Threat Level: green Handler on Duty: Bojan Zdrnja

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-12-13 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

PCI Compliance

Published: 2005-12-13
Last Updated: 2005-12-13 23:52:36 UTC
by Scott Fendley (Version: 2)
0 comment(s)
For those that have not heard,  Computerworld is reporting that Sam's Club is investigating a security breach involving credit card data.  This is going to be very interesting to see how the major credit card companies will enforce the PCI (Payment Card Industry) standards on large or small merchants.

Just thinking back, I do not remember a diary about the PCI standards, but I have slept once or twice in the past year since it came into existance.  So for those that have missed this, the major credit card companies have developed a set of data security standards that merchants will need to comply.  This include the Sam's Club's or other large merchants all the way down to that coffeehouse down the street who may only be processing 20,000 transactions in a year. (Personally I think that some subsection of these standards should also apply to merchants with a single transaction _ever_ .)   For many companies the point of contact with the credit card industry is probably not an IT person.  This person should have shared with you a long time ago that your company needs to work on this type of compliancy.  Unfortunately, in some cases this may not have occurred or was written off as being already covered under GLBA, or other Federal or State laws.

As IT Security professionals, are you aware of locations within your company which processes credit card transactions?  If you aren't, then take a closer look there is probably somewhere in most companies.  Have your business complied with the PCI standards?  If you haven't,  you need to get moving because you are about 6 months late.

If you are looking for resources to catch up on PCI standards,  here are a few sites where you can get more information.  If any of you have other good resources, please go ahead and post them our direction.  I will update the below list with a more comprehensive list.

Resources:

SANS PCI Webcast - November 2005
Visa Cardholder Information Security Program
Keywords:
0 comment(s)

Gmail SSL Cert Expiration

Published: 2005-12-13
Last Updated: 2005-12-13 22:56:48 UTC
by Scott Fendley (Version: 1)
0 comment(s)
For those that use POP3 access to Gmail, you have most likely seen some problems this afternoon with access.  We have received reports that one of the SSL certificates used within the certificate chain has expired.  We are investigating this, and hope to have something more to report later.

Update (22:30 UTC):  This seems to have been resolved in the past hour.  Not exactly sure what happened, but I guess that is what you get for using beta software right?  In any case, thank you google for the free 2.6G and growing disc space.


Keywords:
0 comment(s)

Microsoft December Patches

Published: 2005-12-14
Last Updated: 2005-12-14 19:17:32 UTC
by Johannes Ullrich (Version: 6)
0 comment(s)
Greetings everyone.  It is Microsoft Patch Tuesday.   Without any further ado.....Here are the Microsoft Security Bulletins. 

Update for SUS 1 Users:
We got this note from our Australian reader Scott A.:
After the latest MS patches were announced I synchronised my SUS server. Now ALL previously approved patches are marked as updated but not approved.
[...]
http://www.wsus.info/forums/index.php?showtopic=7035
claims that:
Atter speaking with a SUS engineer, It has been confirmed that if you have syncronized your SUS server anytime after 5:00A.M PST there is an issue with a corrupt catalog file that will make all of your APPROVED updates show as UPDATED and you will have to manually re-approve everything that was previously approved.

Microsoft is aware of this issue and has published a
Microsoft Knowledge Base Article 912307. It details the workaround if you have performed a synchronization and previously approved software updates have appeared as not approved.

MS05-054: Cumulative Security Update for Internet Explorer (905915)

This appears to be the long awaited IE patch which I had hoped would have come out a couple of weeks ago (see http://www.microsoft.com/technet/security/advisory/911302.mspx ).   This update addresses the following vulnerabilities:

File Download Dialog Box Manipulation Vulnerability - CAN-2005-2829
HTTPS Proxy Vulnerability - CAN-2005-2830
COM Object Instantiation Memory Corruption Vulnerability  - CAN-2005-2831
Mismatched Document Object Model Objects Memory Corruption Vulnerability - CAN-2005-1790

As this update addresses a number of problems, which do aggregate to a critical severity in all operating systems earlier then Windows 2003, the ISC is recommending that you patch this as soon as possible.

As we have been going through the documentation on this bulletin, we note that one there is a kill bit set for the First4Internet XCP uninstallation ActiveX control.  For those that do not remember, First4Internet is the maker of the "Sony rootkit" related to digitial rights management.  In the aftermath of this issue hitting the mainstream, an uninstaller was created using ActiveX controls which also had security vulnerabilities.

MS05-055: Vulnerability in Windows Kernel Could Allow Elevation of Privilege. (908523)

A vulnerability in the Asynchronous Procedure Call queue allows local users to escalate their privileges. A regular user (who has to be logged in first) could use this vulnerability to gain Administrator privileges.
Microsoft rates this vulnerability as "Important" as there is no direct remote vector to exploit this issue. However, coupled with an Internet Explorer vulnerability or similar issues, this could be used to gain Administrator privileges even if a user runs Internet Explorer as a less privileged user.

Note that remote exploit may be possible if user credentials are known.

MS05-011  Bulletin Update involving SMB

Microsoft update this bulletin to make technical staff aware of KB896427.  It would appear that in some cases after patching with MS05-011, you would not be able to view the contents of subfolders on a network share in Windows XP.  This is not necessarily a security issue, but may be critical for your organization.

MS05-050Bulletin Update involving DirectX

Microsoft also updated this bulletin to advise of a revised version of this security update for Windows 2000 SP4, Windows XP SP1 and Windows 2003.  Also, this may not be a super critical issue in general, but you should be aware of this release.

KB905648: Update for Outlook 2003 Junk Email Filter

As usual, Microsoft updated their Junk Email Filter for Outlook 2003 for December.

Malicious Software Removal Tool

Microsoft updated their Malicious Software Removal Tool again this month to include variants of IRCBot, Ryknos, and F4IRootkit.  For more information on this, take a look at  the malware sofware removal tool website.

Thanks Johannes for putting up the initial diary, and the other handlers for helping point out details to go into this extended diary.

Scott Fendley
Handler On Duty


Keywords:
0 comment(s)
Diary Archives