SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #29
April 11, 2006
For the folks who asked for more information on web application security, tune in to the web cast on Microsoft's five new patches as well as web application security Wednesday (4/12) at 1 PM EDT.
http://www.sans.org/webcasts/show.php?webcastid=90620
TOP OF THE NEWS
FTC Reaches Settlement in California Spam Case
Irish Bank First in Country to Offer 100% Secure Guarantee
THE REST OF THE WEEK'S NEWS
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Five Arrested in Huge DVD Piracy Scheme
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Proof-of-Concept Cross Platform Virus Infects Windows and Linux
German Bank to Deploy Electronic Signatures to Thwart Phishers
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Everything You Ever Wanted to Know About Bots
Progressive Data Exposure Underscores Insider Threat
STATISTICS, STUDIES & SURVEYS
CISOs Reasons for Investing in IT Security Software
MISCELLANEOUS
Domain Name Registrar Confident Flaw Did Not Compromise Customer Data
Web Services' Flexibility Can Present Unintended Vulnerabilities
****** Sponsored By Blue Coat (formerly Permeo Technologies) **********
New security ebook on Information Theft Prevention
In The Definitive Guide to Information Theft Prevention, security author Dan Sullivan provides advice on information protection and privacy regulations; how to tackle threats from unmanaged devices; how to secure managed devices; and how to leverage new security technologies. This guide also discusses risk management, incident responses and emerging best practices around information security. Download the eBook now!
http://www.sans.org/info.php?id=1100
*************************************************************************
LOW COST SANS TRAINING OPPORTUNITY
To help boost DoD and US government security, SANS is now arranging on-site training for DoD and other government organizations that need to prepare large numbers of people for 8570 compliance and don't want to spend a lot of money for each student. Programs cover training for any or all of the effective 8570 technical certifications. Minimum 100 students. Email info@sans.org with subject "8570" if you would like to schedule a session at your facility.
If you don't have 100, but still need 8570 certification, use the same email to ask for large group (more than 25) discounts at any of the scheduled SANS conference (www.sans.org). Onsite programs for smaller groups also available.
*************************************************************************
TOP OF THE NEWS
FTC Reaches Settlement in California Spam Case (7 April 2006 and 10 April Updates)
The US Federal Trade Commission (FTC) along with California's Attorney General has reached a settlement with companies and individuals involved in a large spamming operation. Optin Global Inc., Vision Media Limited Corp., Qing Kuang "Rick" Yang and Peonie Pui Ting Chen have been barred from further violations of US anti-spam laws. They have been ordered to forfeit profits of approximately US$475,000 and are also required to "monitor their affiliates" to ensure they are not violating anti-spam laws. The defendants violated federal and state anti-spam laws by sending millions of unsolicited commercial email messages with forged headers and deceptive subject lines; they also failed to provide a means for opting out of receiving more unsolicited email, did not identify the messages as advertisements and did not provide a valid physical postal address. The agreement does not include admission of wrongdoing.
-http://www.computerworld.com/printthis/2006/0,4814,110333,00.html
-http://www.silicon.com/research/specialreports/thespamreport/0,39025001,39157964,00.htm
Irish Bank First in Country to Offer 100% Secure Guarantee (9 April 2006)
Ireland's online bank RaboDirect has become the first bank in the country to offer its customers a security guarantee; customers are guaranteed they will not lose any money in the event of online theft. RaboDirect customers will have a token that generates a one-time use passcode to be used in their two-factor authentication scheme.
-http://www.rabodirect.ie/press/press_releases/20060409_no_fraud_guarantee.asp
[Editor's Note (Grefer): A step in the right direction. When will U.S. banks start to adopt similar measures? ]
************************************************************************
Sponsored Links:
1) Defend the new data center with asset aware security from Lucid. Free ipANGEL asset centric security whitepaper.
http://www.sans.org/info.php?id=1101
2) Network Discovery like you've never seen it before: Complete, agentless, realtime. Free Trial
http://www.sans.org/info.php?id=1102
3) Free Webcast tomorrow - Internet Storm Center Threat Update: "What You Need to Know about 5 New Microsoft Patches" and "Advanced Web Application Hacking"
Wednesday, April 12 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1103
*************************************************************************
THE REST OF THE WEEK'S NEWS
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Five Arrested in Huge DVD Piracy Scheme (7 April 2006)
Law enforcement officers have arrested five people in London following a raid of what is being called the largest manufacturing facility of pirated DVDs ever discovered in the UK. The facility was equipped to create 2,700 pirated disks an hour.
