SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #10

February 02, 2007

Both the 2007 Mobile Encryption Summit and the 2007 Log Management Summit are now open for registration. These user-to-user meetings, running in parallel in San Jose, April 23-25, feature first-person case studies of successes and failures and will help you develop a step by step plan for successful deployment and a short list of products that will meet your requirements:
Mobile Encryption Summit: http://www.sans.org/encryptionsummit07/
Log Management Summit: http://www.sans.org/logmgtsummit07/

Speaking of short lists of security products that work, we are putting the final touches on the new "WhatWorks" poster showing all the categories of important security products, what each one does, how they are justified, which are growing fastest, plus short lists of products that actually work in each category. 250,000 copies will be distributed. Please check your SANS portal account to be sure your address is correct. And if you know of products that were not on the last WhatWorks poster, but should have been, email scrofts@sans.org so we can see where the products fit on the roadmap.

Alan

---

TOP OF THE NEWS

Simon says: Let Me Hack Your Vista PC
Companies Held Responsible for How Their Ads are Delivered
GAO's High-Risk Status Report
Florida Governor Calls for New Voting Machines with Paper Audit Trail

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Man Arrested for Software Piracy
Dutch Botmasters Get Time Served, Parole and Fines
Man Avoids Jail for Accessing Former Employer's Network and Stealing Information
Text Spammers to Compensate Cell Phone Customers
South Korean Spammers Arrested
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Bank Glitch Exposes Information on 75,000 Accounts
Notre Dame Security Breach Includes Old Graduate Test Data
Vermont Human Svcs. Dept. Computer Attack Exposes Info. of 70,000 Citizens
STATISTICS, STUDIES & SURVEYS
IBM Internet Security Systems Report: Highlights

---

********************* Sponsored By Symark Software **********************

How do you meet compliance and guard against insider threat at the same time? PowerBroker and PowerKeeper are compliance-based solutions that centralize systems administration while creating and enforcing strong privileged password and security policies. Granular, dynamic password management and audibility ensure a secure access control infrastructure. Sign up for a FREE 30 day trial with full technical support today.
http://www.sans.org/info/3246

*************************************************************************

TRAINING UPDATE: The early registration discount for SANS 2007 expires in 3 weeks. SANS 2007 is the world's largest security training conference with 56 immersion courses and a huge expo. It is in San Diego March 29 - April 5. Complete program:
http://www.sans.org/sans2007/event.php

*************************************************************************

---

TOP OF THE NEWS

Simon says: let me hack your Vista PC (10 February 2007)

Vista's speech recognition feature is vulnerable to a rather simple attack: A sound file downloaded from a web site may trigger commands as the user currently logged in to Vista. It's particularly sad for Microsoft and their users because as this attack is 15 years old. After Apple introduced a similar feature in MacOS 15 years ago, pranksters immediately discovered it's attack potential; Apple implemented a keyword feature to limit access to voice control.
-http://www.theregister.co.uk/2007/02/01/vista_voice_recognition_attack/
-http://isc.sans.org/diary.html?storyid=2148
-http://lists.immunitysec.com/pipermail/dailydave/2007-January/003995.html
-http://blogs.zdnet.com/Ou/?p=416

Companies Held Responsible for How Their Ads are Delivered (31 January 2007)

Priceline.com, Travelocity.com and Cingular Wireless have agreed to pay fines of between US $30,000 and US $35,000 each for advertising through illegal adware. All three companies had bought advertisements on DirectRevenue, which has been the target of a lawsuit for "fraudulent software installations and serving illegal pop-up ads." The three companies that purchased the ads paid the fines to settle a separate lawsuit brought by New York Attorney General Andrew Cuomo. The settlement sets a precedent for holding companies liable "when their ads end up on consumers' computers without full notice and consent," said Cuomo. In the past, companies have claimed ignorance because the advertising had been outsourced.
-http://www.vnunet.com/vnunet/news/2173818/adware-funders-fined-supporting
[Editor's Note (Schultz): The fines that these three companies must pay are so small that they are functionally meaningless. Just as this news item states, however, this case has established the precedent that popping up ads on users' screens without their having consented to this is not legal. This case may thus serve as a landmark case in the fight against adware.
Honan): This is an encouraging development. Companies need to realise that outsourcing a function does not mean they can abdicate responsibility for that function. ]

GAO's High-Risk Status Report (31 January 2007)

