-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A longer introduction to NewsBites this week, for a good cause:
The American Red Cross needs help in areas that NewsBites readers know
well. SANS Internet Storm Center is leading the search for technically
savvy volunteers who can help in two ways - at the shelters in
implementing Windows and Cisco systems for the volunteers and people
living there, and at Red Cross headquarters in the Washington DC area
to improve the implementation of security software tools that have been
implemented but are not fully exploited. Here's how you can help.
1. People who live near the shelters (or who could get there and who
have family/friends with whom they could stay), and who have lots of
experience deploying Windows XP and/or Cisco systems, please register
your willingness to help at
http://isc.sans.org/volunteers
The Red Cross will contact you directly.
2. People in the Washington DC area (or who could get here quickly) and
would volunteer to help, and who have substantial experience with any
of the following:
-- tuning Cisco IDS
-- tuning NetIQ Manager
-- tuning McAfee ePolicy Orchestrator
please do two things:
a. register at http://isc.sans.org/volunteers and
b. send me an email at [EMAIL PROTECTED] telling me which tool you know
well and how available and close you are so I can set up a contact for
you.
SANS is also donating $100,000 to the Red Cross, and we learned today
that at least one leading security vendor, TippingPoint, has offered to
give the Red Cross the equipment they need to protect their networks -
without asking for compensation.
If you know of people or companies in the IT or security field who are
trying to make a difference in the recovery effort, please let us know
what you or they are doing (Email [EMAIL PROTECTED]).
Alan
PS. SANS Network Security 2005 (October 24-30) has moved to Los Angeles
from New Orleans. All of the great courses, the award-winning teachers,
the expositions, the special sessions, the evening programs, and some
additional bonus programs will be there. We'll announce the hotel
tomorrow (the hotel is setting up the discounted room registration
today). But please register right away for the conference to get space
in the courses you want. http://www.sans.org/ns2005 and for SANS
security and audit training in twenty other cities around the world:
http://www.sans.org
*************************************************************************
SANS NewsBites September 7, 2005 Vol. 7, Num. 36
*************************************************************************
TOP OF THE NEWS
Federal Agencies Set Procurement Language to Buy Security "Baked-In"
Consumer Reports: One Third Of Net Users Damaged By Malware
New York's Data Theft Notification Law May Replace California's as de
Facto National Standard
Gulf Coast Businesses Activate IT Disaster Recovery Plans
ARRESTS, CONVICTIONS AND SENTENCES
Admitted ChoicePoint Data Thief Faces Additional Charges
Man Pleads Guilty to Selling Windows Source Code
UK Court Approves Extradition for Couple to Face Charges of Industrial
Espionage
LEGISLATION
New South Wales Workplace Surveillance Act Requires Clear Facilities
Use Policies
California Puts Aside RFID Blocking Bill
SPAM & PHISHING
Reputation Filters Help Web Site Identify Which Machines and Domains
are Sending Spam
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Australian Court Finds in Favor of Recording Industry, Against Kazaa
Korean Court Rules Soribada Must Stop P2P Service
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Warns of Problem in Windows Firewall
MP3 Players Recalled Due to Worm-Infected File
Workaround Available for HP Network Node Manager Flaw
Microsoft Investigating Possible Remote Code Execution Flaw in IE
ATTACKS, INTRUSIONS & DATA THEFT
Phony Yahoo Site Tries to Collect User Names and Passwords
MISCELLANEOUS
Windows Vista Patching Technology Will Require Fewer Restarts
Trusted Computing Group Releases Best Practices Document for TPM
Alternative Browsers Present Challenges for Cyber Investigators
Myfip Could be Part of Titan Rain
INTERESTING NEWS AND ANALYSIS PUBLICATIONS
Bruce Schneier's Cryptogram
************* Sponsored by LURHQ Managed Security Services *************
Enhance your security posture and painlessly comply with regulations in
a cost effective manner with LURHQ's integrated suite of Managed
Security Services. LURHQ's services integrate key operational processes
and security technologies to deliver an effective Threat and
Vulnerability Management solution. Learn more by downloading our
"Delivering Threat and Vulnerability Management" presentation, featuring
Gartner's Kelly Kavanagh.
http://www.lurhq.com/gartner.html
*************************************************************************
TOP OF THE NEWS
--Federal Agencies Set Procurement Language to Buy Security "Baked-In"
(1 September 2005)
The federal government is taking steps to build security requirements
into vendor contracts. According to HUD CIO Lisa Schlosser, all Housing
and Urban Development vendor contracts now must include minimum baseline
standards. In addition, the CIO Council is working with the General
Services Administration's SmartBuy office to ensure that security is
built into existing and future agreements.
http://www.gcn.com/vol1_no1/daily-updates/36876-1.html
[Editor's Note (Paller): Procurement (and $70 billion a year in IT
spending) is the single biggest lever the federal government can wield
to improve security for the critical infrastructure. Kudos to HUD and
the Air Force that led the way in using procurement to force vendors to
deliver safer systems. As HUD's contract clauses gain broad adoption in
government, all other buyers will benefit as the vendors decide to
deliver safer systems to everyone.]
--Consumer Reports: One Third Of Net Users Damaged By Malware
(September 2005)
In the 2005 Consumer Reports State of the Net survey, the team led by
Jeff Fox found that home users of the Internet have a 1-in-3 chance of
sustaining computer damage and/or financial loss due to malware.
According to the survey, Americans spent over US$2.6 billion on software
to protect their computers last year, but also spent US$9 billion on
repairs, parts and replacements due to the damage caused by malware.
Consumer Reports maintains that online threats are worse than they were
a year ago due to "government inertia and consumers' imprudent
practices." In addition the researchers discovered that major consumer
products companies are actually providing the economic sustenance for
spyware by buying advertising distributed using the scourge. The
culprits include computer companies that then make money when users find
their systems so overrun with spyware that they give up and buy a new
computer.
http://www.consumerreports.org/main/content/display.jsp?FOLDER%3C%3Efolder_id=760009&bmUID=1126013586822
--New York's Data Theft Notification Law May Replace California's as
de Facto National Standard
(2 September 2005)
New York became the 19th state to pass a data security breach
notification law; it will take effect in mid-December, 2005. The New
York law will require all companies that do interstate business to abide
by its provisions; it is stricter than the California law that has
become "the de facto standard." The New York law makes no exceptions for
small breaches, companies with their own disclosure policies or breaches
unlikely to lead to identity theft. Data brokers have called for a
national security breach notification law so they do not have to
navigate a patchwork system of state laws. Congress is likely to look
at passing legislation regarding data security breach notification this
fall.
http://www.infoworld.com/article/05/09/02/HNcongressdata_1.html
[Editor's Note (Schultz): New York's disclosure law is another step in
the right direction as far as this type of legislation goes. As data
brokers have pointed out, however, having one disclosure law in one
state and another in another state is likely to result in massive
confusion. National legislation requiring disclosure in the event of a
compromise of personal and/or financial information is the logical
solution; it is difficult to understand why the U.S. Congress has been
so slow in passing such legislation.
(Paller) I hope Gene Schultz is correct, but I fear the business
lobbyists may spend enough money in Washington to persuade Congress to
pass a watered down bill that leaves so many loopholes that the impact
is dulled.
(Schneier): While this is a good idea, the effectiveness of this law is
diminishing. It increases security by public shaming. But as more of
these disclosures happen, the press is less likely to write about them
- and the public shaming is less.]
--Gulf Coast Businesses Activate IT Disaster Recovery Plans
(5/1 September/29 August 2005)
Businesses in the Gulf Coast have been setting their disaster recovery
programs in motion; companies that provide disaster recovery and
business continuity services say many other businesses were not
prepared. Affected businesses have switched to back-up networks and
data centers and have requested mobile trailers equipped with servers
and satellite communications. Among Katrina's IT casualties is the US Coast Guard; a
Coast Guard Data Network hub in New Orleans and Coast Guard networks all
along the gulf coast have been knocked out by the storm. The SANS
Institute's Johannes Ullrich says the disaster brought by Hurricane
Katrina should prompt IT managers across the country to develop disaster
recovery plans. Mr. Ullrich also recommends testing the plans before
an actual disruption. The SANS Institute has released a list of steps
for companies to take when they may be affected by a hurricane.
http://www.zdnetasia.com/news/software/0,39044164,39252594,00.htm
http://www.fcw.com/article90545-09-01-05-Web&RSS=yes
http://news.com.com/2102-7350_3-5844041.html?tag=st.util.print
http://isc.sans.org/diary.php?date=2005-08-28
************************* Sponsored Link *******************************
1) Earn your Master's degree in Information Security from an NSA-
recognized online program.
http://www.sans.org/info.php?id=858
************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
--Admitted ChoicePoint Data Thief Faces Additional Charges
(31 August 2005)
A man who has already begun serving a 16-month prison sentence for his
role in the ChoicePoint data theft case now faces 22 additional charges.
In February 2005, Oluwatunji Oluwatosin pleaded no contest to one charge
of identity theft. Mr. Oluwatosin allegedly used mail drops to trick
ChoicePoint into believing he ran a legitimate business which allowed
him access to the company's data. If convicted of all the charges in
the new indictment, which include conspiracy, grand theft and identity
theft, Mr. Oluwatosin could face up to 22 years in prison.
http://www.computerworld.com/printthis/2005/0,4814,104276,00.html
--Man Pleads Guilty to Selling Windows Source Code
(30 August 2005)
William P. Genovese, Jr. has pleaded guilty to one charge of unlawfully
distributing a trade secret; Mr. Genovese sold chunks of source code
from Microsoft's Windows NT 4.0 and Windows 2000. He apparently
obtained the code on the Internet after someone else stole it and made
it available. Mr. Genovese entered his guilty plea in a federal court
in Manhattan; he will be sentenced this fall. Federal prosecutors have
recommended a prison sentence of 10-30 months, although the maximum
penalties for this crime are 10 years in prison and a US$250,000 fine.
http://news.com.com/2102-1016_3-5844505.html?tag=st.util.print
--UK Court Approves Extradition for Couple to Face Charges of
Industrial Espionage
(28/26 August 2005)
A UK court has approved the extradition of Michael Haephrati and Ruth
Brier-Haephrati to Israel; a British judge ruled that there was prima
facie evidence that the two received payments from Israeli private
investigation agencies; Mr. Haephrati is suspected of creating software
that allows organizations, with the help of the private investigation
firms, to break into the computer systems of competitors. UK Home
Secretary Charles Clark has 60 days to decide whether or not to
extradite the couple to Israel.
http://www.globes.co.il/serveen/globes/DocView.asp?did=1000005627&fid=1725
http://www.ynetnews.com/articles/0,7340,L-3133649,00.html
LEGISLATION
--New South Wales Workplace Surveillance Act Requires Clear Facilities
Use Policies
(1 September 2005)
The Workplace Surveillance Act will come into effect in New South Wales
(NSW), Australia in October; the legislation requires that there is an
agreed upon policy regarding the use of workplace facilities understood
by employers and employees. For instance, companies would have to tell
their employees that their email is being monitored and that employee
Internet use could be tracked and possibly filtered. Other Australian
states are expected to follow NSW's lead. The legislation was prompted
by the case of an employee who used workplace facilities to disseminate
information about unions. The employee was fired, but was reinstated
after it was discovered that the company had no policy regarding
employee email use.
http://www.smh.com.au/news/breaking/workplace-watchdog-law-a-formality/2005/09/01/1125302672899.html
--California Puts Aside RFID Blocking Bill
(30 August 2005)
The California State Assembly's Appropriations Committee has decided
to shelve the Identity Information Protection Act of 2005, which would
bar the use of RFID technology in drivers' licenses and other documents.
The legislation was crafted to address concerns that private citizens
could be broadly monitored with the technology. The high-tech industry
has lobbied against the measure, saying they are developing safeguards
that would alleviate those concerns.
http://management.silicon.com/government/0,39024677,39151785,00.htm
SPAM & PHISHING
--Reputation Filters Help Web Site Identify Which Machines and Domains
are Sending Spam
(29 August 2005)
The TrustedSource web site uses data from about 4,000 reputation filters
to help "determine whether a specific computer has been sending
legitimate email or spam." Reputation filters gather data on computers
that send email and from these data assign reputations to computers and
domains that send email. The site can also be used for configuring spam
filters and for checking which systems within organizations are sending
email; it could help identify zombie machines sending spam. In
addition, the site provides information on various email authentication
technologies.
http://news.com.com/2102-7355_3-5844408.html?tag=st.util.print
http://www.trustedsource.org/
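The item above describes the general idea behind reputation filters: tally the mail each sending machine and domain produces, score it, and use the score to spot internal hosts that have turned into spam-sending zombies. The following is an added illustration of that idea, not TrustedSource's own scoring method or any code from the article. The log format, the IP addresses and the verdicts are constructed for the example; the thresholds are arbitrary assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of outbound-mail gateway log lines (not real data).
# Assumed format: <timestamp> src=<ip> from=<sender domain> verdict=<ham|spam>
SAMPLE_LOG = """\
2005-09-06T08:01:02 src=10.1.4.17 from=example.com verdict=ham
2005-09-06T08:01:09 src=10.1.4.17 from=example.com verdict=ham
2005-09-06T08:02:30 src=10.1.4.88 from=example.com verdict=spam
2005-09-06T08:02:31 src=10.1.4.88 from=example.com verdict=spam
2005-09-06T08:02:33 src=10.1.4.88 from=example.com verdict=spam
2005-09-06T08:02:35 src=10.1.4.88 from=example.com verdict=ham
2005-09-06T08:03:00 src=203.0.113.9 from=mail.example.org verdict=ham
2005-09-06T08:03:05 src=203.0.113.9 from=mail.example.org verdict=spam
"""

# Address ranges treated as "inside the organization" (RFC 1918 space; an assumption).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def parse_line(line):
    """Split one log line into (source ip, sender domain, verdict)."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["src"], fields["from"], fields["verdict"]


def reputation(lines, min_messages=3):
    """Return {("ip"|"domain", name): spam ratio} for senders seen at least min_messages times.

    The minimum-volume cutoff avoids scoring a host on one or two messages,
    which is how a single false positive would otherwise blacklist a legitimate sender.
    """
    counts = defaultdict(lambda: [0, 0])  # key -> [total messages, spam messages]
    for line in lines:
        if not line.strip():
            continue
        src, domain, verdict = parse_line(line)
        for key in (("ip", src), ("domain", domain)):
            counts[key][0] += 1
            if verdict == "spam":
                counts[key][1] += 1
    return {key: spam / total for key, (total, spam) in counts.items() if total >= min_messages}


def suspected_zombies(scores, threshold=0.5):
    """Internal IPs whose spam ratio meets the threshold: candidates for cleanup, not proof."""
    return sorted(
        name
        for (kind, name), ratio in scores.items()
        if kind == "ip" and ratio >= threshold and any(ip_address(name) in net for net in INTERNAL)
    )


if __name__ == "__main__":
    scores = reputation(SAMPLE_LOG.splitlines())
    for key, ratio in sorted(scores.items()):
        print(f"{key[0]:6} {key[1]:20} spam ratio {ratio:.2f}")
    print("suspected zombies:", suspected_zombies(scores))
```

Run against an export of your own gateway logs, the same two functions give a per-host view of who inside the network is emitting spam, which is the use the article suggests for the public service. Scoring the sender domain alongside the IP matters because one compromised workstation can drag down the reputation of the whole organization's domain.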
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--Australian Court Finds in Favor of Recording Industry, Against Kazaa
(6/5 September 2005)
An Australian federal court has found in favor of five recording labels
in a copyright infringement suit brought against Sharman Networks, the
owners and distributors of the Kazaa peer-to-peer file-sharing program.
Justice Murray Wilcox found that Sharman took no action to prevent file
sharing and has ordered Sharman to pay 90% of the recording companies'
costs associated with the case. Justice Wilcox did not order Sharman
to shut down the Kazaa system but did order the company to modify its
technology to filter unlicensed copyrighted material; Sharman has two
months to comply.
http://www.thecouriermail.news.com.au/common/story_page/0,5936,16501516%255E953,00.html
http://www.cbc.ca/story/business/national/2005/09/05/kazaa_ruling20050905.html
http://www.wired.com/news/digiwood/0,1412,68762,00.html?tw=wn_tophead_4
--Korean Court Rules Soribada Must Stop P2P Service
(1 September/31 August 2005)
The Seoul Central District Court has ruled that online music site
Soribada must halt its peer-to-peer file sharing service. The Korean
Association of Phonogram Producers had filed in November 2004 for an
injunction against Soribada. The court went even further than the
injunction, saying that it is now illegal for Internet users to
distribute Soribada file sharing software. If Soribada does not comply
with the order, it will face stiff fines.
http://times.hankooki.com/lpage/nation/200508/kt2005083117362711960.htm
http://english.chosun.com/w21data/html/news/200509/200509010012.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Microsoft Warns of Problem in Windows Firewall
(5/2/1 September 2005)
Microsoft has issued an advisory warning that a problem in Windows
Firewall could be used to hide information about open network ports from
Windows XP SP2 and Windows Server 2003 users, but stopped short of
calling the problem a security flaw. The problem lies in the way in
which the firewall displays exception entries, which are created by
administrators to allow incoming network connections; users would need
administrator privileges to create exceptions in the registry. An
exception created in the registry will not be displayed in the user
interface but would be displayed by the command line firewall
administration tools. Microsoft has made a patch available to
authenticated Windows users.
http://www.techworld.com/security/news/index.cfm?NewsID=4337
http://news.com.com/2102-7355_3-5845850.html?tag=st.util.print
http://informationweek.com/story/showArticle.jhtml?articleID=170700320
http://www.microsoft.com/technet/security/advisory/897663.mspx
--MP3 Players Recalled Due to Worm-Infected File
(1 September/31 August 2005)
Creative Labs has recalled approximately 3,700 5GB Zen Neeon MP3 players
that contain a file infected with the Wullik-B email worm. The worm
spreads through email and shared network folders. PCs will become
infected only if users browse the player's files and click on the
infected one.
http://www.theregister.co.uk/2005/09/01/creative_mp3_player_virus_flap/print.html
http://www.eweek.com/article2/0,1895,1854724,00.asp
--Workaround Available for HP Network Node Manager Flaw
(30 August 2005)
Hewlett Packard has issued an advisory warning of a vulnerability in its
Network Node Manager and has offered a workaround. The flaw could allow
attackers to execute malicious shell commands on vulnerable systems.
There is no patch available yet. The flaw affects Network Node Manager
versions 6.2, 6.4, 7.01 and 7.50 running on HP-UX, Solaris, Windows NT,
Windows 2000, Windows XP and Linux. A certain script "fails to properly
check inputs in a particular 'node' parameter before running them as
command-line arguments." Other scripts apparently have the same
problem; users can take precautions by moving those scripts to different
directories.
http://www.pcworld.com/news/article/0,aid,122356,00.asp
--Microsoft Investigating Possible Remote Code Execution Flaw in IE
(29 August 2005)
Microsoft is investigating a report of a remote code execution
vulnerability in Internet Explorer. The flaw affects IE6 on machines
running Windows XP SP2 with all current security patches. The
researcher who reported the flaw to Microsoft recommends using an
alternative browser.
http://news.com.com/2102-1002_3-5844431.html?tag=st.util.print
[Editor's Note (Schultz): According to Secunia statistics (see
http://secunia.com), the number of vulnerabilities in IE6 has declined
significantly over the last half year or so. Furthermore, many competing
browsers have also had their share of vulnerabilities lately. I am not
sure, therefore, that recommending using an alternative browser is
appropriate any more.]
ATTACKS, INTRUSIONS & DATA THEFT
--Phony Yahoo Site Tries to Collect User Names and Passwords
(31 August 2005)
A web site pretending to be a free Yahoo game service actually attempts
to gather information that could be used to steal identities. The site
is being hosted on a Yahoo Geocities account; site visitors are asked
to supply their Yahoo user IDs and passwords. Users are being lured to
the site by spam sent through Yahoo's instant messaging service; the
message, which urges the recipient to visit the malicious site, appears
to come from someone on the user's friends list.
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39209468-2000061744t-10000005c
MISCELLANEOUS
--Windows Vista Patching Technology Will Require Fewer Restarts
(5 September 2005)
Windows Vista, Microsoft's next version of its Windows operating system,
will use a technology dubbed "Freeze Dry" that will reduce the number
of restarts required when patching systems. It will also save user data
before rebooting. In many instances, users will not have to restart
computers after updating applications and in some cases will be able to
patch applications while they are in use.
http://www.zdnetasia.com/news/software/printfriendly.htm?AT=39252585-39000001c
--Trusted Computing Group Releases Best Practices Document for TPM
(1 September 2005)
The Trusted Computing Group's Trusted Platform Module is designed to
help computers run more securely by restricting the access various
applications have to data and code. Because of the potential for abuse
of the technology, TCG has developed a best practices document titled
Design, Implementation and Usage Principles for TPM-Based Platforms.
Bruce Schneier, CTO of Counterpane Internet Security, is largely
supportive of the document. However, Mr. Schneier questions Microsoft's
motives in delaying the release of the document and blocking its
applicability to software-only applications. Mr. Schneier suggests that
Microsoft's tactics are aimed at making sure the document will not apply
to Windows Vista, the company's forthcoming operating system.
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39209626-2000061744t-10000005c
https://www.trustedcomputinggroup.org/home
https://www.trustedcomputinggroup.org/downloads/bestpractices/Best_Practices_Principles_Document_v1.0.pdf
[Editor's Note (Schultz): Microsoft has adopted the posture that it puts
security first. It thus behooves Microsoft to explain its rationale for
delaying the release of this best practices document and making it
inapplicable to software-only applications.]
--Alternative Browsers Present Challenges for Cyber Investigators
(31 August 2005)
Forensic cyber investigators may have a more difficult time tracking
down important information on alternative browsers such as Firefox and
Opera. Investigators are usually familiar with where to find the cache,
cookie files and history on Internet Explorer, but the other browsers
keep the information in different locations. In addition, most common
forensic tools are helpful in searching for evidence on IE but may not
work as well on the other browsers. One particular challenge is the
fact that it is more difficult to determine whether a computer user
clicked on a link or manually typed a URL when visiting a site on
Firefox or Opera than it is on IE; this information is important because
it can mean the difference between accidentally clicking on a link and
deliberately visiting a specific address.
http://news.com.com/2102-7348_3-5845409.html?tag=st.util.print
[Editor's Note (Ranum): This sounds like a problem of "too many
investigators not knowing what they are doing" rather than "alternative
browsers present challenges." Any decent sysadmin should be able to
figure out where any browser stores its cache and cookies in about 2
minutes, tops.]
--Myfip Could be Part of Titan Rain
(31 August 2005)
Although the Myfip worm has a relatively low profile, it could be part of
the Titan Rain attacks, which are believed to be coming from China. It
is precisely malware like Myfip, which doesn't attract a great deal of
attention, that could surreptitiously enter the US government computer
systems targeted by the attacks. When Myfip first appeared in August
2004, it stole .pdf files; current versions search out Word documents
and a variety of CAD/CAM files, the sorts of files that contain much
of companies' intellectual property. In addition, Myfip and its
variants have been traced back to China.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1120855,00.html
[Editor's Note (Shpantzer): Pretty soon we'll be seeing malware that
goes for the Google Desktop Search (GDS) cache. If GDS is on the
machine and it's configured to take snapshots of the web cache and file
types, such as password protected Office docs, then the GDS will
possibly be a very valuable mechanism for defeating password protection
and encryption in folders and virtual disk partitions. Please take a
look at your organization's use of GDS and make some decisions about
what should and shouldn't be indexed by GDS. Their new version allows
for central administration and encryption of the cache:
http://desktop.google.com/enterprise/index.html]
INTERESTING NEWS AND ANALYSIS PUBLICATIONS
--Bruce Schneier's Cryptogram
If you don't regularly read Bruce Schneier's monthly email on what's
happening in cybersecurity, it is definitely worth a look. His
commentary and analysis don't pull any punches, and his outspoken
positions at least get a hearing in Washington DC policy discussions.
Topics range across cybersecurity, privacy and beyond. Last month
he wrote about the Cisco debacle at BlackHat, Virginia's errors in
stopping illegal IDs, RFID chips in US passports, and more. You'll find
that issue at http://schneier.com/crypto-gram-0508.html
Previous issues along with a free subscription URL can be found at
http://schneier.com/cg.html
===end===
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan
Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier,
Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
iD8DBQFDHuOZ+LUG5KFpTkYRAvrJAJ9YoHXQxXYn75xi9d/RvRWs30uOhACdFvq4
nPyQZBPglVvOOjFyqf3xfm8=
=/LDe
-----END PGP SIGNATURE-----