SANS NewsBites Vol. 8 Num. 32
From: The SANS Institute (NewsBites@sans.org)
Date: Fri Apr 21 2006 - 11:03:04 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Security Log and Event Management:
Regulatory requirements have made log management the fastest growing
area of security. More than 200 log management users will be gathering
in Washington, July 12-14, to share the mistakes they made and the
lessons they learned in making log management meet regulatory
requirements and significantly improve security. They'll also attend
optional half-day classes. Most of the seats are reserved for attendees
at SANSFIRE and participating speakers, but 70 are being held for other
SANS alumni and GIAC certification holders and other readers of
NewsBites. If you would like an invitation, email logs@sans.org. And
if you have a great story about how log management made a significant
difference in improving security, or a huge mistake, please send that
to me (paller@sans.org). It might result in an invitation to speak.
Alan
*************************************************************************
SANS NewsBites April 21, 2006 Vol. 8, Num. 32
*************************************************************************
TOP OF THE NEWS
Ireland to Begin Introducing Biometric Passports
Yahoo Implicated in Another Chinese Dissident Arrest
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
US Military Buying Back Stolen Flash Drives at Bagram Bazaar
SPYWARE, SPAM & PHISHING
Man Fined US$84,000 in Spyware Removal Tool Case
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple Releases Java Update
Recent Microsoft Patches Causing Problems
Oracle Quarterly Security Update
Microsoft to End Support for "Outdated" Operating Systems
STATISTICS, STUDIES & SURVEYS
UK Security Professionals Feeling Good About Security
Identity and Access Management Budgets on the Rise
Lag Time in Applying Patches Opens the Door for Attacks
MISCELLANEOUS
FBI: Data on NH State Computer Not Compromised
****************** SPONSORED SANS SECURITY SAN DIEGO ******************
"SANS has the highest quality instructors and the most relevant, current
information of any training I have attended." (Melodee McHone, Hallmark)
SANS offers the industry's best courses and extraordinary faculty,
offering authoritative up-to-the-minute material that shows you how to
do the job and gives you the confidence to go back and do it
immediately.
SANS Security Essentials, Hacker Exploits, System Forensics, Intrusion
Detection, Auditing, plus training for CISSP exam and all Technical
certification required for DoD 8570.
Join 600 security professionals in San Diego in May for SANS' best
instructors, a great security product expo, and evening networking and
new technology sessions. Bonus: smaller classes than at the national
conferences.
Register today: http://www.sans.org/security06/
*************************************************************************
TOP OF THE NEWS
--Ireland to Begin Introducing Biometric Passports
(20 April 2006)
The Irish government plans to start incorporating biometric information
into new passports. The passports will contain embedded microchips that
hold digitized versions of the facial image and details included in the
passport. Airports around the world are starting to deploy biometric
passport systems.
http://www.siliconrepublic.com/news/news.nv?storyid=single6313
--Yahoo Implicated in Another Chinese Dissident Arrest
(20/19 April 2006)
According to Reporters Without Borders, Yahoo is linked to the jailing
of yet another Chinese dissident. Yahoo allegedly provided Chinese
authorities with information that helped them identify Jiang Lijun who
received a four-year prison sentence in November 2003 for writing
pro-democracy articles that appeared online. Information provided by
Yahoo has led to the identification and arrests of two other dissidents,
Shi Tao and Li Zhi. Reporters Without Borders has called on Yahoo to
remove its email servers from China.
(Note: Washington Post requires free registration)
http://www.washingtonpost.com/wp-dyn/content/article/2006/04/19/AR2006041902536_pf.html
http://www.techweb.com/wire/186100319
http://www.computerworld.com/printthis/2006/0,4814,110669,00.html
[Editor Note (Northcutt): For your reading convenience, here are links
to previous similar arrests:
http://www.hrichina.org/public/highlight/index.html and
http://www.theregister.co.uk/2006/02/10/yahoo_china_cyber-dissident_flak/]
************************* Sponsored Links: ******************************
1) Strata Guard Free - Freeware version of StillSecure's award
winning intrusion detection/prevention system (IDS/IPS)
Download now.
http://www.sans.org/info.php?id=1117
2) Free SANS WhatWorks in Intrusion Prevention Systems Webcast "Low-
Maintenance Security"
Tuesday, April 25 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1118
3) "From Logs to Logic: Turning Log Piles into Log Intelligence" a
Free SANS Tool Talk Webcast next week!
