SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VII - Issue #28
July 13, 2005
Ever wonder how credit card thieves turn stolen numbers into cash? Some extraordinary reporting in USA Today answers that question. It is a troubling story - the thieves are using ordinary Americans who are just looking for work. See the first story under TOP OF THE NEWS.
The SANS Research Office is doing a comparative study of how well the major Internet Service Providers protect their clients from cyber attacks. We are looking for two researchers to help with this project, part time, over the next two months. It is paid work. If you know someone who is really good at technical research, interviewing, and writing, please have them send a resume to sansro@sans.org with subject ISP research resume.
Alan
TOP OF THE NEWS
Honest Job Hunters Ensnared in Cyber Crime RingSasser Author Receives Suspended Sentence
Credit Card Security Standard Takes Effect
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCESPolice Arrest Florida Man for Unauthorized Wireless Network Use
University Student Arrested for Alleged Data Theft
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
US-CERT Warns of Targeted Trojan Attacks
Microsoft July Update Will Include Three Fixes
Fixes Available for Zlib Buffer Overflow Flaw
Exploit Code Circulating for Flaw in Older Versions of Firefox
Buffer Overflow Flaw in Adobe Acrobat Reader
Microsoft Issues Advisory for IE ActiveX Vulnerability
Doomboot.A Trojan Infects Symbian Smartphones, Carries Commwarrior.B Worm
ATTACKS, INTRUSIONS & DATA THEFT
University of Southern California Computer Security Breach
STATISTICS, STUDIES & SURVEYS
Study Shows Users are Changing Internet Habits to Avoid Spyware
IM-Based Attacks Increasing Rapidly
MISCELLANEOUS
PDF File of Alleged Cyber Intruder Indictment Doesn't Fully Hide IP Addresses of Compromised Sites
Microsoft Denies Favoritism in Reclassifying Claria Adware
CardSystems Solutions Class Action Lawsuit Amended
************************ Sponsored to NetIQ ***************************
Assure Compliance & Manage Risks with Free NetIQ eBook! Do you know how to secure your infrastructure and prove compliance with government regulations? Get the insight you need to assure compliance, secure your assets and manage your IT risks. Download a FREE copy of "The Practical Guide to Compliance & Security Risks".
http://www.netiq.com/f/form/form.asp?id=2802&origin=SANSNS071305
******************** Security Training News******************************
1) SANS@HOME: Live courses with SANS best teachers - without leaving your home or office - amazingly effective and satisfying. Hacker Techniques, Auditing, SANS Security Essentials, Firewalls, all start within the next two weeks. Sign up today at www.sans.org
2) SANS Network Security 2005 in New Orleans (October) just opened for registration http://www.sans.org/ns2005
Why Attend SANS Training Instead of Less Effective Courses? "SANS reminds me of 'The Matrix'. You can take the blue pill and go on happily thinking your network is safe, or you can take the red pill and find out what the computer world is really like. This class is the red pill, and if it doesn't drive you insane in the process, you will leave better prepared to handle the real world of security." (Shawn Wenzel, Par Pharmaceutical)
*************************************************************************
TOP OF THE NEWS
Honest Job Hunters Ensnared in Cyber Crime Ring (11 July 2005)
Cyber thieves are using the Internet to recruit people to aid them in their fraudulent schemes. These unwitting accomplices, called "mules," become enmeshed in the murky business dealings when they respond to postings offering jobs they can do from home. Often the mules are instructed to receive and resend good to overseas addresses. A man whose story is detailed in this article tried to cut ties with his shady employers after becoming suspicious of their actions. He contacted law enforcement agents, and when he refused to do what the thieves asked of him, he received threatening messages. Later still, the thieves began changing the billing addresses on accounts they stole to the mule's address and he began receiving other people's on line banking statements.-http://www.usatoday.com/money/industries/technology/2005-07-10-cyber-mules-cover
_x.htm
Sasser Author Receives Suspended Sentence (8/5 July 2005)
Sven Jaschan, the German man who authored the Sasser worm, has been given a 21-month suspended prison sentence and ordered to perform 30 hours of community service. The light sentence is due to the fact that Mr. Jaschan was a teenager when he wrote and released Sasser so he was tried in youth court; had he been tried as an adult, he could have faced a 5-year sentence for his conviction of computer sabotage. Sasser exploited a known vulnerability in Windows Local Security Authority Subsystem service that Microsoft addressed in MS04-011; it began spreading in May 2004 and disabled an estimated one million computers. In accordance with its Anti-Virus Reward Program, Microsoft says it will pay US$250,000 to two people who helped identify Mr. Jaschan as the worm's author. (please note this site requires free registration)-http://www.nytimes.com/reuters/technology/tech-crime-germany-sasser.html
-http://news.com.com/2102-7348_3-5778774.html?tag=st.util.print
-http://www.theregister.co.uk/2005/07/05/sasser_trial_begins/print.html
[Editor's Note (Schultz): The suspended sentence that Jaschan received does not seem fair considering the magnitude of the crimes committed, even if Jaschan was only a teenager at the time he wrote and released worm code. Unfortunately, this sentence also sends the wrong message to young people who are considering engaging in illegal computer activity. ]
Credit Card Security Standard Takes Effect (4 July 2005)
The Payment Card Industry standard, which requires that merchants who conduct credit card transactions comply with certain criteria for handling the data, went into effect in early July. The standard, which is backed by Visa U.S.A. Inc. and MasterCard International Inc., has raised concerns that many of those who will be required to abide by it do not possess the resources to implement the necessary changes and that some are unclear about what they need to do to comply with the standards.-http://www.computerworld.com/printthis/2005/0,4814,102932,00.html
[Editor's Note (Northcutt): The standard did not appear overnight. Merchants that lack the resources to implement this have chosen to be in the situation they are in.
