessarily the underlying problem. The underlying problem is organisations are not protecting client personal data correctly. I believe a law similar to the EU Data Protection legislation which obliges companies to protect clients' personal data regardless of the technology or medium used, would be more beneficial.
(Weatherford): The law also assumes a higher level of skill and awareness on the part of a small business offering free wireless service and that of the home user...a bad assumption! ]

Federal Data Breach Disclosure Law Could Diminish Protections (20 April 2006)

Bruce Schneier details the ways in which a federal security breach disclosure bill currently being debated by US legislators could diminish protections presently available under current state laws. Lobbyists went after the precise definitions of "personal information" and "breach of security" to allow companies to decide themselves whether or not the circumstances of a particular breach constitute a "significant risk of identity theft." A federal law as such would pre-empt more stringent state laws. Schneier suggests that one way to ensure protections will not continue to be pared away is to make the federal law a minimum, with states permitted to make theirs stronger. He also points out that the problem of identity fraud will not be properly addressed until financial institutions require stronger authentication before issuing credit to individuals.
-http://www.wired.com/news/columns/1,70690-0.html


********************** Sponsored Links: *********************************

1) ALERT: "How A Hacker Launches A Blind SQL Injection Attack
Step-by-Step"!"- SPI Dynamics White Paper
http://www.sans.org/info.php?id=1123

2) FREE WEBINAR: Securing Visitors' Access to the Network.
Hosted by ForeScout Technologies featuring Gartner on April 27th.
http://www.sans.org/info.php?id=1124

3) "Top 10 Database Vulnerabilities" whitepaper - What they are, how
they work & how to stop them.
http://www.sans.org/info.php?id=1125

*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Man Charged in USC Computer Intrusion (21/20 April 2006)

The US Attorney's Office in Los Angeles has filed a criminal complaint against network administrator Eric McCarty for "intentionally transmitting a code or command to cause damage to the University of Southern California (USC) online application system." McCarty allegedly used a SQL injection attack to break into a password-protected USC database containing information belonging to over 275,000 people who applied to the school between 1997 and June 2005. McCarty was traced through the IP number on his home computer; he faces up to ten years in prison if he is convicted.
-http://news.zdnet.com/2102-1009_22-6063470.html?tag=printthis
-http://www.linuxelectrons.com/article.php/20060421110940758

SPYWARE, SPAM & PHISHING

FTC Reaches Settlement With Spammers (18 April 2006)

The US Federal Trade Commission (FTC) has arrived at a settlement with two people who sent millions of unsolicited commercial email messages in violation of the CAN-SPAM Act. Washington state residents Matthew Olson and Jennifer LeRoy sent spam with false "from" data, misleading subject lines; they also failed to provide a means for recipients to opt out of receiving future emails. Among the products Olson and LeRoy pushed included mortgage plans and a device for improving automobile gas mileage. Olson and LeRoy have agreed they will not violate the law in the future. A suspended US$45,000 judgment against the pair will be reinstated if evidence emerges to indicate they have misrepresented their financial condition.
-http://www.internetnews.com/xSP/print.php/3599796

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Zero-Day IE Flaw Could Allow Remote Code Execution (24 April 2006)

Another zero-day vulnerability has been detected in Microsoft's Internet Explorer (IE). The flaw, which can be exploited remotely, could allow attackers to execute arbitrary code on vulnerable systems. The problem lies in the way IE handles malformed HTML content. The vulnerability exists in fully patched versions of IE 6 for Windows XP SP2.
-http://www.techweb.com/wire/186700456

Mozilla Updates Thunderbird, Releases Final Version of Mozilla Browser Suite (24 April 2006)

Mozilla released Thunderbird email client version 1.5.0.2 and Mozilla browser suite version 1.7.13 on April 21. This version of the Mozilla browser suite will be the last. Mozilla will also stop development of Firefox 1.0.x and Thunderbird 1.0.x.
-http://www.techweb.com/wire/186700387

Apple Investigating Report of Seven Flaws in Mac OS X (24 April 2006)

Apple Computer is looking into reports of seven unpatched flaws in its Mac OS X operating system. The most serious of the flaws lies in the Safari web browser and could be exploited to run code on vulnerable systems. Five of the flaws are related to how the operating system handles certain image file formats. There are presently no known exploits for the vulnerabilities.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39353738-39000005c
-http://www.vnunet.com/vnunet/news/2154563/researcher-publishes-seven
Internet Storm Center:
-http://isc.sans.org/diary.php?storyid=1282

Microsoft to Release Updated Version of MS06-015 (24/21 April 2006)

Microsoft will release a re-engineered version of the patch for the MS06-015 security bulletin. Users reported a patch it includes has been causing problems due to conflicts with certain Hewlett-Packard and NVidia software. The new version is being tested and it scheduled for release on Tuesday, April 25. MS06-015 addresses a critical flaw in the way Windows Explorer handles Component Object Model objects.
-http://www.computerworld.com/printthis/2006/0,4814,110755,00.html
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1183420,0
0.html

-http://www.zdnet.co.uk/print/?TYPE=story&AT=39265040-39020375t-10000003c
Internet Storm Centr:
-http://isc.sans.org/diary.php?storyid=1286

Exploit Code for Oracle Flaw Released (21 April 2006)

Just a day after Oracle's quarterly security update, exploit code for one of the flaws addressed in the update has been released on the Internet. The code could be used to gain elevated privileges on vulnerable systems. Users are urged to apply the updates as soon as possible.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39353411-39000005c
-http://www.us-cert.gov/cas/techalerts/TA06-109A.html

Researcher Warns Some Online Banking Sites Don't Provide Adequate Authentication (20 April 2006)

SANS Institute chief research officer Johannes Ullrich says many widely used online banking sites do not use authentication technology to assure that they are who they claim to be. Banks would be well advised to send users to an HTTP Secure (HTTPS) web page which uses the Secure Sockets layer (SSL) security protocol instead of merely encrypting login forms. Web pages that do not use HTTPS make themselves vulnerable to DNS spoofing in which attackers try to trick users into visiting phony web sites in an attempt to gather their account information.
-http://www.computerworld.com/printthis/2006/0,4814,110738,00.html
Internet Storm Center:
-http://isc.sans.org/diary.php?storyid=1278

ATTACKS & INTRUSIONS & DATA THEFT & LOSS

University of Texas Says Cyber Intrusion Exposed Data on Nearly 200,000 Associated with Business School (24 April 2006)

The University of Texas (UT) acknowledged that a computer intrusion has compromised personal data belonging to nearly 200,000 people associated with the university's McCombs School of Business. UT has established a web site, a phone bank and a special email address to help deal with the concerns of those affected by the breach. UT President William Powers Jr. said the university would try to inform all those affected by email and letter. UT suffered another security breach in 2003; a former student received five years probation and was ordered to pay US$170,000 in restitution for that attack.
-http://www.statesman.com/news/content/news/stories/local/04/24utcomputers.html
-http://www.msnbc.msn.com/id/12459840/


===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/