
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #66

December 31, 2005


2006 is not going to get off to a very good start for security people because of Microsoft's newest zero-day exploit (see the first story in Top of the News). If you have parents or friends who have not kept their anti-virus signatures up to date, try to persuade them to update it right now. Otherwise you may be spending some of next week trying (and failing) to clean bots and spyware out of their systems.

Alan

TOP OF THE NEWS

Zero-Day Exploit for WMF Flaw Circulating; Causing Widespread Infections
The Year in Security

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Guilty Plea in eBay DDoS Attack
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
FBI Recruiting IT Personnel
NSA Addresses Cookie Error
NIST Issues Revised Cryptography Guidelines
SPYWARE, SPAM & PHISHING
UK Man's Spam Claim Successful
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Sony BMG Settles Class Action DRM Lawsuit
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Virkel.f Trojan Horse Program Spreads Via IM Network
ATTACKS & INTRUSIONS & DATA THEFT
Marriott Acknowledges Missing Backup Tapes Contain Personal Data
Iowa State University Acknowledges Data Security Breaches


************************ Security Training Update ******************************

1) Earn your Masters degree in Information Security Engineering, from SANS.
http://www.sans.edu

2) SANS 2006 (Orlando, Feb 24 - March 2) Deadline for early registration is January 4.
http://www.sans.org/sans2006

********************************************************************************

TOP OF THE NEWS

Zero-Day Exploit for WMF Flaw Circulating; Causing Widespread Infections (29/28 December 2005)

A zero-day exploit for a vulnerability in Microsoft Windows Metafile Format (WMF) has been circulating in the wild. Microsoft is "looking into the problem," which lies in the way Windows renders WMF image files. Security firms have given the flaw a critical rating because it is a zero-day vulnerability and because an exploit is already available. Users can become infected with the Exploit-WMF Trojan if they visit web sites with malicious WMF files or if they open malicious WMF image files that arrive as email attachments. The exploit that is circulating allows attackers to download software - a keystroke logger and an IRC-based remote administration tool - to vulnerable Windows PCs. A spyware site is reportedly using the exploit to place spyware and adware on vulnerable computers. The flaw affects Windows XP with SP1 and SP2 and Windows Server 2003. Great information at two sites: Internet Storm Center:
-http://isc.sans.org
FSecure:
-http://www.f-secure.com/weblog/archives/archive-122005.html#00000752#00000752
Other news stories:
-http://news.zdnet.com/2102-1009_22-6011406.html?tag=printthis
-http://www.theregister.co.uk/2005/12/29/wmf_trojan_alert/print.html
-http://www.eweek.com/print_article2/0,1217,a=168152,00.asp
-http://www.eweek.com/print_article2/0,1217,a=168161,00.asp
-http://blogs.washingtonpost.com/securityfix/2005/12/update_on_the_c.html
-http://www.techweb.com/wire/security/175700769
CERT Tech Alert:
-http://www.us-cert.gov/cas/techalerts/TA05-362A.html
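The story names two infection paths, malicious WMF files on web sites and WMF attachments in email, so one immediate mitigation is to recognise WMF content at the mail gateway or file filter and hold it for inspection. The Python below is an added, defender-side example and is not code from the story or from any of the linked advisories: it identifies a WMF by its structural header (the optional 22-byte placeable header with its fixed magic, then the 18-byte META_HEADER whose Type, HeaderSize and Version fields take the values the Windows Metafile format defines) rather than by filename, so a renamed attachment is still caught. The quarantine policy, the function names and the sample files are assumptions constructed for this example; the check says nothing about whether a given file is malicious, only that it is a WMF.

```python
import struct
from functools import reduce

# Windows Metafile format constants: a 22-byte "placeable" header with a fixed
# magic may precede the 18-byte META_HEADER that every WMF carries.
PLACEABLE_KEY = 0x9AC6CDD7
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18
META_TYPES = {1: "memory metafile", 2: "disk metafile"}
META_VERSIONS = {0x0100, 0x0300}
# Type, HeaderSize (always 9 words), Version, Size (in 16-bit words),
# NumberOfObjects, MaxRecord, NumberOfMembers
META_HEADER_FMT = "<HHHIHIH"


def identify_wmf(data: bytes):
    """Return a dict describing the WMF header if `data` starts with one, else None.

    The check is purely structural and does not judge the file's intent.
    """
    offset = 0
    placeable = False
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        placeable = True
        offset = PLACEABLE_HEADER_LEN
    if len(data) < offset + META_HEADER_LEN:
        return None
    mtype, header_size, version, size_words, _objs, _max_rec, _members = struct.unpack_from(
        META_HEADER_FMT, data, offset
    )
    if mtype not in META_TYPES or header_size != 9 or version not in META_VERSIONS:
        return None
    return {
        "placeable": placeable,
        "type": META_TYPES[mtype],
        "version": f"0x{version:04x}",
        "declared_words": size_words,
        # Size counts 16-bit words of the standard metafile, placeable header excluded.
        "size_matches": size_words * 2 == len(data) - offset,
    }


def should_quarantine(filename: str, data: bytes) -> bool:
    """Gateway policy assumed for this example: hold anything named *.wmf and
    anything whose bytes are a WMF, whatever the filename claims."""
    return filename.lower().endswith(".wmf") or identify_wmf(data) is not None


# --- constructed sample inputs (not real files) ---
def _standard_wmf() -> bytes:
    # Header declaring 12 words in total (9 header + 3 for the EOF record), then META_EOF.
    header = struct.pack(META_HEADER_FMT, 1, 9, 0x0300, 12, 0, 3, 0)
    eof_record = struct.pack("<IH", 3, 0x0000)
    return header + eof_record


def _placeable_wmf() -> bytes:
    # Key, HWmf, bounding box (left, top, right, bottom), Inch, Reserved;
    # the trailing checksum is the XOR of the preceding ten 16-bit words.
    body = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = reduce(lambda a, b: a ^ b, struct.unpack("<10H", body))
    return body + struct.pack("<H", checksum) + _standard_wmf()


SAMPLE_STANDARD = _standard_wmf()
SAMPLE_PLACEABLE = _placeable_wmf()
SAMPLE_GIF = b"GIF89a" + bytes(40)  # a non-WMF file for contrast

if __name__ == "__main__":
    for name, blob in [("chart.wmf", SAMPLE_STANDARD),
                       ("holiday.jpg", SAMPLE_PLACEABLE),
                       ("logo.gif", SAMPLE_GIF)]:
        verdict = "quarantine" if should_quarantine(name, blob) else "pass"
        print(name, identify_wmf(blob), verdict)
```

Because the decision rests on the bytes, a filter built this way complements rather than replaces the anti-virus signature updates the editor urges above: it holds the file class the flaw lives in until a patch exists, while the scanner handles known samples.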

The Year in Security (29/28 December 2005)

Data security breaches lead a run-down of the 2005's significant security events; more than 130 data security breaches were reported, exposing more than 55 million Americans to potential data theft. Other issues include the arrests of "bot masters", the increased focus on creating stealthy attack tools and narrowly targeted attacks, and Sony BMG's problems with digital rights management (DRM) software on certain CDs.
-http://www.usatoday.com/tech/news/computersecurity/2005-12-28-computer-security_x.htm


THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Guilty Plea in eBay DDoS Attack (29 December 2005)

Anthony Scott Clark has pleaded guilty to using a bot network to launch a distributed denial of service (DDoS) attack on eBay's web site. Clark apparently had accomplices in the attack; the bots were also used to send spam and steal data, according to Clark. In his plea agreement, Clark promised to cooperate with authorities. Clark pleaded guilty to intentionally damaging a protected computer, which carries a maximum prison sentence of 10 years and a fine of up to twice the losses suffered.
-http://www.mercurynews.com/mld/mercurynews/business/13506617.htm
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39244661-39020330t-10000025c

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

FBI Recruiting IT Personnel (29 December 2005)

The FBI has announced that it is seeking to hire Information Technology (IT) professionals for "critical IT positions;" interviews for computer scientists and engineers, IT specialists and IT project managers are scheduled to begin in January.
-http://www.computerworld.com/printthis/2005/0,4814,107390,00.html
-http://www.fbi.gov/pressrel/pressrel05/pr_it122305.htm
[Editor's Note (Schultz): The real issue for the FBI is not so much recruiting IT experts, but rather retaining them. Time after time, industry, which often pays far more than the FBI can, hires the "best and brightest" away from the FBI. ]

NSA Addresses Cookie Error (29 December 2005)

The National Security Agency (NSA) website had until Tuesday, December 27 been placing two cookies on visitors' computers in violation of federal rules. A 2003 memo from the Office of Management and Budget (OMB) prohibits federal agencies from using persistent cookies, which remain on users' computers after they have closed their browsers, "unless there is a 'compelling need.'" Their use must be disclosed in the privacy policy. The cookies in question were set to expire in 2035. The NSA is permitted to place temporary cookies on site visitors' computers; these cookies are deleted once the visitor closes the web browser. The NSA addressed the problem following a complaint from a privacy activist and Associated Press inquiries, acknowledging that a mistake had been made and attributing the error to a software upgrade.
-http://www.informationweek.com/showArticle.jhtml?articleID=175700996
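The distinction the story turns on is mechanical: a cookie without Max-Age or Expires lives only for the browser session, while one with either attribute persists until the stated time (the NSA's were set for 2035). An audit of that rule against a site's Set-Cookie headers is easy to automate. The Python below is an added example, not code from the story or from any agency: it parses each Set-Cookie value, decides whether it is persistent (Max-Age takes precedence over Expires, per RFC 6265), and reports every cookie that outlives the session by more than a chosen number of days. The function names, the zero-day-tolerance default and the sample headers are assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header_value: str, now: datetime) -> dict:
    """Parse one Set-Cookie header value and decide whether it is persistent.

    A cookie is persistent when it carries Max-Age or Expires; without either
    it is a session cookie that the browser discards when it closes.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive

    expires = None
    if "max-age" in attrs:  # Max-Age wins over Expires when both are present
        expires = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
    return {"name": name.strip(), "persistent": expires is not None, "expires": expires}


def audit_persistent_cookies(headers, now=None, max_days: int = 0):
    """Return the cookies that outlive the browser session by more than max_days.

    max_days=0 mirrors the strict rule in the story: any persistent cookie is a
    finding. A larger value tolerates short-lived preference cookies.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header, now)
        if not cookie["persistent"]:
            continue
        lifetime_days = (cookie["expires"] - now).days
        if lifetime_days > max_days:
            findings.append({
                "name": cookie["name"],
                "expires": cookie["expires"].isoformat(),
                "lifetime_days": lifetime_days,
            })
    return findings


# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    "sessionid=3f9a1c; Path=/; Secure; HttpOnly",                      # session cookie: allowed
    "visitor=a1b2c3; Expires=Mon, 01 Jan 2035 00:00:00 GMT; Path=/",  # persistent until 2035
    "prefs=en; Max-Age=31536000; Path=/",                              # persistent for one year
    "tmp=1; Max-Age=0; Path=/",                                        # immediate deletion: not a finding
]
AUDIT_TIME = datetime(2005, 12, 27, tzinfo=timezone.utc)  # the date in the story, assumed as "now"

if __name__ == "__main__":
    for finding in audit_persistent_cookies(SAMPLE_HEADERS, now=AUDIT_TIME):
        print(f"persistent cookie {finding['name']!r} expires {finding['expires']} "
              f"({finding['lifetime_days']} days)")
```

Run against a real site's response headers, the findings list is what has to be reconciled with the published privacy policy; the story's "software upgrade" explanation is a reminder that the audit belongs in the deployment pipeline, not only in a one-off review.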

NIST Issues Revised Cryptography Guidelines (28 December 2005)

The National Institute of Standards and Technology (NIST) has issued a revised version of Special Publication 800-21-1, a cryptography manual redesigned to help federal organizations comply with Federal Information Security Management Act (FISMA) requirements. The revised publication provides "guidelines for selecting, specifying, employing and evaluating cryptographic protection mechanisms in federal information systems."
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=37840
-http://csrc.nist.gov/publications/nistpubs/800-21-1/sp800-21-1_Dec2005.pdf

SPYWARE, SPAM & PHISHING

UK Man's Spam Claim Successful (29/28/27 December 2005)

A UK Court found in favor of Nigel Roberts, a Channel Island man who filed a claim against Media Logistics UK, an Internet marketing company, after he received unsolicited commercial email from them on his personal email account. A three-year-old EU spam law, the Directive on Privacy and Telecommunications, allows individuals to claim damages from offenders. Media Logistics acknowledged the claim but did not defend it; Mr. Roberts will receive GBP270 (US$466) in compensation and GBP30 (US$52) in court fees.
-http://technology.timesonline.co.uk/article/0,,19509-1960845,00.html
-http://news.bbc.co.uk/2/hi/europe/jersey/4562726.stm
-http://www.theregister.co.uk/2005/12/29/uk_spam_win/print.html

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Sony BMG Settles Class Action DRM Lawsuit (29 December 2005)

Sony BMG has reached a settlement with plaintiffs in a class action lawsuit filed over the XCP and MediaMax digital rights management (DRM) copy protection that came with certain CDs. The XCP DRM software installed a rootkit that attackers later exploited; MediaMax was also found to pose a security threat. Sony will recall all CDs protected with XCP and replace them with CDs without copy protection. Sony has also agreed to compensate the plaintiffs who purchased the CDs and to provide them with tools for removing the rootkit. Compensatory measures include allowing those who purchased CDs with the DRM software in question to download a limited amount of music at no cost. "The settlement filing is awaiting approval by the US District Court for the Southern District of New York."
-http://news.com.com/2102-1002_3-6012173.html?tag=st.util.print
[Editor's Note (Schultz): The Sony DRM software debacle has sent a clear message to the entertainment industry that the ends do not justify the means when it comes to copyright enforcement. It will be interesting to see what new approaches to this problem this industry will come up with in the future.]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Virkel.f Trojan Horse Program Spreads Via IM Network (27 December 2005)

The Virkel.f Trojan horse spreads through an instant message in the guise of a leaked version of MSN Messenger 8 beta. An accompanying link leads to a file that can be downloaded and run, but also places the Trojan horse program on users' computers. Once infected, the machine becomes part of a botnet; the Trojan can be updated with more malicious code so it can be manipulated to be a spam zombie or participate in a distributed denial of service (DDoS) attack. This malware spreads by sending itself out to IM contact names found on infected systems. The link is labeled "MSN Messenger 8 Working BETA" and the downloadable file is BETA8WEBINSTALL.EXE.
-http://www.techweb.com/wire/175700333
-http://news.com.com/2102-7349_3-6010163.html?tag=st.util.print
[Editor's Note (Pescatore): There has definitely been an increase in attacks via links in IM messages. Users who will no longer click on a link in an email for fear of phishing are still clicking on links in IM messages - and usually clicking within seconds of receipt, as compared to email messages that may sit in the users' in-box for quite some time. Enterprises that have made the decision to allow public IM services to be used by employees need to make sure that IM filtering services are put in place, and employees warned that IM screen names are just as insecure as email addresses. ]

ATTACKS & INTRUSIONS & DATA THEFT

Marriott Acknowledges Missing Backup Tapes Contain Personal Data (28 December 2005)

More than 200,000 employees, owners and customers of Marriott Vacation Club International are being notified that backup tapes containing their personal data, including bank, credit card and Social Security numbers, are missing from a Florida office. Club officials have reported the missing tapes to authorities and have begun their own investigation into the tapes' disappearance.
-http://www.informationweek.com/showArticle.jhtml?articleID=1757005930

Iowa State University Acknowledges Data Security Breaches (25 December 2005)

Two computers at Iowa State University suffered security breaches this month, possibly exposing the personal data of ISU employees and university athletic department donors. University technology staff investigating the breaches say credit card numbers were encrypted and therefore unlikely to have been read by intruders. The breaches affected more than 3,000 ISU employees and approximately 2,500 donors. University officials say they do not plan to contact the police to help them find the intruder's identity. ISU suffered a similar security breach in June of this year.
-http://desmoinesregister.com/apps/pbcs.dll/article?AID=/20051225/NEWS01/512250364/1001&template=printart



===end===

NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler, Jaap-Henk Hoepman, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/