SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VII - Issue #45

October 18, 2005

Congratulations to Leonard Ong, GCFA, GSNA, GCIH, for winning the
Singapore Government's IT Specialist of the Year 2005. This prestigious
award recognizes the national "role model" for the person who best
exemplifies effective training and IT advancement, and has been picked
up in several newspapers and magazines. When advised of the news,
Stephen Northcutt, SANS CEO, said, "Leonard is one of the hardest
working members of the GIAC advisory board and one of the most well
rounded security professionals I have ever met. If anyone should be a
role model, it would be Leonard."

---

TOP OF THE NEWS

Congress Agrees to Split Cyber Security From IA/IP
DDoS Attacks Tops ISPs List of Security Threats

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
US House of Representatives Holds Joint Hearing on SCADA System Vulnerabilities
LEGISLATION
Nigeria Considers Anti-Spam Legislation, Signs Agreement with Microsoft to Fight Internet Fraud
SPAM & PHISHING
Anti-Phishing Working Group's August Report
FBI Agents Seize Alleged Spammer's Computers and Financial Records
Banks, Internet Companies Dealing with Phishing Privately
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
MPAA Files Lawsuits Against Movie Download Web Sites
Three Indicted in Software and Music Piracy Scheme
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Patch Can Cause Problems
Exploit Code for Four Microsoft Flaws Already Created
MISCELLANEOUS
Lloyds TSB to Test Security Tokens for Online Banking Customers

---

******************* Sponsored by Watchfire AppScan **********************

Web application security vulnerabilities are a growing threat for anyone doing business online. See if your applications are vulnerable. Download a free trial copy of AppScan today. http://www.watchfire.com/securityzone/product/appscanaudit.aspx?id=701300000002I
2f

*************************************************************************
Security Training Update Baltimore, Amsterdam, and San Diego are all hosting large SANS training conferences. Plus smaller programs in a dozen other cities. http://www.sans/org
*************************************************************************

---

TOP OF THE NEWS

Congress Agrees to Split Cyber Security From IA/IP (13 October 2005)

Congress has agreed to separate the Department of Homeland Security's cyber security division from information analysis and infrastructure protection (IA/IP). In addition, the cyber security division's director will be elevated to an assistant secretary position. The decision came as part of the fiscal 2006 spending measure. The DHS budget for next year includes $93 million for the cyber division's public and private sector exercises and outreach programs. In addition, $17 million is designated for the science and technology division for research and development into cyber attack detection and response devices.
-http://www.govexec.com/story_page.cfm?articleid=32555&printerfriendlyVers=1&
amp;

DDoS Attacks Tops ISPs List of Security Threats (13 October 2005)

Results of Arbor Networks' Worldwide ISP Security Report indicate that 90 percent of ISPs find that "brute force" distributed denial-of-service (DDoS) attacks from bot networks are their single biggest hassle. Rapidly spreading worms and DNS poisoning attacks ranked second and third, respectively, on the list. Just 29 percent of the ISPs have automated services to counter and trace DDoS attacks; furthermore, most ISPs have become aware of DDoS attacks only when alerted by customers. Results were based on responses from 36 large ISPs in the US, Europe and Asia.
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=4570

---

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

US House of Representatives Holds Joint Hearing on SCADA System Vulnerabilities (October 18 2005)

