SANS NewsBites Vol. 7 Num. 15

From: The SANS Institute (NewsBites@sans.org)
Date: Wed Apr 13 2005 - 07:39:48 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

More than 3,000 CISOs and other security managers have discovered that
they can get the inside story on which security tools actually work.
Their secret: the WhatWorks interviews. The one this Thursday (1 PM
EST) is with a large paper company that has found a tool that eliminates
all false positives from vulnerability testing, resulting in much better
cooperation between sysadmins and security staff, and much faster
vulnerability remediation. To listen in on the interview go to
https://www.sans.org/webcasts/show.php?webcastid=90578

                                      Alan

*************************************************************************
SANS NewsBites April 13, 2005 Vol. 7, Num. 15
*************************************************************************

TOP OF THE NEWS
  Agency Funding May Eventually be Tied to FISMA Compliance
  Spammer Receives Nine Year Sentence
  Stolen Computers Contain 185,000 People's Medical Records
  Hard Drive Bought on eBay Contains Sensitive Police Information

THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
  Ericsson Network Intruder Charged with Espionage
  Outsourced Call Center Employees Arrested for Credit Card Fraud
  Man Arrested for Alleged Dating Web Site Intrusion
  Israeli Court Sentences Man to 16 Months in Prison for Cyber Bank Robbery

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
  DHS CIO Cooper Resigns
  FISMA Compliance Reporting Standards Would Be Helpful
  US Dept. of Education Wants to Create Student Tracking Database

SPAM & PHISHING
  Hard Drives Seized in Australian Spam Raid

COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
  Microsoft Lawsuits Allege Pirated Software Distribution

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
  Microsoft's April Security Update Will Contain Eight Patches
  Cisco Patches Two IOS Vulnerabilities
  Computer Associates Releases Workaround for Buffer Overflow Flaw
  Two More Smart Phone Trojans Target Symbian-Based Series 60 Handsets
  Windows XP SP2 Blocking Grace Period Ends
  Microsoft Looking Into Reports of IE and Outlook Flaws

MISCELLANEOUS
  Sybase Withdraws Threat of Legal Action Against NGS
  CIO Council Honors Luigart, Paller with Azimuth Awards

********************** Sponsored by Shavlik *****************************

Now Available! Introducing Shavlik HFNetChkPro(tm) 5, the next
generation of security patch management. With over 50 awesome new
features including detailed reporting, advanced reboot options, email
notification, and distribution servers, staying up to date on patches
has never been easier and your network has never been more secure. Keep
your world in Chk with Shavlik. Download the trial version today at
http://www.sans.org/info.php?id=754

*************************************************************************
Highlighted Training Program of the Week
Rocky Mountain SANS 2005, in Denver in May offers nine immersion tracks
plus short programs on Cutting Edge Hacker Techniques, Security Policy
Development, Security Awareness Training, and more. Wonderful teachers
give you material you can put to work immediately upon returning to the
office and present the most current tools and techniques. Details at
http://www.sans.org/rockymnt2005

What attendees say:
"SANS is the gold standard in network security training, in terms of
relevance of material, knowledgeable instructors, and sheer usefulness."
(Steve Keifling, SGI)
*************************************************************************

TOP OF THE NEWS
 --Agency Funding May Eventually be Tied to FISMA Compliance
(7 April 2005)
House Government Reform Committee Chairman Tom Davis (R-Va.) said that
if agencies do not continue to improve their grades on the Federal
Information Security Management Act (FISMA) mandated cyber security
report cards, they will eventually lose their funding. Davis allowed
that FISMA is just a few years old and that government agencies are
working to improve their IT security and report card grades. The
Department of Homeland Security (DHS), which received a failing grade
on its most recent report card, faces the challenge of certifying and
accrediting 3,600 systems; other agencies have significantly fewer
systems.
http://www.govexec.com/story_page.cfm?articleid=30927&printerfriendlyVers=1&

 --Spammer Receives Nine Year Sentence
(9 April 2005)
Jeremy Jaynes, who in November was convicted of violating Virginia's
anti-spam statute for sending thousands of spam messages to AOL
accounts, was sentenced to nine years in prison. The Loudoun County
judge who sentenced Jaynes has allowed him to remain free on bond while
his appeal is pending. Jaynes's sister was also convicted in November,
but the charges were dropped; a third defendant was acquitted.
Note: this site requires free registration
http://www.washingtonpost.com/ac2/wp-dyn/A38788-2005Apr8?language=printer

 --Stolen Computers Contain 185,000 People's Medical Records
(8 April 2005)
Two computers containing the financial and medical records of nearly
185,000 current and former patients were stolen from the offices of the
San Jose Medical Group late last month. The group's vice president for
information technology says he believes the thieves were interested in
the computers and not the information they contained. Nonetheless, the
affected patients are being notified pursuant to California's Security
Breach Information Act. The company had been transferring patient data
from secured servers to the PCs; some of the data were encrypted.
http://news.zdnet.com/2102-1009_22-5660514.html?tag=printthis

 --Hard Drive Bought on eBay Contains Sensitive Police Information
(7 April 2005)
Jörg Schönbohm, Minister of the Interior of the State of Brandenburg,
Germany, has launched an investigation into how a 20GB hard drive
containing sensitive police intelligence information came to be sold on
eBay. A student bought the hard drive for 20 euros. Pointsec, a company
which last year purchased hard drives on the Internet to see just how
prevalent this sort of problem is, recommends that if the data on old
drives is not encrypted, the drives be reformatted at least eight times
or wiped with special software before they are sold. Pointsec found
that data on seven of ten used drives it purchased was still readable.
http://www.channelregister.co.uk/2005/04/07/hard_drive_with_police_info_sold_on_ebay/
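The Pointsec guidance above, as an added example that is not code from the newsletter or from Pointsec: a file-backed "drive" image stands in for a real disk so the steps are safe to run, a constructed record is planted at a fixed offset (as a deleted file's blocks would remain after a quick format), the record is shown to be recoverable from the raw bytes with nothing more than grep, and the image is then overwritten with a random pass and a zero pass and checked afterwards. The image size, the marker string and the function names are assumptions for the demonstration; the script assumes a POSIX shell with dd, grep, tr and mktemp.

```shell
#!/bin/sh
# Added example, not from the newsletter or from Pointsec: a file-backed
# image stands in for a disk so nothing real is overwritten. The image
# size, the marker string and the function names are constructed here.

IMAGE_SIZE_MIB=4
MARKER="CONSTRUCTED-POLICE-INTEL-RECORD"
BLOCK=1048576   # 1 MiB

# Build the image and plant the marker 1 MiB in, where a deleted file's
# blocks would still sit after a quick format. Prints the image path.
make_image() {
    img=$(mktemp) || return 1
    dd if=/dev/zero of="$img" bs="$BLOCK" count="$IMAGE_SIZE_MIB" 2>/dev/null || return 1
    printf '%s\n' "$MARKER" | dd of="$img" bs=1 seek="$BLOCK" conv=notrunc 2>/dev/null || return 1
    printf '%s\n' "$img"
}

# Exit status 0 if the marker can still be read from the raw bytes,
# which is all a buyer with strings(1) or a hex editor needs.
marker_present() {
    grep -a -q "$MARKER" "$1"
}

# Number of non-zero bytes left in the image; 0 means fully zeroed.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Overwrite the whole image: one random pass, then a zero pass. On a
# real block device dd stops at the end of the device; on a file whose
# size is not a multiple of BLOCK the last block is rounded up.
wipe_image() {
    blocks=$(( ( $(wc -c < "$1") + BLOCK - 1 ) / BLOCK ))
    dd if=/dev/urandom of="$1" bs="$BLOCK" count="$blocks" conv=notrunc 2>/dev/null || return 1
    dd if=/dev/zero    of="$1" bs="$BLOCK" count="$blocks" conv=notrunc 2>/dev/null || return 1
    # Verify rather than trust the result: no marker, no stray bytes.
    if marker_present "$1"; then return 1; fi
    [ "$(nonzero_bytes "$1")" -eq 0 ]
}

# Demonstration run: plant, confirm readable, wipe, confirm gone.
img=$(make_image)
marker_present "$img" && echo "before wipe: marker is readable from the raw bytes"
wipe_image "$img" && echo "after wipe: marker gone, $(nonzero_bytes "$img") non-zero bytes remain"
rm -f "$img"
```

The point of the verification step is that a format or a file deletion only rewrites metadata; the record is still there for `grep -a`, which is exactly how Pointsec found readable data on seven of ten drives. Only an overwrite of every sector, checked afterwards, removes it; on a real device the same dd commands take the device path instead of the image file, and a drive that was encrypted from the start needs no wipe at all.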

**************************** SPONSORED LINKS ****************************
Privacy notice: Some of these links redirect to non-SANS web pages.

1) You're invited to a LIVE WEBCAST on 4/21: Gartner & Experian Discuss
Secure File Transfer
http://www.sans.org/info.php?id=755

2) Free Threat Management Software from Demarc Security: IDP, File
System Integrity, Service Monitoring and More
http://www.sans.org/info.php?id=756

3) SANS is happy to bring you the latest in our complimentary series of
Secure Software Webcasts. Database risks explored in depth at
https://www.sans.org/webcasts/show.php?webcastid=90568

*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
 --Ericsson Network Intruder Charged with Espionage
(9 April 2005)
A Hungarian man has been charged with espionage for breaking into the
internal, global computer network of the Ericsson Group and downloading
sensitive information. Csaba Richter told law enforcement officials
during questioning that he intended to demonstrate the network's
security problems to Ericsson in the hopes of landing a job with the
company. If convicted of the charges against him, Richter could be
facing eight years in prison.
http://www.thelocal.se/article.php?ID=1076&date=20050309
[Editor's Note (Tan): It is like trying to rob a bank in the hope of
landing a security guard job. There are other ways to convey the message
and demonstrate his skills without breaking the law.]

 --Outsourced Call Center Employees Arrested for Credit Card Fraud
(7 April 2005)
Three former employees of a business process outsourcing operation in
Pune, India have been arrested for allegedly defrauding Citibank credit
card holders of approximately US$300,000. The three worked at a call
center and apparently obtained personal identification numbers from
four cardholders. Nine other individuals have been arrested in
connection with the case, which involved transferring money into various
accounts over the SWIFT (Society for Worldwide Interbank Financial
Telecommunication) network.
http://www.computerworld.com/printthis/2005/0,4814,100900,00.html

 --Man Arrested for Alleged Dating Web Site Intrusion
(7/6 April 2005)
A UK man has been arrested on suspicion of breaking into the web site
of London-based loveandfriends.com, and taking over member profiles.
The man allegedly threatened to destroy the company's database if he did
not receive payment. The suspect is currently out on bail; the
Metropolitan Police Computer Crime Unit is conducting a forensic
investigation on his computer. The man is also suspected of being
involved with authoring the Mirsa.A and Mirsa.B viruses.
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=4a227c59-fc75-49f4-aad1-d9e041315e10&newsType=News
http://www.channelregister.co.uk/2005/04/07/dating_site_hack_arrest/

 --Israeli Court Sentences Man to 16 Months in Prison for Cyber Bank Robbery
(6 April 2005)
The Haifa, Israel magistrate's court has sentenced David Sternberg to
16 months in prison for "breaking into" a bank network and transferring
large sums of money into accomplices' accounts. Six collaborators were
also arrested. Sternberg allegedly broke into a bank branch and
connected a remotely controlled access point to the bank's computer
network, then rented a room nearby so he could be within range.
http://www.jpost.com/servlet/Satellite?pagename=JPost/JPArticle/Printer&cid=1112754019642&p=1078027574097

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
 --DHS CIO Cooper Resigns
(11/6 April 2005)
Homeland Security Department CIO Stephen Cooper has announced his
resignation. Mr. Cooper was appointed DHS CIO in January 2003 at the
department's inception. Cooper has recommended that the acting CIO be
drawn from within DHS IT leadership. Cooper's successor will face the
tasks of consolidating systems procurement, "closing the gaps in the
department's IT infrastructure" and overseeing the implementation of
programs such as US-VISIT.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=35471
http://www.fcw.com/article88555-04-11-05-Print

 --FISMA Compliance Reporting Standards Would Be Helpful
(7 April 2005)
Federal agency officials and inspectors general agreed that there need
to be standards for analyzing agencies' FISMA compliance reports.
Lacking such standards, the numbers generated by the reports could be
seen as questionable. Despite an increase in the percentage of systems
certified and accredited, inspectors general for seven agencies said
that the processes for certification and accreditation at their
particular agencies were poor. Agencies said they would like more
guidance on FISMA compliance from the Office of Management and Budget
(OMB).
http://www.fcw.com/article88516-04-07-05-Web
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=35481

 --US Dept. of Education Wants to Create Student Tracking Database
(1 April 2005)
The Department of Education has asked Congress to approve the creation
of a database that will be used to track the post-secondary education
of individual students. The database would contain personally
identifiable information about post-secondary students including names,
Social Security numbers and education costs; the database which this one
would replace holds only aggregate data for individual educational
institutions. A feasibility study by the National Center for Education
Statistics (NCES) concludes that the agency is prepared to handle the
technological, privacy and security requirements of such a database.
The NCES "operates under legislation that makes it a Class E felony to
violate data confidentiality rules."
http://www.fcw.com/article88461-04-01-05-Web
[Editor's Note (Schultz): This could turn out to be another gigantic
invitation for disaster. Legislation that punishes those who violate
data confidentiality rules is in place, true, but this won't motivate
those who are responsible for any student database that is created to
adequately *protect* the information in this database. Those who fail
to adequately protect such information should also face punishment such
as large fines.]

SPAM & PHISHING
 --Hard Drives Seized in Australian Spam Raid
(7 April 2005)
The Australian Communications Authority has raided a Perth company
suspected of sending millions of spam messages. Inspectors have seized
hard drives and other property as part of their investigation.
http://www.pcworld.idg.com.au/pp.php?id=1946285050&fp=2&fpid=1

COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
 --Microsoft Lawsuits Allege Pirated Software Distribution
(11 April 2005)
Microsoft has filed lawsuits against eight US companies for distributing
pirated versions of its Windows and Office software, alleging copyright
and trademark infringement. Microsoft had preceded the lawsuits with
cease-and-desist letters. The pirated software was discovered as part
of a Microsoft program that purchases software from distributors to test
for authenticity.
http://www.computerworld.com/printthis/2005/0,4814,100999,00.html
http://msnbc.msn.com/id/7462645/

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
 --Microsoft's April Security Update Will Contain Eight Patches
(8 April 2005)
Preceding the release of its scheduled monthly security update,
Microsoft has announced that it will be releasing eight patches, five
of which are for vulnerabilities in Windows. Several of the Windows
patches are for critical vulnerabilities; there will also be patches for
critical flaws in Office, MSN Messenger and Exchange. In addition,
Microsoft plans to release a new version of its malicious software
removal tool.
http://asia.cnet.com/news/security/printfriendly.htm?AT=39225144-39037064t-39000005c

 --Cisco Patches Two IOS Vulnerabilities
(8 April 2005)
Cisco has released patches for two IOS vulnerabilities. The first
vulnerability, which involves the IOS Secure Shell Server, could allow
IOS-based Cisco devices to be targeted by denial-of-service attacks; the
second, an Internet Key Exchange Xauth Implementation vulnerability,
could allow attackers to gain unauthorized access to vulnerable
networks.
http://www.networkingpipeline.com/showArticle.jhtml?articleID=160503400
http://www.cisco.com/en/US/products/products_security_advisory09186a008042d51b.shtml
http://www.cisco.com/en/US/products/products_security_advisory09186a008042d519.shtml
[Editor's Note (Tan): Another new release. This one looks as bad if not worse:
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
http://www.niscc.gov.uk/niscc/docs/al-20050412-00308.html?lang=en ]

 --Computer Associates Releases Workaround for Buffer Overflow Flaw
(7 April 2005)
A buffer overflow vulnerability in Computer Associates' eTrust Intrusion
Detection System could be exploited to cause a denial of service. The
flaw is the result of "insufficient checking of values passed to
Microsoft's Crypto API function CPImportKey." Computer Associates has
released a workaround for the vulnerability; it is available for
versions 3.0 and 3.0 SP1.
http://asia.cnet.com/news/security/printfriendly.htm?AT=39224954-39037064t-39000005c
http://www.eweek.com/print_article2/0,2533,a=149415,00.asp

 --Two More Smart Phone Trojans Target Symbian-Based Series 60 Handsets
(7/6 April 2005)
The Fontal-A SIS file Trojan horse program targets Nokia Series 60 smart
phones. It spreads through file sharing or Internet relay chat (IRC)
and tries to install a corrupted file that will cause the phone to fail
the next time it is rebooted. It also damages the application manager,
which prevents the Trojan from being uninstalled. In order to fix
phones infected by Fontal-A, they need to be reformatted, which will
result in the loss of all the data stored on the handset. The Mabir
Trojan horse targets a broader range of Series 60 smart phones, not just
Nokias. Mabir replicates via MMS messages.
http://asia.cnet.com/news/security/printfriendly.htm?AT=39224769-39037064t-39000005c
http://asia.cnet.com/news/communications/printfriendly.htm?AT=39224950-39037080t-39000002c
http://www.channelregister.co.uk/2005/04/06/mobile_killer_trojan/

 --Windows XP SP2 Blocking Grace Period Ends
(6/5 April 2005)
As of April 12, Windows XP users who have not downloaded Service Pack 2
will no longer be able to block the update from downloading onto their
machines without blocking other updates at the same time; users can
prevent SP2 from downloading by disabling Automatic Updates. One survey
shows that only about 25% of corporate PCs running XP have downloaded
SP2.
http://www.cio-today.com/wrldwd/story.xhtml?story_title=Microsoft-To-End-Service-Pack---Download-Block-Feature-on-April---&story_id=32440&category=wrldwd
http://www.pcworld.com/news/article/0,aid,120288,00.asp
[Editor's Note (Schultz): There are definitely some problems associated
with this Service Pack. Installing this Service Pack on my main WXP
machine caused my system drive to start to become full. I had to move
many files and folders to another drive and then defragment to regain
the space that I needed.]

 --Microsoft Looking Into Reports of IE and Outlook Flaws
(4&1 April/31 March 2005)
Microsoft is investigating reports of two "high-risk" vulnerabilities
in default installations of Internet Explorer and Outlook. The flaws
could allow code execution with virtually no action required of the user
beyond visiting a web site that contains the malicious code. The flaws
affect Windows NT 4.0, 2000, XP (including XP SP2) and
Windows Server 2003. There are no known exploits for the
vulnerabilities.
http://www.pcmag.com/print_article2/0,2533,a=148871,00.asp
http://www.technewsworld.com/story/security/ie-outlook-security-flaw-41978.html
http://news.com.com/2102-1002_3-5650238.html?tag=st.util.print

MISCELLANEOUS
 --Sybase Withdraws Threat of Legal Action Against NGS
(11/5 April 2005)
Sybase will not take legal action against Next Generation Security
Software that had said it was planning to disclose details of
vulnerabilities in the database maker's products. The companies have
issued a joint statement about the six vulnerabilities which pointed
readers to both a technical advisory from NGS and information on
Sybase's web site about fixes that were released in February.
http://www.securityfocus.com/printable/news/10827
http://www.computerworld.com/printthis/2005/0,4814,100965,00.html

 --CIO Council Honors Luigart, Paller with Azimuth Awards
(6/5 April 2005)
At last week's FOSE 2005 information technology conference in Washington
DC, the CIO Council honored Veterans Affairs' strategic planning
executive Craig B. Luigart and SANS Institute founder Alan Paller with
Azimuth Awards for the contributions their work has made to the
government information technology community. Mr. Luigart is known "for
focusing the government on Section 508 accessibility standards" and Mr.
Paller for his work on IT security. "Azimuth Awards are given to public
and private sector executives who have demonstrated far-reaching vision,
leadership in technology and direction setting for their organizations
in pursuing the goals of the United States government."
http://www.washingtontechnology.com/news/1_1/daily_news/25950-1.html
 
- ---end---

NewsBites Editorial Board:
Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz,
Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFCXQ3S+LUG5KFpTkYRAjWkAJoDTMLGlBOe8R9Jo7d01Qm3FlZHbgCfQFPq
CAOMnP/vKsD5QaD7kR4b7RY=
=V+3b
-----END PGP SIGNATURE-----