SANS NewsBites Vol. 9 Num. 3

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Jan 09 2007 - 15:49:17 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*************************************************************************
SANS NewsBites January 9, 2007 Vol. 9, Num. 3
*************************************************************************
TOP OF THE NEWS
  Revised Civil Procedure Rules Mean Companies Need to Retain More
     Digital Data
  Cisco to Provide CVSS Scores in Advisories
  AIB Corporate and Business Customers Get Security Devices
THE REST OF THE WEEK'S NEWS
  LEGAL MATTERS
    Two Charged with Accessing Traffic Center Computers, Disabling
       Signals
    Teen Faces Fine, Jail Time for Allegedly Running File Sharing Site
    Singapore Man Faces Charges for Unauthorized Wireless Access and
       Making Threat
  POLICY & LEGISLATION
    VA Legislators to Introduce Data Breach Bill
  SPYWARE, SPAM & PHISHING
    Phishers Target UK Taxpayers
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
    File Sharing Program Blamed for Data Leaks
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Cisco Fixes Clean Access Flaws
    Microsoft Halves Number of Bulletins for January's Patch Tuesday
    Acrobat Reader Flaw Allows Access to Hard Drive; Adobe to Release
       Patches This Week
    Fix Available for OpenOffice Flaw
  
********************** Sponsored By Symark Software *********************

Security and compliance go hand-in-hand. How can you meet compliance
requirements and guard against unauthorized access or theft of data?
Learn how PowerBroker, the most widely used solution for systems
administration and controlling Unix/Linux root privileges, helps you
meet data privacy and compliance requirements. Download the FREE White
Paper "PowerBroker vs. sudo."
http://www.sans.org/info/2786

*************************************************************************
SECURITY TRAINING UPDATE: Several of the hands-on immersion security
training courses at SANS 2007 (San Diego, March 29 - April 4) are
starting to fill up. If you want a place, register early. You'll also
save hundreds of dollars if you do it in the next few weeks.
Full Schedule (53 courses): http://www.sans.org/sans2007/event.php
*************************************************************************

TOP OF THE NEWS
 --Revised Civil Procedure Rules Mean Companies Need to Retain More Digital Data
(4 January 2007)
The revised Federal Rules of Civil Procedure, which took effect on
December 1, 2006, broaden the types of electronic information that
organizations may be asked to produce in court during the discovery
phase of a trial. The new types of digital information include voice
mail systems, flash drives and IM archives. This will place a burden
on organizations to retain the data in the event it is needed in a legal
case. Section V, Depositions and Discovery, Rule 34 of the Federal
Rules of Civil Procedure reads, in part, "Any party may serve on any
other party a request to produce and permit the party making the
request, or someone acting on the requestor's behalf, to inspect, copy,
test or sample any designated documents or electronically stored
information - including writings, drawings, graphs, charts, photographs,
sound recordings, images, and other data or data compilations stored in
any medium from which information can be obtained ..."
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9007162&taxonomyId=17&intsrc=kc_top
http://www.law.cornell.edu/rules/frcp/Rule34.htm
[Editor's Note (Honan): As the legal profession has become more aware
of the wealth of information available to them in electronic format,
e-discovery is becoming a major issue for organisations and in
particular those who manage that information. As with all policies,
processes and procedures it is best that you develop one now while you
(arguably) have the time rather than make it up in response to an
e-discovery request. Make sure to include how to deal with personal
electronic devices such as PDAs and pen drives - hint: best to prohibit
their use in a corporate environment in the first place.]

 --Cisco to Provide CVSS Scores in Advisories
(4 January 2007)
The Cisco Product Security Incident Response Team (PSIRT) plans to start
including severity scores along with their security advisories. Cisco
hopes the system will help users prioritize their patch management based
on their particular environments. The severity score will be calculated
according to the Common Vulnerability Scoring System (CVSS). Cisco will
provide the base and temporal CVSS scores for vulnerabilities in all
future advisories.
http://www.vnunet.com/vnunet/news/2171804/cisco-signs-security-reporting
http://www.huliq.com/4622/cisco-adds-severity-scores-to-psirt-security-advisories
[Editor's Note (Schultz): PSIRT has done the right thing. The severity
scores that it produces will serve as metrics that will greatly help in
determining the proper responses as well as the urgency in responding
to security advisories.]

 --AIB Corporate and Business Customers Get Security Devices
(5 January 2007)
AIB (the leading Irish banking and insurance company) has begun
providing business and corporate online banking customers in Ireland and
the UK with alphanumeric Digipass 550 transaction signature devices to
help guard against fraudulent transactions. AIB is the first bank in
the world to use these particular devices. The devices provide
customers with one-time passcodes, e-signatures and host authentication
to help ensure banking transaction security.
http://www.siliconrepublic.com/news/news.nv?storyid=single7574
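The AIB item lists what the device delivers (one-time passcodes, e-signatures, host authentication) but not why a transaction signature defends against fraud that a login passcode does not. The following is an added example, not AIB's, VASCO's or SANS's code and not the Digipass algorithm, which is proprietary: a generic model with a token seed shared with the bank, a counter against replay, and a code computed over the payee and amount the customer keys into the device. The seed, customer name, account strings and amounts are constructed; host authentication (the device checking a code sent by the bank) is left out.

```python
"""Toy transaction-signing token and verifying bank (added example, not AIB's code)."""
import hashlib
import hmac

DIGITS = 8


def _truncate(mac: bytes) -> str:
    """RFC 4226 style dynamic truncation of an HMAC to an 8-digit decimal code."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def _tx_message(counter: int, payee: str, amount_cents: int) -> bytes:
    # Fixed-width counter plus '|'-delimited fields; payee is assumed not to contain '|'.
    return counter.to_bytes(8, "big") + b"|" + payee.encode() + b"|" + str(amount_cents).encode()


def login_otp(seed: bytes, counter: int) -> str:
    """Plain one-time passcode: proves the token is present, says nothing about the transfer."""
    return _truncate(hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def sign_transaction(seed: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Transaction signature: the code is bound to the payee and amount shown on the token."""
    msg = _tx_message(counter, payee, amount_cents)
    return _truncate(hmac.new(seed, msg, hashlib.sha256).digest())


class BankServer:
    """Holds each customer's token seed and the last counter it accepted (replay guard)."""

    def __init__(self, seeds):
        self.seeds = dict(seeds)
        self.last_counter = {user: -1 for user in self.seeds}

    def _check(self, user, counter, expected, code) -> bool:
        if user not in self.seeds or counter <= self.last_counter[user]:
            return False                      # unknown token or replayed counter
        if not hmac.compare_digest(expected, code):
            return False                      # code does not match what was keyed in
        self.last_counter[user] = counter
        return True

    def verify_signed(self, user, counter, payee, amount_cents, code) -> bool:
        """Accept a transfer only if the code covers exactly this payee and amount."""
        seed = self.seeds.get(user, b"")
        return self._check(user, counter, sign_transaction(seed, counter, payee, amount_cents), code)

    def verify_otp_only(self, user, counter, code) -> bool:
        """A bank that only checks a login OTP cannot tell whether the payee was altered."""
        seed = self.seeds.get(user, b"")
        return self._check(user, counter, login_otp(seed, counter), code)


def demo() -> dict:
    """Constructed scenario: a man-in-the-browser swaps the payee after the customer signs."""
    seed = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed token seed
    bank = BankServer({"alice": seed})
    code = sign_transaction(seed, 1, "IE00 0001", 15000)      # customer signs EUR 150.00
    tampered_rejected = not bank.verify_signed("alice", 1, "IE00 9999", 15000, code)
    genuine_accepted = bank.verify_signed("alice", 1, "IE00 0001", 15000, code)
    replay_rejected = not bank.verify_signed("alice", 1, "IE00 0001", 15000, code)
    # Same swap against a login-only OTP: the request carrying payee IE00 9999 is accepted
    # because the code never covered the payee.
    otp_bank = BankServer({"alice": seed})
    otp_only_cannot_detect_swap = otp_bank.verify_otp_only("alice", 1, login_otp(seed, 1))
    return {
        "tampered_rejected": tampered_rejected,
        "genuine_accepted": genuine_accepted,
        "replay_rejected": replay_rejected,
        "otp_only_cannot_detect_swap": otp_only_cannot_detect_swap,
    }


if __name__ == "__main__":
    print(demo())
```

The security property rests on the customer keying the payee and amount into the device from the statement they intend, not from the browser screen, since the malware controls the latter; the bank then recomputes the code over the details it actually received, so any change in transit breaks the match. The counter check is what turns a captured code into a single-use one.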

************************** Sponsored Links: ***************************

1) Visit Utimaco and Lenovo at RSA Booth 531 to learn about our layered
security solution.
http://www.sans.org/info/2791

2) AmbironTrustWave is a leading provider of information security and
compliance management solutions, serving businesses worldwide.
http://www.sans.org/info/2796

3) Guard against security leaks! Detect rogue modems and network
backdoors with our multi-line wardialer, PhoneSweep.
http://www.sans.org/info/2801
*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
 --Two Charged with Accessing Traffic Center Computers, Disabling Signals
(8 & 6 January 2007)
Two Los Angeles transportation engineers have entered not guilty pleas
to criminal charges for allegedly gaining unauthorized access to Los
Angeles' traffic center computers. The two allegedly disconnected
traffic signals at four busy intersections shortly before a labor union
strike on August 21, 2006. The men have been released on their own
recognizance on the conditions that they not access city computers or
enter Department of Transportation facilities unless accompanied by
their lawyers. One of the men is accused of one count of unauthorized
access of a computer and identity theft; the other is accused of one
count of unauthorized access of a computer and four counts of
unauthorized disruption or denial of computer services. The actions did
not cause any accidents, but it took the city days to get the traffic
control system back to normal.
http://cbs2.com/local/local_story_008145026.html
http://www.latimes.com/news/local/politics/cal/la-me-trafficlights6jan06,1,1776756.story?coll=la-news-politics-california
[Editor's Note (Skoudis): Sometimes, people think of computer security
as a glorified video game, downplaying its importance. But, at the
interstitial points of computer networks and the Real World illustrated
by this story, we can see how serious computer security can be. This
is a good story to use for illustrating to management personnel how
vital it is for us all to protect our computer networks from intruders.
(Schmidt): This is an instance where "penalty enhancements" if convicted
should be applied. The danger imposed on the public based on these acts
was significant even IF there were no accidents as a result of this
action.]

 --Teen Faces Fine, Jail Time for Allegedly Running File Sharing Site
(5 January 2007)
A 16-year-old Norwegian boy who allegedly ran a file-sharing hub could
face up to 60 days in jail and a fine of NOK4,000 (US$630). The teen
allegedly used the Direct Connect P2P file sharing program to help make
more than 150,000 songs, 7,000 movies and 20,000 video clips available
for free downloading. His parents could also face a substantial fine
to compensate those in the music and film industries for lost revenue.
http://www.theregister.co.uk/2007/01/05/norwegian_filesharer_charged/print.html
[Guest Editor Note (Giannoulis): An article discussing the management
of P2P traffic using off the shelf network hardware has been posted on
the Leadership Laboratory:
http://www.sans.edu/resources/leadershiplab/controllingp2p.php
(Grefer): To put things in perspective, the average income in Norway is
approx. US$45,000.]

 --Singapore Man Faces Charges for Unauthorized Wireless Access and Making Threat
(5 January 2007)
A Singapore man has been charged with accessing a wireless network and
using that connection to post a bomb threat online. Lin Zhenghuang is
facing 60 charges of illegal wireless network access; each count carries
a maximum jail sentence of three years and a fine of as much as S$10,000
(US$6,510). Lin could also face additional penalties of up to seven
years in prison and a fine of as much as S$50,000 (US$32,540) dollars
if he is convicted on the bomb threat charges.
http://www.theage.com.au/news/Technology/Singaporean-faces-jail-for-tapping-wireless-network-to-make-bombthreat/2007/01/05/1167777273625.html

POLICY & LEGISLATION
 --VA Legislators to Introduce Data Breach Bill
(7 January 2007)
Virginia state legislators plan to introduce a data security breach bill
when the State Assembly convenes on Wednesday, January 10. The proposed
legislation would require government and private agencies to notify
individuals whenever their personal information has been accessed
without authorization or stolen. The law would give state agencies one
year to implement tightened database security.
http://www.wtopnews.com/index.php?nid=600&sid=1025457
[Editor's Note (Schmidt): I am sure the legislators are well meaning and
looking to protect the public but trying to comply with 50 plus state
data breach laws is a nightmare. If there is not consistency and
harmonization of these laws we will be swamped in notifications until
we are numb to them. One of the few times where federal preemption
might be in order. While not a popular concept it would be much easier
to comply with IF crafted properly.]

SPYWARE, SPAM & PHISHING
 --Phishers Target UK Taxpayers
(8, 4 & 3 January 2007)
Phishers have targeted UK taxpayers, sending phony email messages that
appear to come from HM Revenue and Customs claiming the recipients are
entitled to a GBP70 (US$136) refund. The email includes a link to what
is supposed to be a form to fill out to get the refund. In a separate
story, the US Computer Emergency Response Team (US-CERT) has warned that
phishers are targeting US taxpayers.
http://www.theregister.co.uk/2007/01/08/hm_revenue_phish/print.html
http://www.vnunet.com/vnunet/news/2171829/phishers-look-happy-tax-season
http://www.us-cert.gov/current/#irspham

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
 --File Sharing Program Blamed for Data Leaks
(9 January 2007)
Between fiscal 2002 and the end of October 2006, there were 27 incidents
in which members of Japan's Ground Self-Defense Force inadvertently
exposed information through the Winny file-sharing program. Four
additional incidents have been reported in FY 2006. In some cases,
sensitive information was exposed.
http://www.yomiuri.co.jp/dy/national/20070109TDY01004.htm
[Editor's Note (Honan): According to the article the 27 leaks were from
the personal computers belonging to members of the Japanese Ground
Self-Defense Force. It strikes me that the bigger issue here is not the
leaks via the Winny software but more so what was the leaked information
doing on personal computers in the first place and what controls are in
place to prevent this happening again?]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Cisco Fixes Clean Access Flaws
(8 January 2007)
Cisco has fixed two vulnerabilities in its Clean Access networking
software that could be exploited to access database files without
authorization. Users can protect their systems by upgrading their Clean
Access software to version 3.4.6.2, 4.0.4 or 4.1.0 (or later); Cisco
has also made a patch available for those who choose not to upgrade at
this time.
Internet Storm Center Notes:
http://isc.sans.org/diary.html?storyid=2000
http://www.cisco.com/warp/public/707/cisco-sa-20070103-CleanAccess.shtml
http://www.vnunet.com/vnunet/news/2172005/cisco-patches-flaws-clean

 --Microsoft Halves Number of Bulletins for January's Patch Tuesday
(8 & 6 January 2007)
Microsoft has cut in half the number of security bulletins it plans to
release on Tuesday, January 9. Last week, the software company
announced it would release eight bulletins to address flaws in a variety
of products; the notice on the Microsoft web site has been amended to
say they will release four bulletins, three for Microsoft Office and one
for Windows, at least two of which have severity ratings of critical.
The bulletins that have been postponed were for Windows, Office and
Visual Studio; three had severity ratings of important and one a
severity rating of critical. A critical rating indicates a flaw could
be exploited to run malicious code on vulnerable systems without any
user interaction.
Internet Storm Center Notes:
https://isc.sans.org/diary.html?storyid=2003
http://blogs.technet.com/msrc/archive/2007/01/04/january-2007-advance-notification.aspx
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9007438
http://www.zdnet.co.uk/misc/print/0,1000000169,39285366-39001093c,00.htm
[Editor's Note (Skoudis): Last week, I lamented that these numbers were
not going down. And, now they've been cut in half! However, holding
back patches for flaws wasn't what I had in mind as a method of lowering
these numbers. Seriously, though, if the patches need further testing
and widespread exploitation is not yet occurring, it is a reasonable
policy to hold a patch for longer.]

 --Acrobat Reader Flaw Allows Access to Hard Drive; Adobe to Release Patches This Week
(8 & 5 January 2007)
The recently disclosed flaw in Adobe Acrobat Reader presents a greater
risk than previously believed. At first, it was thought that the flaw,
which can be exploited with malicious JavaScript, could expose users to
phishing attacks and allow attackers to access web-related information.
Now it appears that the flaw could be exploited to gain access to all
files on users' hard drives. Adobe plans to issue patches for the
vulnerability this week.
http://www.usatoday.com/tech/products/cnet/2007-01-05-pdf-risk_x.htm
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=278323&source=rss_topic17
[Editor's Note (Grefer): Apparently this flaw only affects Adobe Reader
and Acrobat Versions 7.0.8 and older running in Firefox, and Adobe 6.x
and older versions running in Internet Explorer. According to Pam
Deziel, director of Adobe's platform business unit, users can
"address the issue immediately" by upgrading to Adobe Reader 8 and
Acrobat 8.]

 --Fix Available for OpenOffice Flaw
(5 & 4 January 2007)
OpenOffice.org has issued a patch for a buffer overflow flaw in the way
the application suite handles .wmf files. The vulnerability could be
exploited to execute malicious code on vulnerable systems. Users have
the option of installing a patch by replacing the problematic file with
a new one available on the OpenOffice web site, or by upgrading to
OpenOffice 2.1.
http://www.zdnet.co.uk/misc/print/0,1000000169,39285348-39001093c,00.htm
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9007101
=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the
author/co-author of books on Unix security, Internet security, Windows
NT/2000 security, incident response, and intrusion detection and
prevention. He was also the co-founder and original project manager of
the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post graduate level IT
Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm
Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and
consulting firm, and author and lead instructor of the SANS Hacker
Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for
Intelguardians, a handler for the SANS Institute's Internet Storm
Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers.
Schneier has regularly appeared on television and radio, has testified
before Congress, and is a frequent writer and lecturer on issues
surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for
Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development
Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a
non-profit federally funded research and development corporation that
provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin,
Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFpANM+LUG5KFpTkYRAndPAJ99spyC5BhR/DFRKxoHHKSF59vU0gCdEqPq
K+x33bEG4+yTFjZvy209qvo=
=MsYR
-----END PGP SIGNATURE-----