SANS NewsBites Vol. 8 Num. 34
From: The SANS Institute (NewsBites@sans.org)
Date: Fri Apr 28 2006 - 15:07:44 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SANS will announce eight updates to the Top 20 Internet Security
Vulnerabilities on Monday, May 1. Several leading national newspapers
and media outlets will be doing early stories about the announcement
because it includes some surprising (and unpleasant) information
patterns. Members of the press who want to participate in the online
press conference Monday morning should email paller@sans.org.
All readers of @RISK (the weekly update of the Top20) will get a copy
of the announcement Monday morning. If you don't get @RISK, just go to
your portal account and add it. It is free.
Alan
*************************************************************************
SANS NewsBites April 28, 2006 Vol. 8, Num. 34
*************************************************************************
TOP OF THE NEWS
NISCC Warns of DNS Implementation Flaws
Cisco Issues Fixes for Multiple Flaws
Symantec Warns of Flaws in Scan Engine
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Student Arrested for Allegedly Changing School Records
SPYWARE, SPAM & PHISHING
Phishers Turn to VoIP-based Attack
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Microsoft Pushes Out Anti-Piracy Tool
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
MasterCard Tight-Lipped About Details of Credit Card Data Breach
LexisNexis Says Honesty About Security Breach Was a Good Decision
STATISTICS, STUDIES & SURVEYS
Companies Failing to Address Flash Drive Security Concerns
Cyber Consequences Unit Releases Draft Cybersecurity Checklist
MISCELLANEOUS
States Use Redaction Software to Remove Sensitive Data from Web Sites
************** SPONSORED SANSFIRE 2006 IN WASHINGTON DC ****************
July 5-13 - Bring your family for the fireworks and stay for SANS'
largest conference in Washington.
The industry's best security courses - extraordinary faculty;
authoritative up-to-the-minute material - shows you how to do the job
and gives you the confidence to go back and do it immediately.
"Jacked my paranoia level up around my ears, and then gave me the tools
to manage the threat." (Don Geiger, DCPS Division of Technology)
Offers every one of SANS' 17 immersion training courses plus 12 short
courses and a big exposition: SANS Security Essentials, Hacker
Exploits, System Forensics, Intrusion Detection, Auditing, plus training
for CISSP exam and all Technical certification required for DoD 8570 and
more. Plus special evening sessions by the global security leaders who
staff the Internet Storm Center.
http://www.sans.org/sansfire06/
*************************************************************************
TOP OF THE NEWS
--NISCC Warns of DNS Implementation Flaws
(26/25 April 2006)
The UK's National Infrastructure Security Co-ordination Centre (NISCC)
has issued an advisory warning that flaws in implementations of the
Domain Name System (DNS) protocol could allow attackers to crash DNS
servers or run arbitrary code. Researchers at Finland's University of
Oulu have uncovered several vulnerabilities in the software that is used
to administer the Internet's Domain Name System (DNS). They have
developed a test suite for the flaws.
http://www.computerworld.com/printthis/2006/0,4814,110897,00.html
http://www.niscc.gov.uk/niscc/docs/br-20060425-00311.html
http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf
[Editor's Note (Northcutt): I hate to pass up any chance to mention that
friends don't let friends use BIND8! This is not a really lethal bug;
the more interesting story is the latest PROTOS toolkit they used to
find the problem. My understanding is that they have not released the
tool into the wild yet, but they are finding and reporting
vulnerabilities, and that is good! The round with the SNMP PROTOS tool
was a bit painful for the industry.]
--Cisco Issues Fixes for Multiple Flaws
(25/24 April 2006)
Cisco Systems has issued patches for several vulnerabilities in a number
of its products, including CiscoWorks Wireless LAN Solution Engine
(WLSE), Hosting Solution Engine, User Registration Tool, Ethernet
Subscriber Solution Engine and CiscoWorks 2000 Service Management
Solution. Cisco did not issue patches for the last two products as they
have been discontinued and are no longer supported. "A privilege
escalation vulnerability ... could allow attackers who already have
authenticated access to the command line interface to obtain access to
the underlying operating system of certain products." In addition, Cisco
issued an advisory for a cross-site scripting flaw in WLSE running
software earlier than version 2.13. Another advisory addresses a Multi
Protocol Label Switching (MPLS)-related flaw on the Cisco IOS XR modular
operating platform that could be exploited to cause a denial-of-service
condition.
http://www.itnews.com.au/newsstory.aspx?CIaNID=31916&src=site-marq
http://www.computerworld.com/printthis/2006/0,4814,110879,00.html
--Symantec Warns of Flaws in Scan Engine
(24/21 April 2006)
Symantec is encouraging its Scan Engine customers to upgrade from
version 5.0 to version 5.1 following the disclosure of three
vulnerabilities. The first vulnerability is due to the fact that
Symantec Scan Engine does not properly authenticate web-based user
logins; this flaw could be exploited to control the Scan Engine server.
