SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #73

September 15, 2006

A special invitation: You'll recall last year we had to move SANS' big fall training program to Los Angeles from New Orleans because of Hurricane Katrina. We went to see New Orleans this summer and were amazed how much the city has come back - hotels, restaurants, Bourbon Street, the waterfront, all of it. We decided to run a special SANS conference in November, and we hope everyone who has ever enjoyed New Orleans will come back with us. To make it worth your while, Eric Cole himself will be teaching an updated SANS Security Essentials program; Ed Skoudis (the nation's top malware expert) will be teaching the hacker exploits track, Jason Fossen (just an amazing teacher) will be teaching Windows Security. We'll also have Security Leadership training for anyone who needs DoD 8570 management certification, and a phenomenal course on securing wireless. It's November 14-21. Please join us in saluting New Orleans and enjoying the best possible SANS training in one of America's great cities.
Details: http://www.sans.org/neworleans06/event.php

Alan

---

TOP OF THE NEWS

DHS Releases Report on February Cyber Storm Exercise
Pair Indicted for Filing Phony Medicare Claims with Stolen Patient Information
California AG Has Evidence for Indictments in HP Case; Dunn to Step Down

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES
Two Men Receive Prison Sentences in Zotob Case
SPYWARE, SPAM & PHISHING
Microsoft Wins Civil Suit Against UK Spammer
Earthlink Awarded US$11 Million Judgment in CAN-SPAM Case
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Releases Three New Security Bulletins and Revised IE Bulletin, but No Patch for Word 2000 Flaw
Apple Issues QuickTime Update to Address Seven Flaws
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Missing Tapes Hold Data on British Columbian Citizens
Stolen Univ. of Minnesota Laptops Hold Student Data
Bank of Montreal Laptop Stolen
Missing Laptop Prompts Security Review

---

****************** Sponsored By Fiberlink Communications ****************

The Hack is Back! In Fiberlink's new on-demand video/companion guide, our ethical hacker demonstrates four advanced hacks using techniques used to target mobile endpoints and the corporate network. Learn about the changing security landscape, current hacking techniques used to exploit vulnerabilities on mobile systems, and fundamental security strategy changes that can protect your mobile enterprise from attack.
http://www.sans.org/info.php?id=1345
*************************************************************************

Network Security 2006 (Las Vegas, Oct. 1-8) is the only place to find all 20 of SANS highest rated teachers. How Good Are The Courses at SANS Network Security 2006? Ask the alumni.
++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines
++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA
++ "This program provided the opportunity to learn from many of the people who are defining the future direction of information technology" - - Larry Anderson, Computer Sciences Corp.
++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - - David Ritch, Department of Defense
See: http://www.sans.org/ns2006/caag.php
***********************************************************************

---

TOP OF THE NEWS

DHS Releases Report on February Cyber Storm Exercise (13 September 2006)

The US Department of Homeland Security (DHS) has released a report detailing the findings of its Cyber Storm exercise that took place in February 2006. It was designed to simulate events requiring the need for coordination between public and private entities in the face of a major cyber attack or natural disaster. The exercise simulated the effects an attack could have on a variety of critical infrastructure elements, and was designed to simulate cascading events. DHS said the exercise provided valuable information about the ability of numerous public and private organizations to work together in the face of disaster. According to the report, the public and private sectors need to improve the coordination of their communication regarding multiple events.
-http://www.eweek.com/print_article2/0,1217,a=188583,00.asp
-http://www.dhs.gov/dhspublic/display?content=5827
-http://www.dhs.gov/interweb/assetlibrary/prep_cyberstormreport_sep06.pdf
[Editor's Note (Schultz): A seven-month delay between the time the exercise was held and the time the report became available seems excessive--perhaps one indicator of what is wrong in cooperation between the private and public sectors.
(Northcutt): Nice job on the report, well worth your time to read it then think about your own DR/BCP processes. The conclusion is not surprising, in a major event of any sort, communication is always the problem. In a real event, the telephone system usually fails due to overload. So what are the simple things you can plan to do in advance?
- - Shared, password protected, voicemail box on your PBX so critical staff can leave information for one another
- - Family radios, these are great, we use them at conferences all the time, more channels is better
- - Web server with static pages (remember those) password protected for updates in bandwidth challenged conditions
- - Pre-assigned, trained runners and drivers to move files around by DVD or tape ( high latency, but pretty high bandwidth )
- - But most important are your ideas, if you have a good one, send it to Stephen@sans.edu]

Pair Indicted for Filing Phony Medicare Claims with Stolen Patient Information (9 September 2006)

