SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VIII - Issue #59

July 28, 2006

TOP OF THE NEWS

Exploit Code for Two (Three?) Windows Flaws Published
UK Government Considers Increasing Penalties for ID Thieves
KaZaA Settles Lawsuits, Agrees to Move to Legitimate Business Model

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Two Cal State Northridge Students to be Arraigned on Charges of Illegal Computer Access
Private Investigator Arrested at Hacker Conference
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
Laptops Stolen from Navy Recruitment Offices in New Jersey
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Lawsuits Against Software Pirates Decrease Illegal Software for Sale on eBay
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Netscape.com Defaced
FormSpy and Downloader.Bancos Trojan Horse Programs
Mozilla Releases Firefox Update
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Missing Laptop Holding 540,000 NY State Workers' Data Found
Deloitte & Touche Employees Told of Possible Data Compromise
STANDARDS & BEST PRACTICES
CIO Council Releases Tested Version of FEA Security and Privacy Profile


**************** Sponsored By Prism Microsystems, Inc. ******************

Log management experts agree, the most important log reports include: Attempts to gain access through existing accounts, Failed file or resource access attempts, Unauthorized changes to users, groups or services. Get all three with one click tracking of user activity in your enterprise with the new "User Analysis" feature in EventTracker.
http://www.sans.org/info.php?id=1243

*************************************************************************

Summer Security Training Extravaganza

Over the next two months, you may attend one or more of 50 SANS courses in 20 cities on four continents. And if you cannot make those events, because of travel restrictions, you may attend live SANS courses with the best teachers in the world, without leaving your home. You can even take SANS courses online at your own schedule. Attendance at SANS educational events is experiencing the largest growth spurt in half a decade. Pick your class and register early to get a seat.
http://www.sans.org/index.php

*************************************************************************

TOP OF THE NEWS

Exploit Code for Two (Three?) Windows Flaws Published (26 July 2006)

Exploit code for two Windows flaws has been published on the Internet. The first exploits a flaw in the Windows Dynamic Host Configuration Protocol and could be used to take control of vulnerable systems. Microsoft released a patch for the flaw on July 11 (MS06-036). The second exploit is proof-of-concept code and exploits a flaw in the Windows "mailslot" component. There is some disagreement as to whether this is a flaw addressed on July 11 (MS06-035) or a new flaw. Microsoft says it appears to be for a variant of the patched flaw and therefore may release an additional patch to fix it. While the flaw addressed in the security update could be exploited to spread a worm, the proof-of-concept code is designed to crash vulnerable computers.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39378074-39000005c
Internet Storm Center:
-http://isc.sans.org/diary.php?storyid=1502
-http://isc.sans.org/diary.php?storyid=1509
[Editor's Note (Ullrich): The DHCP vulnerability is very serious! In particular if you have to use your laptop in untrusted environments (conferences or airports) you have no choice but to trust the first DHCP server to respond. No firewall will protect you in this case. Good news however: The exploit published is not very reliable and causes the system under attack to reboot multiple times, which may alert the user not to connect to the network. Remember also: A VPN will *not* protect the DHCP.
(Guest Editor, Donald Smith): Actually exploits for THREE flaws (MS06-034, MS06-035, and MS06-036) have been publicly released. More information on those exploits and vulnerabilities is available in the original Storm Center diary entries for them.
-http://isc.sans.org/diary.php?storyid=1473
-http://isc.sans.org/diary.php?storyid=1471
-http://isc.sans.org/diary.php?storyid=1472
Identical exploits appear to have been released via milw0rm and a Russian exploit site. ]

UK Government Considers Increasing Penalties for ID Thieves (25 July 2006)

The UK government is considering amending the Data Protection Act to establish more stringent penalties for those convicted of identity theft. Currently, Data Protection Act violations are punishable by fines; the proposed amendment would impose jail sentences of up to two years. "The Department for Constitutional Affairs (DCA) will undertake a public consultation on the new sentencing proposals" through October 30, 2006.
-http://software.silicon.com/security/0,39024655,39160771,00.htm

KaZaA Settles Lawsuits, Agrees to Move to Legitimate Business Model (27 July 2006)

KaZaA has agreed to pay US$115 million in damages to Universal Music, Sony BMG, EMI and Warner Music to settle a dispute regarding illegal downloads; the company has also agreed to pay a lesser sum to motion picture companies. KaZaA will implement filtering technology to prevent its software from being used to share content in violation of copyright law and has committed to moving to a legitimate digital download business model.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002047
-http://www.pcworld.com/news/article/0,aid,126590,00.asp
-http://www.usatoday.com/tech/news/2006-07-27-kazaa_x.htm

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Two Cal State Northridge Students to be Arraigned on Charges of Illegal Computer Access (27 & 26 July 2006)

Two California State University Northridge students will be arraigned on August 21 on several charges stemming from allegations they broke into a professor's computer. Jennifer Ngan and Lena Chen allegedly altered grades for themselves and roughly 300 other students. The accused also ordered a variety of items to be sent to the professor's home. They each face up to one year in prison.
-http://www.techweb.com/wire/security/191501893;jsessionid=E5DX42YGUKZ54QSNDLOSKH0CJUNN2JVN
-http://www.latimes.com/news/local/la-me-hackers26jul26,0,7988497.story?coll=la-story-footer

Private Investigator Arrested at Hacker Conference (25 July 2006)

Private investigator Steven Rombom was arrested in New York City on Saturday, July 21, shortly before he was scheduled to speak at a hacker convention. The complaint against Rombom alleges he impersonated a federal investigator to help a client who wanted to find a government informant. Rombom appeared in court on Tuesday July 25, and was released on his own recognizance. He is scheduled to reappear in court on August 7.
-http://blog.washingtonpost.com/securityfix/2006/07/fbi_charges_hope_speaker_with_1.html
-http://www.washingtonpost.com/wp-dyn/content/article/2006/07/24/AR2006072401196.html
-http://www.theregister.com/2006/07/25/hope_arrest_charges/print.html