A status report from the Government Accountability Office (GAO) places government systems security and critical infrastructure protection on its 2007 "high-risk" list. The report notes that many government agencies have not complied with the Federal Information Security Management Act (FISMA) requirements to create and implement information security programs. According to the report, the Department of Homeland Security (DHS) and the National Cyber Security Division have not completely fulfilled their "key cybersecurity responsibilities" in leading the way to secure the government's information systems and the nation's critical infrastructure. The GAO provides high-risk status reports at the start of each new Congress to help set agendas. "GAO's audits and evaluations identify federal programs and operations that, in some cases, are high risk due to their greater vulnerabilities to fraud, waste, abuse, and mismanagement."
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&stor
y.id=43029
-http://www.gao.gov/new.items/d07310.pdf

Florida Governor Calls for New Voting Machines with Paper Audit Trail (31 January 2007)

Florida's new governor, Charlie Crist, is getting kudos for his call to replace touch screen voting machines in 17 counties with electronic voting machines that produce voter-verifiable paper audit trails. The change is expected to cost more than US $20 million and is part of Governor Crist's proposed budget. Florida has been the site of several disputed election results due to accountability problems with voting systems.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9009900&source=rss_topic17
[Editor's Note (Schultz): Mr. Crist richly deserves all the kudos he is getting. Hopefully, his bold stance will motivate governors and legislators in other states that have voting machines that do not have audit trails to devote the necessary resources to fix this serious problem. ]

---

************************ Sponsored Links: *****************************

1) Join LogLogic at RSA on Monday, Feb 5th to celebrate Log Management. Cocktails,Food and Nintendo Wii door prize
http://www.sans.org/info/3251

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Man Arrested for Software Piracy (1 February 2007)

A California man has been arrested for allegedly making and selling counterfeit software. Since 2000, Gad Zamir allegedly netted US $750,000 selling pirated copies of Microsoft and Adobe software online at prices far below retail cost.
-http://www.theregister.com/2007/02/01/counterfeit_arrest/print.html

Dutch Botmasters Get Time Served, Parole and Fines (1 February 2007)

Two Dutch men were sentenced to time served in prison plus parole for running a botnet that they used to steal credit card information and to commit cyber extortion by threatening denial-of-service attacks if they were not paid. The men were also fined. One man was ordered to pay 9,000 Euros (US $11,714); he is believed to have created the Toxbot and the Wayphisher Trojan horse programs. The other man was fined 4,000 Euros (US $5,207); he reportedly helped with the spread of the malware and maintained the botnet.
-http://news.com.com/2102-7348_3-6155251.html?tag=st.util.print
[Guest Editor's Note (Swa Frantzen): If you read Dutch, here's more coverage:
-http://www.netkwesties.nl/editie149/artikel1.html
-http://www.nieuwsbedrijf.nl/nl/1/westbrabant/1393/
They appear to have been convicted for 2 and 1.5 years respectively, but the judge seems to believe the time served already (11 and 9 months) is enough. The fines seem to be lower than what the court found to be their proven financial gain (60.000 EUR). Proving the entire thing in court hasn't been easy. Their equivalent of a District Attorney ws able to make only 4 of the 9 charges stick. ]

Man Avoids Jail for Accessing Former Employer's Network and Stealing Information (1 February 2007)

A man in Australia will not serve jail time for breaking into his former employer's computer system in order to pass confidential information on to his current employer. He pleaded guilty to 18 charges of breaking into email accounts at Access Economics. He avoided jail time because, according to the judge, he did not benefit financially from his actions and because Access Economics suffered no loss of work; the company made no claim for compensation. The man will have to pay a US $2,000 fine if he breaches his suspended sentence within the next two years. [Editor's Note: name redacted 12/23/16 from original story]
-http://www.infosecnews.org/hypermail/0702/12734.html

Text Spammers to Compensate Cell Phone Customers (1 February/31 January 2007)

As a result of a class action lawsuit settled by Distributive Networks LLC, approximately 1,000 cell phone users who received unsolicited text messages advertising certain web pages could each receive up to US $150. Other lawsuits have been filed against text spammers in Florida.
-http://www.chicagotribune.com/technology/chi-070131cell-phone-suit,0,823610,prin
t.story?coll=chi-bizfront-hed
-http://www.chicagotribune.com/business/chi-0702010166feb01,0,1639240.story?coll=
chi-business-hed
-http://washingtontimes.com/upi/20070201-033028-6549r.htm

