SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume VIII - Issue #58
July 25, 2006
TOP OF THE NEWS
US Government Agencies Offer Free Cybersecurity Protection Classes
IRS Warns Taxpayers of E-Mail Scam Using US Treasury Payment Systems
Civil Liberty and Technology Companies Appeal ISP Wiretapping Demand
Hackers Striking Databases In Record Numbers
THE REST OF THE WEEK'S NEWS
STANDARDS, POLICY & LEGAL
FBI Needs 'Digital Enron' To Fight Cybercrime
SPYWARE, SPAM & PHISHING
The State Of Spam
ARRESTS, CHARGES & CONVICTIONS
US Hopes To Extradite Webmaster On Internet Terror Charges
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Fake Google Web site hides Trojan horse
Security Sector Rethinks Common Virus Names
Cisco Patches Security-Monitoring System
No Compensation For 'Responsible Disclosure': Microsoft
STATISTICS, STUDIES & SURVEYS
Security Spending Depends On Past Investment, Says Gartner
******** Sponsored By Check Point Software Technologies, Inc. **********
Download FREE white paper and learn how Check Point's UTM solutions simplify security deployment by integrating proven security functions, including firewall, intrusion prevention, antivirus, anti-spyware, Web application firewall, endpoint security enforcement, and IPSec and SSL VPN connectivity. These solutions eliminate the need for many standalone security solutions, and provide universal updateability, centralized management and reporting.
http://www.sans.org/info.php?id=1239
*************************************************************************
Summer Security Training Extravaganza
Over the next two months, you may attend one or more of 50 SANS courses in 20 cities on four continents. And if you cannot make those events, because of travel restrictions, you may attend live SANS courses with the best teachers in the world, without leaving your home. You can even take SANS courses online at your own schedule. Attendance at SANS educational events is experiencing the largest growth spurt in half a decade. Pick your class and register early to get a seat.
http://www.sans.org/index.php
*************************************************************************
TOP OF THE NEWS
US Government Agencies Offer Free Cybersecurity Protection Classes (20 July 2006)
Idaho National Laboratory (INL) researchers will demonstrate SCADA cybersecurity attacks as part of a series of free classes designed to teach engineers and IT professionals how to protect the systems that control the critical infrastructure of the United States and its allies. The courses are part of an international cybersecurity summit in Las Vegas Sept. 28-30. The U.S. Department of Energy and U.S. Department of Homeland Security will sponsor the classes. INL is the home of the SCADA Test Bed and hosts the researchers who study how attackers can penetrate the control systems at nuclear power plants, dams, pipelines, and other critical facilities.
-http://www.foxnews.com/wires/2006Jul19/0,4670,CybersecurityProtection,00.html
Registration (courses and Summit)
-http://www.sans.org/scadasummit_fall06/
[Editor's Note (Paller): The initiative being sponsored by DHS and DoE (and being led by Will Pelgrin of New York State and Mike Assante of INL) is the nation's most promising development in cybersecurity of the critical infrastructure. The project has already delivered procurement specifications that all utilities and other control system buyers can use (two are using them now) to ensure the vendors deliver best-of-breed security built into their control systems. More than 75 IT security and security engineers from utilities and pipelines and government owners of critical infrastructure registered for the courses and for the Summit (where the procurement specs will be released and taught) in the first 48 hours. The courses will be sold out within a few weeks, the Summit soon thereafter. If you work with security of control systems, and care about being at the forefront of your field, you dare not miss this meeting. ]
IRS Warns Taxpayers of E-Mail Scam Using US Treasury Payment Systems (24 July 2006)
Fake e-mail messages containing several misspellings and purporting to be from a fictitious IRS organization are circulating. They claim that someone has enrolled the recipient's credit card in the US Treasury's Electronic Federal Tax Payment System and has tried to use the credit card to pay taxes. The messages instruct recipients to click on a link to recover the money, but the link takes them to a malicious Web page that tries to gather sensitive personal information. This scam is one of more than 100 since last November in which perpetrators have tried to impersonate the IRS in attempts to fool victims into divulging personal and/or financial information or into downloading malicious code.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001961&source=NLT_PM&nlid=8
[Editor's Note (Tan): Cybercriminals are starting to time their attacks to persuade users to fall into their trap. Before April 15, there was a scam on tax filing. Now we see another one on tax payment.
