SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VIII - Issue #25

March 28, 2006


Did you know it is illegal to use a wireless connection without permission? If you didn't, take a look at the first story.

Alan

TOP OF THE NEWS

Man Fined and Sentenced to Court Supervision for Wireless Piggybacking
UK Fraud Bill Would Make it a Crime to Deceive a Computer
Web Sites Exploiting IE Flaw; Microsoft Working On Fix
Lenovo Says National Security Concerns Over Computer Deal Unwarranted

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Israeli Trojan Couple Sentenced to Prison
Four Indicted on Charges Related to Nigerian 419 Scam
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
HHS IG Refutes GAO Report Findings
SPYWARE, SPAM & PHISHING
Australian Judge Opens Door for Contempt Charges Against Kazaa
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
German Anti-Piracy Law Imposes Stiff Penalties
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
RealNetworks Addresses Four Vulnerabilities
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Florida State Employee Data Compromised
Stolen Laptop Contained Personal Data from Vermont State Colleges
MISCELLANEOUS
Company Will Pay Hefty Fine for Violating Anti-Spam Law
NEC to Restate Results Following Internal Theft of 50 Million Yen
Interpol: Police Forces Need Money, Manpower and Data Sharing


*********************** Sponsored By LURHQ *****************************

LURHQ's Managed Security and Consulting Services empower the security
professional by enabling a strategic Threat and Vulnerability Management
process focused on your critical business assets. Download this
presentation, featuring Gartner Analyst Kelly Kavanagh, to learn how a
Threat & Vulnerability Management program enabled by our Services can
enhance your security posture and facilitate compliance efforts.
http://www.sans.org/info.php?id=1083


************************************************************************
SANS Training in San Diego, Munich, London and Washington DC
Turbo charge your security career or the careers of any of your
coworkers this spring in San Diego in early May: a dozen of SANS' most
popular courses and a vendor exposition right on the harbor.
http://www.sans.org/security06/
Or in London at the end of June: http://www.sans.org/london06
Or Munich in early April: http://www.sans.org/munich06
Or Washington in July right after July 4 for the biggest SANSFIRE ever:
with all 17 SANS immersion tracks and more than a dozen special courses,
a big exposition, and an inside look at how the Internet's Early Warning
System (Internet Storm Center) actually works. Bring your family for the
national fireworks show.
http://www.sans.org/sansfire06
*************************************************************************

TOP OF THE NEWS

Man Fined and Sentenced to Court Supervision for Wireless Piggybacking (24/23 March 2006)

David M. Kauchak has been fined US$250 and sentenced to one year of court supervision for accessing another person's wireless network without permission. Kauchak was arrested after he was seen sitting in his parked car with his computer.
-http://www.techweb.com/wire/183702832
-http://rrstar.com/apps/pbcs.dll/article?AID=/20060323/NEWS0107/103230036/1011
[Editor's Note (Schultz): I know many people who "piggyback" on others' wireless networks without any fear of being punished. Perhaps the ruling in this case will help them change their minds concerning engaging in such activity. ]

UK Fraud Bill Would Make it a Crime to Deceive a Computer (23 March 2006)

UK Attorney General Lord Goldsmith has added a clause to the Fraud Bill that would make it a criminal offense to deceive a computer, for example by trying to steal money from cash machines. The clause would "close a legal loophole." Under the present wording, prosecutions of cyber criminals could fail "on the grounds that you cannot deceive a machine."
-http://www.vnunet.com/computing/news/2152523/bill-seals-crime-loophole

Web Sites Exploiting IE Flaw; Microsoft Working On Fix (27/24/23 March 2006)

There are reports that web sites are already exploiting the Internet Explorer TextRange() flaw to install spyware on vulnerable computers. As of Monday morning, more than 200 such sites had been detected. The flaw exists in IE 6 and IE 7 beta 2; this marks the third IE vulnerability disclosed in one week. Microsoft is developing a fix. Users are advised to disable Active Scripting in IE. Internet Storm Center:
-http://isc.sans.org/diary.php?storyid=1223
-http://isc.sans.org/diary.php?storyid=1221
-http://www.techworld.com/security/news/index.cfm?NewsID=5629
-http://news.com.com/2102-1002_3-6053456.html?tag=st.util.print
-http://www.techweb.com/wire/183702818
-http://news.bbc.co.uk/2/hi/technology/4849904.stm
-http://www.computerworld.com/printthis/2006/0,4814,109943,00.html
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39346257-39000005c
[Editor's Note (Boeckman): Most web proxies have a feature that can enforce web client agent filtering. This provides a network administrator the ability to limit the use of Internet Explorer during periods of high risk, which seem to occur quite frequently. ]
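As an added illustration of the proxy control Boeckman refers to (this is not from the newsletter, nor from any proxy vendor's documentation), the fragment below assumes Squid as the web proxy. It denies requests whose User-Agent header identifies Internet Explorer while still letting those clients reach an update site, so the fix can be installed once it ships. The ACL names and the update-site domain list are assumptions chosen for the example; adjust them to your environment.

```conf
# Added example, assuming Squid as the web proxy (not from the newsletter).
# The "browser" ACL type matches the User-Agent request header with a regex;
# -i makes the match case-insensitive.
acl msie browser -i MSIE

# Assumed list of update hosts: keep this reachable so the patch can still
# be downloaded while the rest of the web is blocked for IE.
acl patch_sites dstdomain .windowsupdate.com .microsoft.com

# Squid evaluates http_access lines top to bottom; first match wins.
# Allow IE to reach the patch sites only ...
http_access allow msie patch_sites
# ... and deny everything else from IE while the window of exposure is open.
http_access deny msie

# Existing policy for other browsers (e.g. "http_access allow localnet") follows.
```

Validate the edited file with `squid -k parse` before reloading, and remove the two IE lines once the patch is deployed. Keep in mind that the User-Agent header is set by the client, so this is a coarse exposure-reduction measure for a high-risk period, not a security boundary; a proxy access log showing requests matched by the `msie` ACL is also a quick way to see which hosts are still running the affected browser.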

Lenovo Says National Security Concerns Over Computer Deal Unwarranted (27/25/24 March 2006)

Some members of the US China Economic and Security Review Commission have called for an investigation, expressing concerns that a US$15 million contract with CDW Government Inc. for upgrades to the US State Department's computer system could pose a threat to national security. The computers to be bought are made by the Chinese-owned Lenovo Group. Lenovo "rejects that assertion and welcomes an inquiry into the matter."
-http://www.computerworld.com/printthis/2006/0,4814,109942,00.html
-http://news.com.com/2102-1014_3-6053586.html?tag=st.util.print
-http://www.eweek.com/print_article2/0,1217,a=174327,00.asp
[Editor's Note (Weatherford): While the political/intelligence aspect of this deal is certainly worth discussion, the other issue here is the lack of awareness expressed in the statement that "the computers were intended for unclassified systems." I suppose the State Department of the United States doesn't conduct any sensitive business on "unclassified" systems. ]


*********************** Sponsored Links: ******************************

1) Email threat protection for small and medium-sized businesses - get
our white paper now!
http://www.sans.org/info.php?id=1084
*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Israeli Trojan Couple Sentenced to Prison (27 March 2006)

Ruth and Michael Haephrati, the Israeli couple convicted of developing and selling a Trojan horse program, have both been sentenced to prison. Ruth Haephrati received a four-year sentence; her husband received a two-year sentence. The couple sold their Trojan horse program to private investigators who used it to glean data from clients' business competitors. The couple was also ordered to pay 2 million Shekels (US$428,000) in compensation.
-http://news.zdnet.com/2102-1009_22-6054116.html?tag=printthis

Four Indicted on Charges Related to Nigerian 419 Scam (27/24 March 2006)

A grand jury in Brooklyn, NY has indicted four people on charges of conspiracy, wire fraud and mail fraud for their alleged roles in an email 419 scam that cost victims more than US$1.2 million. If convicted of all charges against them, the men face decades of prison time.
-http://zdnet.com.au/news/security/print.htm?TYPE=story&AT=39247806-2000061744t-10000005c
-http://www.theregister.co.uk/2006/03/27/419_scammers_indicted/print.html

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

HHS IG Refutes GAO Report Findings (23 March 2006)

The Department of Health and Human Services (HHS) Inspector General (IG) Daniel Levinson has responded to a report from the Government Accountability Office (GAO) that says "significant weaknesses in information security controls at HHS ... put at risk the confidentiality, integrity and availability of their sensitive information and information systems." Levinson says the GAO used outdated reports to draw its conclusions and that progress has been made in securing HHS systems. Levinson also objects to "the frequent use of the word 'significant' ... throughout the assessment [as it] evokes a negative connotation that is not reflective of the progress or current state of HHS's information security program."
-http://govhealthit.com/article92719-03-23-06-Web

SPYWARE, SPAM & PHISHING

Australian Judge Opens Door for Contempt Charges Against Kazaa (23 March 2006)

An Australian judge has ruled that Sharman Networks, parent company of Kazaa, did not comply with an earlier order to take steps by December 5, 2005 to prevent people in Australia from illegally downloading digital music files with its peer-to-peer (P2P) file sharing software. Rather than deploy keyword filters, Kazaa chose to block access to its network for Australian users. Sharman maintained that blocking the network met the requirements for compliance with the order. Record industry representatives said the measure would not prevent Australian citizens who already had the Kazaa software from downloading the music. The judge's ruling allows record companies to bring contempt of court proceedings against Kazaa.
-http://www.theage.com.au/news/breaking/kazaa-faces-new-court-battle/2006/03/23/1143083882135.html

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

German Anti-Piracy Law Imposes Stiff Penalties (24 March 2006)

Under new legislation in Germany, people convicted of downloading movies and music for private use could face penalties of up to two years imprisonment; those who download movies for commercial use could face up to five years. The new law takes effect January 1, 2007.
-http://technology.timesonline.co.uk/article/0,,20409-2100973,00.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

RealNetworks Addresses Four Vulnerabilities (24 March 2006)

RealNetworks has released updates to address four flaws in RealPlayer, Rhapsody, Helix Player and RealOne Player. The flaws affect software on Windows, Mac OS X and Linux systems. Three of the flaws are considered critical. Internet Storm Center:
-http://isc.sans.org/diary.php?storyid=1211
-http://news.com.com/2102-1002_3-6053912.html?tag=st.util.print
-http://service.real.com/realplayer/security/03162006_player/en/

ATTACKS & INTRUSIONS & DATA THEFT & LOSS

Florida State Employee Data Compromised (26 March 2006)

People who worked for the state of Florida between January 1, 2003 and June 30, 2004 are being notified that the privacy of their personal data may have been compromised. Florida's Department of Management Services was using an outsourcing service provider, Convergys, which outsourced the data to GDXData, which in turn outsourced the contract to a subcontractor in India. Convergys maintains the offshore work was done without its knowledge and has cancelled its contract with GDXData. One Florida state public employee union wants the contract with Convergys cancelled.
-http://www.computerworld.com/printthis/2006/0,4814,109938,00.html
[Editor's Note (Kreitner): Security is about accountability, accountability, and accountability. I am distressed about the reluctance of many enterprises to hold everyone (including executives and the star sales people) accountable for security policy compliance by stating clear consequences for policy violations. A security policy without explicit compliance requirements explicitly acknowledged by everyone granted access to enterprise information assets is of relatively little value. ]

Stolen Laptop Contained Personal Data from Vermont State Colleges (24 March 2006)

A laptop computer stolen from a car parked on a Montreal street contained personal data belonging to thousands of Vermont State Colleges students, faculty and staff. Security precautions were taken as soon as the school learned of the theft, which occurred on February 28, but people whose data were stored on the computer were notified just last week.
-http://www.timesargus.com/apps/pbcs.dll/article?AID=/20060324/NEWS/603240363/1002

MISCELLANEOUS

Company Will Pay Hefty Fine for Violating Anti-Spam Law (24 March 2006)

Internet marketing company Jumpstart has agreed to pay a US$900,000 fine "to settle charges it violated federal anti-spam laws." Jumpstart allegedly sent out spam offering free movie tickets in exchange for five friends' email addresses. The company allegedly sent unsolicited email messages to the addresses it gathered with misleading subject lines and headers in an attempt to evade spam filters and to make the messages appear to come from friends. In its complaint, the Federal Trade Commission (FTC) accused Jumpstart of sending email with falsified or misleading subject lines, not identifying it as commercial email and not clearly informing recipients of ways to opt out of receiving more email.
-http://www.msnbc.msn.com/id/11996880/
[Editor's Note (Grefer): The fact that Jumpstart was willing and able to settle with the FTC to the tune of US$900,000 provides an inkling of the profits still involved in sending out spam. Please help to fight back and give the offenders a taste of what they're dishing out. Subscribe to the Do Not Intrude Registry and let BlueSecurity's Blue Frog utilize its Active Deterrence.
-http://www.ranum.com/security/computer_security/editorials/bluesecurity/
-http://www.bluesecurity.com/]

NEC to Restate Results Following Internal Theft of 50 Million Yen (23 March 2006)

NEC says it will restate previous financial results after learning that an employee pushed through numerous phony transactions to the tune of 36.3 billion yen (US$312 million) between February 2002 and December 2005. His actions netted him approximately 50 million yen (US$428,000). Once the auditors have completed their investigation, NEC plans to improve its financial controls. The company plans to fire the man and file a civil complaint against him.
-http://www.theregister.co.uk/2006/03/23/nec_accounting_woes/print.html
-http://search.japantimes.co.jp/cgi-bin/nn20060323a6.html

Interpol: Police Forces Need Money, Manpower and Data Sharing (22 March 2006)

Interpol says police forces worldwide lack sufficient human and financial resources to effectively combat cyber crime. Bernhard Otupal, crime intelligence officer for Interpol's financial and hi-tech crime unit, said at a Brussels anti-phishing conference that politicians are not adequately funding cyber crime fighting efforts because they are unaware of cyber criminals' methods and of the need for updates as technology changes. In addition, Otupal has called on politicians around the world to develop a "global legislative framework" to exchange evidence.
-http://www.crime-research.org/news/22.03.2006/1896/
-http://news.com.com/2102-7348_3-6052249.html?tag=st.util.print


===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/