Anti-Spam Conference

Operated by Hong Kong Productivity Council
Published by Hong Kong CERT
SECURITY BULLETIN
MARCH 2006
www.hkcert.org

Inside This Issue
Anti-Spam Conference
Email Security
Security Alert
Top News

Free SMS Service
SMS Alert Service is a FREE value-added service. You can receive updated security alerts anywhere and anytime, allowing you to respond in a timely manner. Please visit the HKCERT web-site for more details: https://www.hkcert.org/subscribe/home.html

Anti-Spam Conference
Organization: Hong Kong Productivity Council
Supporting Organization: HKCERT and other supporting organizations
Date & Time: March 10, 2006 (9:15am - 5:15pm)
Venue: 4/F, Hong Kong Convention & Exhibition Centre
Language: Cantonese (with English terminology)
Fee: Free
Application form and details are available at: http://www.hkcert.org/event/event120.htm

Email Security
by HKCERT (24 February 2006)

Introduction
Email is playing an important role in today’s society. 95% of an organization's communications are through email. It has become a part of our daily life. The Radicati Group survey showed that worldwide email traffic increased by 26% each year. In 2005, the average number of emails received per person per day was 133, and it was estimated to increase to 160 in 2009. Email is no doubt faster, more efficient, more convenient and less costly than traditional paper mail. However, email is also insecure and comes with risks and threats. Email could be stored unencrypted on servers; someone may read and modify messages in transit; usernames and passwords can be stolen and hackers can impersonate the sender. Also, email is a propagation channel for viruses and worms.

Basic Knowledge on Email
Sending an email is like sending a postcard. An email server acts as a “post office” and a protocol acts as the procedure by which a post office collects a postcard and forwards it to another post office closer to the recipient. Simple Mail Transfer Protocol (SMTP) is the protocol used when users send email messages to a mail server or when one mail server forwards email to another mail server, whereas IMAP and POP are the protocols used when users retrieve emails from a mail server.
If a user uses an email client program like Outlook, their personal computer communicates with the mail server directly, using SMTP when sending emails and IMAP or POP when receiving emails. If a user uses web mail, their personal computer communicates with a WebMail server using HTTP; the WebMail server then contacts the mail server using SMTP when sending emails and IMAP or POP when receiving emails.

Lack of Security
From the above, we can see that the email infrastructure has several security weaknesses. Firstly, HTTP, SMTP, IMAP and POP do not encrypt the data in transit. All information in the connection, including username and password, is in plain text. Secondly, eavesdroppers may listen to messages in transit and then modify or delete them, and the recipient has no way of knowing whether a message has been modified or deleted, so email lacks integrity. Thirdly, at most Internet Service Providers (ISPs), sending email by SMTP does not require authentication, so identity theft is very probable and spoofing is very easy. Fourthly, email messages are stored on mail servers in plain text. The administrators can read the email messages on those machines. Lastly, the email messages may be saved unexpectedly and indefinitely when the server data is backed up.

Types of Security Threats
Eavesdropping: The Internet is a huge distributed network with a lot of users. People with access to computers or network equipment through which email is traveling can intercept the information in transit. Usernames, passwords and sensitive information can be stolen by eavesdroppers in this way.

Identity Theft: If someone steals your username and password, they can read your email messages and even send false email messages on your behalf. These credentials can often be obtained by eavesdropping on SMTP, POP, IMAP or WebMail connections as mentioned in the previous section.
Bogus email in phishing is another common way to obtain credentials.

Lack of Integrity: People who have system administrator permission on the mail servers through which a message transits can read, modify and even delete the message before it is forwarded to its destination. The recipient has no way of knowing whether the message has been modified or deleted. In addition, the message can be saved, modified and re-sent later.

Spoofing: It is easy to create an email that appears to be sent from someone you know. Spam, viruses and worms usually spread using this technique. From an email, we cannot tell for sure the actual identity of the sender.

Unprotected Backups: As mentioned before, messages are stored in plain text on mail servers. Backups of mail server data may contain plain text copies of messages. If the backup media are not kept securely, they can be read by anyone with access to them.

Securing Email Transport by SSL
One simple way to make email connections more secure is to use “Secure Sockets Layer” (SSL). SSL is a combination of asymmetric and symmetric key encryption mechanisms. If the connection uses SSL, the server will first use its private key to prove that it is in fact the server that the user is trying to connect to. Then, the user will send the server the user’s public key. After receiving the user’s public key, the server will generate a “secret key” and send it to the user encrypted with the user's public key. Only the user with access to the private key can decrypt this secret key. The ongoing communication between the user and the server will be encrypted using the shared secret key. Using SSL for WebMail, POP, IMAP and SMTP ensures that you are connecting to the right server and that the connection is secure, as all of the communication will be authenticated and encrypted. It has to be noted that SSL protects the confidentiality of the connection between the client and the server only.
SSL does not protect the messages once they reach their destinations. However, it completely protects your username and password sent to the server from being sniffed along the path. Furthermore, using SSL is easy. It just involves a simple configuration of the email client. Senders can use SSL regardless of whether the recipients use SSL or not. So, it is better to use SSL for email communications whenever possible.

Fig. 1: Configuration of Microsoft Outlook with SSL turned on for SMTP and POP3.

Securing end-to-end email security by PGP and S/MIME
SSL provides the security of transport between the email client and the mail server only. The messages stored on the mail server are still in plain text. The total solution is to use asymmetric key encryption to provide message signature and encryption. PGP and S/MIME allow you to add signatures and encryption to the messages. But you should be reminded that PGP and S/MIME are totally incompatible. S/MIME uses the public key infrastructure, where a trusted certificate authority (e.g. Hong Kong Post) signs the user certificates to be used in email. PGP relies on the parties to exchange their PGP public keys. Although PGP offers key servers to simplify the process of exchanging keys, not everyone has their PGP keys listed on a key server. So the key exchange mechanism is an issue for PGP. Both PGP and S/MIME require users at both ends to install the certificate. They are more secure but at the same time more complicated.

Conclusions
The current email infrastructure is insecure. A simple and easy way to secure the communications between computers and email servers is to use SSL. If ISPs use both authenticated SMTP and SMTP over SSL, email security will be much enhanced. In addition, users can use PGP or S/MIME to encrypt messages and add signatures to the messages to provide end-to-end email security.
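An added example, not part of the HKCERT bulletin: a small Python auditor that reads a client-side SMTP session log and flags the first and third weaknesses listed under Lack of Security, namely a login or message sent without SSL/TLS and a sender accepted with no authentication. The "C:"/"S:" log format, the host names and the account are constructed for illustration; it handles AUTH LOGIN and AUTH PLAIN with an initial response.

```python
import base64
from dataclasses import dataclass

# Constructed session logs; "C:" lines come from the client, "S:" from the server.
PLAINTEXT_LOGIN = """\
S: 220 mail.example.org ESMTP
C: EHLO pc.example.org
S: 250-STARTTLS
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: YWxpY2U=
S: 334 UGFzc3dvcmQ6
C: czNjcmV0
S: 235 Authentication successful
C: MAIL FROM:<alice@example.org>
S: 250 OK""".splitlines()

TLS_THEN_AUTH = """\
S: 220 mail.example.org ESMTP
C: EHLO pc.example.org
S: 250-mail.example.org
S: 250 STARTTLS
C: STARTTLS
S: 220 Ready to start TLS
C: EHLO pc.example.org
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN AGFsaWNlAHMzY3JldA==
S: 235 Authentication successful
C: MAIL FROM:<alice@example.org>
S: 250 OK""".splitlines()

NO_AUTH_REQUIRED = """\
S: 220 mail.example.org ESMTP
C: HELO pc.example.org
S: 250 mail.example.org
C: MAIL FROM:<ceo@example.org>
S: 250 OK""".splitlines()


@dataclass
class Finding:
    line_no: int
    issue: str
    detail: str


def _b64(token):
    """Decode one base64 token from the log; '' if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return ""


def audit_smtp_session(lines):
    """Return the Findings for one logged SMTP session."""
    tls = authed = False       # STARTTLS accepted / server answered 235
    expect = None              # next AUTH LOGIN client line: "user" or "pass"
    user, cmd, cmd_no = "", "", 0
    findings = []

    def creds_sent(no):
        # Only the account name is reported; the password is never decoded.
        if not tls:
            findings.append(Finding(no, "cleartext-credentials",
                f"login for '{user}' sent without TLS; base64 is not encryption"))

    for no, raw in enumerate(lines, 1):
        side, _, text = raw.partition(": ")
        text = text.strip()
        if side == "C" and expect == "user":
            user, expect = _b64(text), "pass"
        elif side == "C" and expect == "pass":
            expect = None
            creds_sent(no)
        elif side == "C":
            cmd, cmd_no = text, no
            parts = text.split()
            if text.upper().startswith("AUTH LOGIN"):
                expect = "user"
            elif text.upper().startswith("AUTH PLAIN") and len(parts) == 3:
                fields = _b64(parts[2]).split("\0")   # authzid, user, password
                user = fields[1] if len(fields) == 3 else ""
                creds_sent(no)
        elif side == "S" and text[3:4] != "-":         # last line of a reply
            code, verb = text[:3], cmd.upper()
            if verb == "STARTTLS" and code == "220":
                tls, authed = True, False              # session restarts in TLS
            elif code == "235":
                authed = True
            elif verb.startswith("MAIL FROM") and code == "250":
                if not authed:
                    findings.append(Finding(cmd_no, "unauthenticated-sender",
                        f"server accepted {cmd} with no AUTH; any sender can be claimed"))
                if not tls:
                    findings.append(Finding(cmd_no, "cleartext-transport",
                        "envelope and message cross the network unencrypted"))
    return findings
```

Calling `audit_smtp_session(PLAINTEXT_LOGIN)` returns the findings for the first constructed log; the same function can be fed a mail client's debug log converted to the `C:`/`S:` form.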
Lastly, please ensure you have already installed anti-virus, anti-spyware and have activated personal firewall in your computers. And it is important to update the virus definitions regularly to protect your computers from virus infection effectively. Reference 1. Erik Kangas, The Case For Email Security, LuxSci http://luxsci.com/extranet/articles/email-security.html 2. Lydia Chan, Internet Standard and Guideline for Anti-Spam, Professional Information Security Association Journal, Issue 1, pp 4 – 9 (March 2005) http://www.pisa.org.hk/publication/journal/pisa_j01.pdf Issue 2006 March 5 www.hkcert.org Security Alert Date/ Source Common Name Operating System/ Vendor/ Platform Vulnerability System Impact Patches/ Worarounds/ Solutions * Bugs, Holes & Patches 2006/2/1 Winamp Multiple Playlist Parsing Buffer Overflow Vulnerabilities Mozilla Products Multiple Memory Corruption and Security Bypass Vulnerabilities Winamp - Winamp 5.x - Remote Code Execution Install the patch provided by manufacturer. Please visit our web- site for more details. http://www.hkcert.org Install the patch provided by manufacturer. Please visit our web- site for more details. http://www.hkcert.org 2006/2/3 Mozilla - Mozilla Firefox version - Complete control of an affected system 1.5 and prior - Bypass security restrictions - Mozilla Suite version 1.7.12 and prior - Mozilla Thunderbird version 1.5 and prior - Mozilla SeaMonkey versions prior to 1.0 - JDK 5.0 Update 4 and prior - JRE 5.0 Update 4 and prior - SDK 1.4.2_09 and prior - JRE 1.4.2_09 and prior - SDK 1.3.1_16 and prior - JRE 1.3.1_16 and prior - IBM Lotus Notes 6.x - IBM Lotus Notes 7.x - Compromise the vulnerable system 2006/2/9 Sun Java Sun Java JRE "reflection" APIs Sandbox Security Bypass Vulnerabilities Install the patch provided by manufacturer. Please visit our web- site for more details. 
http://www.hkcert.org 2006/2/11 IBM Lotus Notes Multiple Vulnerabilities IBM Lotus Notes - Security Bypass - Remote code execution Install the patch provided by manufacturer. Please visit our web- site for more details. http://www.hkcert.org Install the patch provided by manufacturer. Please visit our web- site for more details. http://www.hkcert.org 2006/2/15 Microsoft Windows IGMP v3 DoS Vulnerability Windows - MS Win XP SP 1 and MS Win XP SP 2 - MS Win XP Professional x64 Edition - MS Win Server 2003 and MS Win Server 2003 S P 1 - MS Win Server 2003 for Itanium- based Systems and MS Win Server 2003 with SP1 for Itanium- based Systems - MS Win Server 2003 x64 Edition - Denial of Service Issue 2006 March 6 www.hkcert.org Date/ Source Common Name Operating System/ Vendor/ Platform Vulnerability System Impact Patches/ Worarounds/ Solutions * Bugs, Holes & Patches 2006/2/15 Microsoft Windows Media Player Plug- in Vulnerability Windows - MS Win 2000 SP 4 - MS Win XP SP 1 and MS Win XP SP 2 - MS Win Server 2003 and MS Win Server 2003 S P 1 - MS Win XP Professional x64 Edition - MS Win Server 2003 x64 Edition - MS Win XP SP 1 and MS Win XP SP 2 - MS Win XP Professional x64 Edition - MS Win Server 2003 and MS Win Server 2003 S P 1 - MS Win Server 2003 for Itanium- based Systems and MS Win Server 2003 with SP1 for Itanium- based Systems - MS Win Server 2003 x64 Edition - Win Media Player for XP on MS Win XP SP 1 - Win Media Player 9 on MS Win XP SP 2 - Win Media Player 9 on MS Win Server 2003 - MS Win Media Player 10 when installed on Win XP SP 1 or Win XP SP 2 - MS Win Media Player 9 when installed on Win 2000 SP 4 or Win XP SP 1 - MS Win Media Player 7.1 when installed on Win 2000 SP 4 - Remote Code Execution Install the patch provided by manufacturer. Please visit our web- site for more details. http://www.hkcert.org 2006/2/15 Microsoft Windows Web Client Vulnerability Windows - Remote code execution Install the patch provided by manufacturer. 
Please visit our web- site for more details. http://www.hkcert.org 2006/2/15 Microsoft Windows Media Player Vulnerability Windows - Remote code execution Install the patch provided by manufacturer. Please visit our web- site for more details. http://www.hkcert.org Issue 2006 March 7 www.hkcert.org Date/ Source Common Name Operating System/ Vendor/ Platform Vulnerability System Impact Patches/ Worarounds/ Solutions * Bugs, Holes & Patches 2006/2/15 Microsoft Internet Explorer WMF Image Parsing Memory Corruption Vulnerability Apple Mac OS X "__MACOSX" ZIP Archive Shell Script Execution Windows - IE 5.01 SP 4 on MS Win 2000 SP 4 - Remote Code Execution Install the patch provided by manufacturer. Please visit our web- site for more details. http://www.hkcert.org Install the patch provided by manufacturer. Please visit our web- site for more details. http://www.hkcert.org 2006/2/22 Mac - Apple Mac OS X - Compromise a user's system * (Please check instructions carefully on related web site before applying the solutions) Issue 2006 March 8 www.hkcert.org Top News Identity theft losses grow; Web a small factor February 01, 2006 U.S. consumers lost nearly $57 billion last year to criminals who stole their identities, but online fraud was the culprit in just one in 10 cases, according to a survey released on Tuesday. The study by the Council of Better Business Bureaus and Javelin Strategy & Research showed that identity theft cost U.S. consumers 4 percent more in 2005 than the $54.4 billion it cost in 2004. The average fraud rose to $6,383 from $5, 885. Nevertheless, the number of adult Americans who learned that criminals had stolen personal data and used it to commit fraud fell to 8.9 million, or 4 percent, from 9.3 million in 2004 and 10.1 million in 2003. Data showed that people who were younger and had lower incomes were more vulnerable. (from CNET) has alleged. 
Grimes claims that the firewall will allow any Java application or Java script to contact the internet, and is also set up to trust any application that uses a digital certificate. While Microsoft has its reasons for assuming that traffic from these sources can be trusted, the facility goes against best practice by allowing it through by default, argued Grimes, who referred to it as a "misconfiguration error". (from vnunet) British Industry (CBI). Despite 60 per cent of medium-sized firms using the internet in their supply chain, 52 per cent have poor, or no security to cope with online attacks, says the CBI, which yesterday (Wednesday) launched an IT security guide for small and medium-sized businesses. (from vnunet) Spyware tunnels in on Winamp flaw February 03, 2006 A security bug in Winamp is being exploited by miscreants to install spyware on machines running the media player software, experts have warned. Earlier this week, security companies warned that attack code for exploiting the flaw was circulating on the Internet. On Thursday, Sunbelt Software said it had found a Web site hosting a malicious Winamp playlist file. Opening the file loads spyware onto an unwitting user's PC, it said. "After surfing to a malicious Web site on our test machines, the file 'x.pls' begins to download," Sunbelt's Adam Thomas wrote in a posting on the anti-spyware software maker's corporate blog. "Almost immediately, Winamp starts to execute the play list and remote code execution begins." (from CNET) FAQ: The Kama Sutra worm February 02, 2006 A computer worm is set to damage computer systems, starting midnight local time on Feb. 3. There has been a lot of confusion surrounding this worm, especially because media organizations and antivirus vendors haven't decided on a common name. CNET has settled upon Kama Sutra. Its other aliases include CME-24 (USCERT), MyWife (McAfee), Tearec (Panda), Nyxem (Sophos), Blackmal (Symantec, Computer Associates, Vet), and Grew (Trend Micro). 
(from CNET) Fake F-Secure e-mail contains malware February 02, 2006 A Trojan horse has been sent to e-mail addresses disguised as a message from antivirus software vendor F-Secure Corp. in Helsinki, Finland, the company said in a statement. F-Secure said that an unknown attacker sent out thousands of infected e-mails crafted so that they appear to be from a nonexistent F-Secure employee, “David Adams, Dept. Research, FSecure Development.? The addresses used in the attack include press@f-secure.com, info@f-secure.com and editor@f-secure.com, F-Secure said. The e-mails were not sent from the company’s network but were spoofed to look like they were coming from an F-Secure address, the company said. (from ComputerWorld) Security snafu at Boston Globe exposes subscriber data February 01, 2006 An apparent attempt to recycle discarded internal reports has ended up in the compromise of credit card and bank number information belonging to more than 240,000 subscribers of The Boston Globe and the Worcester Telegram & Gazette. The snafu occurred when the account information of Globe and T&G subscribers who pay for their home delivery subscriptions by credit card was disclosed on the back of more than 9,000 individual routing slips used to label bundles of the Worcester Sunday Telegram, the Globe said in a statement today. The bank routing information of some T&G subscribers who do not pay by credit card may have also been inadvertently disclosed, the paper said. (from ComputerWorld) Microsoft's OneCare offers malware loophole February 01, 2006 The firewall in Microsoft's forthcoming OneCare security suite fails to stop two potentially harmful data streams, security expert Roger Grimes Kama Sutra worm threat shrivels February 03, 2006 The Kama Sutra worm, designed to begin deleting files on infected computers this morning, has caused virtually no damage, according to antivirus firms. 
The worm, also known as Nyxem.E, MyWife and Blackworm, has been circulating for a couple of weeks, and antivirus vendors said businesses have done well to ensure that their networks were protected against the pest. There have been "no reports of any (Kama Sutra) detonations so far. Also, the virus seems to be dropping in e-mail prevalence. It was down to second place yesterday, according to our monitoring stations, and slid again into third place today," Paul Ducklin, head of technology at Sophos Asia-Pacific, told ZDNet Australia. (from CNET) Small firms face IT security risk February 02, 2006 Inadequate IT security is putting small and medium-sized firms and their supply chain partners at risk, according to the Confederation of Firms look for spyware standard February 03, 2006 Issue 2006 March 9 www.hkcert.org A number of major security firms have joined forces to develop an industry standard to define spyware, and to create a methodology to validate anti-spyware products. The Spywaretesting.com group includes McAfee, Symantec, Trend Micro, ICSA Labs and Thompson Cyber Security Labs. ¡§This initiative has been set up to help customers and analysts to test and validate anti-spyware and ensure that products do what they say,¡¨ said McAfee¡¦s Greg Day. A web site managed by ICSA Labs has been set up to monitor the progress of the methodology. (from vnunet) AOL and Yahoo! to charge for emails February 06, 2006 AOL and Yahoo! are to start charging for sending emails. Both companies will still accept free emails but are offering the chance to pay to avoid their spam filters. By paying between a quarter and one cent per message companies will get preferential delivery of their messages. So a "business class" email will go straight to an AOL-subscriber's inbox marked with a stamp saying "AOL Certified Email" while a free email will have to run the gamut of AOL spam filters. Free mails may also have images and web links removed. 
(from The Register) Nyxem claimed up to 946,835 victims February 07, 2006 Although the Nyxem.E worm caused very little actual damage, researchers estimate that the worm infected between 469,507 and 946,835 systems from 15 January to 1 February. Nyxem.E was designed to overwrite several document types including Word and Excel files on an infected system on the third day of every month, beginning last Friday. The worm spreads through spam email messages promising pornographic pictures. The malware is considered rare because infected systems make a single call back to a website, providing the worm author and security researchers with information about its proliferation. (from vnunet) Damage forecast low for file-trashing virus February 05, 2006 A virus that is scheduled to begin deleting files today from infected Windows computers is unlikely to result in widespread damage, security vendors said, although some businesses reported being affected. F-Secure Corp. has been in contact with one large U.S. company that had "tens of thousands of infected computers," said Mikko Hypponen, FSecure's chief research officer. The company, which Hypponen declined to identify but said was not an F-Secure customer, had been working to cleanse the machines. It may keep its computers switched off today as a precaution until it can be sure that they are virusfree. (from ComputerWorld) Antispam group rejects e-mail payment plan February 07, 2006 A leading antispam agency has struck back at moves to charge companies a fixed fee to ensure e-mails are delivered, saying it will erode freedoms. On Monday, Richard Cox, chief information officer at antispam organization Spamhaus, said that "an e-mail charge will destroy the spirit of the Internet." "The Internet has become what it is because of freedom of communication. Open discussion is what gives it value. There should be no cost for particular services, and e-mail should be free and accessible to all. 
This will disenfranchise people, " Cox said. (from CNET) Sun issues patches for critical Java flaws February 08, 2006 Sun Microsystems issued a patch Tuesday to address seven "highly critical" flaws in its Java Runtime Environment that could allow a malicious attacker to gain remote control over a user's system. The flaws affect systems running on Windows, Solaris and Linux that are using certain versions of Sun's Java Development Kit 1.5, Software Development Kit (SDK) 1.3 and 1.4, and JRE 1. 3, 1.4, 1.5 and 5.0, or earlier, according to an advisory issued by Secunia, which rated the flaws as "highly critical." Sun's JRE software, especially version 1.4, is found on a number of computers and allows users to run Java applications, which operate in a "sandbox"--a separate area cordoned off from the rest of the user's system. (from CNET) Phishing e-mail purports to be from IRS February 06, 2006 The Internal Revenue Service today confirmed that an e-mail purporting to be from the IRS is part of a scam designed to trick users into revealing their personal information, including Social Security and credit card numbers. The subject line of the e-mail, which was received by a Computerworld reporter, reads "Refund Notice!" and claims to be from "refund@irs. gov." A portion of the e-mail reads, "You filed your tax return and you're expecting a refund. You have just one question and you want the answer now - Where's My Refund” New program enhancements allow you to begin a refund trace online if you have not received your check within 28 days from the original IRS mailing date." (from ComputerWorld) Do we really care about storage security? February 07, 2006 How many stories about lost backup media will it take before we all finally get serious about storage security? Like clockwork, you can count on a new story appearing every couple of weeks. 
In the past month, we've learned of yet another bank sending unencrypted tapes with sensitive data via UPS as well as a health care company using an employee's garage for off-site media storage. In the latter case, the employee's car, which contained backup disks and tapes, was stolen. Interestingly, the tapes actually were encrypted; unfortunately, the disks were not. Too bad the car didn't have LoJack! (from ComputerWorld) Russian keyloggers hit bank customers February 08, 2006 Russian scammers used key logging Trojans to steal more than a £á1m from French people accessing online bank accounts. The Trojans were sent by email but were not activated until people accessed their online bank accounts. Then the Trojan forwarded on user names and passwords to the crooks. The thieves then used the details to transfer funds to third party "mule" accounts. The worst individual loss was £á40,000. French police were told in November 2004 and the scam lasted 11 Issue 2006 March 10 www.hkcert.org months. (from The Register) Windows hit by yet another WMF hole February 08, 2006 Microsoft has issued a warning about a new vulnerability in the Windows Meta File (WMF) image format that affects older versions of Internet Explorer. The vulnerability exists in IE 5.5 running on Windows 2000 and IE 5.01 on Windows ME. Users of IE 6 or other Windows versions are not affected by this vulnerability, Microsoft emphasised in a security advisory. Roughly five per cent of the world's computers run IE 5. While the vulnerability is new, it behaves in a similar way to the WMF flaw that Microsoft was forced to patch last month. (from vnunet) tor access to files. The point is that most administrators take security very seriously. What you might not realize is that all of this security can be easily undone through the simple action of a user accessing a file through legitimate means. In this article, I will show you how this is possible and what you can do to fight back. 
(from ComputerWorld) a scene involving computers and you’ll often find that the software programs used by the characters look pretty slick but aren’t very realistic. Not so with the new Warner Bros. film Firewall, a bank-heist thriller that stars Harrison Ford and opens today in theaters nationwide. In the movie, Ford’s character, banking security expert Jack Stanfield, is a victim of identity theft by perpetrators who want to force his assistance in a $100 million theft. A Web site of creditmonitoring service Equifax Inc. is featured in a scene in which Stanfield checks his online credit report. (from ComputerWorld) Islamist hackers attack Danish sites February 09, 2006 Protests over cartoon images of the prophet Mohammed have spilled onto cyberspace with a series of attacks against Danish and other western websites. Islamist ire over the publication of the "satiric pictures" portraying the prophet Mohammed, first published in Denish newspaper Jyllands-Posten, has resulted in 1,000 attacks against web servers, according to defacement archive Zone-H. Danish sites have copped the majority of attacks, but the barrage of assaults has also hit Israeli and other western web servers. Hacker groups from different Muslim nations have united in attacks that promote both moderate and extremist manifestos. Some defacements promote a boycott against Danish products, while others (such as those by the self-styled IIB Internet Islamic Brigades) threaten suicide bombing attacks on Denmark. (from The Register) EFF issues Google Desktop warning February 10, 2006 Google has released a revamped version of its desktop search tool which introduces the ability to search the contents of one computer from another. Previous versions of the tool indexed files on user's PCs, but using the optional "Search Across Computers" facility in Google Desktop 3 temporarily stores text copies of searchable items on Google's own servers for up to 30 days. 
Search Across Computers makes a range of files - including web histories, Microsoft Word documents, Excel spreadsheets, power point presentations as well as PDF files and text files in the My Documents folder - searchable from other computers. The contents of secure web pages are excluded from the list. Users would log on using their Google password can find data on files they've worked on regardless of which PC they used to produce them. Users can also exclude certain file types or locations from indexing. (from The Register) Vulnerabilities found in Sony Ericsson phones February 09, 2006 Several cell phones produced by Sony Ericsson Mobile Communications are vulnerable to denial-of-service attacks, two security companies reported this week. The flaw is found in four models of Sony Ericsson phones and comes from an error in their Bluetooth service, according to the French Security Incident Response Team, or FrSIRT. Danish security firm Secunia reported the same flaw, and both companies have rated the potential security risk as low. Thomas Kristensen, Secunia's chief technology officer, said that someone intent on knocking out one of the four Sony Ericsson phones, which includes the K600i and T68i, would need only to get within 50 feet while carrying a handheld device configured to send the malicious code via Bluetooth. The code would crash the phone. (from CNET) Homeland Security wraps up first mock cyberattack February 10, 2006 The government has ended its first large-scale mock cyberattack, aimed at gauging the nation's readiness to handle such threats, the Department of Homeland Security said Friday. The weeklong exercise, dubbed "Cyber Storm," was organized by the department's National Cyber Security Division and 115 public- and private-sector partners. 
It was designed to model the coordination among government and industry necessary for responding to and recovering from "large-scale" intrusions affecting the energy, information technology, telecommunications and transportation sectors. (from CNET)

Web of intrigue widens in debit-card theft case
February 11, 2006
An investigation into thousands of compromised debit cards that was widely reported this week appears to involve two of the nation's largest retailers, according to multiple law enforcement and banking sources. This week, two major banks joined a credit union in canceling a combined 200,000 accounts belonging to debit-card holders. In letters to affected customers, Bank of America and Washington Mutual said they were canceling debit cards because of a security breach at a "third-party" location. Officials from both banks and law enforcement agencies have refused to identify the location. Sources now say that the case might involve two separate retail chains--one which has acknowledged a problem and another whose possible role is uncertain. (from CNET)

Protecting your network against spoofed IP packets
February 09, 2006
The vast majority of administrators go to great lengths to protect the files on their network. Typically, elaborate firewalls are used to keep outsiders away from file servers. The files residing on those servers often lie behind an intricate permissions scheme and are often encrypted. Complex auditing mechanisms might even moni-

Movie Firewall dramatizes dangers of ID theft
February 10, 2006
Watch any recent movie or television series with

Issue 2006 March 11 www.hkcert.org

thousands, of virtual computers that detect which websites attempt to download software to a visitor's computer and whether giving out an email address during registration can lead to an avalanche of spam. (from The Register)

loaded off its website. Microsoft said the new version has been redesigned with a simpler interface.
Other features include a warning system that rates the severity of threats so the program is less intrusive for the user, Microsoft said. (from ComputerWorld)

RSA confab: Boom times for security
February 13, 2006
The security industry converges at the annual RSA Conference this week, an event that's moved far beyond its origins as a get-together for cryptogeeks and other insiders. Though still organized by RSA Security, a company with its roots in cryptography, the confab has developed into a showcase for security companies and an annual gathering for IT professionals. This year is the 15th anniversary of the event. "There has been significant growth," said Ray Wagner, an analyst with Gartner. "The RSA Conference four, five years ago was much more of a technician conference." (from CNET)

Microsoft preps critical Windows Media patch
February 13, 2006
Microsoft will issue a security update on Tuesday that patches a total of seven vulnerabilities in Windows and related applications. One of the vulnerabilities affects Windows Media Player and is rated 'critical'. This is Microsoft's highest severity rating and typically means that a system can become compromised without user interaction. Windows itself is scheduled to receive four security patches, at least one of which is rated 'critical'. Microsoft is also preparing an 'important' update for a flaw that affects both Windows and the Office productivity suite, and the final fix is for Office and is rated 'important'. (from vnunet)

RSA: Security confidence low, but people buy anyway
February 14, 2006
U.S. and Western European businesses are seeing their online sales grow, but many of them have questions about the security of their networks, according to a survey released today by RSA Security Inc. Three quarters of businesses surveyed said they have completed more online transactions in the last year than they had in years past, and only 1% said they saw a decline. But 67% of U.S.
businesses reported some concern about the vulnerability of their networks, while 37% of businesses in the U.K., France and Germany also expressed security concerns. Results from business and consumer respondents to the survey showed a gap between security confidence and use of the Internet for transactions, said RSA in announcing its first Internet confidence security index. (from ComputerWorld)

Security Convergence
February 13, 2006
In many respects, the physical and information security groups that coexist within companies are as different from each other as J. Edgar Hoover and Bill Gates. Physical security staffs predominantly consist of former law enforcement officials who report to legal, compliance or risk management departments, whereas information or logical security departments typically have employees with technical backgrounds who are part of the IT organization. Physical security divisions tend to focus on the three G's -- guards, guns and gates -- while logical security groups usually concentrate on safeguarding information systems. (from ComputerWorld)

Gates: End to passwords in sight
February 14, 2006
For years, Microsoft Chairman Bill Gates has had his sights set on the password as the weak link in the computer security chain. Now, with Windows Vista, Gates feels he finally has the right weapons to supplant the password as a means of verifying who is who on computers and over the Internet. The new operating system, due later this year, introduces a concept called InfoCards that gives users a better way to manage the plethora of Internet login names and passwords, as well as lets third parties help in the verification process. Vista will also make it easier to log on to PCs using something stronger than a password alone, such as a smart card.
(from The Register)

Tips & Tweaks: Avoid viruses and phishing scams
February 15, 2006
If you follow my blog, you know I've been embroiled in an ongoing struggle to troubleshoot my PC, which went south after a recent windstorm here in Southern California. If that wasn't enough, I've also been getting phishing e-mails to deal with. And, of course, we all heard about that Kama Sutra worm that was supposed to wreak havoc on Feb. 3. All of this set me to worrying about you and how you're faring. This week I've pulled together some free antivirus software to try, plus updates on phishing attacks and how you can avoid getting scammed. (from ComputerWorld)

Start-up seeks to spin a safer web
February 13, 2006
File-sharing software that installs adware, websites that attempt to compromise a visitor's computer, and free downloads that install a host of other unwanted software - the web has become a confusing and sometimes dangerous place for the average home user. A group of graduates from the Massachusetts Institute of Technology (MIT) aim to change that by crawling the web with hundreds, and soon

Windows Defender Beta 2 released
February 14, 2006
Microsoft Corp. has posted a second beta version of Windows Defender, its free spyware-removal tool. The program is in a name-change transition: Windows Defender initially was called Windows AntiSpyware. The new version can be down-

US completes Cyber Storm world hack
February 15, 2006
The US Department of Homeland Security (DHS) has completed its Cyber Storm government-led IT security exercise. Cyber Storm aimed to examine response, coordination and recovery mechanisms to a simulated "cyber-event" within international, federal, state and local governments in conjunction with the private sector. The DHS reported that 115 public, private and international agencies, organisations and companies were involved in the planning and implementation of Cyber Storm.
(from vnunet)

Worms turn on Google to hunt for victims
February 15, 2006
Malware authors are increasingly creating digital pests that use Google to find their next victim. Using the search tool for automated vulnerability detection is the latest trend in a technique known as 'Google hacking'. George Kurtz, senior vice president for risk management at security firm McAfee, told vnunet.com about the phenomenon after a presentation at the RSA Conference in San Jose. The Santy.a worm, for instance, targeted a known vulnerability in some versions of the phpBB open source bulletin board application to deface websites. It found its victims through an automated Google search query. (from vnunet)

rus -- the first ever to target the operating system. The virus, dubbed Leap-A by antivirus company Sophos PLC, apparently spreads using Apple’s iChat IM service, forwarding itself as a file called “latestpics.tgz” to an infected user’s buddy contacts, according to information from U.K.-based Sophos. Clicking on the file allows the malware to install and disguise itself as a harmless-seeming .jpeg icon. (from ComputerWorld)

Bluetooth worm targets Mac OS X
February 17, 2006
Just a day after experts warned of what is believed to be the first Trojan in the wild to target Apple Computer's Mac OS X, alerts are being published on a new worm that exploits an 8-month-old vulnerability in the operating system. The new Inqtana worm spreads through a security flaw in Apple's Bluetooth software, antivirus vendors Symantec and F-Secure said on Friday. Apple provided a fix for the flaw last June with security update 2005-006. The worm attempts to use Bluetooth to propagate. Once it infects a computer it searches for other Bluetooth-enabled devices and sends itself to those it finds, Symantec said. (from CNET)

Hackers follow Microsoft patches with malware
February 17, 2006
Hackers have released software that could be used to take over Windows PCs that lack the latest Microsoft security patches.
But while this code is dangerous, security experts said today that it had yet to be used by attackers in any widespread way. The attack code exploits two separate bugs in Windows Media Player, which were addressed in Microsoft's MS06-005 and MS06-006 advisories released Tuesday. The MS06-005 bug concerns a flaw in the way the Media Player processes bitmap files, while MS06-006 has to do with the Media Player plug in for non-Microsoft browsers. (from ComputerWorld)

from becoming a mainstream application, a panel of experts at this year's RSA Conference concluded. "The largest complaint at biometrics conferences is that every year people say that this is the year of biometrics. And then they come back the next year and say maybe this is the year of biometrics," said Richard Lazarick, chief technologist at CSC Global Security Solutions. Lazarick argued that one of the major problems preventing biometrics from becoming mainstream is a lack of agreed standards. (from vnunet)

Security Execs Push for Broader Use of Metrics
February 20, 2006
Measuring IT security risks and the effectiveness of corporate defenses can be a difficult and somewhat imprecise task. But that shouldn't be an excuse for not trying to gather such metrics, IT managers said at the annual RSA Conference here last week. Security professionals have long advocated that companies use both quantitative and qualitative metrics to get a more granular view of IT risks and the controls needed to mitigate them. At RSA Conference 2006, many attendees said the topic is taking on increased importance because of regulatory requirements that are pressuring corporate executives to demonstrate due diligence on protecting their data assets. (from ComputerWorld)

Apple iPod gets 007 data spying tool
February 20, 2006
An IT security consultant has developed a program designed to scan corporate networks for sensitive files and automatically transfer them to an iPod.
The 'slurp.exe' application fits on a standard iPod and when activated searches a network for relevant file formats, such as Word and Excel documents. Consultants at Sharp Ideas wrote the application as a proof of concept and posted it on the corporate website. It has since been hobbled so that it cannot copy files, but just counts how many are available. (from vnunet)

FBI wants businesses' help to fight cybercrime
February 16, 2006
The FBI needs more help from private businesses to stay ahead of the curve in the fight on cybercrime, said FBI Director Robert Mueller. "Those of you in the private sector are our first line of defense," Mueller said Wednesday, during a speech to attendees of the RSA Conference 2006 here. "We recognize that in certain areas we lack the expertise that you possess. We lack the specific knowledge of threats that affect individual businesses every day." The advent of the information age has made the world smaller and smarter, but the threats have become equally more diverse and dangerous, Mueller said. "We need your help, and we continue to ask for your cooperation," he said. (from CNET)

World's first OS X virus hits Apple
February 16, 2006
Apple Computer Inc.’s Mac OS X software has been hit by a mischievous instant messaging vi

Biometrics struggles to go mainstream
February 17, 2006
A host of problems is keeping biometric security

Security experts see vulnerabilities in embedded databases
February 21, 2006
With Oracle Corp.’s purchase last week of open-source embedded software maker SleepyCat Software Inc., at least one security analyst believes that Oracle -- which has come under fire for security vulnerabilities in its core database -- could be adding more potential problems. SleepyCat’s BerkeleyDB database has been deployed more than 200 million times, according to London-based research firm Ovum Ltd.
Those deployments range from network routers and cell phones to business applications and popular Web sites. “Embedded databases are completely overlooked, yet they represent a soft underbelly,” said Ted Julian, vice president of marketing at New York-based Application Security Inc. “You could have sensitive technical information such as configuration data stored on a router or customer information on a piece of software.” (from ComputerWorld)

Lineage is offered with a three-day free pass for each new registration in Korea. Normally the game costs 29,700 Won ($31) per month. NCSoft maintains victims of the identity theft were not hit financially. Local reports speculate that Chinese hackers obtained the personal data on Koreans in order to resell game access on the black market. Local police are investigating the case. (from The Register)

on thousands of current and former McAfee employees, putting them at risk of identity fraud. The disc was lost on Dec. 15 by Deloitte & Touche USA, McAfee spokeswoman Siobhan MacDermott said Thursday. The Santa Clara, Calif.-based security software company was first notified on Jan. 11, and on Jan. 30, it received particulars of the data that may have been on the CD, MacDermott said. The disc contained personal details on all current U.S. and Canadian McAfee workers hired prior to April 2005 and on about 6,000 former employees in the same region, MacDermott said. (The security company currently has approximately 3,290 employees worldwide.) The information wasn't encrypted and potentially includes names, Social Security numbers and stock holdings in McAfee. (from CNET)

N.H. state server eyed in possible credit card data breach
February 22, 2006
The FBI, the Department of Justice and New Hampshire officials are investigating a potential security breach after the Cain & Abel computer worm was found on a state Department of Motor Vehicles (DMV) server during a routine security check last week.
The state’s Office of Information Technology said in a that no evidence has been found that indicates any user credit card information was accessed. Residents who used the state server for transactions were warned to keep an eye on their credit card transaction histories, but state officials said no illegal credit card use has been reported. The server held only credit card numbers, with no other personal information. (from ComputerWorld)

Study: Americans send USPS a love letter on privacy
February 23, 2006
For the second year in a row, Americans have rated the U.S. Postal Service as the No. 1 government agency they trust to protect their privacy, according to a study by Ponemon Institute LLC. Not only did the Postal Service retain the top spot, but its customer satisfaction and trust scores were even better than last year, according to the institute’s 2006 Privacy Trust Study of the U.S. Government released yesterday. The study, sponsored by San Francisco-based Vontu Inc., is designed to measure the level of confidence Americans have in 57 federal agencies that routinely collect and use personal information. The study is available online (registration required). (from ComputerWorld)

Global safety zone
February 21, 2006
If it seems that the world has become a more dangerous place for sensitive organizational data over the past five years, that's probably because it has. As natural disasters, terrorism, disease and social unrest have threatened to affect staffing in various parts of the globe, the business continuity plans of many organizations have had to become heavy on the disaster recovery side. Such safeguards become critical when companies extend their data infrastructures overseas. Catastrophic events such as the 2001 terrorist attacks in the U.S. have forced IT managers to make disaster recovery a priority.
At Advance Transformer Co., a lighting manufacturer in Rosemont, Ill., and a division of Philips Electronics North America Corp., the attacks were a wake-up call, said CIO Julius Tomei. (from ComputerWorld)

Sophos sees OS X virus ghosts
February 22, 2006
Anti-virus vendor Sophos has released an update of the Inqtana-B virus identity file for its Sophos Anti-Virus for OS X software due to false positives. The company initially released an antidote that incorrectly flagged various files in Microsoft Office 2004 and in Adobe Acrobat Reader as being infected with the OS X worm. Users in some cases reported that the anti-virus software claimed over 1,000 infections. The false positives have a great impact on users, as the anti-virus program will block access or delete all "infected" files, depending on the software's configurations. This effectively renders the systems useless. (from vnunet)

Is your cell phone due for an antivirus shot?
February 24, 2006
You can put videos, games, pictures and music on your cell phone. Is antivirus software next? Programs that fight viruses have become a necessary evil on Windows PCs. Now the antivirus industry is turning its attention to mobile phones--but it's running into reluctance from cell service providers, who aren't so sure that the handset is the best place to handle security. Verizon Wireless, one of the top U.S. mobile networks, doesn't see a need for its customers to install antivirus software on cell phones. "At this point, that is absolutely not required by indi-

Chinese hackers allegedly make a game of ID theft
February 21, 2006
Names and national identity numbers of 2,000 South Koreans have been stolen by sneak thieves who used the information to play the popular online computer game Lineage for free. Seoul-based game developer NCSoft issued a warning after getting numerous, and rising, reports of unauthorised players last week. It reckons the purloined data "leaked" from internet shopping malls, the Korea Times reports.
Auditor loses McAfee employee data
February 23, 2006
An external auditor lost a CD with information

vidual customers," spokesman Jeffrey Nelson said. (from CNET)

Internet Explorer 7 adds security features
February 24, 2006
Another preview version of Microsoft's Internet Explorer, with tabbed browsing, an integrated search box, and RSS support -- all features long taken for granted by Firefox users -- is now available. The Beta 2 preview of Version 7 also sports a much more compact and streamlined interface than that of the current Internet Explorer, with a strong emphasis on dedicating as much of the window as possible to the displayed Web site. The beta is functional for Windows XP machines running Service Pack 2. The preview release has various bugs and rough edges, including some display problems and program crashes. (from ComputerWorld)

-the use of keylogging programs that silently copy the keystrokes of computer users and send that information to the crooks. These programs are often hidden inside other software and then infect the machine, putting them in the category of malicious programs known as Trojan horses, or just Trojans. (from CNET)

Employees too lax with mobile data
February 27, 2006
Businesses who use mobile devices as part of their IT infrastructures are leaving themselves open to major security risks, research warns. Research firm Quocirca says most IT professionals believe keeping company data on mobile devices greatly heightens the risk of its exposure. The best thing to do is enforce a disciplined policy to help employees understand the security risks involved, the report says. 'It is best to define a mechanism to let all employees in the company know where they stand on security issues right from the outset,' it said. (from vnunet)

Zero-Day Infection Is Headed Off Efficiently
February 27, 2006
Every morning at 8:30, our IT department has an operational status meeting.
All the managers have a chance to review changes to the infrastructure and can raise their own concerns. For example, the data center operations manager discusses any major change controls scheduled for the day and reviews the Priority 0 and 1 issues from the past 24 hours. We also track help desk calls and virus tickets. Normally, about five to 10 virus tickets are open on any given day. That's not bad, considering that we have over 6,000 employees worldwide. Yesterday, though, the operations meeting was cut short by an explosion of virus-related help desk tickets. Within 30 minutes, the help desk received 40 virus-related calls, and the number was increasing rapidly. It seemed that a zero-day virus had made its way into the network. (from ComputerWorld)

New virus closes gap between PCs and Windows Mobile
February 28, 2006
The Mobile Antivirus Researchers Association claims to have detected the first worm that can jump from a PC to a Windows Mobile-powered wireless device. Upon infection on a Windows PC, the "Crossover" worm nests itself in a directory, where it will automatically activate once the user connects a Windows Mobile device to the computer using the Microsoft ActiveSync synchronisation application. The digital pest was sent to the group anonymously and is a proof of concept that is designed to show off its features but won't cause any actual harm.

Ernst & Young fails to disclose high-profile data loss
February 25, 2006
Ernst and Young should go ahead and pony up for its own suite of transparency services. The accounting firm failed to disclose a high profile loss of customer data until being confronted by The Register. Ernst and Young has lost a laptop containing data such as the social security numbers of its customers. One of the people affected by the data loss appears to be Sun Microsystems CEO Scott McNealy, who was notified that his social security number and personal information have been compromised.
While pushing all-out transparency for its customers, Ernst and Young failed to cop to the security breach until contacted by us. (from The Register)

Triple threat to Mac OS X largely academic
February 27, 2006
At first blush, the past two weeks have not been good for the image of Apple's Mac OS X: Public descriptions of two worms and a trivial exploit for a serious software issue in the operating system appeared on the internet. However, the three programs are hardly a threat to systems running Mac OS X, according to security professionals. One worm, known as OSX.Leap.A and assigned CME-4 by the Common Malware Enumeration Project, requires too much user interaction, hobbling its attempts to spread. A second worm, dubbed InqTana, and its two variants are actually proof-of-concept programs that were not discovered on the internet but were instead sent to anti-virus vendors and Apple by a researcher to prove that worms can spread through Bluetooth. (from The Register)

Cyberthieves silently copy keystrokes
February 27, 2006
Most people who use e-mail now know enough to be on guard against "phishing" messages that pretend to be from a legitimate business but are actually attempts to steal passwords and other personal data. But there is evidence that among global cybercriminals, phishing may already be passe.
In some countries, like Brazil, it has been eclipsed by an even more virulent form of electronic con-

FOR FURTHER INFORMATION, PLEASE CONTACT
Tel: (852) 8105 6060
Fax: (852) 8105 9760
e-mail: hkcert@hkcert.org
Web Site: http://www.hkcert.org
Hong Kong Computer Emergency Response Team Coordination