-http://www.websense.com/securitylabs/alerts/alert.php?AlertID=436
-http://www.pcworld.com/news/article/0,aid,125155,00.asp]
Civil Liberty and Technology Companies Appeal ISP Wiretapping Demand (24 July 2006)
A civil liberties coalition has asked the U.S. Court of Appeals to review a June two-to-one decision forcing ISPs to rewire their networks in order to create backdoors to facilitate government wiretapping. They argue that the ruling far surpasses what federal law permits, while the FBI claims the need for standardized broadband intercept capabilities is especially urgent. The June ruling calls for ISPs to require their networks to follow rules for enabling eavesdropping by May 2007.
-http://management.silicon.com/government/0,39024677,39160640,00.htm
Hackers Striking Databases In Record Numbers (19 July 2006)
A firm that monitors security at 1,300 client organizations reports its clients' databases are experiencing more than 8,000 SQL Injection attacks per day. That is nearly a six-fold increase from earlier in 2006. Attacks were detected coming from computers in Russia, China, Brazil, Hungary and Korea. These attacks are specifically crafted for the target organizations.
-http://www.infoworld.com/article/06/07/19/HNsqlattacks_1.html
[Editor's Note (Ullrich): Securing web-based access to databases is the hardest problem security professionals face. Open access to an e-commerce website is critical. However, this website is also the gateway to a company's crown jewels: customer information, orders, inventories and more. The only thing controlling access to this treasure is a complex custom application. Moving at Internet speed, first to market usually trumps security when it comes to developing these applications. ]
*********************** Sponsored Links: ******************************
1) ALERT: Secure your INTERNAL network. Stop protecting in the dark. Gain network visibility now. Download FREE White Paper "Network Behavior Analysis (NBA) in the Enterprise."
http://www.sans.org/info.php?id=1240
2) Using Real-Time Log Analysis to Defend Against Network Attacks and Insider Abuse - Live Webinar
http://www.sans.org/info.php?id=1241
*************************************************************************
THE REST OF THE WEEK'S NEWS
STANDARDS, POLICY & LEGAL
FBI Needs 'Digital Enron' To Fight Cybercrime (21 July 2006)
A "digital Enron" is what the FBI says it needs to force the hand of legislators to make reforms to effectively battle online criminals. While awareness is increasing, it takes a great deal of evidence to get a search warrant to uncover evidence of a crime that took only seconds to commit. The FBI claims it will take a major newsworthy cybercrime case in which many people lose a lot of money, to make legislators understand the danger and move forward accordingly.
-http://www.ecommercetimes.com/story/51940.html
-http://www.vnunet.com/vnunet/news/2160793/curbing-cyber-crime-requires
[Editor's Note (Northcutt): Both articles are short on substance, but there are a couple of zingers in there; my favorite is: "Consumers, in the meantime, are carrying the burden if they become the victim of key-loggers, because they have technically given up their log-in and password information voluntarily."
(Pescatore): Big sigh. I sure hope we don't need a big bank robbery to have the FBI battle bank robbers. Existing laws and court rulings already provide many justifications for legal searches without court warrants and the PATRIOT act already gave the 4th amendment a thorough pummeling. I think we are just as likely to have a cyber-Watergate as we are to have a cyber-Enron - much of the privacy legislation we have today was driven by the government abuse of surveillance that came to light back then. ]
SPYWARE, SPAM & PHISHING
The State Of Spam (20 July 2006)
Nearly five billion pieces of spam are blocked every day by the combined efforts of AOL and Microsoft, which represents 95 percent of spam traffic, but that still leaves about 5 percent that gets through. The Messaging Anti-Abuse Working Group says spam accounted for about 80 percent of all the e-mail traffic on the Internet during the first three months of 2006. IBM is reporting that phishing now accounts for one in every three hundred email messages. The article includes lots more information about spam and phishing and what can and cannot be done to fight back.
-http://www.informationweek.com/security/showArticle.jhtml?articleID=190600156
ARRESTS, CHARGES & CONVICTIONS
US Hopes To Extradite Webmaster On Internet Terror Charges (21 July 2006)
A UK webmaster has been arrested at the behest of the US government on charges that he ran a Web site promoting "violent jihad" against the West. Syed Talha Ahsan has been accused of selling books, videotapes, audio cassettes and CD-ROMs that glorified violence and funneled money to illegal groups.
