SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #3

January 10, 2006

The 2005 Information Security Salary and Career advancement Survey has just been posted. Salaries are rising, but the survey also has data on (1) which certifications matter for which security jobs, (2) what makes security people angry, and (3) what matters for career advancement in security. http://www.sans.org/salary2005/

Tomorrow (January 11) is the last day for saving $250 on early registration for SANS2006 in Orlando at the end of February.

Alan

---

TOP OF THE NEWS

US$11.2 Billion Judgment in Spam Case is Largest Ever
SANS Institute Survey Finds GIAC and Vendor-Specific Certifications Offer Stronger Hands-On Skill Sets

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
eBay Account Hijacker Indicted
SPYWARE, SPAM & PHISHING
US Supreme Court Refuses to Hear Appeal in eMail Blocking Case at University of Texas
Anti-Spyware Scammers Settle FTC Charges
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
SonyBMG Settlement Deal Receives Preliminary Approval
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Two More WMF Flaws Surface
Microsoft Says January's Patch Tuesday Will Address Two Critical Flaws
Oracle Database Worm Spreading
MISCELLANEOUS
Microsoft Shutters Chinese Blogger's Site
CORRECTION/CLARIFICATION
Bank of America Deploys Two-Factor Authentication

---

******************* Sponsored by Bindview ******************************
New whitepaper from IDC: Optimizing Your IT Controls Environment for Compliance with Multiple Regulations

This new white paper from IDC examines efforts to manage compliance for a growing number of multiple regulations and standards. Learn how new solutions from Symantec have identified a common set of controls that cross many major regulations and standards, and how businesses can use these solutions to map controls to regulations. Download now!
http://www.sans.org/info.php?id=979

*************************************************************************
Highlighted Training Program of the Week:
SANS has finally found a good course on secure programming. Here's what some early students said:

"This course covers all of the major vulnerabilities in a hands on fashion -- it puts you in the hacker's swivel chair." Cheryl Marlin, NOAA

"Great, if a bit scary. Good grounding in techniques used by hackers and how to protect yourself against them." Ed Jamerzek, Software Manager, DayJet

Course information: http://www.sans.org/sans2006/description.php?tid=347
Also Secure .NET programming: http://www.sans.org/sans2006/description.php?tid=250
These are two of 36 immersion training programs at SANS 2006 - the largest and most effective security training conference and tools exposition ever assembled.
http://www.sans.org/sans2006/index.php

*************************************************************************

---

TOP OF THE NEWS

US$11.2 Billion Judgment in Spam Case is Largest Ever (9 January 2006)

Robert Kramer, the owner of an Iowa-based Internet services company, has been awarded a US$11.2 billion judgment against spammer James McCalla who is also prohibited from accessing the Internet for three years. Kramer won a US$1 billion judgment against other spammers in December 2004, at that time the largest spam judgment ever recorded.
-http://www.computerworld.com/printthis/2006/0,4814,107598,00.html
-http://www.wired.com/news/politics/1,69966-0.html
Story about Dec. '04 judgment:
-http://www.computerworld.com/printthis/2004/0,4814,98421,00.html
[Editor's Note (Schultz): This judgment constitutes an extremely significant event in the war against spam, yet I doubt whether Kramer will actually be able to collect much if any money at all. ]

SANS Institute Survey Finds GIAC and Vendor-Specific Certifications Offer Stronger Hands-On Skill Sets (9 January 2006)

A SANS/Certification Magazine/UNIX Review/Sysadmin Magazine survey of 4250 security professionals found that people holding certifications from the Computing Technology Industry Association (CompTIA), the International Information Systems security Certification Consortium (ISC)2, and the Information Systems Audit and Control Association (ISACA) do not feel that their training provides them strong advantages in dealing with "hands-on security jobs." Those same people reported that vendor-specific certifications and the SANS Institute's Global Information Assurance Certification (GIAC) provide certification holders with stronger skills to "protect computer systems." The three organizations named above say their certifications, all of which are vendor-neutral, emphasize different skills.
-http://www.fcw.com/article91890-01-09-06-Web
The full survey is posted at
-http://www.sans.org/salary2005/
[Editor's Note (Schmidt): FULL DISCLOSURE, I am on the board of ISC2 and the IT Governance Institute Advisory Panel (ISACA) and I agree that there is a definite difference between hands on technical training and a higher level that Auditors, Managers and Executive use, this does not make them bad, just different. That is why we have a pilot's license for those of us who are pilots and an A&P (airframe and power plant) license for those who make sure the planes are safe to fly. ]

