SANS NewsBites Vol. 8 Num. 24

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Mar 24 2006 - 15:07:44 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Now that it is widely recognized that insecure programming practices are
the key enablers of many of the most critical security problems, we are
looking for additional ways SANS can invest in improving the security
skills of programmers. Please send ideas to info@sans.org with the
subject: Secure Programming. We already are negotiating a large SANS
grant to a major university to enable the faculty to embed appropriate
secure programming elements in every required computer science course.
We also have developed two very highly rated courses on secure
programming to teach programmers at SANSFIRE in Washington.
For Microsoft .Net programmers and managers:
http://www.sans.org/sansfire06/description.php?tid=250
For JAVA programmers: "Secure Web Applications":
http://www.sans.org/sansfire06/description.php?tid=394

Can you send us suggestions of associations or other groups of
programmers who should be aware of these courses, or trusted magazines
or newsgroups for programmers? Thanks.

                                Alan

*************************************************************************
SANS NewsBites March 24, 2006 Vol. 8, Num. 24
*************************************************************************

TOP OF THE NEWS
  FISMA's Effectiveness Questioned
  HHS System Security Problems Place Medical Data at Risk, Says GAO
  Sendmail Flaw Could Allow Remote Code Execution

THE REST OF THE WEEK'S NEWS
  HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
    DOE Cannot Account for Some Computing Equipment
  POLICY & LEGISLATION
    Australian Internet Content May be Filtered by ISPs
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Trojan Filches Financial Account Details
    Microsoft Investigating Reported Flaw in IE 6
  ATTACKS & INTRUSIONS & DATA THEFT & LOSS
    Fidelity Informs HP Employees Their Data is on Stolen Laptop
    Visa Acknowledges Data Retention Problem Lies in Tracer Utility
  MISCELLANEOUS
    Sourcefire Check Point Deal Is Off
    New York AG Suit Alleges Confidentiality Violation
    Anti-Adware and Badware Groups Release Lists of Offenders
    Claria Sets Timetable for Getting out of Adware Business
    Flawed McAfee Virus Definition Update Causes Big Problems
  
*****Sponsored By GFIRST: Securing Government Cyberspace Conference ****
The Best *Free* Conference In Security - Hosted By The Department Of
Homeland Security: When: April 30 - May 4, 2006; Where: Orlando, FL.
Register at http://www.us-cert.gov/gfirst.

Plenary sessions with industry leaders and four concurrent tracks
Management, Technical, Incident Response, and Law Enforcement plus a
big exposition.

And you cannot beat the price.
Register at http://www.us-cert.gov/gfirst.
************************************************************************
SANS Training in San Diego, Munich, London and Washington DC

Turbo charge your security career or the careers of any of your
coworkers this spring in San Diego in early May: a dozen of SANS most
popular courses and a vendor exposition right on the harbor.
http://www.sans.org/security06/
Or in London at the end of June: http://www.sans.org/london06
Or Munich in early April: http://www.sans.org/munich06
Or Washington in July right after July 4 for the biggest SANSFIRE ever:
with all 17 SANS immersion tracks and more than a dozen special courses,
a big exposition, and an inside look at how the Internet's Early Warning
System (Internet Storm Center) actually works. Bring your family for the
national fireworks show. http://www.sans.org/sansfire06
*************************************************************************

TOP OF THE NEWS
 --FISMA's Effectiveness Questioned
(15 March 2006)
Former federal CISO Bruce Brody has questioned the efficacy of the
Federal Information Security Management Act (FISMA). Because of the way
the FISMA grading system is structured, agencies have an incentive to
conduct certification and accreditation (C&A) system-by-system rather
than take an overall approach to cyber security. This means that FISMA
grades are not necessarily an accurate measure of the agency's level of
cyber security. FISMA requires a significant amount of paperwork and
encourages rote hole plugging but ignores the need for real-time
monitoring.
http://www.govexec.com/story_page.cfm?articleid=33605&printerfriendlyVers=1&
[Editor's Note (Weatherford): Maybe if this gets enough attention
something will be done about this waste of time and effort involved with
FISMA. Mr. Brody's comments are on-target.
(Honan): If US Government agencies are not seen to be taking information
security seriously, then we should not be surprised at a lack of concern
for information security in many private organizations.
(Schultz): Mr. Brody is once again entirely correct. Having "accredited
systems" and the like is better than nothing, but it does not take into
account network environments in the same way that MIL-STD 5200 ("The
Orange Book") did not. One would think that after all this time the US
government would wake up to this reality.
(Ranum): I can't believe it's taken so long for government IT execs to
figure this out. Substituting box-checking for actually understanding
what you are doing will never work. Security based on paperwork simply
creates a "priesthood" to push paper; when what is really needed is
knowledgeable security-oriented IT management.]

 --HHS System Security Problems Place Medical Data at Risk, Says GAO
(23 March 2006)
A forthcoming Government Accountability Office (GAO) review of the
Department of Health and Human Services (HHS) says that "significant
weaknesses in information security controls" could place at risk the
privacy and security of sensitive data gathered about millions of
Americans through Medicare, Medicaid and other government programs. GAO
investigators examined 2004 and 2005 management and audit reports of
security practices at 13 HHS divisions. Among their findings:
anti-virus software was either not installed or not current; passwords
were not adequately controlled; and physical controls were lacking.
Among the data retained by the systems are Social Security numbers,
names, addresses and medical conditions.
http://www.usatoday.com/tech/news/computersecurity/2006-03-23-medical-data_x.htm
[Editor's Note (Schultz): The trend continues--yet another US government
agency has been found to have massive security exposures. God help us
all.
(Ranum): After the gigantic sums spent for HIPAA compliance by the
private sector, this is not a funny joke. It is a joke, right?]

 --Sendmail Flaw Could Allow Remote Code Execution; Users Urged to Update
(23/22 March 2006)
The Sendmail Consortium has issued a patch for a "signal race
vulnerability" in the Sendmail SMTP (simple mail transfer protocol) mail
server versions 8 through 8.13.5. Users are urged to upgrade to
Sendmail 8.13.6. The flaw, which affects Linux- and Unix-based versions
but not Windows-based versions, could allow the remote execution of
arbitrary code.
http://www.computerworld.com/printthis/2006/0,4814,109791,00.html
http://www.theregister.co.uk/2006/03/23/sendmail_security_bug/print.html
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39247494-2000061744t-10000005c
http://www.us-cert.gov/cas/techalerts/TA06-081A.html
Internet Storm Center Analysis: http://isc.sans.org/diary.php?storyid=1210
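The bug class named in this item, shown as an added illustration rather than Sendmail's own code: a server updates shared state in two steps, a timeout signal lands between them, and a handler that transfers control out of the interrupted code (here with siglongjmp) leaves the state half-updated, so a later consumer that trusts the recorded length over-reads a short buffer. The hardened handler does nothing but set a volatile sig_atomic_t flag, and the main path acts on the timeout once the state is consistent again. The record type, the two sample values and the use of raise() to drop the signal at the worst possible moment are all constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of the "signal race" class, not Sendmail's code.
 * g_rec is updated in two stores; a timeout signal arrives between them. */
struct rec { const char *data; size_t len; };

static const char short_val[] = "short";                        /* 5 chars  */
static const char long_val[]  = "a considerably longer value";  /* 27 chars */
static struct rec g_rec;

static volatile sig_atomic_t g_timed_out;
static sigjmp_buf g_escape;

/* UNSAFE: jump out of whatever the signal interrupted. The interrupted
 * update never finishes, and anything it held (locks, half-written
 * records, heap state) is left as it was at the instant of the signal. */
static void unsafe_timeout_handler(int sig) { (void)sig; siglongjmp(g_escape, 1); }

/* SAFE: only record that the signal happened; sig_atomic_t stores are
 * async-signal-safe, almost nothing else in the program is. */
static void safe_timeout_handler(int sig) { (void)sig; g_timed_out = 1; }

static void install(void (*handler)(int)) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, NULL);
}

static void reset_record(void) {
    g_rec.data = short_val;
    g_rec.len  = sizeof short_val - 1;
}

/* Worst-case timing made deterministic: in a real server the window
 * between the two stores is hit by a remote peer stalling the
 * connection until the SMTP timeout fires; raise() puts it there. */
static void update_record_interrupted(void) {
    g_rec.len = sizeof long_val - 1;   /* step 1: new length stored   */
    raise(SIGALRM);                    /* timeout lands here          */
    g_rec.data = long_val;             /* step 2: new pointer stored  */
}

/* 1 when len agrees with the string data actually points at. */
int record_consistent(void) { return strlen(g_rec.data) == g_rec.len; }

/* Unsafe handler: returns 0. The longjmp skipped step 2, so len says 27
 * while data still points at a 6-byte buffer: a consumer over-reads. */
int demo_unsafe(void) {
    install(unsafe_timeout_handler);
    reset_record();
    if (sigsetjmp(g_escape, 1) == 0)
        update_record_interrupted();   /* does not return normally */
    return record_consistent();
}

/* Safe handler: returns 1. The update completes, then the deferred
 * timeout is noticed and handled with the record in a sane state. */
int demo_safe(void) {
    install(safe_timeout_handler);
    reset_record();
    g_timed_out = 0;
    update_record_interrupted();
    if (g_timed_out) {
        /* real code would abort the message / close the connection here */
    }
    return record_consistent() && g_timed_out;
}

int main(void) {
    printf("unsafe handler: record consistent = %d\n", demo_unsafe());
    printf("safe handler:   record consistent = %d\n", demo_safe());
    return 0;
}
```

When reviewing a handler for this class, the check is mechanical: anything beyond storing to a volatile sig_atomic_t (or writing a byte to a self-pipe), and in particular free(), malloc(), stdio, or a longjmp back into code that was mid-update, is a candidate for exactly the race this advisory describes.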

************************* Sponsored links: ******************************

1) Free WhatWorks in Log Management Webcast next week - "Meeting
Regulatory Compliance Requirements at Northwestern Memorial Hospital"
Tuesday, March 28 at 1:00 PM EST
http://www.sans.org/info.php?id=1080

*************************************************************************

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
 --DOE Cannot Account for Some Computing Equipment
(20 March 2006)
According to a report from the US Department of Energy's (DOE) Inspector
General (IG), the DOE has lost at least 18 pieces of computing
equipment, including at least one laptop. The Department does not know
if the equipment handled or contained classified data. The missing
equipment had not been reported to the Office of Security.
Investigators were told the laptop had no accreditation documentation
because it was legacy equipment and that the other equipment lacked
accreditation documentation because pieces are not individually
accredited if they are connected to an accredited network.
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=40184
[Editor's Note (Weatherford): This is pure sloppiness. They have an
inventory policy but they don't follow it for three years? Every IT
asset in a classified environment should be tagged appropriately as to
whether it processes unclassified or classified information and those
in DoD are used to seeing those green, red, and orange labels. I don't
see how defining something as "legacy" has any bearing on whether or not
the accreditation of that asset is documented. This article is filled
with double-speak.
(Northcutt): This isn't news, but I am glad we are running the story
since it is a good reminder. I was just teaching a policy course and for
the majority of my students, missing laptops and PDAs was the biggest
problem they were facing. And it is a safe bet to assume that 18 is at
least an order of magnitude low for the actual number of missing pieces
of equipment. A good read is Sen. Chuck Grassley's attempt to get
legislation started to control this problem:
http://www.senate.gov/~grassley/releases/2002/p02r8-15.htm]

POLICY & LEGISLATION
 --Australian Internet Content May be Filtered by ISPs
(21 March 2006)
If the Australian Labor Party wins the country's next federal election,
the Australian Communications and Media Authority (ACMA) may require
Internet Service Providers (ISPs) to block pornographic and violent
Internet content before it reaches citizens' home computers. The ban
on the content will apply to all Australian households except for those
that specifically opt out. According to Opposition leader Kim Beazley,
current methods of preventing offensive material from reaching minors,
which rely on households installing free or inexpensive filtering
software, are inadequate. On the other hand, the Internet Industry
Association says the change is unnecessary. According to IIA executive
director Peter Coroneos, the low-cost and free filters provide stronger
filtering than would the proposed alternative. Users can already report
offensive content to ACMA. If the content is hosted within Australia,
it must be taken offline within 48 hours under threat of penalties; if
it is hosted elsewhere, the federal police are informed and filter
providers add it to their lists of blocked sites.
http://zdnet.com.au/news/security/print.htm?TYPE=story&AT=39247048-2000061744t-10000005c
http://www.australianit.news.com.au/articles/0,7204,18548919%5E15319%5E%5Enbv%5E,00.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

 --Trojan Filches Financial Account Details
(22 March 2006)
Variants of a sophisticated Trojan horse program have been infecting
vulnerable computers for months; an estimated one million machines have
been compromised. The Trojan, called MetaFisher and known alternately
as Spy-Agent and PWS, exploits the Windows Metafile flaw to download
itself onto vulnerable machines and uses HTML injection to harvest
financial account information. Users become infected after being tricked
into visiting a maliciously constructed web site from an email link.
The Trojan is currently aimed at customers of Spanish, British and
German banks.
http://www.informationweek.com/story/showArticle.jhtml?articleID=183701982
http://www.computerworld.com/printthis/2006/0,4814,109803,00.html
[Editor's Note (Pescatore): While people have become more suspicious
about entering their passwords or account information into websites they
got to from URLs in email, they still seem to be going to the websites.
Whammo, spyware downloads.
(Honan): The fact that this Trojan is based on the well publicized WMF
vulnerability and yet has still managed to infect 1 million PCs
demonstrates that making a patch available does not automatically mean
the problem will disappear, the patch needs to be installed!]

 --Microsoft Investigating Reported Flaw in IE 6
(22/21 March 2006)
Microsoft is investigating a reported flaw in Internet Explorer 6 (IE
6). The vulnerability could be exploited to crash IE 6, even on the
most recent, updated version of Windows XP, by manipulating users into
viewing maliciously crafted web pages. The overflow flaw in IE 6 allows
the execution of HTML applications without end-user approval.
http://news.zdnet.co.uk/internet/security/0,39020375,39258538,00.htm
http://www.computerworld.com/printthis/2006/0,4814,109754,00.html
Internet Storm Center analyses: http://isc.sans.org/diary.php?storyid=1209
http://isc.sans.org/diary.php?storyid=1213

ATTACKS & INTRUSIONS & DATA THEFT & LOSS
 --Fidelity Informs HP Employees Their Data is on Stolen Laptop
(23 March 2006)
Fidelity Investments is notifying nearly 200,000 Hewlett-Packard (HP)
employees that their account information is on a laptop that has been
stolen. Fidelity serves as record keeper for HP's retirement plans.
The data include names, addresses and Social Security numbers. Fidelity
has set up a web site and a call center to help those affected take
steps to protect their data and have questions answered. A Fidelity
spokesperson said "the application was running on a temporary license
... [that has since] expired." The company has also "taken steps to
implement extra security processes requiring additional authentication
for access to those HP accounts as well as other measures to prevent
unauthorized use."
http://www.theregister.co.uk/2006/03/22/fidelity_laptop_hp/print.html
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39345372-39000005c
[Editor's Note (Kreitner): It will be interesting to see how companies
hold each other legally accountable in situations like this, in this era
of widespread outsourcing. I'd love to know whether the contract
between HP and Fidelity prohibited storing the data on a laptop in
unencrypted form, etc.]

 --Visa Acknowledges Data Retention Problem Lies in Tracer Utility
(20 March 2006)
Visa has acknowledged that a security problem that may relate to
inadvertent retention of credit and debit card transaction data lies in
a free tracer utility, not in Fujitsu point-of-sale (POS) software as
Visa had warned last week. The tracer utility comes with many POS
packages. The utility is designed to be used "for internal testing of
the credit card transaction process and to help with identifying
problems during installation and maintenance." Fujitsu is careful to
warn its customers not to use the utility for long in a live
environment. Fujitsu believes Visa issued the warning based on one
retailer's installation of its software in which the retailer was using
the utility in a live environment.
http://www.eweek.com/print_article2/0,1217,a=173842,00.asp

MISCELLANEOUS
 --Sourcefire Check Point Deal Is Off
(23 March 2006)
Check Point Software Technologies, the Israeli security vendor, has
abandoned its plans to acquire its smaller US rival Sourcefire in a
US$225 million deal because of national security objections raised by
the Bush administration.
http://news.yahoo.com/s/ap/20060324/ap_on_go_ot/software_sale

 --New York AG Suit Alleges Confidentiality Violation
(23 March 2006)
New York Attorney General Eliot Spitzer has filed a civil complaint
against Gratis Internet, charging the company with deceptive practices.
Gratis allegedly sold personal customer information in violation of its
confidentiality agreement. The suit seeks monetary penalties and an
injunction against further similar action. The suit alleges Gratis sold
more than seven million email addresses to independent email marketers.
Spitzer's office recently settled a case for US$1.1 million with Datran
Media, a company accused of purchasing six million files from Gratis.
http://news.zdnet.com/2102-1040_22-6053252.html?tag=printthis
http://www.computerworld.com/printthis/2006/0,4814,109822,00.html
http://www.cnn.com/2006/TECH/internet/03/23/email.privacy.ap/index.html

 --Anti-Adware and Badware Groups Release Lists of Offenders
(22/21 March 2006)
The Center for Democracy and Technology (CDT) has published a list of
companies that use adware to advertise their products. CDT is
encouraging the companies, some of which may not have been aware that
their products were being advertised this way, to be more vigilant about
how their advertising dollars are spent. StopBadware.org has published
its first list of "badware" applications that violate guidelines set by
the group; these include deceptive installation, causing harm to other
computers and modifying other software.
http://news.zdnet.co.uk/internet/security/0,39020375,39258539,00.htm
http://www.techworld.com/security/news/index.cfm?NewsID=5617
http://www.informationweek.com/security/showArticle.jhtml%3Bjsessionid=54RKM21REQCSSQSNDBECKICCJUMEKJVN?articleID=183701988
http://www.stopbadware.org/home/reports
http://www.cdt.org/privacy/20060320adware.pdf

 --Claria Sets Timetable for Getting out of Adware Business
(22 March 2006)
Claria Corp. says it will phase out the adware branch of its business
by the end of June of this year. The adware usually arrived bundled
with other software, such as Kazaa. Claria plans to sell its adware
assets to a company that promises to comply with the guidelines of
anti-spyware groups such as TRUSTe. Claria has been named in several lawsuits; the
plaintiffs maintained Claria's advertisements were covering legitimate
ads on their websites.
http://www.smh.com.au/news/breaking/adware-pioneer-to-come-clean/2006/03/22/1142703392329.html
http://news.zdnet.com/2102-9588_22-6052623.html?tag=printthis
http://www.techweb.com/wire/security/183701933

 --Flawed McAfee Virus Definition Update Causes Big Problems
(20 March 2006)
A faulty McAfee virus definition update quarantined or deleted hundreds
of legitimate applications, including Microsoft Excel, Adobe Macromedia
Flash Player and Adobe Update Manager. The glitch in the update
mistakenly flagged the applications as W95/CTX, an obscure Windows 95
virus. A new virus pattern file was released soon after McAfee became
aware of the problem. However, the flawed update was available for
approximately one-and-a-half hours. Some organizations reported
significant problems because they had set the program to automatically
delete files perceived as threats.
http://www.eweek.com/print_article2/0,1217,a=173672,00.asp
Internet Storm Center analysis: http://isc.sans.org/diary.php?storyid=1184
The list of files impacted by this problem is available at
http://vil.nai.com/images/CTX_file_list.pdf
[Editor's Note (Weatherford): There is a bigger issue here and that is
the blind trust the public places in commercial organizations to
provide protection. It's not a huge leap to see how a simple mistake
like this could have grave consequences to the nation's critical
infrastructure.]

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEJExg+LUG5KFpTkYRAiNQAKCXcQF+YzUODFaxOsMsJDF9bjQjTwCdEa1i
KyDcrJeB86NdFwDl/gvKFW0=
=kG0J
-----END PGP SIGNATURE-----