-http://www.theregister.co.uk/2006/07/21/uk_webmaster_terror_charges/
-http://news.zdnet.co.uk/communications/broadband/0,39020342,39279273,00.htm
-http://www.theage.com.au/news/Technology/British-man-indicted-on-terrorism-charges-over-Internet-sites/2006/07/20/1153166470199.html
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Fake Google Web Site Hides Trojan Horse (22 July 2006)
A fake Google Tool Bar can turn victims' machines into zombies if it is downloaded. E-mails direct users to a Web site that perfectly mimics the real Google download page, where the victim is offered the fake tool.
-http://www.cio.com/blog_view.html?CID=23222
-http://www.theage.com.au/news/Technology/Google-tool-bar-seekers-tricked-into-downloading-computer-virussecurity-firm/2006/07/22/1153166620984.html
Security Sector Rethinks Common Virus Names (21 July 2006)
The antivirus industry has once again proposed its Common Malware Enumeration (CME) program, which aims to prevent confusion over naming major virus and worm outbreaks. Launched last October by US-CERT, it is hoped that numbering malware with non-sequential CME numbers will avoid the confusion of having a number of different names assigned to a single piece of malicious code.
-http://www.vnunet.com/vnunet/news/2160789/security-sector-rethinks-common
[Editor's Note (Ullrich): The fundamental flaw of this system is that it attempts to number only "important" malware. Once a malware is considered important, it's too late to create an identifier. Ideally, a malware identifier would map back to packers and malware functionality based on a scheme to normalize malware.
(Northcutt): Whew! I hate being the naysayer, but this is doomed to fail. First, their mission statement is to reduce public confusion during a malware outbreak. However, as quaint as malware names get, W97M/TrojanDropper.Lafool.NAA gives you a lot more information at a glance than CME-135. Second, the editorial board comes down to people, and those people have to vote. The following URL,
-http://cme.mitre.org/community/board/index.html
lists companies, not people, a very bad sign. Third, this has seed money written all over it; you can often get the government to fund a prototype, but I don't see much hope for sustained funding. Fourth, this is a retread. The first try was a failure to launch. Fifth, the antivirus industry has not proposed CME, Mitre has. The antivirus industry is just going along with it so they don't appear to be bad sports. Say goodbye to your tax dollars on this one.]
Cisco Patches Security-Monitoring System (21 July 2006)
Cisco has issued patches for several flaws in its Cisco Security Monitoring, Analysis and Response System (CS-MARS) which could allow intruders to gain remote access to systems and glean sensitive information. Cisco said it has patched CS-MARS version 4.2.1 and later, and urged customers to apply all available updates. All previous CS-MARS versions, however, are affected by the flaws.
-http://zdnet.com.au/news/security/soa/Cisco_patches_security_monitoring_system/0,2000061744,39264226,00.htm
No Compensation For 'Responsible Disclosure': Microsoft (20 July 2006)
Microsoft's Australian chief security advisor, Peter Watson, denounced the practice of paying security researchers a fee to responsibly disclose vulnerabilities. He claimed that working closely with security researchers and other software vendors offers better ways to protect its customers. A Check Point spokesperson said the company has paid researchers for discovering vulnerabilities.
-http://www.zdnet.com.au/news/security/soa/No_compensation_for_responsible_disclosure_Microsoft/0,2000061744,39264106,00.htm
[Editor's Note (Schultz): I fear that Watson's views are misguided. Microsoft, after all, does not exactly have a stellar track record for the way it deals with security researchers. Watson's terminology, namely "working closely with security researchers," thus borders on meaningless rhetoric.
(Ranum): If you're trying to get rid of cockroaches, scattering food around isn't the best strategy.]
STATISTICS, STUDIES & SURVEYS
Security Spending Depends On Past Investment, Says Gartner (24 July 2006)
Gartner VP Rich Mogull says organizations that implemented security technology effectively can safely scale back security spending to between 3 percent and 4 percent of their IT budget by 2008 so they can focus on new threats. Those that are inefficient and have skimped on security spending in the past may spend upwards of 8 percent of their IT budget on security and will still be investing aggressively for the next few years.
-http://computerworld.co.nz/news.nsf/mgmt/D8F165364E56FDEECC2571B20019727B
The Editorial Board of SANS NewsBites
We welcome Johannes Ullrich, Chief Technology Officer of the Internet Storm Center, to the Editorial Board
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit http://portal.sans.org/