SANS NewsBites Vol. 6 Num. 51
From: The SANS Institute (NewsBites sans.org)
Date: Wed Dec 22 2004 - 07:25:50 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
To win one of four Apple iPods, register for the big SANS Orlando
Training Program by December 31. It is in early February and has 14
immersion tracks. The drawing for iPods will be on January 1.
Conference and registration details: http://www.sans.org/orlando05
*************************************************************************
SANS NewsBites Dec. 22, 2004 Vol. 6, Num. 51
*************************************************************************
TOP OF THE NEWS
Microsoft Releases Update for SP2 Firewall Flaw
Australian Law Allows Police to Use Spyware to Gather Evidence
Judge Awards Iowa ISP Damages in Spam Cases
Phishing Attacks Increase in November
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Teen Receives Suspended Sentence for Randex Trojan
NASA Cyber Intruder Sentenced
Lowe's Wardrivers Sentenced
SPAM & PHISHING
FDIC Report Offers Suggestions for Protecting Customers from Identity Theft
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Cisco Issues Security Advisories
Google Fixes Desktop Search Utility Vulnerability
IE ActiveX Vulnerability Allows Site Content Spoofing
Updates Released for PHP Vulnerabilities
Zafi.D Worm Spreading
Microsoft's December Security Advisories Address WINS Vulnerability
MISCELLANEOUS
Diebold Will Pay US$2.6 Million to California for Fraudulent Security Claims
Students Find Unix Application Bugs; Researchers Find Linux Code Less Flawed than Proprietary Code
Microsoft Recruits More NAP Supporters
Healthcare Security Workgroup to Release HIPAA Compliance Guidelines
*********************** Sponsored by BindView ***************************
How do you eliminate internal security threats? What are traditional
attack vectors and their potential threats? How do you protect
non-controlled assets from attack? These and other questions are
answered in the BindView white paper "Internal Security Threats:
Identification & Mitigation" written by Mark "Simple Nomad" Loveless.
Download the paper at: http://www.sans.org/info.php?id=688
*************************************************************************
TOP OF THE NEWS
--Microsoft Releases Update for SP2 Firewall Flaw
(17/16 December 2004)
Microsoft has released a Windows XP SP2 update that fixes a firewall
configuration flaw. Users with file and printer sharing turned on could
have been sharing their files and printers with the entire Internet instead
of just the local network, because the firewall's definition of "local
network" was too broad. The update narrows that definition. Even so, users
are being advised to place an additional firewall in front of the
network.
http://www.computerworld.com/printthis/2004/0,4814,98347,00.html
http://www.eweek.com/print_article2/0,2533,a=141102,00.asp
http://www.theregister.co.uk/2004/12/17/windows_bug_roundup/print.html
[Editor's Note (Paller): This vulnerability and patch was a stealth
announcement from Microsoft. It was not included with the monthly patch
announcement (even though it was ready the day before that
announcement); it was not posted at the standard location. And on top
of that, it is one of the worst vulnerabilities we've seen because it
made dial-up users' files available for reading by huge numbers of
people. No hacking necessary - any curious person could read your files.
It's equivalent to the Post Office putting your private mail in the
public library and pointing people to it if they are curious.]
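The flaw above comes down to the scope of a firewall exception: an exception for file and printer sharing is only as safe as the definition of "local" it is bound to. The following is an added example, not code from the newsletter or from Microsoft's firewall, that models this as a defender's audit check. It represents each exception as a rule with a remote-address scope and flags any file-sharing rule whose scope is wider than the subnet the interface actually sits on. The rule format, the addresses and the "broad" scope are constructed for the example; they do not describe the real SP2 defect.

```python
import ipaddress

# Ports used by Windows file and printer sharing (NetBIOS name/datagram/session, SMB).
FILE_SHARING_PORTS = {137, 138, 139, 445}

# Constructed sample interface: the host sits on a /24 inside 10.0.0.0/8.
INTERFACE_IP = "10.20.30.40"
INTERFACE_PREFIX = 24

# Constructed sample rules. BROAD_RULE stands in for a "local network" definition
# that covers far more than the interface's own subnet; NARROW_RULE is the corrected form.
BROAD_RULE = {"name": "File and Printer Sharing (broad)",
              "ports": [137, 138, 139, 445], "scope": ["10.0.0.0/8"]}
NARROW_RULE = {"name": "File and Printer Sharing (narrow)",
               "ports": [137, 138, 139, 445], "scope": ["10.20.30.0/24"]}
WEB_RULE = {"name": "Web server", "ports": [80], "scope": ["0.0.0.0/0"]}


def local_subnet(interface_ip, prefix_len):
    """The subnet an interface actually belongs to, e.g. 10.20.30.0/24."""
    return ipaddress.ip_network(f"{interface_ip}/{prefix_len}", strict=False)


def rule_allows(rule, peer_ip):
    """True if the rule's remote scope admits traffic from peer_ip."""
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in ipaddress.ip_network(scope) for scope in rule["scope"])


def exposed_sharing_rules(rules, interface_ip, prefix_len):
    """Return (rule name, scope) pairs for file-sharing exceptions that reach
    beyond the interface's own subnet. Rules on other ports are ignored here,
    since only the sharing ports are the subject of the check."""
    subnet = local_subnet(interface_ip, prefix_len)
    findings = []
    for rule in rules:
        if not (set(rule["ports"]) & FILE_SHARING_PORTS):
            continue
        for scope in rule["scope"]:
            net = ipaddress.ip_network(scope)
            # A scope that is not contained in the real subnet exposes the share
            # to every address the scope covers, not just the LAN.
            if not net.subnet_of(subnet):
                findings.append((rule["name"], scope))
    return findings


if __name__ == "__main__":
    # A constructed "remote" peer: inside 10.0.0.0/8 but not on the host's /24.
    remote_peer = "10.99.1.1"
    print("broad rule admits remote peer:", rule_allows(BROAD_RULE, remote_peer))
    print("narrow rule admits remote peer:", rule_allows(NARROW_RULE, remote_peer))
    for name, scope in exposed_sharing_rules(
            [BROAD_RULE, NARROW_RULE, WEB_RULE], INTERFACE_IP, INTERFACE_PREFIX):
        print(f"EXPOSED: {name} allows file sharing from {scope}")
```

The check deliberately derives "local" from the interface's own address and prefix rather than trusting the label a rule carries, which is the point of the item above: an exception named "local subnet" is only as narrow as the network it is actually evaluated against.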
--Australian Law Allows Police to Use Spyware to Gather Evidence
(16 December 2004)
Australian legislators recently passed The Surveillance Devices Act,
allowing law enforcement to use backdoor and keystroke-logging programs
to gather evidence against suspected criminals. The warrants to use the
technology would be granted in cases where the offense being
investigated carries a sentence of three or more years. Some critics
of the act are concerned that it gives law enforcement too much power;
others are concerned that it conflicts with parts of the country's
Telecommunications Interception Act. Still others fear that evidence
gathered under the act would not be admissible in court, as the computer
in question has already been compromised in order to install the
spyware.
http://www.theregister.co.uk/2004/12/16/oz_police_surveillance/print.html
[Editor's Note (Schultz): Although this Act is controversial, there is
a consolation; the conditions under which law enforcement can use
backdoors and keystroke-logging programs appear to be well-defined.]
--Judge Awards Iowa ISP Damages in Spam Cases
(20 December 2004)
A judge in Iowa has awarded a small ISP more than US$1 billion in
damages in a default judgment against three alleged spammers. The
enormous sum was determined under an Iowa law that levies a $10 fine for
each spam email sent. It is unlikely the plaintiff will recover any of
the awarded damages.
http://www.theregister.co.uk/2004/12/20/isp_wins_1bn_damages_from_spammers/print.html
--Phishing Attacks Increase in November
(16 December 2004)
A newly released report from the Anti-Phishing Working Group says that
phishing attacks were up 29% in November, nearly a third higher than the
figure for October. EarthLink and MSN were both heavily targeted in
November. The US accounted for 27% of phishing sites; China accounted
for 21%.
http://asia.cnet.com/news/security/printfriendly.htm?AT=39209629-39037064t-39000005c
ARRESTS, CONVICTIONS AND SENTENCES
--Teen Receives Suspended Sentence for Randex Trojan
(20 December 2004)
A British teenager has been given a six-month suspended sentence for
releasing the Randex Trojan horse program, which allegedly launched
distributed denial of service attacks against several e-commerce sites.
http://www.theregister.co.uk/2004/12/20/uk_randex_worm_teenager_escapes_jail/print.html
--NASA Cyber Intruder Sentenced
(18 December 2004)
Gregory Aaron Herns has been sentenced to 6 months in federal prison for
breaking into a NASA computer system at the Goddard Space Flight Center
in 2001, causing US$200,000 in damage. Herns told federal agents he was
searching for space to store downloaded movies. Herns has also been
ordered to pay restitution and to have his computer use restricted for
the next three years.
http://www.eweek.com/print_article2/0,2533,a=141274,00.asp
[Editor's Note (Schneier): Note to future hackers looking for places to
store their downloaded movies: (theoretically) secure government sites
are probably not your best option.]
--Lowe's Wardrivers Sentenced
(17/16 December 2004)
Two men who broke into Lowe's wireless computer network and tried to
steal customer credit card numbers have received prison sentences for
their crimes. Though Brian Salcedo could have received a sentence of
up to 15 years under federal guidelines, his sentence was reduced to 9
years because he helped Lowe's address the security problems he had
exploited. Adam Botbyl, an accomplice, received a 26-month sentence to
be followed by 2 years of court-supervised release. By compromising a
Lowe's store wireless network in Southfield, Michigan, the men were able
to access the company's central computer system and other systems
around the country. Salcedo's sentence is the harshest ever handed down
for a cyber crime in the United States.
http://www.computerworld.com/printthis/2004/0,4814,98355,00.html
http://www.contractoruk.com/news/001872.html
http://www.securityfocus.com/printable/news/10138
SPAM & PHISHING
--FDIC Report Offers Suggestions for Protecting Customers from Identity Theft
(14 December 2004)
The Federal Deposit Insurance Corporation is accepting comments on its
recently published report "Putting an End to Account-Hijacking Identity
Theft." To help combat the growing incidence of identity theft through
phishing and other cyber crimes, the FDIC recommends that financial
institutions upgrade from password authentication to two-factor
authentication, use scanning software to detect and guard against
phishing attacks, strengthen education for their customers to help them
be savvy consumers, and share information with other financial
institutions, the government and technology providers. Comments on the
report will be accepted through February 11, 2005.
http://www.fdic.gov/consumers/consumer/idtheftstudy/index.html
http://www.fdic.gov/consumers/consumer/idtheftstudy/identity_theft.pdf
[Editor's Note (Tan): The recommendation to mitigate the risks is
nothing new or rocket science. Yet saying is easier than getting it
done. Users, vendors, service providers and government will need to act
together to achieve the result.
(Paller): I agree with Koon Yaw, but I believe it will take leadership
by government using its billion-dollar FTS procurement to provide the
incentive that will persuade the service providers to take substantial
responsibility.]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
--Cisco Issues Security Advisories
(20 December 2004)
Cisco has issued an advisory warning of vulnerabilities in Cisco Unity
unified messaging server versions 2, 3 and 4 and in Cisco Guard and
Traffic Anomaly Detector products, appliances designed to protect
companies from denial-of-service attacks. The simple fixes involve
changing default passwords and usernames.
http://asia.cnet.com/news/security/printfriendly.htm?AT=39210036-39037064t-39000005c
http://www.cisco.com/warp/public/707/cisco-sa-20041215-unity.shtml
http://www.cisco.com/en/US/products/products_security_advisory09186a008037d0c5.shtml
--Google Fixes Desktop Search Utility Vulnerability
(20/15 December 2004)
Google has fixed a recently discovered vulnerability in its desktop
search utility. Attackers could embed a Java applet on a web page that
would trick users' computers into revealing their desktop searches to
the attacker. Some in the security field are concerned that the
emergence of desktop search tools could be exploited by cyber criminals
to steal email addresses and other personal data.
http://www.eweek.com/print_article2/0,2533,a=141305,00.asp
http://www.internetnews.com/security/print.php/3450251
http://news.com.com/2102-1002_3-5497885.html?tag=st.util.print
http://asia.cnet.com/news/security/printfriendly.htm?AT=39209364-39037064t-39000005c
--IE ActiveX Vulnerability Allows Site Content Spoofing
(17 December 2004)
A vulnerability in a default ActiveX control in Internet Explorer could
be exploited by phishers. It could allow people to display phony web
sites with all the appearances of legitimate ones. The flaw affects all
versions of IE, including fully patched versions of Windows XP with IE
6.0 and SP2 installed. No patch has been released; users are encouraged
to turn off ActiveX or switch the Internet zone security setting to
High.
http://www.eweek.com/print_article2/0,2533,a=141173,00.asp
http://news.zdnet.com/2102-1009_22-5495719.html?tag=printthis
--Updates Released for PHP Vulnerabilities
(17 December 2004)
Two security updates are now available for vulnerabilities in versions
of PHP 4 and 5. Versions 4.3.10 and 5.0.3 address critical flaws,
including one that could be exploited to take control of vulnerable web
servers.
http://news.zdnet.com/2102-1009_22-5496086.html?tag=printthis
http://www.hardened-php.net/advisories/012004.txt
--Zafi.D Worm Spreading
(17 December 2004)
The Zafi.D worm spreads in the guise of a Christmas greeting and sends
itself out to email addresses found on infected machines. Zafi is
capable of terminating applications with the words "firewall" or "virus"
in them and reportedly disables certain Windows tools.
http://www.pcadvisor.co.uk/index.cfm?go=news.view&news=4397
http://www.datafuse.net/page.php?news=398
http://www.contractoruk.com/news/001871.html
http://www.eweek.com/print_article2/0,2533,a=141027,00.asp
--Microsoft's December Security Advisories Address WINS Vulnerability
(14 December 2004)
Microsoft's monthly security release for December includes fixes for a
known name validation vulnerability in the WINS name server, two code
execution vulnerabilities in WordPad, a buffer overflow flaw in Windows
HyperTerminal utility, two flaws in DHCP and privilege elevation
vulnerabilities in Windows Kernel and LSASS. Microsoft also re-released
an advisory for a JPEG parsing flaw.
http://www.eweek.com/print_article2/0,2533,a=140928,00.asp
http://news.zdnet.com/2102-1009_22-5491114.html?tag=printthis
http://www.microsoft.com/technet/security/bulletin/ms04-dec.mspx
MISCELLANEOUS
--Diebold Will Pay US$2.6 Million to California for Fraudulent Security Claims
(17 December 2004)
Diebold has reached a settlement with the State of California and
Alameda County, both of which had sued the voting machine manufacturer
for fraudulent claims about the security of its products. The State of
California will receive US$2.6 million and the county US$100,000; the
court that approved the settlement has ordered that US$500,000 of the
money be spent on a voter education and poll worker training program.
http://www.internetnews.com/bus-news/print.php/3449691
[Editor's Note (Schultz): It's good to see this controversial voting
machine manufacturer taken to task. It is very possible that this
settlement will pave the way for legal actions against Diebold by
others, something that may in the long run be beneficial to the
integrity of electronic voting.]
--Students Find Unix Application Bugs; Researchers Find Linux Code Less Flawed than Proprietary Code
(15 December 2004)
Students in a graduate level computer science course at the University
of Illinois at Chicago were required, as part of their coursework, to
find 10 security flaws in various Unix applications. A total of 44
different flaws were found by the 25 students. In a related story, a
four-year Linux source code analysis project found just 985 bugs in 5.7
million lines of code. The average for commercial software is 20-30
bugs for every 1,000 lines of code; the findings of the study suggest
that the Linux kernel code is more secure than most commercial software.
http://news.com.com/2102-1002_3-5492969.html?tag=st.util.print
http://www.wired.com/news/print/0,1294,66022,00.html
http://asia.cnet.com/news/security/printfriendly.htm?AT=39209224-39037064t-39000005c
[Editor's Note (Schneier): More eyes, shallower bugs? This doesn't
necessarily mean it's more secure, though. One killer security hole can
trump any number of minor bugs.
(Grefer): Comparing apples and oranges (Linux kernel vs. commercial
software, rather than commercial operating systems) does not do anybody
any good.]
--Microsoft Recruits More NAP Supporters
(14 December 2004)
Eighteen more security and networking suppliers have agreed to support
Microsoft's Network Access Protection scheme, which will ship with
Longhorn in 2007. NAP provides policy enforcement that allows
administrators to restrict network access for machines that do not have
current operating system and anti-virus updates. The technology is
aimed at stopping the spread of malware like Nimda and Blaster.
http://www.theregister.co.uk/2004/12/14/ms_adds_nap_partners/print.html
[Editor's Note: Sygate and other companies are already providing
effective network access protection. They stop vulnerable systems from
gaining full network access and they automatically fix the problems so
the users can quickly reconnect. The SANS WhatWorks project has found more
than a dozen security products that actually meet their promises today
and has posted live interviews with users who provided the proof. Visit
www.sans.org/whatworks for the user interviews and for the list of
security tools that have actually been proven to be effective.]
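The NAP item and the editor's note both describe the same mechanism: a client reports its patch and anti-virus state, a policy decides whether that state is "current", and non-compliant machines are held on a restricted network until they are fixed. The following is an added example, not code from the newsletter, from Microsoft's NAP or from Sygate's product, that implements such a health-policy evaluator in a few lines. The policy thresholds, the client reports and the network names are constructed for the example.

```python
from datetime import date, timedelta

# Constructed policy: a client is "current" if its OS patch level is at or past the
# December 2004 release date mentioned in this issue and its AV signatures are under
# a week old. The threshold values are assumptions for the example.
POLICY = {
    "min_os_patch_level": date(2004, 12, 14),
    "max_av_signature_age": timedelta(days=7),
}

# Constructed statements of health from three clients; none is a real machine.
CLIENTS = {
    "ws-01": {"os_patch_level": date(2004, 12, 14),
              "av_signature_date": date(2004, 12, 20), "av_enabled": True},
    "ws-02": {"os_patch_level": date(2004, 12, 14),
              "av_signature_date": date(2004, 12, 10), "av_enabled": True},
    "lt-03": {"os_patch_level": date(2004, 11, 9),
              "av_signature_date": date(2004, 12, 21), "av_enabled": False},
}

# Evaluation date for the sample run (the newsletter's own date).
TODAY = date(2004, 12, 22)


def evaluate_health(report, policy, today):
    """Check one client's report against the policy.
    Returns ("full" | "restricted", [reason, ...]); every failed check is listed
    so the client knows exactly what to remediate, not just that it failed."""
    reasons = []
    if report["os_patch_level"] < policy["min_os_patch_level"]:
        reasons.append("os_patches_out_of_date")
    if today - report["av_signature_date"] > policy["max_av_signature_age"]:
        reasons.append("av_signatures_stale")
    if not report["av_enabled"]:
        reasons.append("av_disabled")
    return ("full" if not reasons else "restricted", reasons)


def enforce(clients, policy, today):
    """Map each client to an access decision. Restricted clients are placed on a
    remediation network that only reaches update and AV servers, which is how
    the "automatically fix the problems so the users can quickly reconnect"
    step in the editor's note becomes possible."""
    decisions = {}
    for name, report in clients.items():
        access, reasons = evaluate_health(report, policy, today)
        decisions[name] = {
            "access": access,
            "reasons": reasons,
            "network": "production" if access == "full" else "remediation",
        }
    return decisions


if __name__ == "__main__":
    for name, decision in enforce(CLIENTS, POLICY, TODAY).items():
        print(f"{name}: {decision['network']:<11} {', '.join(decision['reasons']) or 'compliant'}")
```

Two design points carry over to any real deployment: the decision is made from a structured report rather than from the client's own claim of being "compliant", and the reasons are returned alongside the verdict so remediation can be targeted instead of forcing a blanket reinstall.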
--Healthcare Security Workgroup to Release HIPAA Compliance Guidelines
(13 December 2004)
The Healthcare Security Workgroup says it will release guidelines to
help health care organizations comply with the data security
requirements established by the Health Insurance Portability and
Accountability Act (HIPAA). The security provisions of the Act take
effect in April 2005.
http://www.computerworld.com/printthis/2004/0,4814,98232,00.html
http://www.urac.org/committees_sworkgroup.asp
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz,
Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFByWgl+LUG5KFpTkYRAv2XAJ0Su9jM7ZOxnpPvUo/VoSYY0ct0nQCgkdWb
FOQ9om/1ASh5nccHJb2iAO0=
=kZat
-----END PGP SIGNATURE-----