Isis Machado and Fernando Ferrer, Jr. were indicted on charges of conspiracy to commit computer fraud, conspiracy to commit identity theft and conspiracy to wrongfully disclose individually identifiable health information as well as charges related to fraud in connection with computers and violations of the Health Insurance Portability and Accountability Act (HIPAA). Machado and Ferrer allegedly conspired to steal personal medical information belonging to more than 1,100 Cleveland Clinic Florida patients and using it to make more than US$2.8 million in phony Medicare claims. The Cleveland Clinic has sent letters to patients whose data were stolen. If convicted of charges against them, Machado and Ferrer could each face up to 10 years in prison and fines of up to US$250,000.
-http://www.sun-sentinel.com/news/local/southflorida/sfl-dfraud09sep09,0,2612716,
print.story?coll=sfla-home-headlines

California AG Has Evidence for Indictments in HP Case; Dunn to Step Down (13 & 12 September 2006)

A spokesman for California Attorney General Bill Lockyer says the state has sufficient evidence to indict individuals at Hewlett Packard (HP) and contractors hired by the company in connection with the apparent use of pretexting to obtain phone records of journalists and HP board members. The Massachusetts attorney general's office has confirmed that it is working with California on the case, but has not said why. It is possible that this is because the private investigation firm hired to obtain the information is in Massachusetts. HP chairwoman Patricia Dunn will step down from her position on January 18, 2007, but will remain on the board. In a related story, George Keyworth, who has admitted to being the source of the leak that prompted the investigation, has resigned from HP's board of directors.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9003253
(Please note this site requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2006/09/13/AR2006091301830_
pf.html
-http://www.theregister.co.uk/2006/09/12/hp_keyworth_out/print.html

---

********************* Sponsored Links: ********************************

1) SANS WhatWorks webcast 9/21 at 1pm-2pm EDT, "Messaging Application Gateway Security with Baptist Health System"
http://www.sans.org/info.php?id=1346

2) The Process Control & SCADA Security Summit, September 28 - 30, is a must-attend event for the technical and procurement managers of any organization that relies on automated industrial control systems and for the system integrators and system vendors that support them.
http://www.sans.org/info.php?id=1347

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES

Two Men Receive Prison Sentences in Zotob Case (13 September 2006)

Two Moroccan men have been given prison sentences for their activities related to the Zotob worm that was released in August 2005 and infected computer systems at the New York Times, the Associated Press, ABC and CNN as well as the US Immigration and Customs Enforcement bureau. Farid Essebar received a two-year sentence while Achraf Bahloul received a one-year sentence. Attorneys for the men plan to appeal.
-http://www.smh.com.au/news/Technology/Morocco-jails-authors-of-the-devastating-Z
otob-virus/2006/09/13/1157827021119.html
-http://www.theregister.co.uk/2006/09/13/zotob_perps_jailed/print.html

SPYWARE, SPAM & PHISHING

Microsoft Wins Civil Suit Against UK Spammer (13 September 2006)

Microsoft has won a civil suit against a spammer in the UK. A court has ordered Paul Fox to pay GBP45,000 (US$85,000) for violations of the terms and conditions of use of Microsoft's Hotmail service, which prohibit anyone from delivering spam to Hotmail customers. The case was not pursued under UK spam laws because they are limited in scope.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39283259-39020375t-10000025c
-http://www.theregister.co.uk/2006/09/13/ms_sues_british_spammer/print.html

Earthlink Awarded US$11 Million Judgment in CAN-SPAM Case (13 September 2006)

Nevada-based bulk emailer KSTM LLC has been ordered to pay Earthlink US$11 million for sending spam to Earthlink customers. The judgment from a federal court in Atlanta also prohibits the firm from spoofing the "from" fields in email, hiding the sender's identity, selling email addresses and accessing or obtaining Earthlink accounts. The suit was brought under the CAN-SPAM Act. Earthlink has won more than US$200 million in judgments against spammers over the last 10 years.
-http://www.theregister.com/2006/09/13/earthlink_nevada_spammer_judgment/print.ht
ml
[Editor's Note (Northcutt): The real question is how much money they have actually collected, but they certainly are working hard using the CAN-SPAM legal tool. Visit
-http://www.earthlink.net/about/press/category/#memberexperience
and then use find on the keyword "spam" for further information.
(Schultz): It is wonderful that Earthlink is winning court cases against spammers. At the same time, however, I very much agree with the commentary in the full version of this news item at
-http://www.theregister.com/2006/09/13/earthlink_nevada_spammer_judgment/print.ht
ml
. Much of the money that Earthlink has "won" has not ended up in its hands. Many if not most spammers cannot pay even a fraction of the money they have been ordered to pay.]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Microsoft Releases Three New Security Bulletins and Revised IE Bulletin, but No Patch for Word 2000 Flaw (14, 13 & 12 September 2006)

