Techs:

Haven't had time to evaluate this yet but thought I would pass it on
to others. I don't plan to install the unofficial patch but will
instruct staff to stay off internet sites until a good patch is
available. Any newer information would be appreciated.

George

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of The SANS Institute
Sent: Tuesday, January 03, 2006 1:59 PM
To: George Tuttle
Subject: SANS NewsBites Vol. 8 Num. 1


This Microsoft WMF vulnerability is causing real damage to a lot of
people and organizations.  See the first story for a temporary fix and
a discussion of the pros and cons of using it.
                             Alan

PS. SANS 2006 is in Orlando in late February. The deadline for getting
the $250 early registration discount is a week from tomorrow (1/11).
http://www.sans.org/sans2006

*************************************************************************
SANS NewsBites            January 3, 2006                   Vol. 8, Num. 1
*************************************************************************

TOP OF THE NEWS
  Users Urged to Install Unofficial Patch to Protect Computers from WMF
     Exploits
  Three States Have New Data Security Laws for 2006

THE REST OF THE WEEK'S NEWS
  ARRESTS, CONVICTIONS AND SENTENCES
    Alleged ChoicePoint Data Thief Pleads Guilty
  
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Trojan Horse Displays Phony Google Ads on Web Sites
  
  ATTACKS & INTRUSIONS & DATA THEFT
    Pennsylvania Medical Office Informs 700 People Whose Data Were on
       Stolen Computer
  
  MISCELLANEOUS
    White House Says Web Bugs Do Not Violate Federal Privacy Guidelines
    DHS to Test RFID Passport Technology at San Francisco Airport
  

*************************** Sponsored Links *****************************

1) Join us for a Free SANS Webcast "Migrating from WEP to WPA2"  
Wednesday, January 04 at 1:00 PM EST (1800 UTC/GMT)
http://www.sans.org/info.php?id=974

2) To find the security products you can trust (along with user
interviews showing why) start your selection process at
http://www.sans.org/whatworks

3) Free courses on SCADA Security (a gift from DHS and DOE) still have
a few seats available (March 1-2). The SCADA Security Summit (March 2-3)
registration page is now open as well.  Find both at:
http://www.sans.org/scadasummit06

*************************************************************************

TOP OF THE NEWS

 --Users Urged to Install Unofficial Patch to Protect Computers from WMF Exploits
(2/1 January 2006/31/30 December 2005)
The threat posed by the flaw in Windows WMF files is increasing. Now
hundreds of sites are using exploits for the flaw to install malicious
software on people's Windows-based computers. What makes the WMF
vulnerability particularly insidious is that exploits can infect
computers when users merely visit a web site or view a maliciously
crafted image in the preview pane of older versions of Microsoft
Outlook; machines can become infected without the user clicking on
anything or opening any files. Microsoft is investigating the issue and says it will issue a
patch, but has not yet said when that patch will be available. The SANS
Internet Storm Center recommends applying an unofficial patch; a link
to the patch is available in the Handler's Diary.
Authoritative overview from Internet Storm Center:
http://isc.sans.org/diary.php?storyid=993
Other news stories:
http://www.computerworld.com/printthis/2006/0,4814,107419,00.html
http://www.computerworld.com/printthis/2006/0,4814,107420,00.html
http://www.computerworld.com/printthis/2006/0,4814,107421,00.html
http://www.msnbc.msn.com/id/10651414/
http://www.eweek.com/print_article2/0,1217,a=168161,00.asp
[Editor's Note (Schmidt): The idea of installing "unofficial patches", while it sounds
like a good idea, is pretty scary as it becomes yet another way to
potentially distribute malware and/or introduce yet a new vulnerability
if not written correctly.  Who handles "support" when the unofficial
patch breaks other things?  I support doing "work-arounds" but worry
about ANY "quick fix" patches.
(Northcutt): While I agree with Howard's observations, the path of
wisdom is to download the unofficial patch, and test it on some
non-production systems and also to make sure you are ready to go when
the worm breaks loose. Also, the WMF FAQ has been translated into a
number of different languages at this point, so if you are a
multinational organization you might want to be familiar with:
http://isc.sans.org/diary.php?storyid=994
(Pescatore): Even with a trusted source of an unofficial patch, the odds
of causing self inflicted damage by doing so are very high for
enterprise users. The workarounds (like unregistering the .dll and
losing thumbnails) are likely to have fewer unintended consequences than
an unsupported, unofficial patch.
(Schultz): To me it is not at all clear what the correct course of
action in dealing with this serious vulnerability is. Installing
unofficial patches is generally not a good practice, but it may be the
only truly viable solution at this time. Meanwhile, Microsoft owes it
to its users to do everything in its power to create a patch for this
vulnerability as soon as possible.
(Tan): Microsoft has updated its security advisory providing a piece of
good news that an official patch is on the way. But the bad news is that
you still have to wait until 10 Jan 06. Let's keep our fingers crossed
from now till then.
http://www.microsoft.com/technet/security/advisory/912840.mspx ]


