
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VIII - Issue #45

June 06, 2006

TOP OF THE NEWS

US Officials Want ISPs to Retain Two Years of Data
Lost Ernst & Young Laptop Contained Hotels.com Customer Data
Wen Ho Lee to Receive Settlement in Privacy Suit

THE REST OF THE WEEK'S NEWS

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Swedish Police Close Down PirateBay Web Site
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Flaws in Older Mozilla Products Could Allow Arbitrary Code Execution
HP Pulls Funlove-Infected Printer Driver
Microsoft Looking Into Reported Windows Flaw
Circuit City Removes Malware from Support Site
MISCELLANEOUS
Manchester (UK) Police Won't Investigate Ransomware Case
Trial Set for Alleged Paine Webber Attacker
WestJet Apologizes, Agrees to Settlement in Air Canada Intrusion Case


******** Sponsored By Check Point Software Technologies, Inc. **********

VoIP deployment promises efficiency, flexibility, and savings. However, telecom worms, theft of service, data breaches, service interruptions, and other risk factors can create an IT management nightmare that's expensive to fix. But these potential risks shouldn't be barriers to VoIP adoption and implementation. Learn how to ensure your network is secure once VoIP is deployed.

http://www.sans.org/info.php?id=1182

*************************************************************************

TRAINING UPDATE
Like gold hidden in rocks, a number of surprising security assets have been discovered hiding in log data - in logs you might not be keeping. More than a dozen users from banks, hospitals, manufacturers, and government will be sharing their discoveries at the Log Management Summit July 12-14 in Washington, DC. And in the same hotel, you can attend any of 16 SANS immersion training courses, taught by the world's best instructors. You'll also be allowed to attend insider briefings on new developments in malware and other security innovations. That's SANSFIRE 2006, July 5-12.

Log Management Summit information: http://www.sans.org/logmgtsummit06
SANSFIRE 2006 information: http://www.sans.org/sansfire06

*************************************************************************

TOP OF THE NEWS

US Officials Want ISPs to Retain Two Years of Data (2 & 1 June 2006)

In an effort to combat child pornography and terrorism, US Attorney General Alberto Gonzales and FBI Director Robert Mueller have asked Internet companies to retain data on people's web activity for as long as two years. Justice Department spokesman Brian Roehrkasse said the government must have proper legal authority to obtain the records, which would include Internet searches and email traffic, but not the contents of the email.
-http://www.usatoday.com/tech/news/internetprivacy/2006-05-31-internet-records_x.htm

-http://www.itnews.com.au/print.aspx?CIID=38491&SIID=35
-http://www.theregister.co.uk/2006/06/01/feds_need_ip_data/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000888&taxonomyId=17

-http://www.zdnetasia.com/news/internet/printfriendly.htm?AT=39364959-39001260c

Lost Ernst & Young Laptop Contained Hotels.com Customer Data (1 June 2006)

Hotels.com says Ernst & Young has informed them that a laptop computer stolen from an employee contained data belonging to 243,000 Hotels.com customers. Hotels.com and Ernst & Young, the company's outside auditor, sent a joint letter notifying those affected by the data security breach. A number of Ernst & Young laptops have been reported stolen this year, affecting employees of Sun, IBM and other companies. It is not known if the Hotels.com data were on one of these computers or if there has been another theft.
-http://www.theregister.co.uk/2006/06/01/ey_hotels_laptop/print.html
[Editor's Note (Schultz): It sounds as if Ernst & Young needs to go back to the proverbial drawing board when it comes to securing laptops, as shown by the rash of thefts of Ernst & Young laptops.
(Grefer): Always use a cable lock with laptop computers. They can be broken, but they virtually eliminate the risk of crimes of opportunity.
(Honan): This story, and other recent ones of similar nature, show that many external companies do not treat their clients' information with the care they should. Companies should start to look at their contracts with external companies and ensure that security requirements, with corresponding penalties, are clearly stated. ]

