SANS NewsBites Vol. 8 Num. 2
From: The SANS Institute (NewsBites sans.org)
Date: Fri Jan 06 2006 - 13:46:32 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Congratulations to Microsoft for reducing the pain from the programming
error they made on processing WMF files. The national policy issue that
remains is summed up in the question: "If 9 days is rapid and
extraordinary response, and the US government has ceded responsibility
for correcting its most widely used software to the vendors, what will
we do when the attack comes from a nation-state adversary and tens of
thousands of computers are having critical data destroyed every hour?"
Alan
PS The deadline for SANS 2006 (Orlando in February) early registration
discount of $250 is next Wednesday (1/11)
www.sans.org/sans2006
*************************************************************************
SANS NewsBites January 3, 2006 Vol. 8, Num. 1
*************************************************************************
TOP OF THE NEWS
Microsoft Releases Out-of-Cycle Patch for WMF Flaw
Study Shows IT Professionals Gaining Increased Influence
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
UK's Crown Prosecution Service Mulling Appeal of DDoS Case Dismissal
Iowa Man Pleads Guilty in Phishing Case
Two Men Ordered to Pay Damages and Court Costs in Domain Name Phishing Scam
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DHS IG Report Says Department CIO Is "Not Well-Positioned" to Carry Out Tasks
US Government Contractors Now Face Same Background Checks as Federal Employees
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
BlackBerry Acknowledges Security Flaws
ATTACKS & INTRUSIONS & DATA THEFT
Mortgage Company Says Transition to Secure Digital Network for Data Transfer Will be Complete This Month
STATISTICS, STUDIES & SURVEYS
Viral eMail Increased in December in Ireland
MISCELLANEOUS
Bank of America Deploys Two-Factor Authentication
*********** Sponsored by SANS New Master of Science Degrees **********
Earn your Masters degree in Information Security Engineering, from SANS.
http://www.sans.edu
Also, two Free SANS Webcasts next week "Update on the Law of IT Security
Policies: New Guidance under GLBA" Tuesday, January 10 at 1:00 PM EST
(1800 UTC/GMT) http://www.sans.org/info.php?id=977 and Internet Storm
Center: "Threat Update" webcast Wednesday, January 11 at 1:00 PM EST
(1800 UTC/GMT) http://www.sans.org/info.php?id=978
**********************************************************************
TOP OF THE NEWS
--Microsoft Releases Out-of-Cycle Patch for WMF Flaw
(5/4 January 2006)
On Thursday, January 5, 2006, Microsoft released a patch for the WMF
flaw. Microsoft released the out-of-cycle bulletin with updates in
response to overwhelming customer demand. Microsoft initially said the
fix would be released on January 10, the date for the scheduled monthly
update. A pre-release version of Microsoft's patch for the WMF
vulnerability was inadvertently posted to the web.
http://www.computerworld.com/printthis/2006/0,4814,107500,00.html
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
http://www.microsoft.com/technet/security/bulletin/advance.mspx
http://www.us-cert.gov/cas/techalerts/TA06-005A.html
http://www.computerworld.com/printthis/2006/0,4814,107420,00.html
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.securityfocus.com/brief/94
[Editor's Note (Schultz): This was an excellent move by Microsoft. By
coming out with an update so quickly, Microsoft not only defused
controversy and confusion surrounding the availability of the
"unofficial patch," but also, given the seriousness of the WMF flaw,
quickly helped protect its user community from potential disaster.]