(Paller): This is a very important new standard. SANS has a two-day training class for anyone who works with credit card data or audits companies that do, on how to implement and audit for this standard. First class with space available October 25-26 in New Orleans at SANS Network Security 2005. More information at
-http://www.sans.org/ns2005/description.php?tid=264]
*********************** Sponsored Links: ******************************
1) FREE White Paper: "Why Enterprise Network Security Architecture Doesn't End with IPS"
http://www.sans.org/info.php?id=815
2) Privacy breaches, information leakage, changing laws: Find out how to protect your company.
Expert webcast: http://www.sans.org/info.php?id=816
***********************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Police Arrest Florida Man for Unauthorized Wireless Network Use (8 July 2005)
Police have arrested Benjamin Smith III and charged him with using another individual's home wireless computer network without permission. Mr. Smith was allegedly sitting in his car outside the person's home using his laptop computer. The owner of the network says he is less concerned with the fact that Mr. Smith accessed his network than with what Mr. Smith was doing while on the network. The law under which Mr. Smith was charged prohibits unauthorized access of a computer or network. His arrest is the first for unauthorized Wi-Fi access.-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4001
-http://news.com.com/2102-7351_3-5778822.html?tag=st.util.print
[Editor's Note (Schneier): This strikes me as unreasonable. It seems analogous to leaving a telephone line in the middle of the street and objecting if someone makes a phone call with it. If the owner of the network really cared about unauthorized access, he should have used some (easy to install) security features. On the other hand, I leave my home network unprotected; if someone wants to surf on my bandwidth, it's fine with me as long as it doesn't affect my performance. On the other hand, this should be an interesting test case in a situation that the law doesn't cover well right now.
(Ranum): An analyst quoted in the article shows a weak grasp on moral philosophy. He blames the victim: "It's the guy's fault that he left it open." and "Don't the police have anything better to do?" That kind of mindset needs changing, because it's exactly that attitude that gives people like the alleged perpetrator the feeling of self-justification that lets them go where they aren't invited. ]
University Student Arrested for Alleged Data Theft (7/6 July 2005)
Police in Japan have arrested a university student from China who allegedly broke into more than a dozen companies' computer systems and stole customer information. The student allegedly sold the data on line. He has admitted to the allegations, saying he was seeking additional funds for tuition and related school expenses. The man was arrested for a specific intrusion and is being questioned about the others.-http://www.asahi.com/english/Herald-asahi/TKY200507070202.html
-http://mdn.mainichi-msn.co.jp/national/news/20050706p2a00m0na012000c.html
-http://washingtontimes.com/upi/20050706-040227-8401r.htm
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
US-CERT Warns of Targeted Trojan Attacks (8/1 July 2005)
The US Computer Emergency Readiness Team (US-CERT) has issued a warning of targeted Trojan email attacks. US-CERT makes a number of suggestions for system administrators, including blocking executable or otherwise suspect attachment types at the email gateway, blocking download of executable content via HTTP, turning off "Preview Pane" functionality in email clients and setting default options to view open mail in plaintext. One recently detected attack targeted just 17 email addresses at four domains.-http://www.us-cert.gov/cas/techalerts/TA05-189A.html
-http://www.internetnews.com/security/article.php/3518881
-http://www.newsfactor.com/story.xhtml?story_id=37026
Microsoft July Update Will Include Three Fixes (8 July 2005)
Microsoft's scheduled monthly security release for July will include three security bulletins: two for flaws in Windows and one for a vulnerability in Office. Microsoft also plans to release a "high priority update for office that is not security related.-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39241870-39000005c
Fixes Available for Zlib Buffer Overflow Flaw (8/6 July 2005)
A buffer overflow flaw in the Zlib decompression process could be exploited to take control of a computer or crash applications that use the popular data compression library. Zlib is a widely used open-source component; a number of vendors have already released fixes for the flaw.-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39241869-39000005c
-http://www.eweek.com/print_article2/0,1217,a=155363,00.asp
Exploit Code Circulating for Flaw in Older Versions of Firefox (7 July 2005)
Exploit code for a vulnerability in older versions of the Firefox browser has been released on the Internet. The flaw exists in Firefox 1.0.1 and earlier versions and concerns the way in which GIF images are handled. The problem was fixed in Firefox 1.0.2 which has been available since March 2005. Firefox 1.0.4 was released in May.-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39241525-39000005c
Buffer Overflow Flaw in Adobe Acrobat Reader (6 July 2005)
