SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #26

March 31, 2006

TOP OF THE NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Twenty-one Arrested in On-Line Cyber Crime Crackdown
GAO Report: NIAP Testing and Accreditation Program Problematic
Phishers Take New Tack With Three Florida Banks
DDoS Attacks Target DNS Servers

THE REST OF THE WEEK'S NEWS

POLICY & LEGISLATION
Virginia Law Requires Schools to Teach Cyber Safety; NY School Debuts
Cyber Security Education Program
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Bagle Variants Contain Rootkit
Third-Party Companies Issue Workarounds for IE Flaw
Attackers Lure Users to Malicious Web Site with Real News Story
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Bank of New Zealand Suspends Cards in Wake of Skimming Attack
Georgia State Pension Database Intruder Exploited Known Flaw
Hong Kong Police Complaint Database Leak
STATISTICS, STUDIES & SURVEYS
UK Dept. of Trade and Industry Biennial Survey

---

*************** Sponsored By Core Security Technologies **************

SANS WEBCAST: WhatWorks for Vulnerability Management, Auditing &
Penetration Testing

"Improving System Health with Care New England:" Regulatory compliance
coupled with numerous false positives produced by vulnerability
scanners, prompted Care New England to investigate solutions that would
give them a more accurate view of their network security. Learn how they
were able to cost-effectively manage vulnerabilities while improving
overall network security.

VIEW WEBCAST NOW: http://www.sans.org/info.php?id=1088

************************************************************************
SANS Training in San Diego, Munich, London and Washington DC

Turbo charge your security career or the careers of any of your
coworkers this spring in San Diego in early May: a dozen of SANS most
popular courses and a vendor exposition right on the harbor.
http://www.sans.org/security06/
Or in London at the end of June: http://www.sans.org/london06
Or Munich in early April: http://www.sans.org/munich06
Or Washington in July right after July 4 for the biggest SANSFIRE ever:
with all 17 SANS immersion tracks and more than a dozen special courses,
a big exposition, and an inside look at how the Internet's Early Warning
System (Internet Storm Center) actually works Bring your family for the
national fireworks show.
http://www.sans.org/sansfire06
*************************************************************************

---

TOP OF THE NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Twenty-one Arrested in On-Line Cyber Crime Crackdown (29 March 2006)

Seven people in the US were arrested as part of Operation Rolling Stone, which is targeting on-line criminal activity in the financial sector. The seven join 14 others arrested in the US and the UK over the last three months. The people are allegedly involved with on-line groups that trade financial and other consumer data. (Site requires free registration)
-http://www.nytimes.com/2006/03/29/technology/29theft.html?_r=1&oref=slogin&a
mp;pagewanted=print

GAO Report: NIAP Testing and Accreditation Program Problematic (27 March 2006)

A report from the Government Accountability Office (GAO) says that the National Information Assurance Partnership's (NIAP) independent validation and accreditation of IT security products has proven helpful in some areas but also has some serious shortcomings. NIAP is responsible for implementing the Common Criteria Evaluation and Validation Scheme; they provide laboratories with guidelines to conduct the testing. While the program offers agencies guidance on what products they may use, agencies have often found that the products they need are not available. In addition, the number of people qualified to validate products is falling, which means vendors will experience greater lag times in hearing whether or not their products meet the criteria. Finally, NIAP has not implemented any sort of system to measure the program's effectiveness.
-http://www.fcw.com/article92750-03-27-06-Web
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&
story.id=40218
-http://www.gao.gov/new.items/d06392.pdf
[Editor's Note (Pescatore): GAO could have saved a few dollars and just reprinted the findings of several cybersecurity advisory panels back in 2003 and 2004. The NIST/NSA side has to allocate budget to reinvigorate the development and validation of standard protection profiles. Even more important, they have to require NIAP testing to put way more emphasis on vulnerability testing of the overall software, not just testing of security controls.]