--Study Shows IT Professionals Gaining Increased Influence
(3 January 2006)
According to the 2005 Global Information Security Workforce Study,
sponsored by the International Information Systems Security
Certification Consortium (ISC)2, IT security professionals are gaining
increased access to corporate boardrooms. More than 70 percent of those
surveyed said they felt they had increased influence on executives in
2005 and even more expect that influence to keep growing. "They are
increasingly being included in strategic discussions with the most
senior levels of management." Howard Schmidt, who serves on (ISC)2's
Board of Directors said "There's more attention and focus on IT security
as a profession, as opposed to just a job." Companies are increasingly
looking for employees who have not only security expertise, but
experience in management and business as well. More than 4,300
full-time IT security professionals provided responses for the study.
http://www.techweb.com/wire/175800558
[Editor's Note (and shameless plug) (Paller): The enormous need for
management and communications skills in security professionals is the
principal driver behind the SANS Institute's new Master of Science
degree program authorized by the Maryland Higher Education Commission,
but available to the entire security community, world-wide.
(www.sans.edu) Note the .edu]
ARRESTS, CONVICTIONS AND SENTENCES
--UK's Crown Prosecution Service Mulling Appeal of DDoS Case Dismissal
(5 January 2006)
The UK's Crown Prosecution Service "is considering appealing a judge's
decision" to dismiss a distributed denial-of-service (DDoS) attack case
brought against a teenager under the Computer Misuse Act (CMA). The
teenager allegedly deluged his former employer with five million email
messages. The judge's ruling said the attack described in the case was
not illegal under the CMA. The CPS requested and received "a draft case
outlining how [Wimbledon Magistrate's Court] reached its decision." The
CPS may take the case to the High Court to ask its opinion on the
judge's ruling. If the High Court upholds the decision, it will stand;
if the High Court overturns the judge's decision, the case will return
to the magistrate's court and continue.
http://www.zdnet.co.uk/print/?TYPE=story&AT=39245718-39020375t-10000025c
--Iowa Man Pleads Guilty in Phishing Case
(4 January 2006)
An Iowa man has pleaded guilty to charges stemming from a phishing scam.
Jayson Harris conducted a scam between January 2003 and June 2004,
targeting MSN customers and duping them into believing they needed to
provide credit card numbers to keep their accounts active. Harris
reportedly stole about US$57,000 through the scam. The fraud charge
against Harris could bring him a fine of up to US$250,000 and up to 10
years in prison; for wire fraud, Harris faces another maximum fine of
US$250,000 and up to 20 years in prison. If his crimes affected a
financial institution, the penalties could be more stringent.
http://www.informationweek.com/story/showArticle.jhtml?articleID=175800879
--Two Men Ordered to Pay Damages and Court Costs in Domain Name Phishing Scam
(3 January 2006/13 December 2005)
An Australian court has ordered two men to pay AU$2.3 million (US$1.72
million) in damages and legal fees for running a domain registration scam
that targeted as many as 50,000 UK website owners. Brad Norrish and
Chesley Rafferty sent notices that appeared to be genuine informing
people that they would lose their domain names unless they paid a fee.
Norrish and Rafferty used data they obtained from domain name registrar
Nominet's database.
http://www.theregister.co.uk/2006/01/03/domain_scam/print.html
http://www.theaustralian.news.com.au/common/story_page/0,5744,17549155%255E2702,00.html
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
--DHS IG Report Says Department CIO Is "Not Well-Positioned" to Carry Out Tasks
(5 January 2006/29 December 2005)
A report recently released by Department of Homeland Security (DHS)
inspector general Richard Skinner said that DHS CIO Scott Charbo is not
in a position "to accomplish the department's goal of creating a single
IT infrastructure." The problem is that Charbo is not "a member of the
senior management team," meaning he does not have the "authority to
manage departmentwide assets and technology." Skinner recommends the
DHS follow the example of other agencies where the CIOs have the
necessary authority and influence to manage and "guide executive
decisions on departmentwide IT investments and strategies."
http://www.computerworld.com/printthis/2006/0,4814,107499,00.html
http://www.dhs.gov/interweb/assetlibrary/OIG_06-14_Dec05.pdf
--US Government Contractors Now Face Same Background Checks as Federal Employees
(3 January 2006)
An interim rule issued by the Federal Acquisition Regulation Council
requires federal agencies to make contractors undergo the same
background investigations required of federal employees per Homeland
Security Presidential Directive 12: Policy for a Common Identification
Standard for Federal Employees and Contractors. The rule is backdated
to October 27, 2005; all contractors employed before that date must be
cleared by October 27, 2007.
