SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #15

February 21, 2006

TOP OF THE NEWS

The Agony of Spyware
Google Files Formal Rejection of Government Request for Search Data
Microsoft Decries iDefense's Offer of Cash for Critical Windows Holes

THE REST OF THE WEEK'S NEWS

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Man Arrested for Allegedly Uploading Oscar-Nominated Film
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Worm Targets Linux Systems
New Mac OS X Worm Exploits Patched Flaw
IBM Readying Fix for Tivoli Directory Server 6.x
Proof-of-Concept Code Exploits Holes in Windows Media Player
Cisco Releases Fixes for Various Products
MISCELLANEOUS
Former CA Exec Accused of Erasing Data Pertinent to Investigation
Morgan Stanley Offers to Pay US$15 Million for Deleting eMail Relevant to Lawsuits

---

************************* Sponsored by Permeo ***************************

SSL VPN Buyers Guide -- Permeo Technologies

Considering SSL VPN for remote access? Download the latest Buyers Guide from security analyst Mark Bouchard (CISSP) to learn how to evaluate SSL VPN technology including features to look for and implementation best practices. In addition, Mark discusses the importance of integrated endpoint security and information controls. Learn more.

http://www.sans.org/info.php?id=1036

*************************************************************************

World-Class Security Training Opportunities in the Next Few Weeks

SANS 2006 in Orlando (Feb 24- March 4) 36 tracks of extraordinary training - the best instructors in the world, and a great security tools exposition. Lots of people are bringing their families to Orlando to join them at the end of the program. Plus: San Francisco, Phoenix, St. Louis, Monterey Brisbane, Tokyo, Ottawa

Or you can take SANS training anytime, anywhere with the new SANS On Demand. Details on these and other programs: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

The Agony of Spyware (19 February 2006)

This article provides extraordinary detail about the motivation and techniques used by a young criminal who makes his living by installing spyware on thousands of computers. Brian Krebs, the Washington Post cyber security journalist who wrote this analysis, was able to get very close to this criminal. The article also covers other aspect s of the adware and spyware scourge.
-http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342_
pf.html
[Editor's Note (Paller): Metadata in a picture in the article may have provided sufficient information to identify the criminal.
-http://www.theinquirer.net/?article=29805]

Google Files Formal Rejection of Government Request for Search Data (20/18 February 2006)

Google has filed court documents over the weekend with a federal judge in San Jose formally rejecting the US government's request for search data. The documents say Google believes providing that information to the government would violate users' privacy and expose the company's trade secrets. Google goes on to say that the information requested would not "accomplish what the government wanted." The requests were made by the Department of Justice (DoJ) to demonstrate that voluntary regulation is not preventing minors from accessing inappropriate web content and appeal the injunction against a law that would impose penalties on web site operators who allow minors to view inappropriate material. The American Civil Liberties Union (ACLU) has filed an amicus brief on behalf of Google.
-http://news.bbc.co.uk/2/hi/technology/4731640.stm
-http://management.silicon.com/government/0,39024852,39156583,00.htm
-http://www.computerworld.com/printthis/2006/0,4814,108843,00.html
[Editor's Note (Northcutt): Northcutt: I ran a few tests and what I found was really offensive; then I ran a couple dozen more tests ( I am kidding if that helps the humor impaired). One of my tests was the phrase "nude women", this matches 9,040,000 English web pages, so our government is going to have its hands full running all that inappropriate content to ground; even sorting the really inappropriate from the possibly inappropriate would be a significant task. That test also brought up 8 paid Google ads so it is probable that Google is not unbiased. Now the rich question is, whose responsibility is this really? It would seem parents and schools should have a significant role in controlling what kids are able to do with computers and for that I suggest typing "protect kids online" into Google. ]

Microsoft Decries iDefense's Offer of Cash for Critical Windows Holes (17 February 2006)

Microsoft has spoken out against iDefense's offer to pay US$10,000 to people who find and reveal to them critical vulnerabilities in Windows. According to a Microsoft spokesperson, the company "does not believe that offering compensation for vulnerability information is the best way
[to ]
protect customers," and instead prefers that "researchers" ensure a fix is available from vendors before disclosing the details of a vulnerability. iDefense says it believes their offer "promotes the concept of responsible disclosure." iDefense Labs Michael Sutton said he finds it curious that Microsoft's Antivirus Reward Program offers US$250,000 for information leading to the arrest and conviction of malware writers, but is opposed to iDefense's program. Peter Mell, who manages the National Vulnerability Database (NVD) at the National Institute of Standards and Technology (NIST), says iDefense's program could skew bug hunters' attention to certain vendors rather than helping improve security in the industry.
-http://www.eweek.com/print_article2/0,1217,a=171828,00.asp
-http://www.techweb.com/wire/security/180204034%3Bjsessionid=C5IBZ5TJU1EZAQSNDBGC
KHSCJUMEKJVN
-http://www.microsoft.com/security/antivirus/default.mspx
[Editor's Note (Schultz): I side with Microsoft on this issue. Dealing with vendors, not "bounty hunters," is much more likely to result in satisfactory outcomes when new vulnerabilities are discovered.
(Schmidt): Next thing you know someone will be offering a "finders fee" for people that leave their keys in their cars. I see no value in this and agree with Marcus that there is a name for those that do this and it is not "researchers" I thought these folks were above this type of thing.
(Grefer): Even Michael Sutton should be able to notice the fundamental difference between his company's bug hunting premium and Microsoft's bounty on malware writers. (Murray): Perhaps iDefense is unable to see the difference between rewarding responsibility, which is its own reward, and incenting mischief.]