South Korean Spammers Arrested (31 & 30 January 2007)

Police in South Korea have arrested two men on spam charges. The two are believed to have sent 1.6 billion unsolicited messages in the last quarter of 2006. The emails tried to get recipients to divulge personal and financial information. The pair reportedly sold information belonging to 12,000 people to loan companies, making a profit of 100 million won (US $106,577). If found guilty, the pair could face up to three years in prison or a fine of as much as 30 million won (US $32,000)
-http://www.theregister.co.uk/2007/01/30/south_korea_spam_arrests/print.html
-http://www.smh.com.au/news/Technology/South-Koreas-Internet-spam-legend-arrested
/2007/01/31/1169919406962.html
-http://www.zdnet.co.uk/misc/print/0,1000000169,39285709-39001093c,00.htm

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Bank Glitch Exposes Information on 75,000 Accounts (30 January 2007)

Halifax Bank of Scotland has launched an investigation into a glitch that resulted in one customer, who had requested her own statement, receiving account and transaction information of 75,000 other account holders. The woman received five packages in the mail. The bank was unaware of the problem until the customer returned the documents.
-http://www.thisisnorthscotland.co.uk/displayNode.jsp?nodeId=149664&command=d
isplayContent&sourceNode=149490&contentPK=16523463&folderPk=85696&am
p;pNodeId=149221

Notre Dame Security Breach Includes Old Graduate Test Data (29 January 2007)

Simson Garfinkel recently received a letter from Notre Dame University's Mendoza College of Business informing him that personally identifiable information, including his Social Security number (SSN), was inadvertently made available on the Internet. Garfinkel has no affiliation with the University of Notre Dame; when he took a battery of graduate school admission exams six years ago, he checked boxes allowing his information to be sent to the school for recruitment purposes. Apparently the information had been on a "decommissioned" computer that was later turned on and connected to the Internet. The files on the computer were made available through a file-sharing program. Notre Dame said log files indicate there was no other access beside the individual who discovered his or her information. Garfinkel thinks Google also accessed the information.
-http://www.technologyreview.com/printer_friendly_blogPost.aspx?id=17512
-http://www.technologyreview.com/media/notre_dame.pdf

Vermont Human Svcs. Dept. Computer Attack Exposes Info. of 70,000 Citizens (1 February/30 & 29 January 2007)

A computer at Vermont's Human Services Department suffered an automated attack that could place about 70,000 state residents at risk for identity fraud. The state will notify affected people by letter. The computer was taken out of commission in December 2006 when workers discovered malware on the machine. The computer was supposed to contain information about people who owed back child-support payments. However, just 12,000 of the individuals affected by the breach fit that criteria; the remaining 58,800 are members of the New England Federal Credit Union. The credit union normally provides the state with information about people who owe payments, but on two occasions, the state received information on nearly the entire credit union's membership. A patch for the flaw that was exploited in the attack had been downloaded but not installed.
-http://www.wcax.com/Global/story.asp?S=6006557&nav=4QcS
-http://www.burlingtonfreepress.com/apps/pbcs.dll/article?AID=/20070201/BUSINESS/
702010324/1003&theme=
-http://www.boston.com/news/local/vermont/articles/2007/01/30/state_was_warned_of
_potential_computer_security_breach/

STATISTICS, STUDIES & SURVEYS

IBM Internet Security Systems Report: Highlights (1 February/31 & 30 January 2007)

IBM Internet Security Systems (ISS) released highlights of its 2006 security statistics report on January 30. Among their predictions for security trends 2007: Internet Explorer (IE) will continue to provide a trove of vulnerabilities, browser attacks will increase and more spam will be image-based. In addition, close to 90 percent of new vulnerabilities this year will be remotely exploitable. The report also predicts that malware purveyors will organize themselves into more efficient networks, resulting in the development of "exploits-as-a-service" industry, and the rise of customized attacks.
-http://www.theregister.co.uk/2007/02/01/windows_vista_security/print.html
-http://www.itnews.com.au/newsstory.aspx?CIaNID=45136
-http://www.eweek.com/print_article2/0,1217,a=199933,00.asp
-http://www10.mcadcafe.com/nbc/articles/view_article.php?section=CorpNews&art
icleid=347382

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/