SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VII - Issue #21

May 25, 2005

Want to attend SANS security and audit training, but cannot take the time off work or pay for travel? Beginning in June and July, for the first time, you may complete any of ten SANS immersion training programs without leaving home. Live, interactive evening sessions, once a week, with great SANS instructors. And each session is recorded so you can catch up if you miss one. Find details at http://www.sans.org/athome/

---

TOP OF THE NEWS

Hackers Holding Computer Files 'Hostage'
California Legislators Pass Identity Information Protection Act
US Senate Passes Real ID Act
GAO Report Finds Wireless Security Lacking at Federal Agencies
US Cyber Czar Position Elevated by House of Representatives
Court Rules German ISPs Do Not Have to Provide Record Companies with Customer Data

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Teen Pleads Guilty to DoS Attacks
WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES
Phony Microsoft Update eMail Infects Computers with Malware
Microsoft Warns of DoS Vulnerability in TCP/IP Implementation
Sober.Q Spreads Spam
ATTACKS AND INTRUSIONS
Wachovia and Bank of America Alert Customers to Data Theft
Bank Data Theft Grows To 676,000 Customers
STANDARDS AND BEST PRACTICES
Some Companies Fail to Take Action on Audit Results
STATISTICS, STUDIES AND SURVEYS
Healthcare Industry IT Managers Say HIPAA Has Prompted Significant Increases in Security Spending
Insider Revenge Motivates Cyber Attacks
Australians Report Cybercrime Down, DDoS Up
MISCELLANEOUS
Equipment Seized in Lexis-Nexis Database Theft Case
MasterCard Closes Down More Than 300 Asian Phishing Sites

---

************************ Sponsored by CipherTrust ***********************

Federal legislation targeting the dissemination of private information has forced businesses to rethink how they communicate. As e-mail has become the most important communication tool for any organization, care must be taken to ensure the integrity of non- public information. Download CipherTrust's free white paper to learn how e-mail security contributes to regulatory compliance.

http://www.ciphertrust.com/files/forms/landing_template.php?sp=SSQ2_SANS_Newsbit
es_May25
*************************************************************************
Why Do Security Professionals Get More Value From SANS Than from Any Other Source?

"Years of experience downloaded into your brain in 6 days."
- Chris Koutras, Titan, Inc.

"The perfect balance of theory and hands on experience."
- James D. Perry II, University of Tennessee

"SANS courses bring the best of the best to one place to learn cutting-edge information."
- Jeremy Baca , Sandia National Labs

"SANS has opened my eyes to things I never would have considered based on my own research."
- Doug Wells, Media General, Inc.

Current Training Schedule: http://www.sans.org
**********************************************************************

---

TOP OF THE NEWS

Hackers Holding Computer Files 'Hostage' (23 May 2005)

A new type of extortion plot has been identified, unlike any other cyber extortion, according to the FBI. Hackers used an infected website to infect computers with a program that encrypts the users file. Then the criminal demanded money for the key to decrypt the files. Enhanced versions of this attack threaten large numbers of users with loss of important data, loss of money, or both.
-http://news.yahoo.com/s/ap/20050524/ap_on_hi_te/internet_ransom
[Editors' Note (Paller and Dhamankar): This is a substantial expansion of the extortion threat. Previously large organizations were targeted. Now because infection is indiscriminant, everyone is at risk. To protect your systems: (1) ensure your back ups are current and retrievable, (2) ensure your operating system and browser are fully patched (through automated patching), (3) refrain from opening *any* attachments unless you are expecting them. ]

California Legislators Pass Identity Information Protection Act (19 May 2005)

On May 16, the California Senate passed SB 682, the Identity Information Protection Act, which prohibits the use of radio frequency identification (RFID) tags in state and federal government-issued identification cards. The law would also make it illegal to read or attempt to read identification documents without the owner's knowledge. The bill now moves to the state assembly.
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&
story.id=35857
-http://www.govtech.net/news/news.php?id=94036

US Senate Passes Real ID Act (12 May 2005)

The US Senate has unanimously approved the Real ID Act which would require that all American citizens obtain machine readable, federally approved identification cards. People who do not possess such a card will not be permitted to travel by air or Amtrak, open a bank account or enter a federal building. The Real ID Act was attached to an Iraq military spending bill; supporters of the act say it will help prevent illegal immigrants from obtaining driver's licenses. The law would take effect in May 2008.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39229811-39037064t-39000
005c

GAO Report Finds Wireless Security Lacking at Federal Agencies (17 May 2005)