-http://www.theregister.co.uk/2006/04/07/dvd_piracy_factory_raid/print.html
-http://news.bbc.co.uk/1/hi/england/london/4886360.stm
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Proof-of-Concept Cross Platform Virus Infects Windows and Linux (7 April 2006)
A proof-of-concept virus that can infect both Windows and Linux platforms has been detected. The worm, known as both Linux.Bi.a and Win32.Bi.a, does not carry a malicious payload. However, the very fact of its appearance suggests that cross-platform malware could become more prevalent.
-http://www.techweb.com/wire/184429692
-http://www.computerworld.com/printthis/2006/0,4814,110330,00.html
German Bank to Deploy Electronic Signatures to Thwart Phishers (7 April 2006)
In an effort to fight phishing attacks, Germany's Postbank plans to incorporate electronic signatures into all electronic correspondence with its customers. Postbank customers have been targeted in several phishing scams. Five people connected with one of the scams were arrested in December 2004.
-http://www.theregister.co.uk/2006/04/07/postbank_curbs_phishing/print.html
[Editor's Note (Schultz): It is surprising that more financial institutions have not already gone in the direction that Postbank recently has. Identity assurance in electronic transactions and correspondence has become imperative; without it, perpetrators have a world of opportunity. ]
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Everything You Ever Wanted to Know About Bots (6 April 2006)
This article provides a thorough explanation of how bots work and what steps organizations can take to protect their systems. The author presents a detailed account of the case of Jeanson James Ancheta, which illuminates the scope of the bot problem; Ancheta reached a plea agreement in January in a large botnet case.
-http://www.baselinemag.com/print_article2/0,1217,a=175186,00.asp
Progressive Data Exposure Underscores Insider Threat (6 April 2006)
The danger of insider threats was illuminated by a recent case in which a woman was fired from Progressive Casualty Insurance Company for accessing company records about property in foreclosure she was interested in purchasing. The company has contacted 13 people to let them know that their personal information, including names and Social Security numbers, had been viewed by the employee. Progressive officials became aware of the situation following a complaint from one of the people affected by the security breach who said she had been contacted by a Progressive agent regarding her property. The incident underscores the importance of establishing internal security controls.
-http://www.computerworld.com/printthis/2006/0,4814,110303,00.html
STATISTICS, STUDIES & SURVEYS
CISOs Reasons for Investing in IT Security Software (6 April 2006)
A Merrill Lynch & Co. Inc. survey of 50 chief information security officers (CISOs) found regulatory compliance tops the list of "reasons driving demand for security software." Seventy-eight percent of the CISOs said less than 10 percent of their IT budgets are given over to security software and infrastructure. That figure is expected to increase an average of 11.4 percent over the next 18 months.
-http://www.informationweek.com/story/showArticle.jhtml?articleID=184429550
[Editor's Note (Boeckman): While it is good to see that CISOs are recognizing the importance of investing in security, it is equally important to note that low cost improvements can be made by leveraging open source products and establishing better business practices and guidelines that do not tolerate poor security practices.
(Northcutt): In 2003 Gartner reported IT Security spending had risen to above 5% in most industries. Now in 2006 this new survey says less than ten percent and increasing. I wonder what price point it takes for people to get excited about fixing the root cause of the problem (bad software) instead of trying to put another set of Band-Aids on the patient.
-http://www3.gartner.com/5_about/press_releases/pr3june2003b.jsp ]
MISCELLANEOUS
Domain Name Registrar Confident Flaw Did Not Compromise Customer Data (7 April 2006)
Domain name registrar DiscountDomainRegistry.com says it fixed a security hole that exposed customer data shortly after being alerted to the problem. DiscountDomainRegistry.com CEO Alex Brecher says the company is certain that customer data was not compromised. The exposed database contained credit card numbers, usernames and passwords.
-http://www.networkworld.com/news/2006/040706-registrars-database-exposed-data.html
Web Services' Flexibility Can Present Unintended Vulnerabilities (7 April 2006)
Speaking at a recent conference, Alex Stamos described how web services technologies present unprotected vectors of attack for cyber criminals. Web services are applications that are able to interact with a variety of types of software. While portability and cross-platform capability are appealing features, they also have the potential to "create situations that may not have been anticipated by the software developers." The inadvertently created vulnerabilities could be exploited to gather data and to launch denial-of-service attacks.
-http://www.computerworld.com/printthis/2006/0,4814,110321,00.html
===end===
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/