Wednesday, April 26 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1119
*************************************************************************
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
--US Military Buying Back Stolen Flash Drives at Bagram Bazaar
(15/13 April 2006)
Following reports that stolen military computer hardware was being sold
at a bazaar near a US air base in Bagram, Afghanistan, the US military
is apparently doing its best to buy all the stolen flash drives it can
find. The drives contain potentially sensitive military information.
An investigation into the theft of the devices and a computer security
policy review are pending.
http://www.nytimes.com/2006/04/15/world/asia/15afghanistan.html?_r=1&oref=slogin&pagewanted=print
http://news.bbc.co.uk/1/hi/world/south_asia/4913174.stm
http://www.latimes.com/news/nationworld/world/la-fg-disks13apr13,0,1166178.story?coll=la-home-headlines
SPYWARE, SPAM & PHISHING
--Man Fined US$84,000 in Spyware Removal Tool Case
(19 April 2006)
Zhijian Chen has been fined US$84,000 for using deceptive advertising
techniques that urged computer users to purchase a bogus anti-spyware
program. By using Windows' "Net send" command, Chen was able to
generate pop-ups on users' computers that looked something like security
warnings. If the users clicked on the supplied link they were
eventually led to the Secure Computer web site, where they were offered
a free scan, and then a chance to purchase Spyware Cleaner to remove the
often non-existent spyware the scanner claimed to have detected. Chen
is the first to learn his penalty from a suit brought by Microsoft and
Washington state Attorney General Rob McKenna against Secure Computer,
Chen and two other men.
http://www.techweb.com/wire/186100344
http://www.theage.com.au/news/breaking/us-spyware-suit-reaches-settlement/2006/04/20/1145344168599.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Apple Releases Java Update
(20 April 2006)
Apple has released the Java 2 Standard Edition 5.0 Release 4 update,
which addresses five flaws in the Java Virtual Machine. The most
serious flaw could be exploited to gain access to vulnerable systems.
The flaws addressed in the update affect Mac OS X version 10.4.5 and the
corresponding server edition.
http://news.com.com/2102-1002_3-6062766.html?tag=st.util.print
http://www.vnunet.com/vnunet/news/2154369/apple-plugs-java-holes
http://docs.info.apple.com/article.html?artnum=303658
--Recent Microsoft Patches Causing Problems
(20 April 2006)
Some of the patches released by Microsoft last week have been causing
problems for users. Some people reported that their Outlook Express
address book was gone after installing MS06-016. The same patch caused
problems with sending template-based messages. When the patch was
uninstalled, the problems disappeared. MS06-015 has reportedly been
causing problems for users of HP hardware. There have also been problems
reported by users of Sunbelt's Kerio Personal Firewall, Siebel and
Google software. Microsoft has provided a "compatibility" patch that
rolls back the ActiveX changes causing these problems and provides a
60-day window for those vendors to update their own products.
http://www.techweb.com/wire/186500211
http://www.techworld.com/security/news/index.cfm?NewsID=5812
http://www.eweek.com/article2/0,1895,1950095,00.asp
http://software.silicon.com/security/0,39024655,39158122,00.htm
--Oracle Quarterly Security Update
(19/18 April 2006)
Oracle has released fixes for a variety of vulnerabilities in several
of its products. Included in the Critical Patch Update are patches for
14 flaws in Oracle database products. Oracle also released a tool to
find default passwords that users have failed to change. Oracle, which
releases security updates on a quarterly schedule, has faced criticism
for being slow to address vulnerabilities in its products. Oracle CSO
Mary Ann Davidson has responded that people who use irresponsible
disclosure practices cause security problems themselves.
http://news.com.com/2102-1002_3-6062438.html?tag=st.util.print
http://www.computerworld.com/printthis/2006/0,4814,110642,00.html
Davidson on irresponsible disclosure practices:
http://news.com.com/2102-1071_3-5807074.html?tag=st.util.print
http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html
--Microsoft to End Support for "Outdated" Operating Systems
(18 April 2006)
Microsoft plans to retire support for Windows 98, Windows 98 SE and
Windows ME on July 11, 2006; after that date, there will be no more
security updates for these versions of the company's operating systems.
Microsoft calls these systems "outdated" and recommends that users
upgrade to a more secure operating system, such as Windows XP.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1182527,00.html
[Editor's Note (Schultz): Microsoft's decision is a good thing for
security, but it would be even better if Microsoft eliminated the many
backwards compatibility mechanisms that are built into more recent
and intrinsically more secure products such as Windows XP and Windows
Server 2003. Backwards compatibility mechanisms introduce many
security-related vulnerabilities in these products.
