SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VII - Issue #43

October 11, 2005

If you work with or near any web application developers, and want them
to know how to write secure web applications, please ask them to email
me and I'll send them the outline of SANS new course on Writing Secure
Web Applications (November 17-18 in Baltimore). Auditors will find the
course extremely useful, too, but my main reason for mentioning it here
is to ask you to let your development co-workers know about this unique
opportunity. There is no other course, AFAWK, that teaches this material
well; it has gotten rave reviews in many of the most security-sensitive
development organizations in government and industry. Tell them to email
me (paller@sans.org) and ask for the secure development course outline
and schedule. Our big goal here is to help turn the tide against
insecure program development.
Alan

---

TOP OF THE NEWS

Symantec Files Complaint with EU Antitrust Regulators About Microsoft Security Product
US Legislators Eyeing Data Security Bills
Dutch Police Arrest Three in Bot Scheme

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Men Sentenced for TK Worm
SPAM & PHISHING
Phishers Target Scandinavian Internet Banking Customers
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Google Repairs Cross-Site Scripting Flaws Promptly
Microsoft's October Security Update Includes Eight Patches for Windows
Phony Google Toolbar Spreads Via IM, IRC and Steals Credit Card Numbers
ATTACKS & INTRUSIONS & DATA THEFT
Bank of America Notifies Buxx Customers After Laptop Stolen
STANDARDS & BEST PRACTICES
DHS Web Portal Offers Best Practices for Secure Software Development
MISCELLANEOUS
On-line Betting Sites Often Pay Cyber Extortionists, Says Researcher

---

************************** Sponsored by NetIQ *************************

Executive Guides to Assuring Compliance and Managing Risk from NetIQ Get the best practices you need to manage IT risk and assure policy compliance with these two free Executive Guides. You'll learn how to simplify your risk management processes and reduce the time and effort spent ensuring compliance. Download these FREE guides now.

http://www.netiq.com/f/form/form.asp?id=2920&origin=NS_SANSNS_101205

************************************************************************

Security Training Update SANS immersion training programs in the next two months (everything from hacker exploits to wireless security and more) in Atlanta, Orlando, Dallas, Portland, Los Angeles, Chicago, Baltimore, and San Diego and in Barcelona, Vancouver and Amsterdam. Details: http://www.sans.org/

*************************************************************************

---

TOP OF THE NEWS

Symantec Files Complaint with EU Antitrust Regulators About Microsoft Security Product (7/6 October 2005)

Symantec has made an informal complaint with European Commission antitrust regulators regarding Microsoft's announcement that it will be entering the security market. The nature of the complaint will allow the commission to decide whether or not the situation merits an antitrust case against Microsoft. Microsoft announced last week that it will begin offering a beta version of an integrated antivirus/antispyware product by the end of the year with a full rollout expected in 2006. The complaint focuses on Microsoft's plan to bundle the software with its upcoming Windows Vista operating system.
-http://www.computerworld.com/printthis/2005/0,4814,105239,00.html
-http://www.eweek.com/print_article2/0,1217,a=161840,00.asp

US Legislators Eyeing Data Security Bills (5 October/30 September 2005)

US Representative Mike Castle says he plans to introduce data privacy legislation, that would require businesses holding sensitive information to secure their data and would require prompt investigations of data security breaches. Another proposed data security bill, the Personal Security and Privacy Act, originally introduced in June, might soon see an amended version come to a committee vote. Criminal penalties included in the proposed legislation would provide for a maximum sentence of five years in prison for individuals convicted of concealing security breaches that involve sensitive personal data for even one person. The bill also contains minimum privacy and security standards for companies that hold sensitive and personally identifiable data.
-http://news.com.com/2102-7348_3-5889229.html?tag=st.util.print
-http://news.com.com/2102-7348_3-5886478.html?tag=st.util.print
[Editor's Note (Honan): At long last it appears that the US is taking data privacy more seriously and will begin to force companies to change their approach to protecting sensitive customer information. If successful, this bill may allay the concerns many Europeans have about their personal information being stored in US. ]

Dutch Police Arrest Three in Bot Scheme (10/7 October 2005)

Dutch police have arrested three men who allegedly used software to break into 100,000 computers around the world and install programs that steal personal data and enlist the machines for use in cyber attacks. The trio is also believed to be behind a blackmail threat made to a US company to launch a distributed denial-of-service attack on its web site.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39276456-39000005c
-http://www.enterprise-security-today.com/story.xhtml?story_id=38550

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Men Sentenced for TK Worm (7 October 2005)

Two British men have been sentenced to jail for their roles in the creation and spread of the TK worm. Jordan Bradley was sentenced to three months in jail and Andrew Harvey to six months; both admitted to conspiring to "effect unauthorized modifications to the contents of computers with the intent to impair the operation of those computers." The worm created a network of infected computers that were used to launch distributed denial-of-service attacks on web sites. In May 2005, American Raymond Stegerwalt, who also had a role in the worm, was sentenced to 21 months in prison and ordered to pay US$12,000 in restitution to the US Department of Defense. Stegerwalt's trial was held in the US.
-http://software.silicon.com/malware/0,3800003100,39153152,00.htm
-http://www.computerworld.com/printthis/2005/0,4814,105247,00.html
(Stegerwalt story from May 2005) www.computerworld.com/printthis/2005/0,4814,101670,00.html
[Editor's Note (Honan): Computerworld reports that the TK worm caused over $10.3 million in damages (See: www.computerworld.com/printthis/2005/0,4814,101670,00.html ). Three month and six month sentences seem to be far too lenient for that amount of damage ]

