SANS NewsBites Vol. 8 Num. 32

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Apr 25 2006 - 15:42:50 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*************************************************************************
SANS NewsBites April 25, 2006 Vol. 8, Num. 33
*************************************************************************

TOP OF THE NEWS
  Bot Crimes on the Rise
  Studies Say HIPAA Privacy Rule Compliance Not Improving
  Westchester County, NY Wireless Security Bill Signed Into Law
  Federal Data Breach Disclosure Law Could Diminish Protections

THE REST OF THE WEEK'S NEWS
  ARRESTS, CONVICTIONS AND SENTENCES
    Man Charged in USC Computer Intrusion
  SPYWARE, SPAM & PHISHING
    FTC Reaches Settlement With Spammers
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Zero-Day IE Flaw Could Allow Remote Code Execution
    Mozilla Updates Thunderbird, Releases Final Version of Mozilla
       Browser Suite
    Apple Investigating Report of Seven Flaws in Mac OS X
    Microsoft to Release Updated Version of MS06-015
    Exploit Code for Oracle Flaw Released
    Researcher Warns Some Online Banking Sites Don't Provide Adequate
       Authentication
  ATTACKS & INTRUSIONS & DATA THEFT & LOSS
    University of Texas Says Cyber Intrusion Exposed Data on Nearly
       200,000 Associated with Business School

****************** SPONSORED SANS SECURITY SAN DIEGO ******************

The industry's best courses - extraordinary faculty; authoritative
up-to-the-minute material - shows you how to do the job and gives you
the confidence to go back and do it immediately.

SANS Security Essentials, Hacker Exploits, System Forensics, Intrusion
Detection, Auditing, plus training for CISSP exam and all Technical
certification required for DoD 8570.

Join 600 security professionals in San Diego in May for SANS best
instructors, a great security product expo, and evening networking and
new technology sessions. Bonus: Smaller classes than the national
conferences:
http://www.sans.org/security06/

*************************************************************************

TOP OF THE NEWS

 --Bot Crimes on the Rise
(23 April 2006)
An estimated 47 million PCs worldwide have been unwittingly recruited
into botnets, which can be used for spamming, phishing attacks,
denial-of-service attacks, self-propagation and man-in-the-middle/key
logger attacks. While sophisticated attackers are adept at covering
their tracks, script-kiddies tend to be sloppier and more easily caught.
This article provides detailed accounts of three men who were arrested
for bot-related cyber crimes.
http://www.usatoday.com/tech/news/computersecurity/infotheft/2006-04-23-bot-herders_x.htm
[Editor's Note (Boeckman): Clearly this is out of control and it
demonstrates that Microsoft Windows can not be used safely by a
significant portion of users. Perhaps it is time that they be required
to include a product warning stating this on all new PC's that run
Windows.]

 --Studies Say HIPAA Privacy Rule Compliance Not Improving
(19/16 April 2006)
According to a survey from the American Health Information Management
Association (AHIMA), compliance with the Health Insurance Portability
and Accountability Act (HIPAA) patient privacy rules appears to be on
the wane. Of 1,117 hospitals and health systems responding to the
survey, 91 percent reported HIPAA compliance last year while 85 percent
said they were in compliance this year. The top reasons given for declining
compliance were "lack of resources and diminished management support."
However, 75 percent of respondents said they were "fully or mostly
compliant" with HIPAA's information security rules, marking a 60 percent
improvement over last year's figure. A separate study conducted by
Phoenix Health Systems and Healthcare Information and Management Systems
Society (HIMSS) found the level of compliance with patient privacy rules
among companies involved in health care is higher than 80 percent, but
says that figure has not changed in the last six months. The
respondents in this study said their problems with compliance were due
to HIPAA's vaguely worded rules and the ever-changing array of available
technology.
http://govhealthit.com/article94120-04-19-06-Web
http://www.eweek.com/article2/0,1759,1949646,00.asp
[Editor's Note (Schultz): Figures such as the ones quoted in this study
can be very misleading. The difference between the reported 91 percent
HIPAA compliance last year and the 85 percent compliance this year
might, for example, be due to sampling error, not a downward trend in
compliance.]

 --Westchester County, NY Wireless Security Bill Signed Into Law
(21/20 April 2006)
A new law in Westchester County, NY, requires organizations that use
wireless networks to store, use or maintain personal data as well as
those that offer wireless Internet access to deploy minimum security
measures to protect customers from identity fraud. According to county
officials, organizations could install network firewalls, change their
systems' default service set identifiers (SSIDs) or disable SSID
broadcasting. The bill was signed into law on April 20 and will take
effect 180 days from that date. People who have wireless networks at
home are not subject to the law. Those found in violation will receive
a warning and be given 30 days to address the security problems.
Further violations will result in fines of up to US$500.
http://www.computerworld.com/printthis/2006/0,4814,110762,00.html
http://www.fcw.com/article94140-04-20-06-Web
http://entmag.com/news/rss.asp?editorialsid=7368
Internet Storm Center: http://isc.sans.org/diary.php?storyid=1280
[Editor's Note (Pescatore): This is pure silliness. The "minimum
security measures" specified in the legislation don't protect anything,
so they include a meaningless phrase that the minimum security measures
"shall include but not be limited to..." This is an example of security
legislation for press release value, not security value. They do have
one good idea, though - hotspot providers should provide some level of
security info.
(Schultz): This law breaks new ground when it comes to security in
wireless networks. At the same time, however, I seriously doubt whether
the prospect of a $500 fine will serve as much of a deterrent to those
who do not obey this law.
(Honan): While well intentioned, my concern with this law is that it
focuses on a technology and not necessarily the underlying problem. The
underlying problem is organisations are not protecting client personal
data correctly. I believe a law similar to the EU Data Protection
legislation which obliges companies to protect clients' personal data
regardless of the technology or medium used, would be more beneficial.
(Weatherford): The law also assumes a higher level of skill and
awareness on the part of a small business offering free wireless service
and that of the home user...a bad assumption!]

 --Federal Data Breach Disclosure Law Could Diminish Protections
(20 April 2006)
Bruce Schneier details the ways in which a federal security breach
disclosure bill currently being debated by US legislators could diminish
protections presently available under current state laws. Lobbyists
went after the precise definitions of "personal information" and "breach
of security" to allow companies to decide themselves whether or not the
circumstances of a particular breach constitute a "significant risk of
identity theft." Such a federal law would pre-empt more stringent
state laws. Schneier suggests that one way to ensure protections will
not continue to be pared away is to make the federal law a minimum, with
states permitted to make theirs stronger. He also points out that the
problem of identity fraud will not be properly addressed until financial
institutions require stronger authentication before issuing credit to
individuals.
http://www.wired.com/news/columns/1,70690-0.html

********************** Sponsored Links: *********************************

1) ALERT: "How A Hacker Launches A Blind SQL Injection Attack
Step-by-Step!" - SPI Dynamics White Paper
http://www.sans.org/info.php?id=1123

2) FREE WEBINAR: Securing Visitors' Access to the Network.
Hosted by ForeScout Technologies featuring Gartner on April 27th.
http://www.sans.org/info.php?id=1124

3) "Top 10 Database Vulnerabilities" whitepaper - What they are, how
they work & how to stop them.
http://www.sans.org/info.php?id=1125
*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
 --Man Charged in USC Computer Intrusion
(21/20 April 2006)
The US Attorney's Office in Los Angeles has filed a criminal complaint
against network administrator Eric McCarty for "intentionally
transmitting a code or command to cause damage to the University of
Southern California (USC) online application system." McCarty allegedly
used a SQL injection attack to break into a password-protected USC
database containing information belonging to over 275,000 people who
applied to the school between 1997 and June 2005. McCarty was traced
through the IP number on his home computer; he faces up to ten years in
prison if he is convicted.
http://news.zdnet.com/2102-1009_22-6063470.html?tag=printthis
http://www.linuxelectrons.com/article.php/20060421110940758

SPYWARE, SPAM & PHISHING
 --FTC Reaches Settlement With Spammers
(18 April 2006)
The US Federal Trade Commission (FTC) has arrived at a settlement with
two people who sent millions of unsolicited commercial email messages
in violation of the CAN-SPAM Act. Washington state residents Matthew
Olson and Jennifer LeRoy sent spam with false "from" data and misleading
subject lines; they also failed to provide a means for recipients to opt
out of receiving future emails. The products Olson and LeRoy
pushed included mortgage plans and a device for improving automobile gas
mileage. Olson and LeRoy have agreed they will not violate the law in
the future. A suspended US$45,000 judgment against the pair will be
reinstated if evidence emerges to indicate they have misrepresented
their financial condition.
http://www.internetnews.com/xSP/print.php/3599796

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Zero-Day IE Flaw Could Allow Remote Code Execution
(24 April 2006)
Another zero-day vulnerability has been detected in Microsoft's Internet
Explorer (IE). The flaw, which can be exploited remotely, could allow
attackers to execute arbitrary code on vulnerable systems. The problem
lies in the way IE handles malformed HTML content. The vulnerability
exists in fully patched versions of IE 6 for Windows XP SP2.
http://www.techweb.com/wire/186700456

 --Mozilla Updates Thunderbird, Releases Final Version of Mozilla Browser Suite
(24 April 2006)
Mozilla released Thunderbird email client version 1.5.0.2 and Mozilla
browser suite version 1.7.13 on April 21. This version of the Mozilla
browser suite will be the last. Mozilla will also stop development of
Firefox 1.0.x and Thunderbird 1.0.x.
http://www.techweb.com/wire/186700387

 --Apple Investigating Report of Seven Flaws in Mac OS X
(24 April 2006)
Apple Computer is looking into reports of seven unpatched flaws in its
Mac OS X operating system. The most serious of the flaws lies in the
Safari web browser and could be exploited to run code on vulnerable
systems. Five of the flaws are related to how the operating system
handles certain image file formats. There are presently no known
exploits for the vulnerabilities.
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39353738-39000005c
http://www.vnunet.com/vnunet/news/2154563/researcher-publishes-seven
Internet Storm Center: http://isc.sans.org/diary.php?storyid=1282

 --Microsoft to Release Updated Version of MS06-015
(24/21 April 2006)
Microsoft will release a re-engineered version of the patch for the
MS06-015 security bulletin. Users reported a patch it includes has been
causing problems due to conflicts with certain Hewlett-Packard and
NVidia software. The new version is being tested and is scheduled for
release on Tuesday, April 25. MS06-015 addresses a critical flaw in the
way Windows Explorer handles Component Object Model objects.
http://www.computerworld.com/printthis/2006/0,4814,110755,00.html
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1183420,00.html
http://www.zdnet.co.uk/print/?TYPE=story&AT=39265040-39020375t-10000003c
Internet Storm Center: http://isc.sans.org/diary.php?storyid=1286

 --Exploit Code for Oracle Flaw Released
(21 April 2006)
Just a day after Oracle's quarterly security update, exploit code for
one of the flaws addressed in the update has been released on the
Internet. The code could be used to gain elevated privileges on
vulnerable systems. Users are urged to apply the updates as soon as
possible.
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39353411-39000005c
http://www.us-cert.gov/cas/techalerts/TA06-109A.html

 --Researcher Warns Some Online Banking Sites Don't Provide Adequate Authentication
(20 April 2006)
SANS Institute chief research officer Johannes Ullrich says many widely
used online banking sites do not use authentication technology to assure
that they are who they claim to be. Banks would be well advised to send
users to an HTTP Secure (HTTPS) web page which uses the Secure Sockets
Layer (SSL) security protocol instead of merely encrypting login forms.
Web pages that do not use HTTPS make themselves vulnerable to DNS
spoofing in which attackers try to trick users into visiting phony web
sites in an attempt to gather their account information.
http://www.computerworld.com/printthis/2006/0,4814,110738,00.html
Internet Storm Center: http://isc.sans.org/diary.php?storyid=1278
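The distinction the item draws (a login page that is itself served over HTTPS versus a plain-HTTP page that only posts its form to an HTTPS address) is easy to check mechanically. The following is an added example, not code from the newsletter or from the Internet Storm Center: it parses a page's HTML with the standard library, finds every form that carries a password field, and reports the weak pattern. The sample pages and the host name bank.example are constructed for the example.

```python
"""Audit whether a login page follows the advice in the item above: the page
itself must be served over HTTPS, not merely POST its form to an HTTPS URL.
Added example; the sample HTML and the host bank.example are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect every <form> action and whether the form holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of findings; an empty list means every login form on the
    page is delivered and submitted over HTTPS. Only forms containing a
    password field are judged, so ordinary search boxes are ignored."""
    findings = []
    page_scheme = urlparse(page_url).scheme.lower()
    collector = _FormCollector()
    collector.feed(html)
    login_forms = [f for f in collector.forms if f["has_password"]]
    if not login_forms:
        return ["no login form found on page"]
    for form in login_forms:
        # A relative action inherits the page's scheme, so resolve it first.
        action = urljoin(page_url, form["action"] or page_url)
        action_scheme = urlparse(action).scheme.lower()
        if page_scheme != "https":
            # The "merely encrypting the login form" pattern: the HTTP page,
            # and with it the form's action attribute, can be rewritten by
            # whoever answers a spoofed DNS query, so the https action gives
            # the user no assurance about who will receive the credentials.
            findings.append(
                f"login page served over {page_scheme}; form posts to {action_scheme}"
            )
        if action_scheme != "https":
            findings.append(f"login form posts credentials to {action}")
    return findings


# Constructed sample pages (not real bank sites).
WEAK_PAGE = (
    "http://bank.example/login",
    '<form action="https://bank.example/auth" method="post">'
    '<input type="text" name="user"><input type="password" name="pw"></form>',
)
GOOD_PAGE = (
    "https://bank.example/login",
    '<form action="/auth" method="post">'
    '<input type="text" name="user"><input type="password" name="pw"></form>',
)

if __name__ == "__main__":
    for label, page in (("weak", WEAK_PAGE), ("good", GOOD_PAGE)):
        print(label, audit_login_page(*page) or "ok")
```

Run against a fetched page, the function only needs the final URL after redirects and the response body; a page that redirects from http to https before rendering the form passes, which matches the item's recommendation to send users to an HTTPS page rather than encrypt the form alone.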

ATTACKS & INTRUSIONS & DATA THEFT & LOSS
 --University of Texas Says Cyber Intrusion Exposed Data on Nearly
    200,000 Associated with Business School
(24 April 2006)
The University of Texas (UT) acknowledged that a computer intrusion has
compromised personal data belonging to nearly 200,000 people associated
with the university's McCombs School of Business. UT has established a
web site, a phone bank and a special email address to help deal with the
concerns of those affected by the breach. UT President William Powers
Jr. said the university would try to inform all those affected by email
and letter. UT suffered another security breach in 2003; a former
student received five years probation and was ordered to pay US$170,000
in restitution for that attack.
http://www.statesman.com/news/content/news/stories/local/04/24utcomputers.html
http://www.msnbc.msn.com/id/12459840/

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFETnF2+LUG5KFpTkYRAvhOAJsG6NfYmGWOvktvsKmoPSJYmIPvrgCcC0Z0
Ba3izYlP/7PVVWCRlicQXoM=
=aF0J
-----END PGP SIGNATURE-----