The Homeland Security Committee of the US House of Representatives is holding a joint hearing (of two Subcommittees) on vulnerabilities in SCADA systems this afternoon (October 18). SANS Director of Research, Alan Paller, has been invited to testify along with Andy Purdy from the Department of Homeland Security, representatives of Sandia and Idaho National Labs and Bill Rush of the Gas Technology Institute. The testimony will illuminate the significant threat to electric power and other critical industries that unprotected SCADA and other digital control systems pose.
-http://homeland.house.gov/release.cfm?id=420
SANS (Paller) Testimony:
-http://www.sans.org/info/901
GAO Report on the growing SCADA threat:
-http://www.gao.gov/new.items/d04354.pdf
[Editor's Note (Paller): Critical infrastructure asset owners and technology suppliers engaged in SCADA or DCS security should keep track of the SCADA Security Summit, being arranged by private asset owners and researchers and British and US government agency personnel. The goal is to find the technologies that actually work and develop consensus procurement language that will allow buyers of SCADA equipment to ensure their suppliers are delivering the most secure systems possible. Send an email to info@sans.org with the subject SCADA Summit (and your name and company and role in SCADA security) and we'll send you the early information about the Summit. ]

LEGISLATION

Nigeria Considers Anti-Spam Legislation, Signs Agreement with Microsoft to Fight Internet Fraud (14 October 2005)

Nigerian legislators are considering draft legislation that would make sending spam a criminal offense punishable by three years in jail, a fine or both. Nigeria is known for being the source of a number of Internet scams. In addition, the Nigerian government has signed a contract with Microsoft in which the software company agrees to help the country's law enforcement officials break up crime rings that use the Internet.
-http://edition.cnn.com/2005/WORLD/africa/10/14/nigeria.spam.ap/index.html
-http://www.computerworld.com/printthis/2005/0,4814,105425,00.html
-http://news.yahoo.com/s/ap/20051014/ap_on_hi_te/nigeria_microsoft_internet_fraud

SPAM & PHISHING

Anti-Phishing Working Group's August Report (17/13 October 2005)

According to the Anti-Phishing Working Group's August 2005 Phishing report, phishing sites are remaining on line an average of 5.5 days. A year and a half ago, phishing web sites usually remained on line for a week or more. The number of "phishing campaigns" detected fell for the second month in a row, although the number of new phishing web sites reached an all-time high of 5,259, up from a reported 4,564 in July.
-http://www.computerworld.com/printthis/2005/0,4814,105368,00.html
-http://www.techweb.com/wire/security/172301645%3Bjsessionid=VALLZBNST2MZ4QSNDBCS
KHSCJUMEKJVN
-http://antiphishing.org/apwg_phishing_activity_report_august_05.pdf

FBI Agents Seize Alleged Spammer's Computers and Financial Records (16 October 2005)

Recently unsealed warrants reveal that FBI agents raided the Michigan home of Alan M. Ralsky, allegedly one of the nation's most prolific senders of bulk email, and seized his financial records, computers and disks. The seizure has reportedly halted his operation. Mr. Ralsky was sued by Verizon Communications in 2001 for shutting down Verizon's network by sending millions of unsolicited email messages; he settled the case for an undisclosed sum and promised not to send spam on the company's networks any more.
-http://www.usatoday.com/tech/news/techpolicy/2005-10-16-fbi-spammer_x.htm
-http://www.detnews.com/2005/technology/0510/16/B01-349738.htm

Banks, Internet Companies Dealing with Phishing Privately (7 October 2005)

Because law enforcement seems to give phishing a low priority, banks and companies that conduct business on the Internet are taking matters into their own hands. The organizations work with ISPs, web hosting services and regional Internet authorities to track down the servers the phishing email is coming from and work with contacts to shut the sites down. They have also been setting up phony accounts and working with banks and law enforcement organizations to track the stolen data and ultimately arrest the thieves.
-http://www.newsfactor.com/story.xhtml?story_id=38544
[Editor's Note (Schultz): I was not aware that law enforcement has not been very interested in phishing cases. One would think that phishing, something that exposes many individuals to the potential of identity theft, would get more of law enforcement's attention.
(Schneier) I've been saying that companies won't do much about phishing until they have a financial incentive to do so; perhaps a sufficient number of disgruntled customers constitutes an incentive. ]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

MPAA Files Lawsuits Against Movie Download Web Sites (14 October 2005)