---

************************** Sponsored Links: ***************************

1) ALERT! How hackers gain access to backend data via web applications- SPI Dynamics White Paper http://www.sans.org/info.php?id=1037

2) ALERT: YOU vs Sober/Zotob/Bagle Variants? Is Your Internal Network Safe? Download FREE White Paper "Zotob: Zero-Hour Detection and Response" http://www.sans.org/info.php?id=1038

3) "What is The Real Threat to SCADA and PCS Systems?" Wednesday, February 22 at 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=1039

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Man Arrested for Allegedly Uploading Oscar-Nominated Film (17 February 2006)

A California man has been arrested for allegedly uploading an Academy Award nominated film to the Internet. Luis Ochoa was caught in a sting operation that was set up after somebody informed the Motion Picture Association of America (MPAA) that Ochoa had mentioned in a chat room that he wanted to upload the film. The film's watermark indicated that it was a "screener" copy intended for viewing by someone with Academy voting privileges; the copy in question was allegedly obtained "before it reached the intended recipient." If he is convicted of all charges against him, Ochoa could face penalties of a one-year prison sentence and a fine.
-http://news.bbc.co.uk/1/hi/entertainment/4724584.stm

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Worm Targets Linux Systems (20 February 2006)

The Mare-D worm exploits vulnerabilities in XML-RPC for PHP and Mambo to infect and spread between machines running Linux. The worm is capable of installing an IRC-controlled backdoor on systems it infects. While the worm has been given a low risk rating, it is noteworthy because it targets Linux systems.
-http://www.theregister.co.uk/2006/02/20/linux_worm/print.html

New Mac OS X Worm Exploits Patched Flaw (17 February 2006)

A newly detected proof-of-concept worm exploits a vulnerability in Apple's implementation of Bluetooth; Apple released a fix for the flaw in June, 2005 in Security Update 2005-006. The worm uses Bluetooth to self-propagate by searching for other Bluetooth-enabled devices. The worm is the second exploit for a flaw in Mac OS X in as many days.
-http://news.zdnet.com/2102-1009_22-6041091.html?tag=printthis
-http://www.theregister.co.uk/2006/02/17/macosx_bluetooth_worm/print.html
-http://www.vnunet.com/vnunet/news/2150563/second-virus-exploits-bluetooth

IBM Readying Fix for Tivoli Directory Server 6.x (17 February 2006)

IBM is preparing patches for a flaw in IBM Tivoli Directory Server 6.x that could make the software vulnerable to denial-of-service (DoS) attacks. The flaw lies in the way the LDAP server handles certain requests and could be exploited through the use of maliciously crafted requests to crash vulnerable servers.
-http://www.computerworld.com/printthis/2006/0,4814,108813,00.html

Proof-of-Concept Code Exploits Holes in Windows Media Player (17/16 February 2006)

Proof-of-concept exploit code for two recently patched flaws in Microsoft's Windows Media Player (WMP) has been released on the Internet. Both WMP flaws could be exploited to take control of vulnerable computers; Microsoft deemed just one of the flaws critical. The flaws were addressed by patches in MS06-005 and MS06-006, released on February 14, 2005.
-http://www.computerworld.com/printthis/2006/0,4814,108825,00.html
-http://news.com.com/2102-1002_3-6040746.html?tag=st.util.print

Cisco Releases Fixes for Various Products (15 February 2006)

Cisco Systems has released fixes for a handful of vulnerabilities that could be exploited to escalate privileges, launch denial-of-service (DoS) attacks or bypass security and gain access to vulnerable appliances, routers and switches.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1166826,0
0.html

MISCELLANEOUS

Former CA Exec Accused of Erasing Data Pertinent to Investigation (17 February 2006)

Former CA (previously called Computer Associates) chief executive Sanjay Kumar has been accused of erasing data from his laptop computer's hard drive; the data could conceivably have been used as evidence in the accounting scandal that led to Kumar's departure from the company. The US District Court in Eastern New York plans to "submit evidence showing Kumar reformatted his laptop to run the Linux operating system, effectively wiping out the computer's memory." The reformatting allegedly took place after the government probe had begun and after a memorandum directed CA employees to retain pertinent information. Kumar was indicted as a result of the government probe into questionable accounting practices.
-http://management.silicon.com/government/0,39024852,39156541,00.htm

Morgan Stanley Offers to Pay US$15 Million for Deleting eMail Relevant to Lawsuits (14 February 2006)

Morgan Stanley, a US investment bank, has offered to pay US$15 million as resolution to an investigation spurred by the company's non-compliance with an order to retain electronic messages pertinent to a lawsuit filed against it. The Securities and Exchange Commission (SEC) has not yet accepted Morgan Stanley's offer. Morgan Stanley maintained the backup tapes containing the email messages in question had been overwritten.
-http://www.computerworld.com/printthis/2006/0,4814,108687,00.html

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Bill Murray, Stephen Northcutt, Alan Paller, John
Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer,
Koon Yaw Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/