Phishers Take New Tack With Three Florida Banks (29/27 March 2006)

Attackers broke into servers belonging to an Internet service provider (ISP) that hosts web sites for three small Florida banks. They then redirected traffic from those sites to a phony server designed to mimic the real banking sites where they attempted to gather sensitive customer account data. The attack is believed to be the first of its kind.
-http://www.computerworld.com/printthis/2006/0,4814,110046,00.html
-http://www.techweb.com/wire/security/184401079
-http://news.netcraft.com/archives/2006/03/27/phishers_hack_bank_sites_redirect_c
ustomers.html

DDoS Attacks Target DNS Servers (29/28/26 March 2006)

German domain name registrar Joker.com and Network Solutions both experienced distributed denial-of-service (DDoS) attacks against Domain Name System (DNS) servers in recent days. Attacks against DNS servers are especially significant because of their potential to cause serious service degradation and interfere with the availability of large numbers of web sites. Internet Storm center:
-http://isc.sans.org/diary.php?storyid=1219
-http://www.computerworld.com/printthis/2006/0,4814,109972,00.html
-http://www.theregister.co.uk/2006/03/29/dns_ddos_attacks/print.html
-http://news.netcraft.com/archives/2006/03/26/domain_registrar_joker_hit_by_ddos.
html

---

************************ Sponsored Links: *****************************

1) SANS OnSite InfoSec Training
Your Location! Your Schedule! Lower Cost!
Receive a bonus seat for your OnSite Course (up to $4,750 value).
Simply complete the interest form today!
http://www.sans.org/info/1087

2) Security 508: System Forensics, Investigation & Response via
SANS@Home starts April 19!
http://www.sans.org/athome/details.php?id=1404
Also Security 506: Securing Unix/Linux led by the SANS System Administrators
http://www.sans.org/athome/details.php?id=1431
See http://www.sans.org/athome/ for complete SANS@Home listings.

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

POLICY & LEGISLATION

Virginia Law Requires Schools to Teach Cyber Safety; NY School Debuts Cyber Security Education Program (30/28 March 2006)

Under a new Virginia law, the state Department of Education must provide schools with guidelines "for integrating Internet safety into their regular instruction." In a separate story, Syracuse University and the US Air Force Research laboratory in Rome, NY are funding a cyber security education program at an area private high school. Classes taught in the program include "encryption and data protection, computer networking and security, and ethical and legal concepts of cyber defense." (Site requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2006/03/29/AR2006032900705_
pf.html
-http://www.dailyorange.com/home/index.cfm?event=displayArticlePrinterFriendly&am
p;uStory_id=b33d481c-a909-4eba-aae2-dda120e16b50

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Bagle Variants Contain Rootkit (29 March 2006)

At least three new variants of the Bagle worm have been outfitted with rootkits. The Bagle variants spread through email and try to download files from a number of Internet addresses, many of which are in the .ru domain. The Bagle variants try to disable security software. In addition, a rootkit has been detected in Gurong.A, a new worm based on code from Mydoom.
-http://www.eweek.com/print_article2/0,1217,a=174601,00.asp
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1176494,0
0.html

Third-Party Companies Issue Workarounds for IE Flaw (29/28 March 2006)

Two third-party companies have issued temporary workarounds to protect Windows computers using Internet Explorer (IE) from being exploited through the TextRange vulnerability that affects IE 6.0 and IE 5.01. This is not the first time a third-party company has issued a workaround to address a vulnerability that Microsoft has not yet patched; a third-party patch for the WMF flaw was released in January. Users can also protect themselves by disabling Active Scripting in IE. Microsoft has not said when it plans to release a fix for the flaw; its next security updates are scheduled for April 11. Internet Storm Center:
-http://isc.sans.org/diary.php?storyid=1226
-http://www.theregister.co.uk/2006/03/29/ie_patches_released/print.html
-http://www.techworld.com/security/news/index.cfm?NewsID=5666
-http://news.com.com/2102-1002_3-6055051.html?tag=st.util.print
[Editor's Note (Pescatore): My neighbor is a smart guy, and he designs medical machinery. However, I'm pretty sure I won't be using his homegrown remedy for bird flu. I'm also really sure I don't want my kids to think its OK to accept medicine from anywhere they find it. It is not a good idea for enterprises or consumers to get in the habit of accepting patches to software from anywhere other than the vendor of the software. Use the time you'd spend undoing them to pressure software vendors to reduce the time the spend talking about security and increase the time they spend reducing security vulnerabilities before they ship their products. ]