SPAM & PHISHING

Phishers Target Scandinavian Internet Banking Customers (5/4 October 2005)

Phishers have targeted the bank Nordea Sweden, which uses a one-time password/PIN authentication procedure. The phishing emails were written in Swedish; they told customers that the bank was changing security procedures. If the customers clicked on the link provided, they were sent to one of two bank look-alike sites hosted in South Korea. The sites ask for account details and the next password code on a scratch card the bank customers have in their possession. The sites would then say there was a problem with the code given and ask for the next code in an apparent attempt to collect a number of the one-time use passwords. Nordea has more than 4 million Internet banking customers in eight countries. Nordea closed down its Internet banking service for about 12 hours while it dealt with the problem.
-http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=baad
adeb-0a19-4136-94d9-a4bfac09b237&newsType=News
-http://newsroom.finland.fi/stt/showarticle.asp?intNWSAID=10241&group=Busines
s
-http://www.thelocal.se/article.php?ID=2213&date=20051004
[Editor's Note (Schultz): To attempt a phishing scheme of this nature, the perpetrators would have to have been aware of the nature of the authentication procedures used by this bank. It would be instructive to find out how they learned of these procedures-perhaps it was through one or more customers or perhaps it was through a bank employee. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Google Repairs Cross-Site Scripting Flaws Promptly (10 October 2005)

Google has fixed a cross-site scripting flaw in two of its sub-sites that could have put users at risk of having their accounts hijacked. The vulnerability could have been exploited to take over users' accounts, trick users into downloading malicious content or allow the attackers to steal personal data. Google was alerted to the vulnerability late last month and addressed the problem within 30 hours.
-http://www.techweb.com/wire/security/171204433;jsessionid=5OIXZCEUJWKFKQSNDBCSKH
SCJUMEKJVN
-http://news.zdnet.com/2100-1009_22-5892525.html

Microsoft's October Security Update Includes Eight Patches for Windows (7 October 2005)

Microsoft has announced that it will release eight patches for Windows flaws on Tuesday, October 11, the scheduled release date for its monthly security update; at least one of the vulnerabilities has received a "critical" rating from Microsoft. Some of the fixes may require users to restart their computers. There will also be a security bulletin with an "important" rating regarding Windows and Exchange mail server vulnerabilities.
-http://software.silicon.com/security/0,39024655,39153120,00.htm

Phony Google Toolbar Spreads Via IM, IRC and Steals Credit Card Numbers (6/5 October 2005)

Phishers have been sending out messages through IM and IRC that contain links to a page that downloads a phony Google toolbar and hijacks the Windows HOSTS file. The toolbar redirects most Google addresses and asks for credit card numbers in a pop-up window.
-http://www.informationweek.com/story/showArticle.jhtml?articleID=171203727
-http://www.eweek.com/print_article2/0,1217,a=161819,00.asp

ATTACKS & INTRUSIONS & DATA THEFT

Bank of America Notifies Buxx Customers After Laptop Stolen (7 October 2005)

Bank of America has begun notifying customers of its Buxx prepaid debit cards that their personal data may have been compromised following the theft of an unencrypted laptop computer. The data include bank account and routing transit numbers as well as names and credit card numbers. Bank of America stopped selling this particular product in January. The laptop was stolen from a Bank of America service provider on August 29; Bank of America was notified on September 9 and then sent out letters after a two-week investigation.
-http://www.computerworld.com/printthis/2005/0,4814,105246,00.html
[Editor's Note (Honan): Yet again another example of why security requirements must be built into outsourcing contracts to ensure your data remains secure. Notifications of security incidents should also be stipulated, as it appears it took nearly two weeks for the bank to be made aware of the theft.
(Shpantzer): I like the way this is worded: Unencrypted laptop. Laptops holding this type of data should be encrypted by mandatory policy, so the qualifier for the unencrypted ones is entirely appropriate. ]

STANDARDS & BEST PRACTICES

DHS Web Portal Offers Best Practices for Secure Software Development (6 October 2005)

The Department of Homeland Security's "Build Security In" web portal offers best practices resources for software developers and security professionals to help them develop more secure and reliable systems. The site provides articles on best practices, knowledge and tools in each of a variety of content areas, including Architecture and Design, Code, Test, Requirements, System and Fundamentals.
-http://www.washingtontechnology.com/cgi-bin/udt/im.display.printable?client.id=w
tdaily-test&story.id=27118
-https://buildsecurityin.us-cert.gov/portal/

MISCELLANEOUS

On-line Betting Sites Often Pay Cyber Extortionists, Says Researcher (6 October 2005)

An IBM security researcher says that on-line betting sites that have been targeted by extortionists often pay the ransom to avoid being targeted by distributed denial-of-service (DDoS) attacks instead of reporting the threats to law enforcement agencies. The financial demands the attackers make tend to be less than the cost of implementing measures to protect the sites from the attacks. A recent study by Forrester found that one in three businesses has been targeted by a DDoS attack; 40% of those suffered losses in excess of GBP54,000 (US$94,700). Organizations that pay the extortionists are likely to be targeted again and increase the likelihood of other businesses being targeted as well.
-http://www.theregister.co.uk/2005/10/06/ibm_botnet_vb/print.html

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler, Brian
Honan, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum,
Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/