ARRESTS, CONVICTIONS AND SENTENCES
 --Alleged ChoicePoint Data Thief Pleads Guilty
(28 December 2005)
A man allegedly responsible for the ChoicePoint consumer record database
security breach has pleaded guilty to charges of conspiracy and grand
theft.  Olatunji Oluwatosin is the only person charged in the massive
data theft that compromised the personal data of 145,000 people.
Oluwatosin will be sentenced on February 10, 2006; he is already serving
a 16-month prison term for an earlier felony count of identity theft.
http://www.consumeraffairs.com/news04/2005/choicepoint_guilty.html
[Editor's Note (Schmidt): It would send a good message if they gave him
the maximum sentence and made the term run consecutive to the current
term he is serving.  It should also be part of the sentencing that he
cannot do a book, movie or public speaking for profit. Unfortunately,
it is too often the case where today's convicted felon becomes the
"security speaker" du jour.]

 --Three States Have New Data Security Laws for 2006
(2 January 2006/31 December 2005)
New state laws in Louisiana, New Jersey and Illinois require that people
be notified when data security breaches compromise their personal
information. In New Jersey a law that took effect January 1, 2006 allows
residents to freeze access to their credit reports to thwart identity
fraud, even when the data thief has possession of the person's Social
Security number.  New Jersey residents must pay a US$5 fee to unfreeze
their reports when they need to be accessed legitimately.  Other states
have enacted data security legislation as well.
http://www.kplctv.com/Global/story.asp?S=4307966&nav=0nqx
http://www.thejournalnews.com/apps/pbcs.dll/article?AID=/20060102/OPINION01/601020305/1015
http://www.philly.com/mld/philly/news/13532711.htm?template=contentModules/printstory.jsp
http://www.chicagotribune.com/business/chi-0512310060dec31,1,1644957.story?coll=chi-business-hed
http://www.wluctv6.com/Global/story.asp?S=4306169&nav=81AX


THE REST OF THE WEEK'S NEWS

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Trojan Horse Displays Phony Google Ads on Web Sites
(2 January 2006/30 December 2005)
A Trojan horse program is replacing legitimate Google AdSense
advertisements with counterfeit ads.  The Trojan targets small
publishers.  Normally AdSense advertisements are relevant to the web
site's content; however, the ads generated by the Trojan promote
products Google stays away from, including gambling and adult
entertainment products.  AdSense works by paying web site publishers to
place relevant advertisements on their sites. When users click on the
illegitimate ads, they are reportedly taken to three other sites and
finally to a page of advertisements with links to more advertisements.
http://www.eweek.com/print_article2/0,1217,a=168268,00.asp
http://www.ebcvg.com/articles.php?id=1016
[Editor's Note (Shpantzer): For a great article about the economics of
click fraud, see http://www.wired.com/wired/archive/14.01/fraud.html
This is a relative newcomer on the cyberfraud scene, yet there's a
cottage industry set up to monitor click fraud and alert advertisers.
Click fraud can be used to increase your own profits (ex: splogging) as
well as to grind away at your competition, by inflating their
advertising spending.  Legal action by search engines (and against them)
is already underway, and this latest trojan is just a milestone in the
road towards more sophisticated malware, designed to target specific
companies or a broader attempt at making money by gaming the
pay-per-click system.]