The second flaw involves a static private DSA key for SSL communications
and could be exploited by a man-in-the-middle attack. The third flaw
allows unauthenticated remote users to download files located under the
Scan Engine installation directory.
http://securityresponse.symantec.com/avcenter/security/Content/2006.04.21.html
http://www.networkworld.com/news/2006/042406-symantec-scanner.html?fsrc=netflash-rss
[Editor's Note (Boeckman): A company that sells software intended to
improve the security of a system should be the last to have such serious
vulnerabilities. If their product does nothing else, it should at least
not make things worse.]
*********************** Sponsored Links: ********************************
1) Stop spyware! Try Webroot Spy Sweeper Enterprise for free and assess
your spyware risk exposure.
http://www.sans.org/info.php?id=1126
2) Strata Guard Free - Freeware version of StillSecure's award winning
intrusion detection/prevention system (IDS/IPS) Download now.
http://www.sans.org/info.php?id=1127
3) "Web Application Security" - Free SANS First Wednesday Webcast next
week - Wednesday, May 03 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1128
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
--Student Arrested for Allegedly Changing School Records
(21 April 2006)
An 18-year-old Florida student has been charged with felony fraud for
allegedly gaining unauthorized access to the school district's computer
system and changing students' grades, removing records of suspensions
and absences and giving himself credit for courses he never took. Jeff
Yorston allegedly used user IDs and passwords of four school district
employees. Yorston was booked into Palm Beach County Jail on a charge
of offense against intellectual property and released on US$5,000 bond
later the same day.
http://www.palmbeachpost.com/pbcsouth/content/local_news/epaper/2006/04/21/m1a_HACKER_0421.html
SPYWARE, SPAM & PHISHING
--Phishers Turn to VoIP-based Attack
(26/25 April 2006)
In a new twist in phishing, attackers have apparently managed to
replicate the automated voice system of an unnamed US bank in an effort
to harvest customers' account information. The attackers sent spam to
their targets asking the recipients to call a certain telephone number
to speak with a bank representative to verify their account information.
The attackers used voice over Internet protocol (VoIP) telephony to
perpetrate their scheme. They used PBX software to create the illusion
for the bank customers that they are speaking to the actual bank.
http://www.computerworld.com/printthis/2006/0,4814,110894,00.html
http://www.techweb.com/wire/186701001
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--Microsoft Pushes Out Anti-Piracy Tool
(25 April 2006)
Microsoft has begun pushing out its Windows Genuine Advantage
Notifications tool to a random subset of Windows users. The tool will
check to see if users are running legitimately licensed versions of
Windows; those who are not will be alerted to the fact during startup,
login and during use of the operating system. Users will have the
option of declining or uninstalling the download. Microsoft is also
piloting a similar tool to test for authenticity of Microsoft Office
software.
http://www.zdnetasia.com/news/software/printfriendly.htm?AT=39353843-39000001c
[Editor's Note (Pescatore): Just think how much more useful this could
be if it also detected and removed rootkits.]
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
--MasterCard Tight-Lipped About Details of Credit Card Data Breach
(27/26 April 2006)
MasterCard has acknowledged that it and its card-issuing banks are
reissuing cards to at least 2,000 customers following a security breach
that exposed card details to data thieves. No details about the method
of attack or the scope of the breach have been released.
http://www.silicon.com/financialservices/0,3800010322,39158448,00.htm
http://news.com.com/2102-7349_3-6065267.html?tag=st.util.print
--LexisNexis Says Honesty About Security Breach Was a Good Decision
(25 April 2006)
Speaking at the Infosec Europe 2006 conference in London, LexisNexis
senior director for information security Leo Cronin said his company's
decision to be up front about a data security breach that took place in
early 2005 was definitely the best approach to the situation. A social
engineering email attack exposed personal data belonging to as many as
300,000 people at Seisint, a data broker acquired by LexisNexis in fall
2004. The company decided to inform all those affected, using
California's data security breach notification law as a guideline.