A buffer overflow flaw in Adobe Acrobat Reader 5.x for Unix and Linux could allow attackers to execute arbitrary code, potentially taking control of vulnerable systems. The flaw could be exploited with a maliciously crafted PDF file. Users are urged to update to versions that are not affected by the flaw.-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=3984
Microsoft Issues Advisory for IE ActiveX Vulnerability (6 July 2005)
Microsoft has released a Security Advisory and a workaround for an ActiveX vulnerability in Internet Explorer. The flaw could be exploited to crash the browser and run unauthorized code, though no exploit has yet been detected. Microsoft has not yet decided whether to release a patch for the vulnerability.-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=3983
-http://www.microsoft.com/technet/security/advisory/903144.mspx
Doomboot.A Trojan Infects Symbian Smartphones, Carries Commwarrior.B Worm (5/4 July 2005)
The Doomboot.A Trojan horse program infects Series 60 Symbian smartphones through what appear to be pirated phone games. Doomboot.A contains the Commwarrior.B worm which sends itself out through MMS and short range Bluetooth, draining the phone's battery and requiring that the phones be reformatted as rebooting will prove futile.-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=3977
-http://www.channelregister.co.uk/2005/07/04/symbian_trojan_doomboot/
ATTACKS, INTRUSIONS & DATA THEFT
University of Southern California Computer Security Breach ( 9 July 2005)
The University of Southern California is notifying approximately 270,000 people who either applied to or began the application process for the school over the past eight years that their personal data may have been compromised. The exploited SQL injection flaw was discovered in June. Officials estimate that only about 10 records were exposed; these contain names, addresses and Social Security numbers. USC's Information Services Division has blocked access to the site.-http://www.latimes.com/news/local/state/la-me-hacker9jul09,1,1003945.story?coll=
la-news-state
-http://www.securityfocus.com/news/11239
STATISTICS, STUDIES & SURVEYS
Study Shows Users are Changing Internet Habits to Avoid Spyware (8 July 2005)
A Pew Internet Project survey of 2,000 Internet users found that more than 90% have altered their on line habits in an effort to reduce their exposure to spyware. More than 80% of those surveyed do not open attachments from unknown senders.-http://www.cio-today.com/news/Internet-Users-Change-Habits-for-Spyware/story.xht
ml?story_id=020000O5OSBS
[Editor's Note (Schultz): I am not sure that the reported figure concerning the percentage of people who do not open attachments they are not expecting is very encouraging. If this figure is true, nearly 20 percent of users open attachments they are not expecting, making their systems prime targets for worm and virus infections.
(Shpantzer): The word is out that spyware is a serious threat, and people are paying attention. Ideally there would be integrated tools that really prevent this crud from getting onto our systems. I must say that I'm very disappointed that the antivirus vendors are so late in bringing anti-spywarepyware functionality to their software that spyware has become so prevalent. ]
IM-Based Attacks Increasing Rapidly (6 July 2005)
A study from the IMlogic Threat Center found that IM-based attacks rose from 20 in all of 2004 to 571 in just the second quarter of 2005. People who use IM would be well advised to block all attachments on IM and filter IM traffic to allow it to come from trusted sites only.-http://www.computerworld.com/printthis/2005/0,4814,102987,00.html
MISCELLANEOUS
PDF File of Alleged Cyber Intruder Indictment Doesn't Fully Hide IP Addresses of Compromised Sites (11 July 2005)
A publicly available PDF file of the indictment of Gary McKinnon, who allegedly broke into numerous US government computer systems, has the IP addresses of the compromised servers blacked out. However, simply cutting and pasting the document into a text editor reveals these addresses.-http://www.theregister.co.uk/2005/07/11/mckinnon_indictment_snafu/print.html
Microsoft Denies Favoritism in Reclassifying Claria Adware (11 July 2005)
Microsoft says it is not giving preferential treatment to adware maker Claria. The beta version of Microsoft's AntiSpyware tool used to recommend quarantining several Claria products, but the newer version tells users to ignore those same products. Microsoft maintains Claria filed a dispute to have their products reevaluated and they were found to meet the criteria necessary to be reclassified. The situation is raising eyebrows because of rumors that Microsoft may acquire Claria.-http://www.betanews.com/article/Microsoft_Denies_Claria_Favoritism/1121100525
-http://www.zdnet.com.au/news/software/print.htm?TYPE=story&AT=39201837-20000
61733t-10000002c
CardSystems Solutions Class Action Lawsuit Amended (7 July 2005)
The class action lawsuit filed against CardSystems Solutions, MasterCard, Visa and Merrick Bank now has an amended complaint asking for "unspecified monetary damages" for the plaintiffs. The original lawsuit was filed on behalf of consumers and card-accepting merchants affected by the security breach that left 40 million accounts exposed; it alleges that CardSystems Solutions violated California law when it failed to secure its systems and to notify those affected by the breach promptly.-http://software.silicon.com/security/0,39024655,39150141,00.htm
-http://www.techfirm.com/cardsystems.pdf
===end===
NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/