---

************************* Sponsored Links: ******************************

1) SANS On Demand - Limited Time Offer! 1st 150 registrants receive a 30% discount off the online course of their choice. http://www.sans.org/info.php?id=980

2) Free SANS Webcast - Internet Storm Center: "Threat Update" webcast Wednesday, January 11 at 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=981

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

eBay Account Hijacker Indicted (6 January 2006)

Sean Galvez of Boston, Massachusetts has been indicted on one count of larceny and 10 counts of unauthorized access to a computer and identity fraud for breaking into more than 40 eBay accounts and accumulating charges totaling US$32,000. The Massachusetts Attorney General's office is still trying to determine how Galvez obtained access to the accounts. Galvez allegedly changed the passwords and gathered credit card information. Galvez is scheduled to be arraigned on January 18, 2006 and faces up to five years in state prison if convicted of the charges against him.
-http://www.eweek.com/print_article2/0,1217,a=168683,00.asp
[Editor's Note (Schmidt): Just keep building those jails maybe one day the criminals will learn the old phrase: "you do the crime, be prepared to do the time" Now if we could roll out 2 factor authentication we might further reduce the number of victims. Increasingly the state AGs are taking these criminals on and taking them down. ]

SPYWARE, SPAM & PHISHING

US Supreme Court Refuses to Hear Appeal in eMail Blocking Case at University of Texas (9 January 2006)

The US Supreme Court has declined to hear an appeal from White Buffalo Ventures, a company that maintained it was within its rights to send unsolicited email to University of Texas students. After students complained about the unsolicited email, the university asked White Buffalo to stop sending the messages; when it did not comply with the cease and desist order, the school blocked email from the company's IP address. White Buffalo obtained UT email addresses by filing a Freedom of Information Act request and maintained that federal laws allowing commercial email to be sent under certain circumstances "superscded the university's anti-spam policy." The appeals court upheld an initial ruling made by a federal trial court in western Texas that CAN-SPAM does not supersede university policy.
-http://www.msnbc.msn.com/id/10776916/
-http://news.com.com/2102-7350_3-6024658.html?tag=st.util.print
[Editor's Note (Pescatore) It is good to see the Supreme Court uphold our right not to have to listen to other's free speech. Just because you are allowed to say it doesn't mean I have to let it fill my inboxes. ]

Anti-Spyware Scammers Settle FTC Charges (6 January 2006)

The makers of SpywareAssassin and Spykiller have settled charges brought by the US Federal Trade Commission (FTC) that they tricked people into believing their systems were infected with spyware so they would purchase their products. The companies have agreed to pay back more than US$2 million they made through their scheme. The companies allegedly told people they had run scans on their computers and that they needed the products to remove the malicious software they found. The civil lawsuits filed by the FTC allege that there were no such malicious programs on the computers they claimed to have scanned.
-http://www.techweb.com/wire/175802142
[Editor's Note (Pescatore): The FTC continues to use existing legislation to implement privacy enforcement actions. I hope this early action against spyware software companies trying to ripoff consumers shows they will continue to focus on this area. ]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

SonyBMG Settlement Deal Receives Preliminary Approval (9/5 January 2006)

A federal judge has given preliminary approval to a settlement deal regarding Sony BMG's flawed digital rights management (DRM) technology. Now people who have purchased certain music CDs from SonyBMG may add their names to class-action lawsuits. The Electronic Frontier Foundation (EFF) says the next step is to make sure consumers know what is available to them and how they can get it. The court has ordered SonyBMG to start placing notices in newspapers and on line by February 15, 2006. Consumers have until May 1, 2006 to submit a claim. In a related story, the EFF has written an open letter to EMI Music asking for legal protections for researchers who look into the company's copy protection technologies and bring vulnerabilities to light. EFF points out that while legitimate researchers may feel threatened by legal repercussions, cyber criminals will likely feel no compunction about scouring the technologies for vulnerabilities.
-http://www.techweb.com/wire/175802774
-http://www.internetnews.com/security/print.php/3575441
EFF Open Letter to EMI Music:
-http://www.eff.org/IP/DRM/emi.pdf
Settlement FAQ from EFF:
-http://www.eff.org/IP/DRM/Sony-BMG/settlement_faq.php