(Grefer): Upgrading systems still running on Windows 98, 98 SE and ME
to XP is not really an option since the operating system has a much
larger footprint, especially with regards to its _real_ memory and CPU
requirements, which typically result in upgrade costs approaching the
purchase price of a current computer system.]
STATISTICS, STUDIES & SURVEYS
--UK Security Professionals Feeling Good About Security
(20 April 2006)
According to the responses to a Cisco-sponsored survey of 100 chief
security officers and IT directors in the UK, 72 percent believe their
companies are more secure than they were one year ago. Eighty-nine
percent have some form of proactive security management in place. At
least 80 percent of those polled said their organizations have some sort
of disaster contingency plan in place. In addition, however, 23 percent
of respondents said "security is still not recognized as a boardroom
level issue."
http://www.theregister.co.uk/2006/04/20/cisco_security_survey/print.html
[Editor's Note (Schultz): Ignorance is bliss. Do these CSOs have metrics
to back up their subjective feelings?]
--Identity and Access Management Budgets on the Rise
(19 April 2006)
A Forrester Consulting survey of companies in the US and eight European
countries found 38 percent had budgets of at least 250,000 euros
(US$308,000) for identity and access management; twelve percent had
identity management budgets higher than 1 million euros (US$1.23
million). Forty-one percent of those surveyed said they expected
identity management budgets to increase over the next three years.
Increasing cyber attacks and regulatory demands appear to be driving the
budget increases.
http://www.silicon.com/research/specialreports/idmanagement/0,3800011364,39158187,00.htm
[Editor's Note (Honan): A recent survey carried out for the Infosecurity
Europe exhibition claims 81% of those surveyed would give away enough
personal details to enable their identity to be stolen in return for
some chocolate -
http://www.infosec.co.uk/page.cfm/T=m/Action=Press/PressID=255. If
this is the case, then companies will have to invest more time and money
in educating and protecting their customers from themselves.]
--Lag Time in Applying Patches Opens the Door for Attacks
(18 April 2006)
According to a McAfee study, 19 percent of companies take more than a
week to apply software patches. Twenty-seven percent said they take two
days to deploy fixes for vulnerabilities. The delay could be attributed
to the volume of patches released. Other research has demonstrated
"that 85 percent of the damage done by automated attacks occurs during
the first 15 days after vulnerabilities become known."
http://news.bbc.co.uk/2/hi/technology/4907588.stm
[Editor's Note (Pescatore): Of course, as the story above on problems
with recent Internet Explorer patches points out, if you apply patches
*too soon* you can also cause yourself a lot of problems. After all, the
majority of vulnerabilities for which patches are issued are *never*
attacked - for most enterprises, patching without testing is just as
likely to cause damage as hacker attacks due to waiting to patch until
*after* testing. So, 81% of enterprises doing expedited testing and
patching within a week is a very good thing - back in 2003, less than
25% of enterprises were patching within a week.
(Paller): One of the most important reasons that patches cause problems
and that patch testing is time consuming is that application developers
take liberties with the operating system. The first step toward rapid
testing is agreeing on common operating system configurations and asking
application developers to have the discipline to not make changes unless
they are willing to take on the patch testing responsibility, too. That
strategy is already starting to work: SCADA and process control system
vendors are already doing the patch testing for their customers (nearly
always within 24 hours). In addition, parts of the US Department of
Defense are already drafting procurement policies that require
programmers to make sure their software works on the standard OS
configurations that are being deployed. These required behaviors are
being written into contracts as procurement specifications.]
MISCELLANEOUS
--FBI: Data on NH State Computer Not Compromised
(17 April 2006)
An FBI investigation has determined that the Cain & Abel password
recovery program found on a New Hampshire state computer had never been
run, so it is unlikely that the card data on the server were accessed.
The investigation into the tool's discovery on the state computer is
ongoing. Douglas A. Oliver, an employee who was placed on paid leave
during the investigation, will be allowed to return to work. Oliver
says he installed a number of tools on the computer for testing purposes
and that Office of Information Technology managers knew about his
actions.
http://www.computerworld.com/printthis/2006/0,4814,110612,00.html
[Editor's Note (Honan): A lesson here for all security professionals
conducting a security test either on client systems or those of their
employers. Make sure you have a clear and detailed test plan that has
been agreed and authorized by those with responsibility for the
systems.]
===end===
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFESPhF+LUG5KFpTkYRAtHPAJsE6n/Clp2IwFPUIOnM+MWZ6Vc7MACeJobn
aMFScqdEwLCV9qzOHoH8prw=
=gnhE
-----END PGP SIGNATURE-----