LexisNexis also took a number of steps to better protect the data it
holds. Cronin believes the company's forthright approach minimized the
damage to its reputation.
http://www.computerworld.com/printthis/2006/0,4814,110866,00.html
[Editor's Note (Pescatore): This should not be a surprise, Egghead
learned this in 2000 when they took the high road and warned customers
of a breach.
(Schultz): It is good that a well-respected security professional has
gone on record as supporting a pro-customer approach when it comes to
notification of a confidentiality breach.]
STATISTICS, STUDIES & SURVEYS
--Companies Failing to Address Flash Drive Security Concerns
(27 April 2006)
Statistics from the UK Department of Trade and Industry-backed
Information Security Breaches Survey indicate that more than half of the
companies surveyed do not have any measures in place to secure company
data on smart phones, iPods and USB memory sticks. One-third of the
companies tell their employees not to use flash drives, but most do
nothing to prevent workers from using them. Just 10 percent of the
companies encrypt data on flash drives.
http://news.bbc.co.uk/2/hi/technology/4946512.stm
[Editor's Note (Schultz): I am not at all surprised about these
statistics. I fear that smart phones, PDAs, and the like are a time bomb
waiting to go off. Most organizations have little conception of the
security risks that these devices pose.
(Northcutt): These concerns are vastly overrated! What could possibly
go wrong in a world where everything is connected by wireless technology
and also has persistent solid state memory? The US Military is still
in business after those USB drives in Afghanistan; what more proof could
we possibly need? (That was a joke.) On a serious note, organizations
concerned about their intellectual property being stored on hyper
portable devices should consider some form of encryption such as
commercial PGPdisk, or freeware/opensource LE and TrueCrypt:
http://www.pgpi.org/products/pgpdisk/
http://www.net-security.org/software.php?id=586
http://www.truecrypt.org/
You can even buy drives with the security technology built in:
http://www.lexar.com/jumpdrive/jd_secure.html
So let's all go review our organization's security policy on this topic
and then spot check what people are doing, starting with ourselves! ]
--Cyber Consequences Unit Releases Draft Cybersecurity Checklist
(26 April 2006)
The US Cyber Consequences Unit (CCU), a private company, has developed
a draft Cybersecurity Checklist to help federal agencies and industry
to determine the possible consequences of risks posed by the current
state of their IT systems; the list also offers suggestions for
mitigating those risks. The list asks 478 questions about hardware,
software, networks, automation, humans and suppliers. The checklist has
not yet received DHS approval. CCU is funded by DHS and aims to provide
the government with accurate assessments of the consequences of cyber
attacks. "The new list shifts the focus from perimeter security to
internal systems monitoring and maintenance."
http://www.fcw.com/article94201-04-26-06-Web
http://www.gcn.com/online/vol1_no1/40564-1.html?topic=security
[Editors' Note (Multiple): Although the name and promotional material
of this organization seem to imply governmental affiliation, it is
actually private contractors drafting what they think the questions
ought to be. Most such private lists are never widely adopted. The one
exception is the Center for Internet Security's benchmarks, which now
cover more than 20 types of systems. If the cybersecurity checklist is
ever to become adopted, it needs to go through a similar process to
what CIS uses to ensure the community agrees on the benchmarks.]
MISCELLANEOUS
--States Use Redaction Software to Remove Sensitive Data from Web Sites
(24 April 2006)
At least six states in the US are using redaction software to remove
sensitive personal information from official web sites. Many states
require that property records, which often contain Social Security
numbers and financial account data, be posted online. Florida and
Wisconsin have passed legislation requiring that sensitive data be
redacted from web sites. "A federal judge ... approved a settlement
forcing the removal of SSNs from financial documents posted on the Ohio
Secretary of State's web site" as resolution of a class-action lawsuit;
Ohio legislators have introduced two bills that seek to remove the data
from the Internet.
http://www.cio-today.com/story.xhtml?story_id=1210046642XU
[Editor's Note (Grefer): Please be aware that for the state of Florida
no additional funds were allocated to take care of these additional
responsibilities, and as such progress is rather slow. To expedite the
redaction of your records, you will have to file a "Request for Removal
of Information" form identifying each document by book and page number.
http://www.pinellasclerk.org/aspInclude2/ASPInclude.asp?pageName=redaction.htm]
===end===
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
iD8DBQFEUnIL+LUG5KFpTkYRAjFIAJ9NpBtbn3vW9Ewo5ytOX3S+gmLyVgCeKUP9
T1ZL4SeaQhDr7JNy2eJqA20=
=fGO+
-----END PGP SIGNATURE-----