
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VIII - Issue #37

May 09, 2006


In case you were wondering who writes those editorial comments in NewsBites, we included very brief descriptions of the editors at the end of this issue.

And please help fix the nearly overwhelming problem of programmers who don't know how to write safe code. What you can do right now is make sure all the web programmers (and their bosses) who work at your organization know about the great course on secure programming at SANSFire (called Writing Secure Web Applications). Here's how students describe it:
"Great, if a bit scary. Good grounding in techniques used by hackers and how to protect yourself against them." Ed Jamerzek, Software Manager, DayJet

"Great Course. Validates programming practices you currently use but points out many you never thought of." Tina Rogerson, SAIC

"This course covers all of the major vulnerabilities in a hands-on fashion -- it puts you in the hacker's swivel chair." Cheryl Marlin, NOAA

Registration information for that course:
http://www.sans.org/sansfire06/description.php?tid=394
And for all of SANSFIRE: http://www.sans.org/sansfire06/index.php

Alan

TOP OF THE NEWS

Californian Pleads Guilty to Damaging Computers at Seattle Hospital
UK Government to Challenge DDoS Acquittal
Trojan Goes After Online Game Account Information

THE REST OF THE WEEK'S NEWS

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Free Peers to Pay US$30 Million to Avoid Legal Action from RIAA
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Releases Patches on Patch Tuesday
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Redirected Traffic from Revenge Attack Against Anti-Spam Tool Took Down Blog Sites
Chip and Pin Payments Halted at Some UK Shell Stations
Missing Wells Fargo Computer Contains Customer Data
MISCELLANEOUS
Idaho Power Drives Sold on eBay Not Adequately Scrubbed
Botmaster Sentenced To Nearly 5 Years In Prison


***************** Sponsored By Blue Coat Systems, Inc. ******************

SSL VPNs: Lesson Learned
Sponsored by: Blue Coat

Learn how to get the most out of SSL VPNs. Honest, technical, and to-the-point, this eBooklet, by analyst Don Jones, discusses what SSL VPNs promised, how they originally failed to deliver, and why the technology is making a comeback. He'll answer your questions, explain the technology, and set you on the path to success. Learn more.
http://www.sans.org/info.php?id=1141

*************************************************************************

TOP OF THE NEWS

Californian Pleads Guilty to Damaging Computers at Seattle Hospital (5 May 2006)

Christopher Maxwell of California has pleaded guilty to computer fraud and intentionally damaging a protected computer by launching an attack that attempted to install adware on vulnerable machines. Maxwell used powerful computers at universities in California and Michigan to launch the attack, which occurred in January 2005 and affected US Department of Defense (DoD) computers as well as the computer network of Northwest Hospital and Medical Center in Seattle. Maxwell faces a jail sentence of up to 15 years when he is sentenced in August and has agreed to pay US$252,000 in compensation to the hospital and the DoD.
-http://www.theregister.co.uk/2006/05/05/hospital_zombie_attack/print.html
-http://www.mercurynews.com/mld/mercurynews/news/breaking_news/14508386.htm
-http://news.com.com/2102-7348_3-6069238.html?tag=st.util.print
[Editor's Note (Schultz): This is a particularly noteworthy conviction. Maxwell's actions even caused outages at a hospital; his punishment clearly fits his crimes. His conviction should serve as a major deterrent to at least some of the computer criminal community. ]

UK Government to Challenge DDoS Acquittal (4 May 2006)

The UK government will this week challenge the acquittal of a teenager accused of launching a denial-of-service attack on his former employer; the court ruled that the UK's Computer Misuse Act (CMA) does not have a provision criminalizing that act. The Crown Prosecution Service (CPS) plans to argue that deliberate attacks, such as a distributed denial-of-service (DDoS) attack, should be considered unauthorized modification to a system and therefore illegal under the CMA.
-http://www.vnunet.com/computing/news/2155257/email-attack-ruling-disputed
[Editor's Note (Honan): The original ruling in November 2005 has already prompted a review of the UK's Computer Misuse Act. At the end of January 2006, the UK Government published the Police and Justice Bill, Part 5, which contains a number of new provisions to deal with computer crime. This bill includes provisions specifically relating to denial of service attacks by making it an offence to "impair the operation of a computer". ]

Trojan Goes After Online Game Account Information (8/2 May 2006)

The PWS.Win32.WOW.x Trojan horse program seeks user names and passwords for the online game "World of Warcraft." Once attackers have the means to access an account, they have the ability to transfer virtual goods to another account. Although the game's publisher has forbidden the sale of virtual goods for money, there is a black market for them on the Internet. The program spreads through peer-to-peer file sharing, pop-ups and email attachments and tries to disable security software on computers it infects.
-http://www.informationweek.com/news/showArticle.jhtml?articleID=187002835
-http://www.theregister.co.uk/2006/05/08/wowcraft/print.html


************************ Sponsored Links: *****************************

1) "Top 10 Guide to Evaluating SIM Solutions" Many factors go into buying a SIM solution - Discover the best practices
http://www.sans.org/info.php?id=1142

2) Stop spyware!
Try Webroot Spy Sweeper Enterprise for free and assess your spyware risk exposure
http://www.sans.org/info.php?id=1143

3) Learn about Botnets, Rootkits and RATs from the MX Logic White Paper,
"Malicious Intrusion Techniques."
http://www.sans.org/info.php?id=1146

***********************************************************************

THE REST OF THE WEEK'S NEWS

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Free Peers to Pay US$30 Million to Avoid Legal Action from RIAA (5 May 2006)

Free Peers Inc., the company that ran the BearShare file sharing service, has agreed to stop operating unlicensed online music services and "to pay US$30 million to avoid action from the music industry." Free Peers was one of seven companies threatened with legal action from the Recording Industry Association of America (RIAA) unless they ceased their activity.
-http://news.bbc.co.uk/2/hi/entertainment/4976902.stm

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Microsoft Releases Patches on Patch Tuesday (5 May 2006)

On Tuesday, May 9, Microsoft is scheduled to release three security bulletins that address vulnerabilities in Microsoft Windows and Microsoft Exchange. At least two of the bulletins carry a "critical" rating; Microsoft has not specified exactly how many flaws the bulletins will address. Some of the fixes may require restarts.
-http://www.scmagazine.com/uk/news/article/557843/three+patches+due+microsoft+tuesday/

ATTACKS & INTRUSIONS & DATA THEFT & LOSS

Redirected Traffic from Revenge Attack Against Anti-Spam Tool Took Down Blog Sites (8/5 May 2006)

A distributed denial-of-service (DDoS) attack that made thousands of blogs inaccessible has been attributed to retaliation against Blue Security, a company that provides a service that launches denial-of-service attacks against suspected spammers. Blue Security dealt with the deluge of traffic by redirecting it to its blog host, Six Apart.
-http://www.vnunet.com/vnunet/news/2155504/blue-security-under-seige
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39357282-39000005c
-http://www.informationweek.com/blog/main/archives/2006/05/blue_security_s.html
[Editor's Note (Pescatore): This is sort of like running your rain gutters onto your neighbor's yard to keep your own basement from flooding. Of course Six Apart ought to have much better sump pumps - anyone whose revenue is completely dependent on keeping their customer's blog sites up and running should have been spending on denial of service prevention services. ]

Chip and Pin Payments Halted at Some UK Shell Stations (6 May 2006)

Shell has stopped accepting chip and pin payments at 600 of its fuel stations in the UK after learning that thieves misused the system to steal approximately GBP 1 million (US$1.86 million) from customer accounts. Eight people have been arrested in connection with the scheme, which is reportedly limited to the Shell chain. Customers will still be able to pay for purchases by swiping their cards and providing their signatures.
-http://news.bbc.co.uk/1/hi/england/4980190.stm

Missing Wells Fargo Computer Contains Customer Data (5 May 2006)

Wells Fargo has acknowledged that a computer containing personal data belonging to current and prospective mortgage customers is missing. The computer was being delivered from one facility to another by a global shipping company. Wells Fargo says there is no evidence the data, which includes names, Social Security numbers and mortgage loan numbers, has been misused.
-http://news.com.com/2102-7348_3-6069367.html?tag=st.util.print

MISCELLANEOUS

Idaho Power Drives Sold on eBay Not Adequately Scrubbed (4 May 2006)

Idaho Power Co. is trying to track down old company hard drives that were sold on eBay without going through prescribed scrubbing procedures. The data on the drives includes memos, customer correspondence and confidential employee data. Idaho Power recycles old drives through a salvage vendor. The power company has launched a private investigation into why scrubbing procedures were not followed. Idaho Power requires that its discarded drives be destroyed or scrubbed to US Department of Defense standards. Companies that do not properly scrub storage devices risk violating regulations in addition to the embarrassment of exposing confidential data. According to a Gartner survey, approximately 30 percent of organizations use third party companies to dispose of PCs and servers they are no longer using. Idaho Power says it will now destroy old drives rather than recycle them.
-http://www.computerworld.com/securitytopics/security/story/0,10801,111148,00.html

[Editor's Comment (Northcutt): Great reminder. Most organizations have policy concerning data destruction. Some even have procedures. The wise ones test for compliance! A nice paper on legislation concerning such things can be found here:
-http://www.csileasing.com/WhitePaperLegislation&PCDisposal.pdf
(Schmidt): Here comes my broken record again: ENCRYPT, ENCRYPT, ENCRYPT!!! Not "wiping" (which they call scrubbing) is bad enough, but depending on third parties to do this just invites mistakes. At least if the data is encrypted there will be less risk. ]
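The Idaho Power item above turns on a procedural failure: drives were supposed to be scrubbed before leaving the company, and nobody checked that they were. The script below is an added example, not Idaho Power's procedure or any salvage vendor's tool, of the compliance test a practitioner would run on a drive (or a dd image of it) before it goes out the door. It assumes the wipe standard in force leaves the media filled with a known final pattern (zeros by default; pass `fill=b"\xff"` or another pattern to match your procedure), reads the device block by block so it works on large drives, and reports every block that deviates along with a sample of readable strings from those blocks, so an auditor can tell a leftover memo from a stray filesystem signature. It checks only the final state of the media, not how many passes were run. The sample image in `make_sample_image` is constructed for the example.

```python
"""Post-wipe compliance check for a disk image or block device.

Added example, not Idaho Power's procedure or any vendor's tool.  Assumes the
wipe standard in force leaves the drive filled with a known final pattern
(zeros by default).  Usage:  python verify_wipe.py /dev/sdX   (as root)
or  python verify_wipe.py image.dd ; with no argument it scans a constructed
sample image containing one block of fake leftover data.
"""
import io
import re
from dataclasses import dataclass, field
from typing import BinaryIO, List, Optional

BLOCK_SIZE = 512
PRINTABLE_RUN = re.compile(rb"[ -~]{8,}")   # 8+ consecutive printable ASCII bytes


@dataclass
class WipeReport:
    blocks: int = 0
    dirty_blocks: int = 0
    first_dirty_offset: Optional[int] = None
    strings_found: List[str] = field(default_factory=list)

    @property
    def clean(self) -> bool:
        return self.dirty_blocks == 0


def verify_wipe_stream(src: BinaryIO, block_size: int = BLOCK_SIZE,
                       fill: bytes = b"\x00", max_strings: int = 10) -> WipeReport:
    """Read src block by block; any block that is not the fill pattern is dirty."""
    if not fill:
        raise ValueError("fill pattern must be at least one byte")
    expected = (fill * (block_size // len(fill) + 1))[:block_size]
    report = WipeReport()
    offset = 0
    while True:
        block = src.read(block_size)
        if not block:
            break
        report.blocks += 1
        if block != expected[:len(block)]:      # a short final block is still compared
            report.dirty_blocks += 1
            if report.first_dirty_offset is None:
                report.first_dirty_offset = offset
            for match in PRINTABLE_RUN.finditer(block):
                if len(report.strings_found) >= max_strings:
                    break
                report.strings_found.append(match.group().decode("ascii"))
        offset += len(block)
    return report


def verify_wipe(data: bytes, **kwargs) -> WipeReport:
    """Convenience wrapper for an image already held in memory."""
    return verify_wipe_stream(io.BytesIO(data), **kwargs)


def verify_device(path: str, **kwargs) -> WipeReport:
    """Scan a block device or image file without loading it into memory."""
    with open(path, "rb") as fh:
        return verify_wipe_stream(fh, **kwargs)


def make_sample_image(residue: Optional[bytes], blocks: int = 64,
                      block_size: int = BLOCK_SIZE, dirty_block: int = 17) -> bytes:
    """Constructed sample: an all-zero image, optionally with leftover data in one block."""
    image = bytearray(blocks * block_size)
    if residue:
        start = dirty_block * block_size + 100
        image[start:start + len(residue)] = residue
    return bytes(image)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        report = verify_device(sys.argv[1])
    else:
        report = verify_wipe(make_sample_image(b"MEMO: employee SSN on file - confidential"))
    if report.clean:
        print(f"CLEAN: {report.blocks} blocks match the fill pattern")
    else:
        print(f"DIRTY: {report.dirty_blocks}/{report.blocks} blocks deviate, first at "
              f"offset {report.first_dirty_offset}; sample: {report.strings_found[:3]}")
```

A clean result only shows that the final pass covered every addressable block; it says nothing about remapped sectors or HPA/DCO regions the drive firmware hides from the host, which is one reason Idaho Power's decision to destroy drives outright is the safer policy.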

Botmaster Sentenced To Nearly 5 Years In Prison (8 May 2006)

Jeanson James Ancheta, a member of the "Botmaster Underground," pleaded guilty in January to federal charges of conspiracy, fraud and damaging U.S. government computers. He was given a 57-month sentence, the longest sentence for spreading computer viruses, according to federal prosecutors.
-http://ct.enews.cioinsight.com/rd/cts?d=188-336-1-20-148108-42789-0-0-0-1


===end===

NewsBites Editorial Board:

Eugene Schultz, Ph.D., is the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He also founded the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a postgraduate-level IT Security College, www.sans.edu.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Chuck Boeckman is Lead Network Security Engineer supporting the US Transportation Command, responsible for the security of global military transportation command and control systems.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/