Wen Ho Lee to Receive Settlement in Privacy Suit (3 June 2006)

Wen Ho Lee, who lost his job as a nuclear scientist at Los Alamos National Laboratory in 1999 when information leaked to the press indicated he was under investigation for espionage, will receive in excess of US$1.6 million from the US government and news agencies. Although Lee was suspected of espionage, no charges were ever filed. Lee filed a lawsuit that same year, alleging "that officials ... disclosed to the news media that he was under investigation for spying for China while working at Los Alamos." The lawsuit sought the names of the journalists' sources; the government is prohibited "from releasing protected information from employees' personnel files." The news organizations, including the New York Times, The Washington Post and the Los Angeles Times were reluctant to pay the settlement, but determined it was the only way they could be sure to protect their sources.
-http://www.washingtonpost.com/wp-dyn/content/article/2006/06/02/AR2006060201060_pf.html



************************ Sponsored Links: *****************************

1) Stop spyware! Try Webroot Spy Sweeper Enterprise for free and assess your spyware risk exposure: http://www.sans.org/info.php?id=1183

2) Free CipherTrust Webcast with Gartner's Peter Firstbrook: Protect Your Email From the Bad Guys: http://www.sans.org/info.php?id=1184

*************************************************************************

THE REST OF THE WEEK'S NEWS

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Swedish Police Close Down PirateBay Web Site (2 & 1 June & 31 May 2006)

Swedish law enforcement officials have shut down a web site that has been the subject of numerous complaints that it facilitates digital content piracy. Earlier this year, Pirate Bay operators said they were not violating copyright law because they merely pointed to music, movie and software files and did not supply the pirated content. Police detained three people for questioning and seized computer equipment following raids at 10 locations. A message on the Pirate Bay web site indicates they hope to seek compensation from Swedish authorities if it can be shown that they are not guilty of violating anti-piracy laws. A subsequent denial-of-service attack launched on the Swedish national police web site may be retaliation for the shutdown of Pirate Bay.
-http://www.latimes.com/technology/la-fi-piratebay1jun01,1,4095608.story?coll=la-mininav-technology

-http://news.bbc.co.uk/2/hi/technology/5036268.stm
-http://today.reuters.co.uk/news/newsArticle.aspx?type=internetNews&storyID=2006-05-31T181414Z_01_L31264277_RTRIDST_0_OUKIN-UK-SWEDEN-PIRACY.XML&archived=False

-http://www.theregister.co.uk/2006/06/02/piratebay_seeks_compensation/print.html
-http://www.smh.com.au/news/Technology/Swedish-police-Web-site-shut-down-by-hacker-attack/2006/06/02/1148956542415.html

-http://news.bbc.co.uk/2/hi/technology/5041848.stm

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Flaws in Older Mozilla Products Could Allow Arbitrary Code Execution (5 & 2 June 2006)

The United States Computer Emergency Readiness Team (US-CERT) has warned of multiple vulnerabilities in older Mozilla products, including SeaMonkey, the Firefox web browser and the Thunderbird email client. The vulnerabilities include privilege escalation flaws, a buffer overflow flaw and multiple memory corruption flaws, all of which could be exploited to execute arbitrary code. Exploits could also cause denial-of-service or allow local information disclosure. Users should upgrade now to newer versions of the software.
-http://www.us-cert.gov/cas/techalerts/TA06-153A.html
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39364956-39000005c
[Editor's Note (Boeckman): While Firefox does not have a very good track record with vulnerabilities, you have to give the development team credit for getting patches out quickly. ]

HP Pulls Funlove-Infected Printer Driver (2 June 2006)

A printer driver on Hewlett-Packard's web site was recently found to be infected with the Funlove virus. The driver was removed. The same malware infected HP drivers in December 2000.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000907&taxonomyId=17