Microsoft released three security bulletins on Tuesday, 12 September. The only one of the three bulletins that had a severity rating of "critical" addresses a file parsing flaw in Microsoft Publisher that could be exploited to give attackers complete access to vulnerable PCs. On the same day, Microsoft released a third version of MS06-042, an update to address a vulnerability in Internet Explorer (IE). The original update caused problems for certain users and introduced two new vulnerabilities into IE. A second version of the update addressed one of the vulnerabilities; the version released this week addresses the other. Microsoft has still not issued a fix for a vulnerability in Microsoft Word that is already being actively exploited.
-http://www.itnews.com.au/newsstory.aspx?CIaNID=36913
-http://www.us-cert.gov/cas/techalerts/TA06-255A.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9003288&intsrc=news_ts_head
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61952693-39000005c
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339270999-1300
61744t-110000005c
-http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx

Apple Issues QuickTime Update to Address Seven Flaws (13 September 2006)

Apple has fixed seven flaws in QuickTime media player in Mac OS X and Windows. The flaws include heap, buffer and integer overflows and an exception that could allow attackers to inject malicious code to vulnerable computers and take control of them. Users would need to be tricked into visiting a maliciously crafted web site for the exploit to work. Users are encouraged to download QuickTime 7.1.3.
-http://www.techweb.com/wire/193000276
-http://www.us-cert.gov/cas/techalerts/TA06-256A.html
[Editor's Note (Northcutt): Another great candidate for a Security Awareness Program Tip of the Day, but don't stop there. Flash needs an update as well! A new version of the Adobe/Macromedia Flash Player has been released to address security problems. Its as easy as 1 2 3.
1) Go to
-http://www.macromedia.com/software/flash/about/
">
-http://www.macromedia.com/software/flash/about/

. If you currently have a version of Flash Player installed, you will see a "Version Information" box in the middle of the screen. If you do not have Flash Player installed, you will see a green jigsaw puzzle piece icon and a "Click here to download plugin" link. If you have version 8.x or older, you need to update.
2) To get the new software, go to
-http://www.adobe.com
and click on the 'Get Adobe Flash Player' button. On the next web page, click 'Download Now'. Save the download to your desktop and then run it.
3) Now go back to
-http://www.macromedia.com/software/flash/about/
">
-http://www.macromedia.com/software/flash/about/

. You should now be running version 9.0.16.0.]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Missing Tapes Hold Data on British Columbian Citizens (12 September 2006)

Thirty-one computer tapes holding information about hundreds of thousands of British Columbia citizens are missing from a government facility in Victoria. The data on the tapes could be used to commit identity fraud. A confidential government report about the incident obtained by the Vancouver Sun recommends not making the tapes' disappearance public knowledge. Canadian law does not require that individuals be notified in the event of a possible data breach. The government became aware the tapes were missing in August 2005.
-http://www.canada.com/victoriatimescolonist/news/story.html?id=e1b03e3e-d043-4e6
4-9a09-415a24636751&k=71796
[Editor's Note (Schultz): Even if Canadian law does not mandate that people whose personal data are compromised, decency and ethics do. ]

Stolen Univ. of Minnesota Laptops Hold Student Data (8 September 2006)

On August 14 or 15, two laptop computers were stolen from a campus office at the University of Minnesota. The computers hold data belonging to 13,064 current and former students who entered the university as freshmen between 1992 and 2006. The data include names, birthdates, high schools attended, test scores and academic probation information. The computers also contain the Social Security numbers (SSNs) of 603 of the students. The school is making efforts to contact affected individuals to inform them of the data breach. The data were stored on a hard drive, which is "not standard operating procedure," according to a university spokesperson.
-http://www.twincities.com/mld/pioneerpress/news/local/15475291.htm

Bank of Montreal Laptop Stolen (8 September 2006)

A laptop computer stolen from an Ottawa branch of BMO Bank of Montreal holds personally identifiable data belonging to approximately 900 bank clients. The computer was stolen in May; police were notified of the theft on May 18. A bank spokesperson said there has been no evidence that the information has been used fraudulently. BMO Bank of Montreal has advised the affected customers to monitor their accounts for suspicious activity.
-http://ottsun.canoe.ca/News/OttawaAndRegion/2006/09/08/pf-1814249.html

Missing Laptop Prompts Security Review (7 September 2006)

A laptop computer stolen from the car of a Florida National Guard soldier contained no classified information, but did hold personally identifiable information belonging to as many as 100 Florida National Guard soldiers. The computer was stolen on September 5. The incident has prompted the Florida National Guard to conduct a security review.
-http://www.floridatoday.com/apps/pbcs.dll/article?AID=/20060907/BREAKINGNEWS/609
07027/1086

---

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center, to the Editorial Board.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/