SANS NewsBites Vol. 8 Num. 5
From: The SANS Institute (NewsBites sans.org)
Date: Tue Jan 17 2006 - 20:33:46 CST
*************************************************************************
SANS NewsBites January 17, 2006 Vol. 8, Num. 5
*************************************************************************
TOP OF THE NEWS
IRS Imposes Strict Security Rules on New Contractors
Government Web Site for Contractor Bids Offline for Security Fix
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Spanish Civil Guard Arrests Suspected Cyber Intruder
Alleged Spammer Reportedly Reaches Plea Deal
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Researcher: SonyBMG DRM Software Still Widespread
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Windows Wi-Fi Vulnerability
Microsoft Issues WMF Patches for Vista
QuickTime Patch Problems
MISCELLANEOUS
UK Banks Will Not Face Legal Action Over Alleged Indian Call Center
Data Security Breach
iTunes MiniStore Feature Raises Privacy Concerns
****************** Sponsored by ArcSight ********************************
Download Top 10 Guide to Evaluating SIM Solutions
Many factors go into buying a SIM solution. Discover the best practices,
based on customer experiences, that should be an integral part of your
evaluation process with the new Top 10 Guide to Evaluating SIM
Solutions. Brought to you by ArcSight, the one vendor that's been proven
in demanding real-world trials, for security, compliance and insider
threat. Download a copy of the guide today!
http://www.sans.org/info.php?id=987
*************************************************************************
Training Opportunities in the Next Five Weeks
SANS 2006 in Orlando (Feb 24 - March 4) 36 tracks of extraordinary
training - the best instructors in the world, and a great security tools
exposition. Lots of people are bringing their families to Orlando to
join them at the end of the program.
Plus: San Francisco, Phoenix, St. Louis, Brisbane, Tokyo, Ottawa
Or you can take SANS training anytime, anywhere with the new SANS On Demand.
Details on these and other programs: www.sans.org
*************************************************************************
TOP OF THE NEWS
--IRS Imposes Strict Security Rules on New Contractors
(16 January 2006)
Beginning in March, the US Internal Revenue Service (IRS) will have
three private contractors helping to collect back taxes from US
citizens. The contractors will be obliged to follow stringent IRS
security rules. All their work must be done in the United States;
contractors must purge taxpayer data from IT systems when a case is
completed, or if that is not possible, guarantee the security of that
information. The contractors must also abide by federal security
standards.
http://www.informationweek.com/story/showArticle.jhtml?articleID=177100345
[Editor's Note (Schultz): If you read the Information Week article,
you'll see that there is another side to this story, one that focuses
on concerns that the IRS will not sufficiently protect taxpayer
information. I share these concerns, especially given that contractors
are not required to immediately delete taxpayer information from their
computers when a case is done if doing so "is not possible." This
creates all kinds of loopholes for contractors. Furthermore, will
contractors actually be able to delete all of this information if and
when the time comes?]
--Government Web Site for Contractor Bids Offline for Security Fix
(13 January 2006)
The eOffer/eMod web site, which is used by vendors to bid on government
contracts through the General Services Administration (GSA), has been
closed to address security concerns. One of the site's users says he
was able to look at and possibly edit others' bids by altering unique
ID numbers on applications; he reported the problem to the GSA on
December 22, 2005. The site is scheduled to be back on line by the
middle of this week.
http://www.computerworld.com/printthis/2006/0,4814,107750,00.html
http://www.fcw.com/article91960-01-13-06-Web
(New York Times web site requires free registration)
http://www.nytimes.com/2006/01/13/technology/13secure.html?pagewanted=print
White Paper on the Flaw:
http://www.thinkcomputer.com/corporate/news/restassured.pdf
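The eOffer/eMod flaw described above is an authorization failure: a bid was reached by its ID alone, so changing the ID in a request exposed another vendor's record. The following is an added illustration, not code from the newsletter, the GSA or the white paper; the bid store, vendor names and amounts are constructed. It places the unchecked lookup beside one that verifies ownership of the record before returning or modifying it.

```python
# Added example (not from the newsletter or the GSA system): a minimal bid store
# with the access-control flaw described above beside its fix. All names and
# values are constructed for the demonstration.
from dataclasses import dataclass


@dataclass
class Bid:
    bid_id: int
    vendor: str
    amount: int


class BidStore:
    def __init__(self):
        self._bids = {}
        self._next_id = 1000  # sequential IDs are trivially guessable

    def submit(self, vendor, amount):
        bid = Bid(self._next_id, vendor, amount)
        self._bids[bid.bid_id] = bid
        self._next_id += 1
        return bid.bid_id

    # Vulnerable: the lookup trusts the ID in the request and never consults
    # the requester, so any authenticated vendor reaches any bid.
    def get_bid_unchecked(self, requester, bid_id):
        return self._bids[bid_id]

    # Hardened: authorization is decided against the record's owner.
    def get_bid(self, requester, bid_id):
        bid = self._bids.get(bid_id)
        if bid is None or bid.vendor != requester:
            # One response for "missing" and "not yours": no ID enumeration signal.
            raise PermissionError("bid not found")
        return bid

    def update_amount(self, requester, bid_id, amount):
        bid = self.get_bid(requester, bid_id)  # ownership check before any write
        bid.amount = amount
        return bid


def demo():
    store = BidStore()
    store.submit("vendor-a", 120_000)
    b = store.submit("vendor-b", 95_000)
    leaked = store.get_bid_unchecked("vendor-a", b).amount  # flaw: succeeds
    try:
        store.get_bid("vendor-a", b)
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked, store.get_bid("vendor-b", b).amount
```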
********************* Sponsored Links: **********************************
1) Email Security Strategies: What to Plan for in 2006 Gartner
analyst featured in this On Demand webinar beginning January 19th
http://www.sans.org/info.php?id=988
2) WhatWorks Webcasts
WhatWorks in Secure Email - January 19
WhatWorks in Penetration Testing - January 25
Organizations that select security tools without first checking
WhatWorks case studies and interviews are unnecessarily, and foolishly
increasing their risks.
Upcoming Webcasts: http://www.sans.org/webcasts/
All the WhatWorks Webcasts Archived: http://www.sans.org/whatworks
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
--Spanish Civil Guard Arrests Suspected Cyber Intruder
(16 January 2006)
The Spanish Civil Guard says that a man has been arrested in Malaga for
allegedly breaking into a computer with sensitive information at a US
Navy base in San Diego. The Spanish Civil Guard searched the man's home
and seized a computer and other effects. The Civil Guard says the
suspect is allegedly part of a group that has broken into more than 100
computer systems and caused damages exceeding US$500,000.
http://www.cnn.com/2006/WORLD/europe/01/16/spain.us/index.html
http://abcnews.go.com/Technology/wireStory?id=1510995
--Alleged Spammer Reportedly Reaches Plea Deal
(13 January 2006)
Alleged spammer Daniel Lin is expected to enter a guilty plea in court
on January 17, 2005 after he admitted using corporate and government
computer networks to send unsolicited commercial email. Lin's deal with
prosecutors will send him to jail for between two years and 57 months;
if he had not agreed to the deal, Lin would face a much lengthier
sentence. Lin is one of four people charged in April 2005 with using
compromised computers to send spam. The group allegedly sent spam
through proxies with phony return-path addresses in violation of the
CAN-SPAM Act.
http://www.theregister.co.uk/2006/01/13/detroit_spam_case/print.html
[Editor's Note (Shpantzer): If we could figure out how to jail some of
the people who fund the spammers in the first place, that would be a
true deterrent. Let's remember the fundamentals: Spammers don't send
us those emails for their own amusement, they are serving their
corporate clients that use spam as a paid marketing channel. Same goes
with lots of spyware.]
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--Researcher: SonyBMG DRM Software Still Widespread
(16 January 2006)
A security researcher estimates that hundreds of thousands of computer
networks around the world still have PCs on them that contain SonyBMG's
notorious digital rights management (DRM) software. Many of the
affected networks belong to the US military and government. The
problems caused by two different DRM programs, XCP and MediaMax,
resulted in several lawsuits being filed against SonyBMG. A New York
district court judge recently approved a settlement between SonyBMG and
attorneys for six class-action lawsuits.
http://www.securityfocus.com/news/11369
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Windows Wi-Fi Vulnerability
(16 January 2006)
A flaw in a Windows XP and 2000 feature that automatically searches for
Wi-Fi connections could be exploited to put vulnerable computers in
peer-to-peer networks, potentially exposing the contents of their hard
drives. When computers running these operating systems are turned on,
they automatically search for a Wi-Fi connection; if none is found, they
create an ad hoc connection to a local address using the SSID from the
last successful connection and broadcast the SSID in an attempt to
search for other computers to connect to. If an attacker is listening
for this type of broadcast, he can create a network connection with the
same SSID that would allow the machines to associate and give the
attacker access to files on the user's PC. Users with firewalls are
protected; users running Windows XP SP2 are not at risk. Users can
protect their computers by disabling Wi-Fi when they are not using it.
In addition, system administrators should block ports 135, 137, 138 and
139 from accepting NetBIOS connections.
http://news.com.com/2102-1029_3-6027399.html?tag=st.util.print
http://www.newsfactor.com/news/Windows-Wi-Fi-Flaw-Uncovered/story.xhtml?story_id=100009TZG1MS
--Microsoft Issues WMF Patches for Vista
(16/14 January 2006)
Microsoft has released a patch for the critical WMF vulnerability for
its Windows Vista December Community Technology Preview (CTP) and
Windows Vista Beta 1. Microsoft plans to release Vista to the public
later this year.
http://www.computerworld.com/printthis/2006/0,4814,107798,00.html
http://www.eweek.com/print_article2/0,1217,a=169260,00.asp
http://www.microsoft.com/downloads/details.aspx?familyid=228f2cdc-7148-4002-86bb-e4ade080ea86&displaylang=en
[Editor's Note (Schultz): I don't think that Microsoft has gotten the
praise that it has so richly deserved for getting patches for the WMF
vulnerability out so quickly. In this particular case I would label
Microsoft's actions as heroic.]
--QuickTime Patch Problems
(12 January 2006)
People who installed a security update for QuickTime media player are
reporting problems on both Mac OS X and Windows systems. The trouble
includes "deleted applications and files, unplayable movie files and the
disappearance of rights to use the professional version of QuickTime."
Others have reported that the media player has difficulty connecting to
the Internet after installing the update. Apple has released a tool for
Mac OS X users that removes QuickTime 7.0.4 and restores QuickTime
7.0.1.
http://news.com.com/2102-1002_3-6026745.html?tag=st.util.print
MISCELLANEOUS
--UK Banks Will Not Face Legal Action Over Alleged Indian Call Center
Data Security Breach
(13 January 2006)
The UK's Information Commissioner (IC) says that UK banks will not face
legal action following a data security breach at an Indian call center
last year. An undercover UK journalist was allegedly able to purchase
sensitive financial information belonging to 1,000 UK bank customers.
The banks were warned then that they could face legal action for
violations of the Data Protection Act. The IC now says there is no
evidence that any data were compromised. In addition, the City of
London police force says it has no jurisdiction outside the country.
http://news.com.com/2102-1029_3-6027073.html?tag=st.util.print
[Editor's Note (Honan): This story quotes The Financial Services
Authority, which oversees British banking, as saying "Our concerns are
whether adequate security controls were in place". It is time that
financial organisations realise that when they are entrusted with the
personal information of their customers that just "adequate" measures
are no longer acceptable!]
--iTunes MiniStore Feature Raises Privacy Concerns
(13/12 January 2006)
iTunes users have expressed concern about a MiniStore feature in an
updated version of the software that keeps tabs on users' music
preferences. The feature recommends other, similar music tracks to
those being played on iTunes. Apple says it does not keep any of the
data after making recommendations. The update was released on January
10; Apple has posted information about how to turn the feature off.
http://news.bbc.co.uk/1/hi/technology/4608882.stm
http://news.com.com/2102-1029_3-6026542.html?tag=st.util.print
http://docs.info.apple.com/article.html?artnum=303066
[Editor's Note (Ranum): With zillions of people cheerfully running
systems that are cripplingly infested with spyware and keyloggers,
iTunes users are concerned about having their musical tastes tracked?
Get a grip!
(Pescatore): I think we should be way beyond this being a privacy issue,
as Amazon.com, Tivo and many others have had this type of feature
for years. As long as you have notification and choice (easy to find
notification and easy to exercise choice), case closed. Even better: opt
in, with the default being no monitoring and suggestions.]
===end===
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/