ATTACKS & INTRUSIONS & DATA THEFT
 --Pennsylvania Medical Office Informs 700 People Whose Data Were on Stolen Computer
(1 January 2006)
Squirrel Hill Family Medicine in Pennsylvania is taking steps to inform
approximately 700 patients that one of six computers stolen from their
office over the December 17-18 weekend contains a file with their names,
Social Security numbers and birth dates.  The University of Pittsburgh
Medical Center, which owns Squirrel Hill Family Medicine, will pay for
one year of credit monitoring services for those affected.
http://www.philly.com/mld/philly/news/13530545.htm
[Editor's Note (Honan): This story illustrates how important information
security is to organisations of all sizes.  The cost of a security
breach incurred by a smaller organisation is proportionately much higher
than that experienced by larger organizations, yet time and again I see
small organisations ignore investing in basic information security.]

MISCELLANEOUS
 --White House Says Web Bugs Do Not Violate Federal Privacy Guidelines
(30 December 2005)
The White House has declared that it will continue to use web bugs on
its web site, maintaining that the anonymous tracking technology does
not violate 2003 federal privacy guidelines from the Office of
Management and Budget (OMB). The OMB directive prohibits the use of
persistent cookies, though it does allow session cookies that exist only
for the duration of the computer user's visit to the web site.  Analysis
indicates that cookies already on users' computers from visiting other
sites have been read when users visit the White House site.  The
National Security Agency (NSA) disabled persistent cookies on its web
site last week; the NSA maintained the cookies were the accidental
result of a software upgrade. Apparently an outside contractor placed
the tracking technology on the White House web site.  The White House
was "caught off guard" when the existence of the tracking technology
came to light.
http://www.msnbc.msn.com/id/10644090/
http://news.bbc.co.uk/2/hi/technology/4569184.stm
http://www.cio-today.com/news/Did-Contractor-Bug-White-House-Site-/story.xhtml?story_id=133004L22IA6
[Editor's Note (Ranum): How ridiculous! In an industry where 90% of the
desktop Windows machines are infected by spyware, people have the time
to waste worrying about persistent cookies from the NSA?
(Schultz): It is difficult to understand how the White House can justify
what appears to be a clear violation of the 2003 OMB guidelines. Worse
yet, there appears to be little recourse for American citizens concerned
about yet another government-initiated privacy infringement.]

 --DHS to Test RFID Passport Technology at San Francisco Airport
(30 December 2005)
Beginning in approximately two weeks, the US Department of Homeland
Security (DHS) will be testing radio frequency identification (RFID)
chip-embedded passport technology at San Francisco International
Airport.  Singapore, Australia and New Zealand have begun issuing
citizens passports with the technology.  The US Department of State has
said that all US passports issued after October 2006 will have embedded
RFID technology that will carry personal data and a digital photograph.
Last fall, DHS conducted a three-month test of RFID-embedded passports
in Los Angeles through the US-VISIT program.  In addition, the DHS has
"installed biometric entry facilities at all fixed points of entry."
http://www.techweb.com/wire/ebiz/175800140
http://www.fcw.com/article91831-12-30-05-Web
[Editor's Note (Boekman): The Government should be extremely thorough
in how they test the security of RFID technology, and pay attention to
the results.  If they get this wrong initially, it will be extremely
difficult and expensive to retrofit something that is already deployed.]

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