Attackers Lure Users to Malicious Web Site with Real News Story (30 March 2006)

One of the attacks exploiting the IE flaw (described elsewhere in this Newsbites under the title "Third-Party Companies Issue Workarounds") lures computer users to maliciously crafted web sites by enticing them with bits of real BBC news stories and offering a "read more" link. The spoofed site contains the rest of the story but also attempts to download and install a keystroke logger on vulnerable computers with no user interaction.
-http://www.eweek.com/print_article2/0,1217,a=174708,00.asp

ATTACKS & INTRUSIONS & DATA THEFT & LOSS

Bank of New Zealand Suspends Cards in Wake of Skimming Attack (30 March 2006)

The Bank of New Zealand (BNZ) has suspended 1,300 credit and debit cards that were used at an automatic teller machine (ATM) where thieves installed skimming technology. People also used the ATM for transactions with about 700 cards from other banks. According to BNZ, 21 customers reported fraudulent transactions on their accounts totaling NZD$20,000 (US$12,246); two ASB customers have reportedly lost a total of between NZD$3,000 and $5,000 (US$1,836 and $3,062). BNZ and the other banks plan to reimburse their customers for their losses.
-http://www.nzherald.co.nz/section/story.cfm?c_id=5&ObjectID=10375158

Georgia State Pension Database Intruder Exploited Known Flaw (30 March 2006)

A cyber intruder exploited an unpatched, known vulnerability in unnamed software to gain access to a Georgia Technology Authority database. The database contained information belonging to more than 570,000 people who invested in the state's pension plans. The intrusion took place in late February. A GTA spokesperson said they were in the process of fixing the flaw when the intruder exploited it. GTA is informing the 180,000 people for whom it has contact information and hopes media attention and other outreach efforts will alert those for whom it does not have contact information.
-http://www.computerworld.com/printthis/2006/0,4814,110094,00.html

Hong Kong Police Complaint Database Leak (29/28 March 2006)

A database containing the personal details about people who have made complaints about Hong Kong police was accidentally leaked to the Internet. The exposed data include complaints made between 1996 and 2004. "The Independent Police Complaints Council is seeking legal advice" regarding the security breach; there are apparently no penalty clauses in the contracts with the contractor.
-http://www.theregister.co.uk/2006/03/28/hk_data_leak_rumpus/print.html
-http://www.news.gov.hk/en/category/lawandorder/060329/html/060329en08005.htm

STATISTICS, STUDIES & SURVEYS

UK Dept. of Trade and Industry Biennial Survey (28 March 2006)

A survey conducted late last year by PricewaterhouseCoopers LLP on behalf of the UK Department of Trade and Industry found that Internet misuse ranks second behind viruses in accounting for security incidents at large companies in the UK. The biennial survey compiled responses from 1,000 UK companies. The number of companies with acceptable use policies at companies of all sizes has grown significantly. Two years ago, 43 percent of the companies had an acceptable use policy; this year's survey found that figure to be 63 percent. Eight-nine percent of the large businesses surveyed this year had acceptable use policies in place.
-http://www.techworld.com/security/news/index.cfm?NewsID=5661
[Editor's Note (Honan): While policy development is an important step it is equally important to ensure the policies are managed, monitored and enforced. (Pescatore): this is another survey where you have to read beyond the headlines. So, acceptable use policies grew from 43% of 63%? Sounds good, until you read that over the same period misuse of web surfing grew from 8% to 17%. a 50% increase in telling users not to do something" and a 100% increase in them doing that same thing occurred over the same period of time. Acceptable use policies are all well and good - use URL blocking if you actually want to stop dangerous, illegal or questionable surfing behavior. ]

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford


Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/