SANS NewsBites Vol. 7 Num. 8
From: The SANS Institute (NewsBites at sans.org)
Date: Wed Feb 23 2005 - 08:09:28 CST
The early registration deadline for SANS 2005 (San Diego, early April
7-12) is this Friday, February 25.
Details at http://www.sans.org/sans2005
*************************************************************************
SANS NewsBites Feb. 23, 2005 Vol. 7, Num. 8
*************************************************************************
TOP OF THE NEWS
Federal Computer Security Grades Average D+
ChoicePoint will Expand Breach Notification
Bank of America to Use Two-Factor Authentication for on-Line Banking Customers
Microsoft Chastised for Security Approach
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
IM Spammer Arrested
Man Pleads Guilty to Sending MSN TV Malware that Calls 911
Guilty Plea in T-Mobile Intrusion Case
T-Mobile Intrusion Underscores Disparity Between Virtual and Physical Privacy
Teen Gets Three Years Probation for Microsoft DDoS Attack
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Treasury Bond Purchase Site Security Poses Concerns
Senate Approves Chertoff Nomination to Head DHS
IT Not Sharing Critical Infrastructure Security Concerns with Government
SPAM & PHISHING
Phish Report Network
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Patch Available for HP HTTP Server Flaw
Microsoft Releases Windows Media Player Update
MISCELLANEOUS
Researchers Break SHA-1
Gates Says Spyware Product Free to Windows Users, IE7 Due Out This Year
Citibank UK Uses On Screen Keyboard for Passwords
RECOMMENDATION
SANS Recommends Reviewing Disaster Recovery Plans To Consider H5 Avian Flu Risk
*********************** SPONSORED BY SANS 2005 **************************
SANS 2005, in San Diego in early April (on the ocean) is SANS' largest
security and audit training conference and expo. Extraordinary teachers
present the most current tools and techniques. Early registration
deadline for SANS 2005 is this Friday, February 25. Details at
http://www.sans.org/sans2005
*************************************************************************
TOP OF THE NEWS
--Federal Computer Security Grades Average D+
(17/16 February 2005)
The new US government cyber security report card released by the House
Government Reform Committee gives agencies an average grade of D+.
While this represents a 2.3 point increase over last year's overall
grade, 7 of the 24 agencies included in the report card received failing
grades. Among the most significant changes: the Department of
Transportation rose from a D+ last year to an A- this year; the
Departments of Justice and the Interior both received failing grades
last year but rose to B- and C+ respectively on this year's report card.
Separately, a phone survey of 30 federal chief information security
officers graded the House Government Reform Committee's report card
itself: it got a C. The CISOs surveyed represented 24% of all CISOs in
the government. The CISOs want to improve the criteria by which the
agencies' cyber security is evaluated. HGRC chair Rep. Tom Davis
(R-Va.) announced the CISO Exchange, an initiative aimed at "giving
federal CISOs more of a voice in upgrading federal cyber security."
http://www.computerworld.com/printthis/2005/0,4814,99846,00.html
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=35092
[Editor's Note (Paller): The remarkable element of these grades was
that, for the first time, two large agencies (Transportation and
Justice) had substantial grade improvements. They used innovative
techniques that improved security while lowering the cost and pain of
compliance. They will be great models for the CISO Exchange to discuss.
(Schultz): Change of any nature in the government arena is difficult to
achieve, so the marks that government agencies recently received are
hardly surprising. If anything, it is in fact encouraging to see that
there was once again some improvement in cyber security.]
--ChoicePoint will Expand Breach Notification
(19/18 February 2005)
ChoicePoint will inform more than 100,000 additional consumers that
their personal data was compromised; the consumer data services company
has already informed approximately 35,000 Californians of the breach in
compliance with a state law requiring such notification. Attorneys
general in 38 states have filed formal requests that ChoicePoint notify
affected consumers in their states. According to law enforcement
officials, 750 cases of identity theft have already been tied to the
data theft.
http://news.com.com/2102-1029_3-5582144.html?tag=st.util.print
http://www.theomahachannel.com/news/4214496/detail.html
--Bank of America to Use Two-Factor Authentication for on-Line Banking Customers
(18 February 2005)
Bank of America plans to use a two-factor authentication system to protect
the applications its online customers use to access banking services.
In recent weeks, a businessman sued Bank of America, claiming
US$90,000 was wired out of his online account without his authorization.
http://www.informationweek.com/showArticle.jhtml?articleID=60402074
[Editor's Note (Pescatore): We are inching closer to getting tokens into
the hands of consumers for use in online services. However, the
implementation costs will still be a barrier if each business has to
issue its own token, and if consumers are expected to cover token costs.
Some new business models are needed to allow all the lemmings to jump
off of the password cliff sooner rather than later.
(Schneier): Sadly, this will be too little too late. Modern attack
methods will just blow right by two-factor authentication.]
--Microsoft Chastised for Security Approach
(17 February 2005)
Gartner's Neil MacDonald has taken Microsoft to task for missing the
mark on security. MacDonald says Microsoft should be working toward
eliminating the need for anti-virus and anti-spyware products rather
than entering the market and undercutting competitors' prices.
MacDonald also argues that Microsoft's decision to restrict Internet
Explorer 7.0 to the Windows XP platform is irresponsible; the browser
should work with Windows 2000 and not require an upgrade.
http://www.vnunet.com/news/1161348
http://www.techweb.com/wire/security/60402202
************************** SPONSORED LINKS ******************************
Privacy notice: Some sponsored links redirect to non-SANS web pages.
(1) ALERT: Google Hacking/Web Application Worms- Are You Vulnerable?-
WebInspect Product Trial
http://www.sans.org/info.php?id=726
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
--IM Spammer Arrested
(21 February 2005)
Anthony Greco has been arrested on charges of sending 1.5 million
unsolicited instant messages, known as "spim," to members of the
MySpace.com online networking service. Greco was arrested in Los
Angeles after being lured there from New York. Greco believed he was
heading for a meeting with the president of MySpace to sign an exclusive
marketing agreement; he had threatened to share his spimming techniques
with others if he did not get the agreement. Greco's arrest is the
first of someone for sending spam over IM.
http://www.silicon.com/research/specialreports/thespamreport/print.htm?TYPE=story&AT=39127999-39025001t-40000011c
[Editor's Note (Shpantzer): Unlike email spam, text message spam can end
up costing phone customers money, and there are no tools widely available
to block spim.]
--Man Pleads Guilty to Sending MSN TV Malware that Calls 911
(17 February 2005)
David Jeansonne has pleaded guilty to two federal felonies for
distributing malware disguised as a tool to change the colors on the MSN
TV user interface. The program actually reprogrammed infected set-top
boxes to dial 911 emergency services instead of the local Internet dial
up number. It also posted infected users' browser histories to a web
site and emailed hardware serial numbers to a certain email account.
http://www.securityfocus.com/printable/news/10523
http://news.zdnet.com/2102-1009_22-5576846.html?tag=printthis
--Guilty Plea in T-Mobile Intrusion Case
(16 February 2005)
Nicolas Jacobsen has pleaded guilty to intentionally accessing a
protected computer and recklessly causing damage for breaking into
T-Mobile servers. Jacobsen accessed and monitored a US Secret Service
cyber crime agent's email; he also downloaded customers' photographs.
When he is sentenced in May, Jacobsen faces up to five years in prison.
http://www.securityfocus.com/printable/news/10516
--T-Mobile Intrusion Underscores Disparity Between Virtual and Physical Privacy
(14 February 2005)
Bruce Schneier uses the T-Mobile intrusion case as an illustration of
the fact that "virtual privacy and physical privacy do not have the same
boundaries." We no longer have control of our data's security. While
police require a warrant to read the email on individuals' home
computers, there is no warrant required to read email from an ISP's
backup tapes.
http://www.eweek.com/print_article2/0,2533,a=145311,00.asp
--Teen Gets Three Years Probation for Microsoft DDoS Attack
(14 February 2005)
A fourteen-year-old has been sentenced to three years of probation for
creating a worm that took down the Microsoft home page for four hours
in August 2003. The RPCSDBOT trojan created a network of bots that
launched a distributed denial-of-service attack on the web site. The
worm reportedly took advantage of the same Windows vulnerability
exploited by Blaster.
http://software.silicon.com/malware/print.htm?TYPE=story&AT=39127841-3800003100t-40000041c
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
--Treasury Bond Purchase Site Security Poses Concerns
(17 February 2005)
House Government Reform Committee chairman Tom Davis (R-Va.) has written
a letter to Treasury Department commissioner of the Public Debt Van
Zeck, voicing concerns about the security of information people are
required to provide at the www.treasurydirect.gov web site when
purchasing government savings bonds over the Internet. Buyers are
required to transmit bank account and routing numbers as well as social
security numbers, driver's license numbers and other personal information
to buy the bonds electronically. A disclaimer in the site's privacy and
security notice says that the security of transmitted data cannot be
guaranteed; however, the notice also says the Bureau of Public Debt uses
Secure Sockets Layer and 128-bit encryption technology to protect
information.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=35113
--IT Not Sharing Critical Infrastructure Security Concerns with Government
(11 February 2005)
The Protected Critical Infrastructure Information program has been
virtually unused by the IT sector. The program was designed to allow
entities that control sections of the nation's critical infrastructure
to share with the government information about their cyber and physical
security vulnerabilities free from fear that the information would be
made public under the Freedom of Information Act. Industry concerns
include the fact that once the information has been submitted, the
organizations that submitted it have no control over who gets to see it.
In addition, PCII presently requires submissions to be made through
paper rather than electronic filings, though that might be changing
soon.
http://www.securityfocus.com/printable/news/10481
SPAM & PHISHING
--Phish Report Network
(15 February 2005)
The Phish Report Network, an initiative that counts among its
participants Microsoft, eBay, PayPal and Visa, aims to reduce phishing's
spread by reporting suspect sites to a central database. Once a site
is confirmed as fraudulent, members are notified so that the URL can be
blocked.
http://asia.cnet.com/news/security/printfriendly.htm?AT=39217732-39037064t-39000005c
[Editor's Note (Paller): The Phish Report Network is different from the
Anti-Phishing Working Group (APWG). APWG is the global pan-industrial
and law enforcement association with 1,000 members focused on
eliminating the fraud and identity theft that result from phishing,
pharming and email spoofing of all types. It provides best practices and
other advice and maintains the definitive repository of phishing
examples. (http://www.antiphishing.org/)]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
--Patch Available for HP HTTP Server Flaw
(16 February 2005)
Hewlett Packard has released a patch for a denial-of-service/remote code
execution vulnerability in its HP HTTP Server. The flaw affects
versions 5.0 to 5.95 of the product.
http://www.techworld.com/security/news/index.cfm?NewsID=3153
--Microsoft Releases Windows Media Player Update
(16 February 2005)
Microsoft has released an update for Windows Media Player following
confirmed reports that attackers were exploiting the digital rights
management system to install spyware, adware and other malicious
programs. The update gives users more control over pop-ups during
license acquisition.
http://www.eweek.com/print_article2/0,2533,a=145957,00.asp
MISCELLANEOUS
--Researchers Break SHA-1
(21/17 February 2005)
Scientists from Shandong University in China and Princeton University
in the US are circulating a paper called "Collision Search Attacks on
SHA-1" which describes methods for creating collisions with the SHA-1
algorithm 2,000 times faster than was believed to be possible before.
The National Institute of Standards and Technology recently recommended
that government begin moving from SHA-1 to SHA-256 and SHA-512.
http://www.computerworld.com/printthis/2005/0,4814,99852,00.html
http://www.theregister.co.uk/2005/02/17/sha1_hashing_broken/print.html
http://www.techworld.com/security/features/index.cfm?featureid=1213
http://theory.csail.mit.edu/~yiqun/shanote.pdf
[Editor's Note (Schultz): NIST's recommendation to quit using SHA-1 was
remarkably timely and accurate.]
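The migration the item above describes, from SHA-1 to SHA-256 for file-integrity checks, as an added example that is not from the newsletter or from NIST: a manifest that records both digests, and a verifier that accepts a SHA-256 match, flags a SHA-1-only match as weak, and reports tampering. The manifest format, the file name and the sample contents are constructed for this example.

```python
# Added example (not from the newsletter): dual-digest integrity manifest.
# A SHA-1-only match is reported as "WEAK", never as proof of integrity.
# Manifest format, file name and contents below are constructed.
import hashlib
import os
import tempfile

STRONG, LEGACY = "sha256", "sha1"


def digests(path):
    """Stream the file once and return {algo: hexdigest} for both algorithms."""
    hashers = {STRONG: hashlib.sha256(), LEGACY: hashlib.sha1()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def verify(manifest, directory):
    """Manifest lines are '<algo>  <hexdigest>  <basename>' (constructed format).
    Returns {basename: 'OK' | 'WEAK' | 'MISMATCH' | 'MISSING'}."""
    expected = {}
    for line in manifest.splitlines():
        algo, hexd, name = line.split("  ", 2)
        expected.setdefault(name, {})[algo] = hexd
    results = {}
    for name, want in expected.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
        elif STRONG in want:
            results[name] = "OK" if digests(path)[STRONG] == want[STRONG] else "MISMATCH"
        else:
            # Collision search lets two distinct files share one SHA-1 digest, so a
            # SHA-1-only manifest cannot rule out substitution: flag it, do not accept.
            results[name] = "WEAK" if digests(path)[LEGACY] == want[LEGACY] else "MISMATCH"
    return results


def demo():
    """Constructed run: dual manifest -> OK, SHA-1 only -> WEAK, edited file -> MISMATCH."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.img")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample evidence image\n")
        manifest = "".join(f"{a}  {h}  evidence.img\n" for a, h in digests(path).items())
        ok = verify(manifest, d)["evidence.img"]
        legacy_only = "".join(l + "\n" for l in manifest.splitlines() if l.startswith(LEGACY))
        weak = verify(legacy_only, d)["evidence.img"]
        with open(path, "ab") as fh:
            fh.write(b"altered after hashing")
        bad = verify(manifest, d)["evidence.img"]
    return ok, weak, bad
```

Note that a collision attack lets an attacker prepare two documents in advance; it does not by itself let them match an existing evidence file's digest, which is why the verifier downgrades rather than rejects a SHA-1-only match.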
--Gates Says Spyware Product Free to Windows Users, IE7 Due Out This Year
(17/16/15 February 2005)
Speaking at RSA Conference 2005, Bill Gates said that all licensed
Windows users would receive the company's anti-spyware product at no
charge. Gates also said that Microsoft will release a new, more secure
version of Internet Explorer, IE 7, by the middle of this year. Though
Microsoft has indicated that it will charge users for its forthcoming
anti-virus product, the cost-free anti-spyware product has fueled
speculation that if Microsoft ties the anti-virus software too closely
to its OS or prices it low enough, the company's practices could come
under antitrust scrutiny.
http://news.zdnet.com/2102-1009_22-5577202.html?tag=printthis
http://www.computerworld.com/printthis/2005/0,4814,99793,00.html
http://www.computerworld.com/printthis/2005/0,4814,99875,00.html
[Editor's Note (Northcutt): In SANS NewsBites, February 09, 2005,
Volume: 7, Issue: 6 we reported NIST's William Burr was quoted as saying
MD5, the most commonly used cryptographic hash, was vulnerable to
attack. These algorithms are used to ensure messages and files have not
been tampered with, so these discoveries potentially affect IT processes
ranging from forensics and evidence collection to ecommerce.]
--Citibank UK Uses On Screen Keyboard for Passwords
(17 February 2005)
Citibank's UK division now requires its on-line banking customers to use
an on-screen keyboard to enter their passwords. The move is likely an
effort to evade keystroke loggers, although malware that grabs
screenshots at designated times could defeat this security measure.
http://www.messagingpipeline.com/60401926
--SANS Recommends Reviewing Disaster Recovery Plans To Consider H5 Avian Flu Risk
(17 February 2005)
CDC researchers report that over 100 million birds have died of the H5
flu strain over the past two years and that this flu has spread to
humans. There are 55 documented cases of infection resulting in 42 deaths.
Human to human infection has also been documented, but as yet it has not
resulted in a self-sustaining outbreak. The flu has also spread from
birds to pigs and cats. The potential for an epidemic during the
2005-2006 flu season is significant. SANS recommends the following:
- Assess options to travel in the winter of 2005-2006
- Consider the possibility of "work from home," especially in Asia and
areas with high Asian contact
- DR/BCP planners should incorporate the lessons learned from SARS into
continuity planning
http://www.cdc.gov/flu/avian/outbreaks/asia.htm
===end===
NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz,
Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/