SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VI - Issue #45
November 10, 2004
For next month's "Security Awareness Tool of the Month," we are actively considering the phishing quiz posted at http://survey.mailfrontier.com/survey/quiztest.html
To be chosen a product needs to have been used effectively in an awareness program by some large organization. If you have introduced the quiz to your users and have some evidence that leads you to believe it is effective, please email us at info@sans.org with subject "Phishing quiz impact" Thanks in advance.
Alan
TOP OF THE NEWS
Siblings Convicted of Spamming
New Phishing Tactic is Stealthy
Legislators Ask GAO to Look Into eVoting Irregularities
Microsoft Makes Early Warning Available to Everyone
Microsoft Forewarns of ISA Vulnerability
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Internet Scam "Mastermind" Sentenced to Prison
Former University of Texas Student Indicted on Fraud Charges for Alleged Data Theft
DDoS Boss on FBI's Most Wanted List
eVOTING
Mixed Reaction to e-Voting's Success
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
BSA to Double Reward Cap for UK Whistleblowers
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
New MyDoom Variant
Code Circulating for IFrame Vulnerability in Internet Explorer 6.0
STATISTICS, STUDIES AND SURVEYS
Study Shows IT Security Professionals Will Number 2.1 Million by 2008
October Malware Stats Indicate Malware Writers are Increasingly Motivated by Financial Gain
MISCELLANEOUS
New Zealand Internet Banking Customers to use Two-Factor Authentication
Stolen Computers Contain Wells Fargo Customer Data
Training is a Good Investment
************************ Sponsored by NetIQ *****************************
Keeping up with the latest security knowledge can seem like an impossible task. Even if you stay informed of the latest regulations, vulnerabilities, and best practices, how do you effectively use that knowledge to reduce risks and secure assets in your IT environment?
Join Rebecca Herold, Information Privacy, Security and Compliance Consultant, and NetIQ on 11/16 for a free audiocast on "Leveraging Security Knowledge to Assure Policy Compliance."
Register Now! http://www.windowsitpro.com/seminars/policycompliance/index.cfm?code=NS_SANS_111004
************************************************************************
Highlighted Cybersecurity Training: Washington, DC, Dec. 7-13, 2004
SANS best instructors will be in DC teaching great courses for
**Auditors who want the technical skills so critical to successful audits.
**Security Managers interested in best practices and SANS exclusive "security make-over"
**Security professionals seeking CISSP (a trademark of (ISC)2) certification who want a more effective course.
**Technical security professionals with hands-on responsibility: Hacker Exploits; Intrusion Detection In-Depth; Introduction to Information Security; SANS Security Essentials; Firewalls, VPNs, and Perimeter Protection; Securing Windows; Securing Linux/Unix; System Forensics, Investigation & Response; .Net Security.
Early registration deadline is this Friday. Details: http://www.sans.org/cdieast04
*************************************************************************
TOP OF THE NEWS
Siblings Convicted of Spamming (4 November 2004)
Jeremy Jaynes and Jessica DeGroot have been convicted of sending thousands of spam emails to AOL subscribers through the company's servers in Virginia. The jury recommended that Jaynes receive a 9-year prison sentence and that DeGroot, his sister, be fined US$7,500; they will be formally sentenced early next year. A third defendant in the case was found not guilty.
-http://www.computerworld.com/printthis/2004/0,4814,97229,00.html
-http://www.theregister.co.uk/2004/11/04/sibling_spammers_convicted/print.html
-http://www.vnunet.com/news/1159170
[Editor's Note (Schultz): This conviction may be just a taste of things to come, and it will send a powerful message to current and would-be spammers. ]
New Phishing Tactic is Stealthy (4 November 2004)
MessageLabs has reported what could become a new twist in phishing scams. The emails carry a script that, once the message is opened, rewrites the local hosts file so that attempts to visit legitimate banking sites are silently redirected to phishing sites. Traditionally, phishing emails have required victims to open the message and then click a link to the fraudulent web site. So far only three Brazilian banks have been targeted. Users can protect themselves from this particular attack by disabling Windows Scripting Host.
-http://www.computerworld.com/printthis/2004/0,4814,97213,00.html
-http://www.theregister.co.uk/2004/11/04/phishing_exploit/print.html
[Editor's Note (Pescatore and Ranum): There have already been spyware and viruses that change the local hosts file to keep spyware and AV software from updating. It is really beyond the typical home user to figure that kind of thing out - Windows Scripting Host is something that should never be on by default. ]
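The hosts-file tampering described in this item is easy to check for, and the check belongs in any endpoint audit script. What follows is an added example written for this summary, not code from MessageLabs or from the articles cited; the sample hosts file, the bank and anti-virus update domain names in the watchlist, and the severity labels are all constructed for illustration. It flags any watchlisted name mapped anywhere (to a public address it is a pharming redirect; to loopback it is the update-blocking trick the editors mention) and, at lower severity, any other non-loopback mapping, since a stock Windows hosts file contains only localhost entries.

```python
import ipaddress

# Constructed sample of a Windows hosts file after the kind of tampering described
# above. The bank and update-server names are placeholders, not the banks in the story.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.examplebank.com examplebank.com   # added by the phishing script
203.0.113.45    online.secondbank.example
127.0.0.1       liveupdate.av-vendor.example           # blocks AV signature updates
10.0.0.5        intranet.corp.example                  # legitimate, but worth a look
"""

# Names that should never be overridden in an end-user hosts file. Assumed watchlist
# for the example; a real deployment would load it from policy.
WATCHLIST = {
    "www.examplebank.com",
    "examplebank.com",
    "online.secondbank.example",
    "liveupdate.av-vendor.example",
}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text.

    Handles '#' comments (full-line and trailing), tabs, several hostnames on one
    line, and IPv6 addresses. Malformed lines are skipped rather than raising.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield ip, host.lower().rstrip("."), line_no


def suspicious_entries(text, watchlist=WATCHLIST):
    """Return a list of findings, each a dict with line, host, ip, severity, reason.

    High severity: a watchlisted name mapped at all. Pointed at a public address it is
    a pharming redirect; pointed at loopback it is the update-blocking trick the
    editors mention. Low severity: any other non-loopback mapping, because a stock
    Windows hosts file contains only localhost entries.
    """
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if host in watchlist:
            reason = ("sinkholed to loopback" if ip.is_loopback
                      else "redirected to %s" % ip)
            severity = "high"
        elif not ip.is_loopback:
            reason, severity = "non-loopback mapping", "low"
        else:
            continue
        findings.append({"line": line_no, "host": host, "ip": str(ip),
                         "severity": severity, "reason": reason})
    return findings


def check_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Run the check against a real hosts file; the default is the Windows location."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print("%-4s line %d: %s -> %s (%s)"
              % (f["severity"], f["line"], f["host"], f["ip"], f["reason"]))
```

Run against the sample it reports four high-severity entries (the two bank redirects on line 6, the third bank on line 7, and the sinkholed update server on line 8) and one low-severity entry for the intranet mapping. Disabling Windows Scripting Host, as the item suggests, stops this particular delivery mechanism, but the hosts file can be rewritten by any code running as the user, so the check is worth running regardless.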
Legislators Ask GAO to Look Into eVoting Irregularities (8/5/4/3 November 2004)
Three House Democrats have asked the Government Accountability Office (GAO) to investigate electronic voting machine irregularities in the November 2 elections. A memory card reader problem in an Ohio precinct gave one candidate 3,893 more votes than he should have received, even though records indicate that only 638 people voted at that location. In North Carolina, more than 4,500 votes were lost because of memory card capacity limits. Software used to count absentee ballots in Florida began subtracting votes once the total reached 32,000. There were also reports of voters having trouble selecting their chosen candidate: either the machine would not register the voter's choice, or the review page showed the wrong candidate marked. The GAO had apparently already been planning to produce a report on e-voting after the election.
-http://www.fcw.com/fcw/articles/2004/1108/news-evote-11-08-04.asp
-http://www.wired.com/news/print/0,1294,65623,00.html
-http://www.wired.com/news/print/0,1294,65609,00.html
-http://www.wired.com/news/print/0,1294,65601,00.html
-http://www.nwfusion.com/news/2004/1103grouptalli.html
[Editor's Note (Schultz): This is an extremely serious issue. I would think that the U.S., a country that is dependent on free and fair elections, would give the highest priority to pursuing the matter of the integrity of electronic voting. ]
Microsoft Makes Early Warning Available to Everyone (4 November 2004)
Microsoft has announced that it will post summaries of its security bulletins on its web site three days before the bulletins are released in order to give customers adequate preparation time to schedule appropriate IT staff and prioritize related activities. The information will include which products the patches will be for and the severity rating of each vulnerability, but will not provide details of the flaws which could be used to exploit them. This service was previously available to certain customers who had signed up for the privilege.
-http://www.computerworld.com/printthis/2004/0,4814,97221,00.html
Microsoft Forewarns of ISA Vulnerability (5 November 2004)
Microsoft's first early warning notice alerted customers to an upcoming patch for a vulnerability in Internet Security and Acceleration (ISA) Server which has been given a rating of "important." The security update was scheduled to be released on Tuesday, November 9.
-http://www.securitypipeline.com/showArticle.jhtml;jsessionid=JEDYHZONJWSPAQSNDBCCKH0CJUMEKJVN?articleId=52200214&printableArticle=true
[Editor's Note (Pescatore): It is doubly bad when a security product, and the operating system it runs on, both frequently need to be patched. ]
************************** SPONSORED LINKS ******************************
Privacy notice: These links redirect to non-SANS web pages.
(1) Free Whitepaper - Roadmap to Risk & Responsibilities for Secure Messaging Strategy http://www.sans.org/info.php?id=646
(2) FREE White Paper: "Why the web browser is the most dangerous hacking tool" http://www.sans.org/info.php?id=647
(3) Enable secure remote SSL VPN access: Free Web Security Informational Kit! http://www.sans.org/info.php?id=648
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Internet Scam "Mastermind" Sentenced to Prison (8 November 2004)
An Australian judge has sentenced Nick Marinellis to at least four years in jail for "masterminding" a Nigerian 419 scam in which he stole approximately AU$5 million (approximately US$3.78 million) from his victims. Marinellis will not be eligible for parole until February 28, 2008.
-http://australianit.news.com.au/articles/0,7204,11319598%5E15331%5E%5Enbv%5E15306%2D15318,00.html
[Editor's Note (Shpantzer): In the U.S. the Secret Service handles this type of crime. See
-http://www.secretservice.gov/alert419.shtml
See this link for a detailed account of the process a victim goes through as the scam develops.
-http://www.theregister.co.uk/2004/07/09/419_scam_anatomy/]
Former University of Texas Student Indicted on Fraud Charges for Alleged Data Theft (5 November 2004)
A federal grand jury has indicted Christopher Andrew Phillips, a former University of Texas student, on charges he broke into the university's computer system and stole personal data belonging to more than 37,000 students, faculty and staff. Phillips's attorney maintains his client had no criminal intent, that he did not use any "hacking tools" and that the school's computer system was not posted with "Do Not Enter" signs.
-http://www.usatoday.com/tech/news/computersecurity/hacking/2004-11-05-ut-hack-charge_x.htm
[Editor's Note (Schneier): What a spurious defense. My house doesn't have a "Do Not Enter" sign in front of it, but that doesn't mean I would take it kindly if someone chose to wander around uninvited. ]
DDoS Boss on FBI's Most Wanted List (5/4 November 2004)
Saad "Jay" Echouafni, who allegedly hired people to launch distributed denial of service attacks against business competitors, has been placed on the FBI's most wanted list after apparently skipping bail, possibly fleeing to his native Morocco. He faces a five-count federal indictment. Five men Echouafni allegedly hired to orchestrate and carry out the attacks are headed for federal court.
-http://www.securityfocus.com/printable/news/9870
-http://news.zdnet.co.uk/internet/security/0,39020375,39172604,00.htm
eVOTING
Mixed Reaction to e-Voting's Success (8/3 November 2004)
Supporters of electronic voting maintain the election was a success and have confidence in the technology. Detractors, however, remain concerned about the lack of a verifiable paper audit trail.
-http://www.techweb.com/article/printableArticle.jhtml?articleID=51202547&site_section=700029
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=27828
-http://www.fcw.com/fcw/articles/2004/1108/news-evote-11-08-04.asp
[Editor's Note (Pescatore): This is sort of like saying "Millions of people smoked cigarettes on November 2nd and didn't die." For the level of trust required for something like voting, the standard of success has to be much higher than just "well, nothing went wrong this time." ]
COPYRIGHT, PIRACY AND DIGITAL RIGHTS MANAGEMENT
BSA to Double Reward Cap for UK Whistleblowers (8 November 2004)
The Business Software Alliance has announced that it is doubling the maximum reward it offers to people who inform it about UK companies using pirated software. Whistleblowers will now receive 10% of the face value of the software recovered, up to GBP20,000.
-http://asia.cnet.com/news/industry/printfriendly.htm?AT=39200335-39037106t-39000003c
-http://www.bsa.org/uk/press/newsreleases/Report-Illegal-Software.cfm
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
New MyDoom Variant (8 November 2004)
A new MyDoom variant exploits an as yet unpatched IFrame vulnerability in Internet Explorer in order to spread itself to other machines.
-http://news.zdnet.com/2102-1009_22-5443828.html?tag=printthis
Code Circulating for IFrame Vulnerability in Internet Explorer 6.0 (5/4/3 November 2004)
Microsoft is looking into reports of a new IFrame buffer overflow vulnerability in Internet Explorer 6.0 on Windows XP through Service Pack 1 and on Windows 2000. Windows XP with SP2 appears not to be affected. Security researchers say that exploit code for the flaw is already circulating on the Internet, but Microsoft says it has not seen the code.
-http://www.computerworld.com/printthis/2004/0,4814,97258,00.html
-http://www.techweb.com/article/printableArticle.jhtml?articleID=51202479&site_section=700028
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39200111-39037064t-39000005c
STATISTICS, STUDIES AND SURVEYS
Study Shows IT Security Professionals Will Number 2.1 Million by 2008 (8 November 2004)
A study conducted by IDC projects that the number of IT security professionals worldwide will grow to 2.1 million by 2008, a compound annual growth rate of 13.7% from 2003. The study also found that 93% of managers responsible for hiring security staff consider certifications important.
-http://www.vnunet.com/news/1159247
[Editor's Note (Paller): Most analysts familiar with the security field now agree that the vast majority of the added positions will be taken by system administrators, network administrators, and auditors who will be given more security responsibility rather than by individuals with general security knowledge but no hands-on technical skills. ]
October Malware Stats Indicate Malware Writers are Increasingly Motivated by Financial Gain (3 November 2004)
A study from Trend Micro's TrendLabs shows that nearly half of all malicious software detected in October 2004 consisted of Trojan horse programs, suggesting that malware writers are moving away from seeking notoriety and toward making a profit. Trojan horse programs can be used to trick computers into running bot programs, which in turn can be used to launch denial of service attacks.
-http://news.zdnet.com/2102-1009_22-5438228.html?tag=printthis
[Editor's Note (Ranum): As soon as hacking and malware become more obviously a vehicle for financial gain, we'll finally see a change in popular attitudes forgiving hacking. ]
MISCELLANEOUS
New Zealand Internet Banking Customers to use Two-Factor Authentication (8 November 2004)
Customers of New Zealand's ASB Bank and its Bank Direct internet banking service will be required to use a new two-factor authentication system when transferring more than AU$2,500 (approximately US$1,890) to a third-party account. Customers making such a transfer will receive an 8-digit code by text message on their mobile phones; the code must be entered within three minutes of receipt to complete the transaction. Customers also have the option of lowering the threshold at which two-factor authentication is required.
-http://www.smh.com.au/news/Breaking/NZ-bank-adds-security-online/2004/11/08/1099781306318.html?oneclick=true
[Editor's Note (Schultz): It is only a matter of time before other banks around the world will follow suit. Conventional password-based authentication is just not adequate for banking transactions, let alone a wide variety of other types of computer use.
(Schneier): This sounds like a good idea, though it will take some time to see how it works in practice. It also shows an interesting technological shift; it only works if you have a cell phone, so cell phones must be sufficiently pervasive in NZ society to be practical. ]
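The confirmation step described in this item, as an added example that is not ASB Bank's code. The article gives only the code length, the three-minute window, the third-party-transfer threshold and the fact that customers can lower it; everything else here is an assumption of the example. In particular, the code is bound to the amount and destination account the customer was shown when it was issued, so a code sent for one transfer cannot confirm a different one, and a code is consumed on its first use whether or not that use succeeds, which keeps an online guesser to one attempt per SMS. The injectable clock exists only so the expiry rule can be exercised without waiting.

```python
import hmac
import secrets
import time

# Policy values from the story: an 8-digit code, valid for three minutes, required for
# third-party transfers above 2,500 (the currency unit is left as in the article).
OTP_DIGITS = 8
OTP_TTL_SECONDS = 180
DEFAULT_THRESHOLD = 2500


class TransferOtp:
    """Server side of the SMS confirmation step (illustrative; not the bank's code)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the expiry rule can be tested
        self.threshold = DEFAULT_THRESHOLD
        self._pending = {}           # transfer_id -> (code, expires_at, amount, dest)

    def set_threshold(self, amount):
        """The customer may lower the threshold but never raise it above the default."""
        self.threshold = min(amount, DEFAULT_THRESHOLD)

    def needs_second_factor(self, amount, own_account):
        """Transfers between the customer's own accounts do not trigger the SMS step."""
        return (not own_account) and amount > self.threshold

    def issue(self, transfer_id, amount, dest_account):
        """Create the code the bank would send by SMS and record what it authorises."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[transfer_id] = (code, self._clock() + OTP_TTL_SECONDS,
                                      amount, dest_account)
        return code  # goes to the SMS gateway, never back to the browser session

    def confirm(self, transfer_id, entered_code, amount, dest_account):
        """Accept the transfer only if the code is fresh, unused, correct and still
        refers to the same amount and destination shown to the customer at issue time."""
        entry = self._pending.pop(transfer_id, None)   # consumed on first attempt, good or bad
        if entry is None:
            return False
        code, expires_at, bound_amount, bound_dest = entry
        if self._clock() > expires_at:
            return False
        if (amount, dest_account) != (bound_amount, bound_dest):
            return False
        entered_code = str(entered_code)
        if not (entered_code.isascii() and entered_code.isdigit()):
            return False
        return hmac.compare_digest(code, entered_code)   # constant-time comparison


if __name__ == "__main__":
    bank = TransferOtp()
    dest = "12-3456-7890123-00"   # constructed account number
    if bank.needs_second_factor(3000, own_account=False):
        sent = bank.issue("transfer-1", 3000, dest)
        print("SMS would carry:", sent)
        print("confirmed:", bank.confirm("transfer-1", sent, 3000, dest))
```

Note what the binding buys: if a phishing page or a hosts-file redirect (as in the item above) relays the customer's session and quietly changes the destination account, the code the customer types no longer matches what was recorded at issue time and the transfer is refused, even though the code itself is correct.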
Stolen Computers Contain Wells Fargo Customer Data (5/2 November 2004)
Four computers stolen from Regulus Integrated Solutions LLC's Atlanta office contain names, addresses, social security numbers and account numbers belonging to thousands of Wells Fargo student loan and mortgage customers. Wells Fargo has notified affected customers by mail and is offering a free year of its credit monitoring service.
-http://www.siliconvalley.com/mld/siliconvalley/news/editorial/10079221.htm?template=contentModules/printstory.jsp
-http://www.computerworld.com/printthis/2004/0,4814,97279,00.html
[Editor's Note (Pescatore): Back of the envelope calculation time: let's say 5,000 accounts were compromised and 500 of those offered took Wells Fargo up on the free credit reporting for a year. Let's also assume there were 10 PCs (vs. just the 4 that were stolen) in that Atlanta office that had customer data on them. The cost of this incident (notification, cleanup, free credit service) is at least $125,000 and the cost of having encryption software on those 10 PCs would be under $10,000. This type of math is what enterprises need to do when they outsource - if you don't push security requirements onto outsourcers, you better plan on paying the security bill later on.
(Shpantzer): Security at partner sites is often as important as security at the central organization's sites. ]
Training is a Good Investment (4 November 2004)
IT managers decide whether or not to provide training for their employees, which can be a considerable expense. Some decline for fear that trained employees will leave for better positions elsewhere; others provide training for precisely the same reason: if people feel they are not valued enough to be educated, they may leave for positions where they are given the opportunity to attend training courses. The author advises managers to offer their staff educational opportunities, and reminds employees that they need to maintain and update their own skills.
-http://www.securityfocus.com/printable/columnists/275
===end===
NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/