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Two More WMF Flaws Surface (9 January 2006)

Information about two more vulnerabilities in the way the Windows graphics rendering engine handles Metafile (WMF) images has been published on the Internet. The more recently disclosed flaws are not as severe as the flaw for which Microsoft issued an out-of-cycle patch last week. In the wake of the recently patched WMF flaw, Microsoft says it will carefully examine its code to catch similar vulnerabilities. The company will also update its development process to prevent the occurrence of such problems in the future. Microsoft released a patch for the WMF vulnerability just ten days after it was disclosed, the shortest turnaround time yet for a Microsoft patch.
-http://www.computerworld.com/printthis/2006/0,4814,107604,00.html
-http://www.eweek.com/print_article2/0,1217,a=168837,00.asp
[Editor's Note (Pescatore): First reports say these vulnerabilities only enable denial of service attacks but show the "swarming" effect that happens when a new vulnerable area is found in software. ]

Microsoft Says January's Patch Tuesday Will Address Two Critical Flaws (6 January 2006)

Microsoft says it will release two bulletins for critical flaws on Tuesday January 10, the scheduled date for the company's monthly security update. Microsoft issued an out-of-cycle patch for the Windows Metafile (WMF) flaw on Thursday, 5 January. The updates will address critical flaws in Windows and Microsoft Office and Exchange. Both patches could require users to restart their software. On that date, Microsoft also plans to release an updated version of its Microsoft Windows Malicious Software Removal Tool as well as a handful of non-security high priority updates.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39303172-39000005c
-http://www.microsoft.com/technet/security/bulletin/advance.mspx

Oracle Database Worm Spreading (6 January 2006)

A variant of an exploit that targets Oracle databases has been spreading. This exploit renames the log file, enabling it to create a new database account and manipulate the situation so that the malicious code executes the next time the user connects to the database. The previous version spread through default usernames and passwords.
-http://www.crn.com/sections/breakingnews/breakingnews.jhtml?articleId=175802330
[Editor's Note: (Boeckman): The widespread worms affecting Microsoft SQL Server demonstrate that it is a bad idea to expose a database sever to the Internet, even if the vendor claims it is "unbreakable". This story is an indication that many organizations still expose their database servers to the Internet. ]

MISCELLANEOUS

Microsoft Shutters Chinese Blogger's Site (6 January 2006)

Microsoft has shut down a Chinese blogger's site at the request of Chinese authorities. The blog was shut down because it violated Microsoft's code of conduct requiring users to comply with local laws. China has strict rules about what content may be posted to the Internet; Microsoft's blog tool in China filters terms such as "democracy" and "human rights." The Chinese government pays close attention to content posted to the Internet and deletes postings it considers to be critical of the government.
-http://www.cnn.com/2006/WORLD/asiapcf/01/06/china.blog.shutdown.ap/index.html
(New York Time site requires free registration)
-http://www.nytimes.com/2006/01/06/technology/06blog.html

Correction/Clarification

In our last edition, we ran the following story: - Bank of America Deploys Two-Factor Authentication (4 January 2006)

Bank of America has deployed two-way, two-factor authentication to customers in 48 of the 50 states. The scheme uses an image, a phrase and challenge questions to let customers know they are interacting with the authentic banking site and not a phishing web site. The new authentication scheme will become mandatory in 2006; Idaho and Washington state are set to get the technology sometime this year.
-http://www.techweb.com/wire/security/175801173%3Bjsessionid=E4PL4VCFYN1U0QS
Brent Stackhouse, GSEC/GCIH,wrote in with the following comment: "SiteKey, while an improvement over password-based online authentication systems, especially as an anti-phishing mechanism, should not be confused with traditional two-factor authentication. Using a personal computer as the 'something-you-have' disregards that they can be stolen, are often used by more than one person (all with administrative access), and are often infected with phone-home, key-logging spyware."

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/