A Government Accountability Office study found that federal agencies lack adequate wireless network security. In its report, GAO recommends that the Office of Management and Budget require agencies to incorporate wireless security into their information security programs under the Federal Information Security Management Act. This would include policies in wireless network implementation and use, configuration requirements for wireless security tools and training employees and contractors on wireless policies. Of 24 executive branch agencies, nine had no wireless network policies and 13 had no wireless equipment security configuration requirements. At six agency headquarters in downtown Washington, DC, the GAO found wireless signals leaking outside of buildings, unsecured wireless equipment configuration and unauthorized wireless devices operating on the network.
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&
story.id=35827
-http://www.gao.gov/new.items/d05383.pdf
[Editor's Note (Schultz): What amazes me is that so many organizations continue to have cleartext wireless communications despite the inherent danger of eavesdropping and the availability of suitable encryption solutions.
(Shpantzer): Most places have either a 'no wireless' policy or a 'wireless with XYZ security' policy. Both require monitoring and enforcement. If you have no policy at all, you're virtually guaranteed to have insecure wireless in place, set up for convenience and mobility by enterprising employees. If you have no policy, what can you can do to those employees? Not much. ]

US Cyber Czar Position Elevated by House of Representatives (19 May 2005)

The US House of Representatives passed an authorization act that provided a $34 billion budget for the Department of Homeland Security. The Act also elevated the position of the head cybersecurity official to the Assistant Secretary level. The Senate has not taken a similar action, but the Secretary of DHS has the authority to elevate the position without Congressional action.
-http://www.techweb.com/wire/security/163105882

Court Rules German ISPs Do Not Have to Provide Record Companies with Customer Data (17 May 2005)

The Higher Regional Court in Hamburg, Germany has ruled that German ISPs are not required to provide record companies with information about their customers' identities. The court argued that ISPs "merely provide access to the web," but are not themselves a part of copyright infringement acts. This overturns a District Court ruling, based on Germany's Copyright Act, which allowed record companies access to ISP customer information after the discovery of an FTP server where songs were available for free download.
-http://www.theregister.co.uk/2005/05/17/hamburg_isp_ruling/print.html

---

*********************** SPONSORED LINKS *********************************
1) Live Secure Software Webcast this Thursday May 26, 2005 1:00pm EDT! During this webcast we will discuss secure and insecure software designs, understanding what we should be looking for as we convert the potentially ambiguous requirements into a solid definition.
https://www.sans.org/webcasts/show.php?webcastid=90570
2) Security is #1 with Shavlik HFNetChkPro(tm) security patch management. Download the trial version today at
http://www.sans.org/info.php?id=781
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Teen Pleads Guilty to DoS Attacks (14 May 2005)

17-year-old Jasmine Singh has pleaded guilty to launching denial-of-service attacks against several e-commerce businesses during the second half of 2004. The businesses in question suffered more than US$1 million in losses and damages. Court documents say that Singh was hired over the Internet by a Michigan man named Jason Arabo to launch the attacks against Arabo's competitors. Singh was charged with second degree computer theft which carries a maximum sentence of ten years; he is to be tried as an adult.
-http://www.phillyburbs.com/pb-dyn/news/112-05142005-489320.html
Arrest and criminal complaint records from the DOJ may be found at:
-http://www.usdoj.gov/usao/nj/publicaffairs/NJ_Press/files/arab0318_r.htm
;
-http://www.usdoj.gov/usao/nj/publicaffairs/NJ_Press/files/pdffiles/arabocomplain
t.pdf

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

Phony Microsoft Update eMail Infects Computers with Malware (18 May 2005)

Yet another phony Microsoft security update is circulating, timed to coincide with the company's monthly security release for May. The email message says it contains an update for Internet Explorer, Outlook Express and Outlook. Users who click on the embedded link will find their computers infected with the Pinfi virus and an unnamed Trojan horse program.
-http://www.techweb.com/wire/security/163105391

Microsoft Warns of DoS Vulnerability in TCP/IP Implementation (18 May 2005)

Microsoft has issued an advisory warning of a denial-of-service vulnerability in its TCP/IP implementation; exploit code for the flaw has already been released. This advisory is the first in Microsoft's program to respond promptly to vulnerabilities when details and exploits are disclosed before a patch becomes available. A successful exploit could cause systems to reset TCP connections. The attacker would not be able to execute code or elevate privileges.
-http://www.eweek.com/print_article2/0,2533,a=152239,00.asp
[Guest Editor's Note (Jason Fossen, SANS Top Windows Security Teacher) Fortunately, this vulnerability has a quick countermeasure other than applying a Service Pack or hotfix. Using Group Policy or a little bit of scripting, administrators should consider setting the Tcp1323Opts registry value to zero on all Windows machines in order to block the exploit. However, be aware that this can cause problems on very high-speed networks; for more information about this registry value, see Microsoft's bulletin (
-http://www.microsoft.com/technet/security/advisory/899480.mspx)
or the documentation for the value itself (
-http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-u
s/regentry/58800.asp).]