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=37856
http://a257.g.akamaitech.net/7/257/2422/01jan20061800/edocket.access.gpo.gov/2006/05-24547.htm
HSPD-12: http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html
[Editor's Note (Schultz): Given the pervasiveness and importance of
contractors in the US government, this new rule makes perfect sense.]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--BlackBerry Acknowledges Security Flaws
(5/4 January 2006)
BlackBerry maker Research in Motion (RIM) has acknowledged three
vulnerabilities in the BlackBerry software. A fix for one of the
vulnerabilities is available. BlackBerry has provided information on
how to protect devices from attacks via the other two. The most serious
of the vulnerabilities involved a "flaw in processing Server Routing
Protocol (SRP) packets." Another flaw lies in the way maliciously
crafted TIFF image attachments are handled. Having BlackBerry servers
behind a firewall should protect users from being attacked via the SRP
flaw. A third vulnerability, which has been fixed in BlackBerry device
software 4.0.2 and later, could have allowed denial-of-service attacks
through maliciously crafted Java Application Description (JAD) files.
http://www.theregister.co.uk/2006/01/04/blackberry_security_bugs/print.html
http://www.out-law.com/page-6509
http://www.net-security.org/article.php?id=887
US CERT Vulnerability Notes: http://www.kb.cert.org/vuls/byid%3fsearchview%26query=rim_blackberry_fx_dec_2006
http://www.computerworld.com/printthis/2006/0,4814,107447,00.html
http://hardware.silicon.com/pdas/0,39024643,39155326,00.htm
http://www.eweek.com/print_article2/0,1217,a=168379,00.asp
ATTACKS & INTRUSIONS & DATA THEFT
--Mortgage Company Says Transition to Secure Digital Network for Data Transfer Will be Complete This Month
(2 January 2006)
ABN Amro Mortgage Group, which in December acknowledged that a backup
tape containing customer account and personal data was missing for one
month, said their transition to sending encrypted data to credit bureaus
over networks instead will be complete this month. In the event a
recipient cannot accept electronic data, ABN Amro will send tapes by
special courier rather than through traditional shipping companies.
http://www.computerworld.com/printthis/2006/0,4814,107357,00.html
STATISTICS, STUDIES & SURVEYS
--Viral eMail Increased in December in Ireland
(3 January 2006)
According to statistics compiled by Irish hosting firm IE Internet, 23.4
percent of all email messages it intercepted in December 2005 had
malicious code attached. The figure for November was 16.5 percent; the
significant increase is attributable to the Sober.Z worm, which
accounted for 45.2 percent of all infected intercepted messages. In addition,
38.9 percent of the intercepted email was spam, down slightly from
November's figure of 41.9 percent.
http://www.enn.ie/frontpage/news-9660727.html
http://www.siliconrepublic.com/news/news.nv?storyid=single5849
MISCELLANEOUS
--Bank of America Deploys Two-Factor Authentication
(4 January 2006)
Bank of America has deployed two-way, two-factor authentication to
customers in 48 of the 50 states. The scheme uses an image, a phrase
and challenge questions to let customers know they are interacting with
the authentic banking site and not a phishing web site. The new
authentication scheme will become mandatory in 2006; Idaho and
Washington state are set to get the technology sometime this year.
http://www.techweb.com/wire/security/175801173%3Bjsessionid=E4PL4VCFYN1U0QSNDBECKHSCJUMEKJVN
===end===
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
iD8DBQFDvrg4+LUG5KFpTkYRAkbBAJ9w5fV0lZUDM+sCoAb9vrPus9U4eQCcDc+5
B5Jg4Pq5ZNDbO5syBKVoizs=
=cKie
-----END PGP SIGNATURE-----