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

Laptops Stolen from Navy Recruitment Offices in New Jersey (27 & 26 July 2006)

The US Navy has acknowledged the theft of two laptop computers used to store personal information of 31,000 recruiters and prospective recruits. The computers were stolen from two separate Navy recruitment offices in New Jersey in June and early July. Navy personnel did not learn of the thefts until the middle of July, although police were notified earlier.
-http://www.washingtonpost.com/wp-dyn/content/article/2006/06/26/AR2006062601103.html

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Lawsuits Against Software Pirates Decrease Illegal Software for Sale on eBay (25 July 2006)

The Software & Information Industry Alliance (SIIA) says there was a noticeable decrease in the number of pirated software items offered for auction on eBay following lawsuits against three pirate groups. SIIA tracked the number of listings for illegal copies of software on the auction web site for 30 days following the announcement of the lawsuits.
-http://www.vnunet.com/vnunet/news/2161041/siia-legal-attack-drives

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Netscape.com Defaced

Visitors to Netscape.com were greeted with a four-letter curse word; beneath it was a reference to Digg. Netscape and Digg have been engaged in mudslinging.
-http://www.theregister.com/2006/07/26/digg_versus_netscape/

FormSpy and Downloader.Bancos Trojan Horse Programs (27, 26 & 21 July 2006)

The FormSpy Trojan horse program installs itself as a Firefox extension. It infects only computers that have already been infected by the Downloader-AXM Trojan. FormSpy is designed to gather sensitive data, including credit card and bank account numbers.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39378305-39000005c
-http://www.betanews.com/article/Trojan_Hides_Itself_as_Firefox_Extension/1153934797

Another Trojan horse program, called Downloader.Bancos, has been spreading in the guise of an attachment that claims to be a "detailed invoice" for an anti-spyware subscription. Users' computers become infected if they open the attachment.
-http://www.pcw.co.uk/vnunet/news/2160921/anti-spyware-trojan-hits-uk
-http://www.securitypronews.com/news/securitynews/spn-45-20060721ScamEMailImpersonatesSpysoftCentral.html

[Editor's Comment (Northcutt): I am not sure that Downloader is going to be a big deal. McAfee's website gives you the core information about the FormSpy attack and the indications you might be infected:
-http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=140256&affid=102

(Boeckman): It seems the spyware people show more innovation and creativity than most commercial software developers. ]

Mozilla Releases Firefox Update (27 July 2006)

On July 26, Mozilla released an update for its Firefox web browser, Firefox 1.5.0.5, to remedy a dozen flaws, seven of which are rated "critical." Mozilla has issued advisories for each of the vulnerabilities. The critical flaws include crashes with evidence of memory corruption, a privilege escalation flaw, JavaScript engine vulnerabilities and a memory corruption flaw in the way simultaneous XPCOM events are handled.
Internet Storm Center Data:
-http://isc.sans.org/diary.php?storyid=1515
-http://isc.sans.org/diary.php?storyid=1517
News Articles:
-http://news.com.com/2102-1002_3-6099254.html?tag=st.util.print
-http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.5

ATTACKS & INTRUSIONS & DATA THEFT & LOSS

Missing Laptop Holding 540,000 NY State Workers' Data Found (26 July 2006)

A laptop computer containing personal information of 540,000 New York state workers has been found after it was discovered to be missing on May 9. The computer belongs to the New York Special Funds Conservation Committee, but was in the offices of CS Stars, a Chicago-based data management company, when it was lost or stolen. The FBI is investigating the computer's disappearance and conducting analysis on the recovered machine. CS Stars last week sent letters to people whose data were on the computer; they were each offered one year of credit monitoring and US$25,000 in identity theft insurance. Although the machine disappeared on May 9, the employee who noticed it missing did not inform his company until June 19. The company conducted an internal investigation and reported the missing computer to the state agency on June 29. The FBI was alerted on June 30.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002031

Deloitte & Touche Employees Told of Possible Data Compromise (26 & 25 July 2006)

A laptop computer stolen from the locked car of a Deloitte & Touche employee held personal data belonging to approximately 12,000 current and former Armstrong World Industries employees. The data on the computer includes names, Social Security numbers (SSNs) and salary and wage information. Armstrong, which manufactures floors, ceilings and cabinets, has sent a letter to affected employees informing them of the theft and suggesting they keep a close eye on their financial accounts. Armstrong also said there has been no evidence the data were used. Deloitte & Touche conducts internal audits for Armstrong.
-http://www.thestate.com/mld/thestate/business/15122637.htm
-http://local.lancasteronline.com/4/24293
[Editor's Note (Grefer): Repeat after me: "A cable lock goes a long way!" Note the absence of any mention of data encryption. ]

STANDARDS & BEST PRACTICES

CIO Council Releases Tested Version of FEA Security and Privacy Profile (25 & 24 July 2006)

The CIO Council's Federal Enterprise Architecture Security and Privacy Profile (FEA SPP) suggests best practices for government agencies to protect data shared with others. The document also offers ideas for integrating security and privacy requirements into technology purchases. This is the third version of FEA SPP. It was tested and modified over a four-month period at the Justice Department and the Department of Housing and Urban Development.
-http://www.fcw.com/article95390-07-25-06-Web
-http://www.gcn.com/online/vol1_no1/41450-1.html


==end==

The Editorial Board of SANS NewsBites

We welcome Johannes Ullrich, Chief Technology Officer of the Internet Storm Center, to the Editorial Board

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/