Sober.Q Spreads Spam (18/16 May 2005)

The Sober.Q virus turns infected PCs into spam machines, some of which are sending out an estimated 10,000 unsolicited email messages an hour. Earlier Sober variants were instructing the machines they infected to upload the new variant.
-http://www.ecommercetimes.com/story/O7kGjQ7UZjqjbs/Sober-Virus-Continues-To-Spre
ad-Political-Spam.xhtml
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39191987-20000
61744t-10000005c
[Editor's Note (Dhamankar): The big problem was that the Sober.P infection allowed attackers to load Sober.q. This is the first time I have seen a worm infection being used for right wing spam. Sober.p should be cleaned up immediately as it can allow attackers to upload more sinister programs. It is always surprising to see viruses like Sober.p, that are zip attachments, spread so quickly. Users should be frequently warned by ISPs and their enterprise security teams of the dire consequences of opening files attached to suspicious messages.
(Shpantzer): This needs to be filtered at the ISP level. If you want to send out 10,000 emails an hour from your home, you should get a call from your ISP asking what's up, and get charged a nominal fee for that. ]

ATTACKS AND INTRUSIONS

Wachovia and Bank of America Alert Customers to Data Theft (13 May 2005)

Wachovia Corp. and Bank of America are notifying certain active and inactive customers that the security of their personal data may have been breached. Police in New Jersey seized computer equipment, including disks that contained account information for some of the banks' customers. The account information was stolen as part of a scheme to sell the information to collection agencies.
-http://www.siliconvalley.com/mld/siliconvalley/rss/11642196.htm?template=content
Modules/printstory.jsp

Bank Data Theft Grows To 676,000 Customers (20 May 2005)

Police report that bank employees at four banks were involved in a New Jersey crime ring that used screen captures to record data about more than 676,000 customers. The criminals, nine of whom have been charged with crimes, sold the data to 40 collection agencies. The men charged are listed in the article
-http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,10
1903,00.html

STANDARDS AND BEST PRACTICES

Some Companies Fail to Take Action on Audit Results (19 May 2005)

According to one UK security consultant, some companies take no action on audit results, viewing the audits as merely a compliance issue. He estimates that 5% of the companies for whom he does penetration tests show up with the same problems year after year. Sometimes this can be due to resources or to the necessity of getting new applications running which takes precedence over security issues.
-http://www.theregister.co.uk/2005/05/19/audit_ignoramuses/print.html

STATISTICS, STUDIES AND SURVEYS

Healthcare Industry IT Managers Say HIPAA Has Prompted Significant Increases in Security Spending (16 May 2005)

An Info-Tech Research Group survey of 1,400 IT managers found that most said that the Health Insurance Portability and Accountability Act has prompted a significant increase in security spending. As of April 21, 2005, all but the smallest of healthcare organizations were required to be compliant with HIPAA. 80% planned to invest in core technology and 59% plan to increase spending on desktop hardware; 81% of larger hospitals plan to increase their investments in security hardware and 73% plan to increase security software investments.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1088594,0
0.html
[Editor's Note (Pescatore): Of course, increasing spending often doesn't lead to increased security. It also appears that HIPAA is being used as a Y2K and Sarbanes Oxley like excuse for spending, if 80% are increasing core technology independent of security. While these regulations can help security managers get procurements approved, they are often seen by corporate management as one year investments - buying a guard dog is a bad investment if you can't feed it in later years.]

Insider Revenge Motivates Cyber Attacks (20 May 2005)

The US Secret Service and Carnegie Mellon University released a study of 80 insider attacks. 57% were carried out by system administrators, 33% by privileged users who were not sysadmins. The most significant damage cost $10 million in damages and resulted in the layoff of over 80 employees, and attack that was perpetrated by a system administrator who was angry about being terminated. The best defense appears to be tight configuration manager and disabling access when employees are terminated.
-http://www.computerworld.com/securitytopics/security/story/0,10801,101900,00.htm
l

Australians Report Cybercrime Down, DDoS Up (23 May 2005)

The Australian Computer Crime and Security Survey found that the number of organizations reporting cyber crime dropped from 49% in 2004 to 35% in 2005. The fastest growing and most costly category - accounting for 53% of the losses - was distributed denial of service attacks.
-http://www.zdnet.com.au/news/security/0,2000061744,39193086,00.htm

MISCELLANEOUS

Equipment Seized in Lexis-Nexis Database Theft Case (19 May 2005)

Warrants were served at the homes of nine people in connection with the massive data theft from Lexis-Nexis. Law enforcement agents seized evidence, including computers and disks.
-http://www.washingtonpost.com/wp-dyn/content/article/2005/05/19/AR2005051900704_
pf.html

MasterCard Closes Down More Than 300 Asian Phishing Sites (19 May 2005)

With the help of Name Protect, a security vendor, Mastercard ran a 24 x 7 monitoring program that identified online credit-card trading rings, phishing scams and other forms of payment fraud that target MasterCard's financial partners and cardholders. The project led to the shut down of more than 1,400 phishing and spoofing sites around the world, 300 of which were in Asia.
-http://asia.cnet.com/news/security/0,39037064,39230987,00.htm

---

===end===
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/