SANS NewsBites Vol. 8 Num. 27
From: The SANS Institute (NewsBites sans.org)
Date: Tue Apr 04 2006 - 18:34:46 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
When you explain cyber risk to management and operations staff, the
2006 Cyber Threat Map helps you show (1) who are the cyber attackers,
(2) what are their objectives, (3) what vulnerabilities they are
exploiting, (4) what target systems they use to gain entry, and (5)
what protections could stop them. It also includes Ed Skoudis' list of
the top 10 new tools attackers are using and the WhatWorks list of
five key defensive walls. Order them from the SANS bookstore ($26)
at https://store.sans.org/
Alan
*************************************************************************
SANS NewsBites April 4, 2006 Vol. 8, Num. 27
*************************************************************************
TOP OF THE NEWS
Senate Committee Approves Protecting Consumer Phone Records Act
House Committee Approves Data Accountability and Trust Act
Zero-Day IE Flaw Exposes Holes in Microsoft's Security Patch Process
PA County Voting System Test Halted; Examiner Cites Software Problems
THE REST OF THE WEEK'S NEWS
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Anti-Piracy Group Targets UK Firms
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Attackers Hone IE TextRange() Exploit
Australian ISP Suffers Alleged Privacy Breach
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Missing Drive Holds Marines' Personal data
Winny Worm Exposed Trend Micro Information
MISCELLANEOUS
DOJ Study Estimates Identity Theft Costs Citizens US$6.4 Billion a Year
Project Yields Simpler Privacy Notice Prototype
Microsoft Extends Support for Older Version of MBSA
DOJ Subpoenas Records from More ISPs and Tech Companies
San Francisco BART Computer Error Strands 35,000 Commuters
********************* Sponsored By ArcSight, Inc. ***********************
Download Top 10 Guide to Evaluating SIM Solutions
Many factors go into buying a SIM solution. Discover the best
practices, based on customer experiences, that should be an integral
part of your evaluation process with the new Top 10 Guide to
Evaluating SIM Solutions. Brought to you by ArcSight, the one vendor
that's been proven in demanding real-world trials, for security,
compliance and insider threat. Download a copy of the guide today!
http://www.sans.org/info.php?id=1090
*************************************************************************
SANS Training in San Diego, London and Washington DC
Turbo charge your security career or the careers of any of your
coworkers this spring in San Diego in early May: a dozen of SANS most
popular courses and a vendor exposition right on the harbor.
http://www.sans.org/security06/
Or in London at the end of June: http://www.sans.org/london06
Or Washington in July right after July 4 for the biggest SANSFIRE ever:
with all 17 SANS immersion tracks and more than a dozen special courses,
a big exposition, and an inside look at how the Internet's Early Warning
System (Internet Storm Center) actually works. Bring your family for the
national fireworks show. http://www.sans.org/sansfire06
*************************************************************************
TOP OF THE NEWS
--Senate Committee Approves Protecting Consumer Phone Records Act
(31 March 2006)
The Senate Commerce, Science and Transportation Committee has approved
S. 2389, the Protecting Consumer Phone Records Act, which makes it a
crime "to acquire, use or sell a person's confidential phone records
without that person's written consent." Several companies that offer
phone records for sale have employed pretexting, the practice of
pretending to be a customer to obtain that customer's records. Voice
carriers would also be required to inform customers when their phone
records have been accessed without their authorization. The bill also
directs the Federal Communications Commission (FCC) to create
regulations for phone records akin to the financial protections of
Gramm-Leach-Bliley. Violators could face civil lawsuits and fines. The
bill now goes before the full Senate for a vote.
http://www.computerworld.com/printthis/2006/0,4814,110109,00.html
http://www.technologynewsdaily.com/node/2372
--House Committee Approves Data Accountability and Trust Act
(31 March 2006)
The House Energy and Commerce Committee has unanimously approved the
Data Accountability and Trust Act (DATA), also known as HR 4127. The
bill requires organizations to inform those whose data are "acquired by
an unauthorized person" in the event of a data breach "if there is a
reasonable basis to conclude that there is a significant risk of
identity theft." The bill also designates the Federal Trade Commission
as the enforcing entity, requires data brokers to establish security
policies and requires audits of organizations that experience security
breaches.
http://www.techweb.com/wire/184417500
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=40284
http://thomas.loc.gov/cgi-bin/query/z?c109:H.R.+4127:
[Editor's Note (Pescatore): The privacy groups seem happy with the final
wording. The FTC will not only be the enforcer but is required to
conduct an audit after any reported disclosure. Much like the original
California SB 1386, disclosure is not required if the compromised data
was encrypted. This bill, combined with increased pressure by the
Payment Card Industry for credit card processors to comply with PCI Data
Security Standards that require data encryption, will drive more
attention to the difficult problem of encrypting data at rest.
(Schultz): This legislation has taken a long time--really too long--to
get as far as it has given its critical importance in helping protect
against identity theft. It now appears likely that it will be passed in
the US House and Senate and will be signed into Law.]
--Zero-Day IE Flaw Exposes Holes in Microsoft's Security Patch Process
(1 April/30 March 2006)
Cyber criminals are now using spam in an attempt to spread malware that
exploits an unpatched critical vulnerability in Microsoft's Internet
Explorer (IE). The spam tries to lure people to maliciously crafted web
sites that download, onto victims' computers, software that captures
bank account log-in data and transmits it to the thieves.
Microsoft encourages users to disable active scripting pending the
availability of a legitimate patch. The emergence of zero-day
vulnerabilities illuminates problems with Microsoft's monthly security
releases. An executive with a company that released a third-party patch
for the flaw says he understands Microsoft's need to test, but that
Microsoft should also provide some sort of faster protection for the
interim, perhaps a "beta" patch.
http://www.usatoday.com/tech/news/computersecurity/2006-03-30-microsoft-security_x.htm
http://seattlepi.nwsource.com/business/265146_msftsecurity01.html
[Editor's Note (Honan): As we learnt with the WMF vulnerability, the
availability of a patch does not necessarily mean that the threat is
eliminated (see "Trojan Filches Financial Account Details" in the March
24 Issue of NewsBites).
(Schultz): Here we go again--Microsoft struggles to get a patch out
while a third party has already made one available. I'd still
recommend resisting the temptation to use the third-party patch in favor
of using a workaround, however.]
--PA County Voting System Test Halted; Examiner Cites Software Problems
(30 March 2006)
Dr. Michael Shamos, a Carnegie Mellon University professor of computer
science, has halted testing of Sequoia Voting Systems' AVC Advantage
voting machines slated for use in Allegheny County, Pennsylvania's May
primary election, citing a flaw in the software that allowed him "to
transform a handful of votes into thousands." Dr. Shamos called the
software "not stable." Dr. Shamos said continuing with the test did not
make sense; Sequoia will be given an opportunity to address the software
flaw and submit it for retesting. Dr. Shamos's testing also encountered
flaws that shut down the program when it was asked to print. Some
voters' rights groups are opposed to the use of these particular
machines because they do not generate a verifiable paper audit trail.
http://www.post-gazette.com/pg/06089/678087-85.stm
[Editor's Note (Pescatore): Let's say that on a software security and
reliability scale of 1-10, space shuttle and laser surgery controller
software should be at least a 9. Maybe video games and Hot or Not
websites could get by with a 3. I'm pretty sure computerized voting
machines should be closer to the former than the latter. ]
************************** Sponsored Links: *****************************
1) ALERT: "How A Hacker Launches A Blind SQL Injection Attack" - White Paper
http://www.sans.org/info.php?id=1091
2) FREE Product Demo: Stop protecting while blind. Gain network visibility now.
http://www.sans.org/info.php?id=1092
3) Free White Paper: The Future of Perimeter Security by Norm
Laudermilch, CSO of Trust Digital
http://www.sans.org/info.php?id=1093
*************************************************************************
THE REST OF THE WEEK'S NEWS
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--Anti-Piracy Group Targets UK Firms
(31 March 2006)
The UK's Federation Against Software Theft (FAST) is going after "a
number of [as yet unnamed] companies in the UK that have been caught
making illegal copies of software available for download from their
networks." The companies may not be aware that their networks are being
used this way. In
phase one of the investigation, known as Operation Tracker, FAST
obtained the names and addresses of alleged software license violators
from their Internet service providers (ISPs) through a court order.
Individuals have received letters from FAST demanding they pay what
amounts to a licensing fee together with a contribution toward costs
incurred by the FAST investigation and that they agree to refrain from
illegal software activity. Phase two of Operation Tracker involves
going after the organizations whose IP addresses were revealed in the
course of the investigation.
http://www.theregister.co.uk/2006/03/31/corporate_p2p_crackdown/print.html
http://www.fast.org.uk/
http://www.fast.org.uk/tracker.asp
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Attackers Hone IE TextRange() Exploit
(31 March 2006)
A "new generation" of exploit code that takes advantage of the
TextRange() vulnerability in Microsoft's Internet Explorer (IE) has been
posted to the Internet. When the older exploits attempted to install
keystroke loggers on vulnerable machines, they froze browsers for
noticeable periods of time, allowing users to shut down their computers
and avoid being infected with the malware. The new exploit is faster
and employs techniques to evade antivirus signatures.
http://www.computerworld.com/printthis/2006/0,4814,110122,00.html
--Australian ISP Suffers Alleged Privacy Breach
(31 March 2006)
A customer of Australian Internet service provider (ISP) Astratel has
notified the company that he was able to see other customers' account
information simply by entering their telephone numbers in a query form.
The customer made his findings public after repeated attempts to get the
company to address the security concerns proved fruitless.
http://australianit.news.com.au/articles/0,7204,18665780%5E15331%5E%5Enbv%5E15306%2D15318,00.html
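The Astratel report describes a missing authorization check: the query
form takes a phone number and returns whichever customer's record matches
it, without asking whether the requester owns that number. The following
Python is an added example written for this issue, not code from the
news item or from Astratel; the account data, customer IDs and plan names
are constructed and fictitious. It models the flawed lookup beside a
hardened version that ties the requested number to the authenticated
session, and automates the kind of probing the reporting customer did.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Account:
    customer_id: str
    phone: str
    name: str
    plan: str


# Constructed sample data for this example only; customers, numbers and
# plans are fictitious and not taken from the news item.
ACCOUNTS: Dict[str, Account] = {
    "0299990001": Account("c-1001", "0299990001", "Alice Example", "ADSL 1500"),
    "0299990002": Account("c-1002", "0299990002", "Bob Example", "ADSL 512"),
}

# Which phone numbers each authenticated customer may view. In a real
# deployment this comes from the billing system's own ownership record,
# never from a value the web form lets the user supply.
OWNERSHIP: Dict[str, Set[str]] = {
    "c-1001": {"0299990001"},
    "c-1002": {"0299990002"},
}


class Forbidden(Exception):
    """Raised when a request is not authenticated or not authorised."""


def lookup_vulnerable(phone: str) -> Optional[Account]:
    """Models the reported flaw: the form's only input is a phone number
    and the handler never asks who is making the request, so any number
    entered returns that customer's record."""
    return ACCOUNTS.get(phone)


def lookup_hardened(session_customer_id: Optional[str], phone: str) -> Account:
    """Authorise before returning data: the caller must be logged in and
    the requested number must belong to that caller. 'Not yours' and
    'does not exist' raise the same error so the form cannot be used to
    enumerate which numbers belong to customers."""
    if session_customer_id is None:
        raise Forbidden("login required")
    if phone not in OWNERSHIP.get(session_customer_id, set()):
        raise Forbidden("no such account for this customer")
    account = ACCOUNTS.get(phone)
    if account is None:
        raise Forbidden("no such account for this customer")
    return account


def enumerate_leaks(candidate_numbers: Iterable[str]) -> Dict[str, str]:
    """What the reporting customer did, automated: feed a list of numbers
    to the vulnerable lookup and collect the names that come back."""
    leaked: Dict[str, str] = {}
    for number in candidate_numbers:
        account = lookup_vulnerable(number)
        if account is not None:
            leaked[number] = account.name
    return leaked


if __name__ == "__main__":
    probe = ["0299990000", "0299990001", "0299990002", "0299990003"]
    print("vulnerable endpoint leaks:", enumerate_leaks(probe))
    print("hardened, own number:", lookup_hardened("c-1001", "0299990001").plan)
    try:
        lookup_hardened("c-1001", "0299990002")
    except Forbidden as exc:
        print("hardened, someone else's number:", exc)
```

The hardened lookup deliberately does not distinguish "that number is not
yours" from "that number is not a customer": a distinct error for each
would turn the form into an oracle for which numbers are Astratel
accounts, even after the record itself stops leaking.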
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
--Missing Drive Holds Marines' Personal data
(30 March 2006)
A missing portable drive contains personal information that belongs to
over 207,000 US Marines. The data on the drive includes names, Social
Security numbers, and enlistment contract details for those on active
duty between January 2001 and December 2005. The drive was being used
at the Naval Postgraduate School as part of a research project. School
officials were alerted to the data loss on March 14 and the Marines were
informed 10 days later.
http://www.estripes.com/article.asp?section=104&article=35264&archive=true
--Winny Worm Exposed Trend Micro Information
(3 April 2006)
A worm that spread through the Winny peer-to-peer file-sharing
application uploaded internal Trend Micro data to the Internet. The
data leak could have been prevented had the employee, who copied the
documents in question to his home computer, installed his own company's
anti-virus software. Trend Micro is just the latest in a string of data
exposures due to viruses exploiting the Winny file sharing program.
http://www.computerworld.com/printthis/2006/0,4814,110142,00.html
[Editor's Note (Northcutt): The article begins with, "The
failure of a Trend Micro Inc. employee to install his company's own
antivirus software." You can almost see Trend Micro CEO Eva Chen
banging her head on the monitor, or saying, "OK, let me get this
straight, employee, you work for an AV company and you didn't update your
company-supplied AV *and* you were on a P2P network." And what a great
reminder that when calculating risk "low risk" doesn't mean "no risk,"
as we see below.
http://vil.mcafeesecurity.com/vil/content/v_101125.htm
Finally, Trend was not the only casualty:
http://www.latimes.com/news/nationworld/world/la-fg-computer21mar21,0,5159274.story
http://www.securitypark.co.uk/article.asp?articleid=25103&CategoryID=58 ]
--DOJ Study Estimates Identity Theft Costs Citizens US$6.4 Billion a Year
(3 April 2006)
According to the US Department of Justice's (DOJ) National Crime
Victimization Survey, identity theft costs US citizens an estimated
US$6.4 billion annually. Data gathered through the survey indicates
that three percent of US households experienced some form of identity
theft during the first half of 2004. Credit card fraud accounted for
roughly 50 percent of the cases; banking and financial account fraud
accounted for 25 percent. The average loss was US$1,290.
http://www.pcworld.com/news/article/0,aid,125291,00.asp
http://www.ojp.usdoj.gov/bjs/abstract/it04.htm
MISCELLANEOUS
--Project Yields Simpler Privacy Notice Prototype
(31 March/3 April 2006)
A prototype for a privacy notice that can be used by financial
institutions across the US would allow consumers to easily compare
practices from institution to institution and to understand how their
information is being collected and used. The Kleimann Communication
Group developed the notice as part of a 365-page report, "Evolution of
a Prototype Financial Privacy Notice," commissioned by a half dozen
government agencies charged with enforcing Gramm-Leach-Bliley Act
provisions. The six agencies along with the Office of Thrift
Supervision will fund the second phase, in which a larger group of
people will be involved in evaluating the efficacy of the prototype and
other versions of privacy notices.
http://www.computerworld.com/printthis/2006/0,4814,110121,00.html
http://seattlepi.nwsource.com/printer2/index.asp?ploc=b&refer=http://seattlepi.nwsource.com/business/1310AP_Financial_Privacy.html
http://www.out-law.com/page-6808
http://originatortimes.com/content/templates/standard.aspx?articleid=1774&zoneid=5
http://www.ftc.gov/privacy/privacyinitiatives/ftcfinalreport060228.pdf
[Editor's Note (Pescatore): This was a pretty small test (66 subjects)
but making these notices more consumer friendly is an important thing.
GLB was mostly an exercise in banks mailing their customers confusing
postcards, and the coming data protection legislation will require more
GLB-like regular notification of privacy rights. Making it easy for
normal human beings to understand that they do *not* have to let their
private information be used willy-nilly is a good thing. ]
--Microsoft Extends Support for Older Version of MBSA
(31 March 2006)
In a bow to customer pressure, Microsoft has extended support for the
Microsoft Baseline Security Analyzer (MBSA) version 1.2 indefinitely.
Microsoft initially said it would end support for the tool on March 31,
2006, but feedback from customers made it clear that to discontinue
support "would create a gap in security update detection for Microsoft
products." MBSA is a free tool that scans computers for vulnerabilities
with available Microsoft patches. MBSA 2.0, released in July 2005,
fails to detect the need for patches in certain Microsoft products.
http://zdnet.com.au/news/security/print.htm?TYPE=story&AT=39248912-2000061744t-10000005c
--DOJ Subpoenas Records from More ISPs and Tech Companies
(29/30 March 2006)
The US Justice Department (DOJ) has subpoenaed internal records from at
least 34 ISPs and technology companies in its effort to gather evidence
to defend the Child Online Protection Act (COPA). The Supreme Court has
twice blocked COPA on grounds that it could violate First Amendment
protections. Online publishers are challenging the law, maintaining
that filters protect children without the restrictions that COPA would
impose. InformationWeek Magazine obtained the subpoenas through the
Freedom of Information Act (FOIA).
http://www.usatoday.com/tech/news/internetprivacy/2006-03-30-justice-files_x.htm
http://www.informationweek.com/story/showArticle.jhtml?articleID=184401156
--San Francisco BART Computer Error Strands 35,000 Commuters
(31 March 2006)
In an illustration of critical infrastructure dependence on vulnerable
computer systems, the Bay Area Rapid Transit (BART) system stranded
35,000 passengers during rush hour on Wednesday, March 29. Technician
errors rather than hacker attacks were the cause.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/03/31/BART.TMP
===end===
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEMsHb+LUG5KFpTkYRArUCAKCS/WAlERbu7KClQWUm+ao6zLLYdACfT273
OuTYpAPxAe1WNExbSqslbkA=
=yk2x
-----END PGP SIGNATURE-----