[Editor's Comment (Northcutt): Doctor, it hurts every time I do this. Either the trade press is wrong, or this is at least the third time this has happened. There are references to both Korean and Japanese language drivers infected with "Fun Loving Criminals". The good news is the virus isn't too damaging other than to HP's reputation for quality. The best write-up I could find is here:
-http://www.symantec.com/avcenter/venc/data/w32.funlove.4099.html]

Microsoft Looking Into Reported Windows Flaw (2 June 2006)

Microsoft is investigating reports of a flaw in Windows XP and Windows Server 2003 that could cause a denial-of-service (DoS) condition and could possibly be exploited to run malicious code. There have been no reported attempts to exploit the vulnerability.
-http://news.zdnet.co.uk/internet/security/0,39020375,39272573,00.htm

Circuit City Removes Malware from Support Site (1 June 2006)

People who have visited Circuit City's support web site since May 13 could have exposed their computers to malware that attempts to install a back door if their computers were running IE without a patch issued in January of this year. The code has been removed from the site and the software updated. Circuit City will notify its registered users of the situation.
-http://blog.washingtonpost.com/securityfix/2006/06/circuit_city_support_site_serv.html

MISCELLANEOUS

Manchester (UK) Police Won't Investigate Ransomware Case (2 June 2006)

The Greater Manchester (UK) Police (GMP) says they will not investigate the origins of ransomware that a Manchester woman inadvertently downloaded onto her computer. A GMP spokesman said the incident is considered an Internet crime and is therefore international and outside their jurisdiction; furthermore, to track down the perpetrators would require a significant amount of effort and would likely strain their resources. Some have expressed concern that the lack of effort on the part of police could encourage other cyber criminals.
-http://news.zdnet.co.uk/internet/security/0,39020375,39272579,00.htm

Trial Set for Alleged Paine Webber Attacker (1 June 2006)

Trial is set to begin for Roger Duronio, a former systems administrator for UBS PaineWebber accused of placing malicious code on company computers that deleted files and data. Duronio is facing one count of computer intrusion, one count of mail fraud and two counts of securities fraud. The government alleges Duronio orchestrated the attack to manipulate stock prices to his benefit.
-http://www.informationweek.com/story/showArticle.jhtml?articleID=188700855
[Editor's Note (Northcutt): Do you have trouble believing the "insider threat" is real? I know I do! Intuitively, I like and trust all SANS employees. PaineWebber (which changed its name, after the incident, to UBS Wealth Management USA) trusted Roger, and he had access to the running servers and the backups. It took an army of over 100 IBM consultants to get them back in operation. Losses due to inability to do trading are not published. If you have risk management responsibility you really should read this article. Duronio's alleged motive: he took a position against their stock so that when they lost millions he would gain. For more of the famous smoking guns of e-fraud, this document by the World Bank is great!
-http://wbln0018.worldbank.org/html/FinancialSectorWeb.nsf/(attachmentweb)/CapitalMarketsandE-fraud/$FILE/Capital+Markets+and+E-fraud.pdf ]

[Editor's Note: I support Steve Northcutt's recommendation to you to read the World Bank report. Tom Kellerman, who wrote the February 2005 report, is almost certainly the world's top expert on international financial fraud using computers. ]

WestJet Apologizes, Agrees to Settlement in Air Canada Intrusion Case (29 May 2006)

WestJet Airlines has apologized that certain members of WestJet's management team accessed a proprietary Air Canada web site and downloaded sensitive data in 2003-2004 without authorization; WestJet has also agreed to pay CAD$5.5 million (US$5 million) to cover Air Canada's investigation and litigation expenses, and CAD$10 million (US$9.1 million) will go to a children's charity. Air Canada filed a CAD$220 million lawsuit against WestJet in 2004. WestJet was alleged to have used the password of a former employee to access Air Canada's web site.
-http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20060529/westjet_apology_060529/20060529?hub=CTVNewsAt11



NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/