SANS NewsBites Vol. 8 Num. 4

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Jan 13 2006 - 14:50:45 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*************************************************************************
SANS NewsBites January 13, 2006 Vol. 8, Num. 4
*************************************************************************

TOP OF THE NEWS
  Clause in New Law Criminalizes Anonymous "Annoying" eMail and Web
      Postings
  MasterCard Offers Merchants Free Network Scans and Incentives

THE REST OF THE WEEK'S NEWS
  ARRESTS, CONVICTIONS AND SENTENCES
    Singapore Student Jailed for Selling Pirated Software
  HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
    Audit of Military User Accounts Finds Problems
  SPYWARE, SPAM & PHISHING
    Amended Qwest Subscriber Agreement Describes Fines for Sending Spam
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Symantec Fixes Flaw that Could Allow Malware to Hide
    Apple Fixes QuickTime Flaws
    Microsoft Bulletins Address Two Critical Flaws
  ATTACKS & INTRUSIONS & DATA THEFT
    Connecticut Bank Says Lost Tape Contains Customer Data
    Resort Acknowledges Security Breach Compromised Customer Data
  STATISTICS, STUDIES & SURVEYS
    2005 FBI Computer Crime Survey
  
*********************** Sponsored by BigFix, Inc. ***********************
NEW WEBCAST AND COMPLIMENTARY GARTNER RESEARCH NOTE: "MINIMIZING RISK"
Join BigFix, and guest speaker, Mark Nicolett, of Gartner, for
"Minimizing Risk with Vulnerability and Security Configuration
Management" and learn how the right vulnerability management solution
helps BigFix customers worldwide reduce costs, maintain compliance and
increase security without adding expensive infrastructure.

http://www.sans.org/info.php?id=986
*************************************************************************

TOP OF THE NEWS
 --Clause in New Law Criminalizes Anonymous "Annoying" eMail and Web Postings
(10/9 January 2006)
The recently enacted Violence Against Women and Department of Justice
Reauthorization Act contains a clause that makes it a crime to post
"annoying messages or send annoying email" without disclosing one's true
identity. The clause, which amends existing phone harassment laws,
prohibits people from using the Internet "without disclosing their
identities and with the intent to annoy." People convicted under the law
could face fines and prison sentences of up to two years.
http://news.com.com/2102-1028_3-6022491.html?tag=st.util.print
http://www.vnunet.com/vnunet/news/2148324/flame-wars-criminalised
http://www.whitehouse.gov/news/releases/2006/01/20060105-3.html

 --MasterCard Offers Merchants Free Network Scans and Incentives for
    Using Authentication Service
(11 January 2006)
MasterCard says it will reduce transactions charges for merchants using
its SecureCode customer authentication service, which allows merchants
to authenticate customers by having them enter a passcode that is known
only by the customers and the issuing banks. MasterCard will also
provide free network vulnerability scans for one IP address per merchant
until June 2006. Network vulnerability scans are required under the
Payment Card Industry Data Security Standard that took effect in July
2005.
http://www.computerworld.com/printthis/2006/0,4814,107659,00.html
http://www.mastercard.com/us/merchant/security/what_can_do/SDP/merchant/free_scan.html
[Editor's Note (Schultz): Offering reduced transaction charges for using
MasterCard's SecureCode authentication is a brilliant idea, as is
offering free network scans. By taking these initiatives MasterCard is
substantially reducing resistance to security measures; information
security practitioners should note and imitate this approach whenever
possible.
(Pescatore): The Payment Card Industry Data Security Standard program
needs more attention and investment from the Payment Card Industry than
just giving out free single IP address vulnerability scans. Merchants
and processors are frustrated by the lack of guidance and feedback from
Visa and Mastercard on the issues around acceptable compensating
controls when issues are found. While the PCI DSS approach is a good
idea, the Payment Card industry's execution has been lacking.]

ARRESTS, CONVICTIONS AND SENTENCES
 --Singapore Student Jailed for Selling Pirated Software
(11 January 2006)
Ang Chiong Teck, a student at Singapore's Nanyang Technological
University, has been sentenced to four months in prison for selling
pirated copies of Microsoft software. The phony copies of software
included forged certificates of authenticity. Ang's scheme was
discovered when those who had purchased the software found they lacked
the codes required to register the software online and download updates.
When Ang was arrested, authorities confiscated S$20,000 (US$12,270)
worth of pirated software in his possession. Ang was arrested in
September, but his sentencing was delayed until December to allow him
to finish his university examinations.
http://www.zdnet.co.uk/print/?TYPE=story&AT=39246559-39020651t-10000022csa

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
 --Audit of Military User Accounts Finds Problems
(10 January 2006)
An audit of US military computer user accounts found that as many as 20
percent of all accounts are unauthorized or inactive, with 3,000 in the
Defense Information Systems Agency (DISA) alone. Inactive accounts are
those abandoned when those to whom they were issued moved on to other
positions; unauthorized accounts are those that were created with
"unnecessary or unauthorized permissions." The existence of these
accounts together with the fact that military systems experience slow
patch distribution presents opportunities for malicious attackers to
infiltrate military computer systems.
http://www.eweek.com/print_article2/0,1217,a=168898,00.asp
[Editor's Note (Kreitner): Closing no longer needed user accounts is
especially important in organizations like the military where there is
so much personnel turnover, but this is a ubiquitous management
failure--and a good candidate for a metric tracking the effectiveness
over time of improved access management discipline.
(Grefer): Exit procedures, independent of the reason (lay-off,
promotion, cross-organizational move), should include a phased approach
to dealing with the former accounts and privileges. Following an
initial lockdown of said account, migrate the remaining data and
privileges to a successor, substitute or surrogate, and subsequently
disable or delete the account.]
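As an added example (not from the newsletter, the audit, or DISA), the following Python script puts the two editors' points into working form: it reviews a constructed directory export for inactive, orphaned and over-privileged accounts, reports the fraction flagged so the number can be tracked over time as a metric, and emits the lock, migrate, then disable/delete sequence for each flagged account. The 90-day inactivity threshold, the account record fields, the authorized-privilege roster and all sample data are assumptions made for this example.

```python
"""Stale and unauthorized account review (worked example, constructed data)."""
from datetime import datetime, timedelta

# Assumed policy value: accounts with no logon in this many days are inactive.
INACTIVITY_DAYS = 90

# Constructed sample directory export. Fields are assumptions for this example:
#   user         - account name
#   last_logon   - ISO date of last successful logon, or None if never used
#   owner_active - whether the person the account was issued to is still in post
#   privs        - privileges currently granted to the account
SAMPLE_ACCOUNTS = [
    {"user": "jsmith",  "last_logon": "2006-01-05", "owner_active": True,  "privs": {"login"}},
    {"user": "adoe",    "last_logon": "2005-06-01", "owner_active": False, "privs": {"login"}},
    {"user": "svc_bak", "last_logon": None,         "owner_active": True,  "privs": {"login", "backup"}},
    {"user": "rlee",    "last_logon": "2006-01-10", "owner_active": True,  "privs": {"login", "domain_admin"}},
]

# Constructed roster of what each account is authorized to hold.
AUTHORIZED_PRIVS = {
    "jsmith": {"login"},
    "adoe": {"login"},
    "svc_bak": {"login", "backup"},
    "rlee": {"login"},
}


def classify(acct, authorized, as_of, inactivity_days=INACTIVITY_DAYS):
    """Return the set of findings for one account.

    'inactive'           - no logon within the inactivity window (or never)
    'orphaned'           - the issued-to person has moved on
    'unauthorized_privs' - granted privileges exceed the authorized roster
    """
    findings = set()
    cutoff = as_of - timedelta(days=inactivity_days)
    last = acct["last_logon"]
    if last is None or datetime.fromisoformat(last) < cutoff:
        findings.add("inactive")
    if not acct["owner_active"]:
        findings.add("orphaned")
    if acct["privs"] - authorized.get(acct["user"], set()):
        findings.add("unauthorized_privs")
    return findings


def review(accounts, authorized, as_of):
    """Map every account name to its findings (empty set means clean)."""
    return {a["user"]: classify(a, authorized, as_of) for a in accounts}


def summary(report):
    """Return (flagged_count, total, flagged_fraction) as a trackable metric."""
    total = len(report)
    flagged = sum(1 for f in report.values() if f)
    return flagged, total, (flagged / total if total else 0.0)


def offboarding_steps(findings):
    """Ordered remediation following the lock -> migrate -> disable/delete sequence.

    Excess privileges are revoked first; accounts that are inactive or orphaned
    are locked, their data and privileges migrated to a successor, then disabled;
    orphaned accounts are additionally scheduled for deletion.
    """
    steps = []
    if "unauthorized_privs" in findings:
        steps.append("revoke_excess_privileges")
    if findings & {"inactive", "orphaned"}:
        steps += ["lock_account",
                  "migrate_data_and_privileges_to_successor",
                  "disable_account"]
        if "orphaned" in findings:
            steps.append("schedule_deletion")
    return steps


if __name__ == "__main__":
    as_of = datetime(2006, 1, 13)  # review date, matching the newsletter issue
    report = review(SAMPLE_ACCOUNTS, AUTHORIZED_PRIVS, as_of)
    for user, findings in report.items():
        print(f"{user:8s} {sorted(findings) or 'clean'} -> {offboarding_steps(findings)}")
    flagged, total, frac = summary(report)
    print(f"{flagged}/{total} accounts flagged ({frac:.0%})")
```

Run against a real directory export, the same three checks map onto the audit's two categories: "inactive" and "orphaned" cover abandoned accounts, while "unauthorized_privs" covers accounts created with unnecessary or unauthorized permissions. The flagged fraction from `summary` is the kind of figure the Kreitner note suggests tracking from review to review.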

SPYWARE, SPAM & PHISHING
 --Amended Qwest Subscriber Agreement Describes Fines for Sending Spam
(9 January 2006)
Qwest has added a clause to its subscriber agreement, indicating that
customers will be charged US$5 for each spam message sent from their
computers if the spam sent results in damages awarded against Qwest.
The fine would stand regardless of whether or not the customers are
aware of the spam being sent, according to the new clause. However, a
Qwest spokesperson said that the company would be unlikely to impose
fines if a customer or end-user were the victim of malware that caused
the computer to send out spam.
http://www.techworld.com/security/news/index.cfm?RSS&NewsID=5116
http://www.qwest.com/legal/highspeedinternetsubscriberagreement/

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Symantec Fixes Flaw that Could Allow Malware to Hide
(12 January 2005)
Symantec has updated its Norton SystemWorks to address a flaw that could
be used by attackers to hide malicious code on vulnerable computers.
The flaw lies in the Norton Protected Recycle Bin feature that creates
a hidden directory on Windows systems and is designed to allow
restoration of deleted or modified files. The flaw affects Norton
SystemWorks 2005 and 2006 and Norton SystemWorks Premier 2005 and 2006.
Symantec disputes allegations that this feature constitutes a rootkit.
http://software.silicon.com/security/0,39024888,39155548,00.htm
http://www.theregister.co.uk/2006/01/12/symantec_fixes_rootkit_bug/print.html
http://www.techweb.com/wire/175804046

 --Apple Fixes QuickTime Flaws
(11/10 January 2006)
Apple Computer has released QuickTime 7.0.4 which fixes five serious
security flaws in earlier versions of the QuickTime media player. The
vulnerabilities could be exploited to "run unauthorized code" on
machines running vulnerable versions of QuickTime. Attackers would need
to trick users into viewing maliciously crafted TIFF, GIF, TGA or QTIF
files.
Internet Storm Center Note: http://isc.sans.org/diary.php?storyid=1033
http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/01/10/73787_HNquicktimepatch_1.html
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39304153-39000005c
http://docs.info.apple.com/article.html?artnum=303101
[Editor's Note (Dhamankar): With vulnerabilities in so many file formats
these days, maybe it's time to re-learn the good old days of text
browsing!]

 --Microsoft Bulletins Address Two Critical Flaws
(10 January 2006)
Microsoft's January security update, released on January 10, 2006,
includes fixes for two critical remote code execution flaws. A
vulnerability in Outlook and Exchange involves the way the products
decode the Transport Neutral Encapsulation Format (TNEF); the second
flaw involves the way Windows "handles malformed embedded Web fonts."
The TNEF flaw is perceived to be more dangerous than the Windows flaw
as it requires no user interaction to be exploited.
Internet Storm Center Notes: http://isc.sans.org/diary.php?storyid=1032
https://www.sans.org/webcasts/show.php?webcastid=90616
http://www.computerworld.com/printthis/2006/0,4814,107621,00.html
http://www.microsoft.com/technet/security/Bulletin/MS06-003.mspx
http://www.microsoft.com/technet/security/Bulletin/MS06-002.mspx

ATTACKS & INTRUSIONS & DATA THEFT
 --Connecticut Bank Says Lost Tape Contains Customer Data
(12 January 2006)
Connecticut-based People's Bank has acknowledged that a tape containing
sensitive data belonging to approximately 90,000 customers was lost en
route to a credit-reporting bureau. The data on the tape includes
Social Security numbers, names and bank account numbers. The bank said
there is no evidence that the data have been misused and made no comment
about whether or not it was encrypted. Affected customers will be
provided with one year of free credit monitoring service.
http://news.com.com/2102-1029_3-6026692.html?tag=st.util.print
http://www.peoples.com/pressroom/article/0,8401,14103,00.html

 --Resort Acknowledges Security Breach Compromised Customer Data
(10 January 2006)
Kerzner International, owner of the Atlantis resort in the Bahamas,
filed a document with the Bahamas Securities and Exchange Commission
that included information about a data theft; personal data belonging
to approximately 55,000 resort customers was among the information
compromised in a database security breach. Atlantis hotel management
is notifying those affected in writing and is offering them one year of
credit monitoring service. The compromised information includes Social
Security numbers and credit card and bank account details.
http://news.com.com/2102-7348_3-6025591.html?tag=st.util.print
http://www.pcworld.com/resource/article/0,aid,124339,pg,1,RSS,RSS,00.asp

STATISTICS, STUDIES & SURVEYS
 --2005 FBI Computer Crime Survey
(11 January 2006)
According to the 2005 FBI Computer Crime Survey, 87 percent of those
responding said their organizations had experienced a security incident.
Ninety-eight percent of respondents said they used antivirus software;
ninety percent said they used firewalls. The report found a "positive
correlation between the number of security measures employed and the
number of denial-of-service attacks" experienced. More than 79 percent
of respondents said their organizations experienced problems with
spyware. Some security incidents went unreported due to beliefs that
there was no criminal activity involved in the incident, that the
incident was too small to report and that law enforcement would not be
interested in the incidents. The survey asked 23 questions of 2,066
organizations in New York, Iowa, Texas and Nebraska.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1157706,00.html?track=sy160
[Editor's Note (Boeckman): This is a sad fact about the state of
computer security today and serves as an indication that things are not
improving much. The only thing worse is that the 13% that did not
report an incident are probably just oblivious.]

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDyALs+LUG5KFpTkYRAs/oAJ4oeWOykBn98mpijZB8hVdUcLEglwCaAiWu
ZpUmB47PMNj66S2Lp1UoLOw=
=PWfu
-----END PGP SIGNATURE-----