The Motion Picture Association of America (MPAA) has filed lawsuits in New York state courts against six web sites. The MPAA alleges the sites are violating federal copyright laws by pretending to be legitimate movie and music downloading web sites, but actually charging people to redirect them to file sharing sites where they have access to illegally copied content.
-http://news.bbc.co.uk/2/hi/technology/4342910.stm
-http://www.newsfactor.com/story.xhtml?story_id=03200000QISG

Three Indicted in Software and Music Piracy Scheme (13 October 2005)

Three California men have been indicted for their alleged roles in a music and software piracy scheme; the three were allegedly involved in illegally copying CDs. Charges in the indictments include conspiracy to commit criminal copyright infringement and traffic in counterfeit labels, criminal copyright infringement, trafficking in counterfeit labels, and aiding and abetting. The arrests and searches were part of the US Department of Justice's "Operation Remaster" which focused on the replicators in the chain of digital media piracy.
-http://www.computerworld.com/printthis/2005/0,4814,105374,00.html
-http://www.internetnews.com/bus-news/article.php/3556071

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Microsoft Patch Can Cause Problems (14 October 2005)

Microsoft has said that one of the patches in its monthly security update (Microsoft Security Bulletin MS05-051) released on October 11 may cause problems. Once installed, the patch for critical flaws in Microsoft Distributed Transaction Coordinator and the COM+ service could lock users out of their PCs, prevent the Windows firewall from starting, block some applications from starting or running and empty the network connections folder. The problems occur when the default permission settings on a Windows directory have been changed. Users can fix the problems by restoring default settings for the Windows folder and the COM+ catalog.
-http://news.zdnet.com/2102-1009_22-5896041.html?tag=printthis
-http://www.computerworld.com/printthis/2005/0,4814,105453,00.html
Internet Storm Center data:
-http://isc.sans.org/diary.php?storyid=765
-http://support.microsoft.com/kb/909444

Exploit Code for Four Microsoft Flaws Already Created (14/13 October 2005)

There is already exploit code created for four of the flaws addressed in Microsoft's October security update (MS05-051, MS05-045, MS05-046, and MS05-047). It is likely that publicly available malicious exploit code will soon be circulating. The exploit code appeared within 24 hours of the security update's release; generally, the lag time between disclosure and exploit code averages 5.8 days. Internet Storm Center Data:
-http://isc.sans.org/diary.php?storyid=759
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39278676-39000005c
-http://www.techworld.com/security/news/index.cfm?NewsID=4576
[Editor's Note (Shpantzer): The shortened cycle-time available to defenders is a trend that is well documented. See
-http://www.qualys.com/research/rnd/vulnlaws/
and
-http://www.isc.sans.org/presentations/MITSecCampISCPresentation.pdf]

MISCELLANEOUS

Lloyds TSB to Test Security Tokens for Online Banking Customers (14 October 2005)

UK Bank Lloyds TSB is piloting a new security program for its Internet banking customers. A key-fob token will generate a new six-digit, one-time-use security code for about 30,000 customers each time they wish to conduct an Internet banking transaction. Lloyds had previously used a two-stage authentication system: a username and password followed by a drop-down menu with choices of letter combinations. The program is slated to last for six months; Lloyds will then assess its effectiveness and customer reaction before deciding whether or not to roll it out to its entire customer base.
-http://news.bbc.co.uk/2/hi/business/4340898.stm
-http://www.computerworld.com/printthis/2005/0,4814,105430,00.html
[Editor's Note (Paller): Do you know which banks have done the best job of implementing two-factor authentication? Early indications are that UBS and Rabobank are the leaders in Europe and that the banks in Hong Kong and Singapore are doing the best job of making two-actor authentication easy and inexpensive (using cell phones). If you have any data on which banks are doing it best please share it with us. It is time to give consumers the information they need to choose their banks on the basis of who is best at protecting their money. ]

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler,
Jaap-Henk Hoepman, Brian Honan, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz,
Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/