Newsletters: NewsBites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VIII - Issue #84

October 24, 2006

TOP OF THE NEWS

E-Trade Loses $18 Million To Cyberfraud In Last 90 Days; Industry-Wide Outbreak
FBI Investigating Diebold Source Code Leak
Judge Denies Request to Suspend Spamhaus.org Domain

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES
Former Drug Squad Detective Gets Seven Years for Sharing Information with Dealer
Nine Sentenced for Piracy in China
Sweden's First Music File-Sharing Conviction
Man Draws Five-Year Sentence for Stealing Credit Card Data from US Army Computers
Murderer Will Release Encryption Key to Unlock His Journal
SPYWARE, SPAM & PHISHING
Los Angeles Boy Scouts Can Earn "Respect Copyrights" Activity Patch
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Hong Kong IFPI Sends Cease and Desist Letters to 38 Alleged File Sharers
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
SpamThru Trojan Uses Anti-Virus to Stake its Claim
Remotely Exploitable Overflow Flaw Fixed in Opera 9.02
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
NAB Warns Customers to Look Out for Phishing eMail After DDoS Attack
Three More Cases of Missing Laptops
T-Mobile Employees' Data Missing
Minneapolis-St. Paul Area OB Patient Data on Stolen Computer
Stolen Laptop Holds Data on 200 University of Minnesota Students
MISCELLANEOUS
Firefox 2.0 Out a Day Early
Robberies and Street Crime Rise Could be Due to Gadgets


********************** Sponsored By Symark Software *********************

Security and compliance go hand-in-hand. How can you meet compliance requirements and guard against unauthorized access or theft of data? Learn how PowerBroker, the most widely used solution for systems administration and controlling Unix/Linux root privileges, helps you meet data privacy and compliance requirements. Download the FREE White Paper "PowerBroker vs. sudo."
http://www.sans.org/info/1580

*************************************************************************

Three Great SANS Training Conferences Coming Up (and a $1,000 challenge) San Jose, New Orleans and Washington DC. Shon Harris and Eric Cole will be teaching the CISSP prep courses in San Jose and DC respectively. We'll pay a $1000 prize to any person who is the first to identify a higher rated CISSP prep teacher than Eric and Shon. In DC, Ed Skoudis will be teaching Hacker Exploits, Jason Fossen will be teaching Windows Security, Stephen Northcutt will be teaching comprehensive security management, Josh Wright will be teaching Wireless Security, Mike Poor will be teaching Intrusion Detection, Rob Lee will be teaching Forensics and there are more. The same $1000 challenge goes for every one of them. The faculty sets SANS apart. You have simply never had a better teacher of these topics. Many of those same teachers will also be in New Orleans.

That's why more than 8,000 students have written comments like this one: ++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines

+++ New Orleans: Nov. 14-21, http://www.sans.org/neworleans06/event.php
+++ San Jose: Dec. 4-9 http://www.sans.org/siliconvalley06/index.php
+++ Washington DC: Dec. 9-16 http://www.sans.org/cdieast06/event.php

*************************************************************************

TOP OF THE NEWS

E-Trade Loses $18 Million To Cyberfraud In Last 90 Days; Industry-Wide Outbreak (October 24 2006)

Hackers have radically increased their attacks on online brokerage accounts, making millions of dollars of unauthorized trades. The fourth largest online brokerage, E-Trade Financial reported that organized groups in Eastern Europe and Thailand are responsible for losses exceeding $18 million in the last three months alone. Customer account fraud has also been reported by TD Ameritrade, the third largest online broker.
-http://www.washingtonpost.com/wp-dyn/content/article/2006/10/23/AR2006102301257.html

FBI Investigating Diebold Source Code Leak (21 & 20 October 2006)

Former Maryland legislator Cheryl C. Kagan received a package at her office containing three computer disks holding source code for Diebold's Ballot Station and Global Election Management System (GEMS) programs. Kagan is a known critic of electronic voting. An anonymous letter indicated the disks were from the Maryland State Board of Elections. The FBI is investigating the disks' provenance. The disk labels indicate the software contained on them is a version no longer used in voting machines in Maryland, although a different version of one of the programs is used in other jurisdictions in the US. "The Washington Post obtained copies of the disks Wednesday and allowed Avi Rubin, a computer science professor at Johns Hopkins University, along with a colleague and a graduate student, to review the software on the condition that they make no copies of it." On Friday, October 20, the Post agreed to return the disks to Diebold. (Please note the Washington Post web site requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2006/10/19/AR2006101901818_pf.html
-http://www.washingtonpost.com/wp-dyn/content/article/2006/10/20/AR2006102001542_pf.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004339

[Editor's Note (Schultz): I keep wondering when those who think that everything in the world of electronic voting is just fine and dandy are going to wake up to reality. Perhaps this news item will help. ]

Judge Denies Request to Suspend Spamhaus.org Domain (23 & 20 October 2006)

A judge has denied e360 Insight's request that Spamhaus's domain be suspended after the UK-based anti-spam organization ignored a default judgment requiring it pay e360 US$11.7 million in compensation for placing the company on its spam blacklist. Spamhaus was also ordered to post a public apology to e360 and remove it from the blacklist. Spamhaus decided to appeal when e360 filed a request to suspend the Spamhaus.org domain. The judge denied the request, writing that "suspension would cut off all lawful online activities of Spamhaus ..., not just those that are in contravention of this court's order." The Court also noted that because there is no indication that either ICANN or [Canadian registrar] Tucows acted "in concert" with Spamhaus, it was inappropriate to make them "parties to the case."
-http://www.theregister.co.uk/2006/10/20/spamhaus_domain_pull_request_refused/print.html

-http://www.zdnet.co.uk/print/?TYPE=story&AT=39284264-39020651t-10000022c
Default ruling:
-http://www.spamhaus.org/archive/legal/Kocoras_order_to_Spamhaus.pdf
e360 Insight Proposed Order:
-http://www.spamhaus.org/archive/legal/e360/kocoras_order_6_10.pdf
Judge's denial of request:
-http://www.icann.org/legal/spamhaus/denial-proposed_order-19oct06.pdf


************************ Sponsored Link: ******************************

1) Fast-track SOX database audit and regulatory compliance with Imperva - Download whitepaper "What Auditors Want"
http://www.sans.org/info/1581

*************************************************************************

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES

Former Drug Squad Detective Gets Seven Years for Sharing Information with Dealer (24 & 23 October 2006)

A Victorian (Australia) County Court judge has sentenced former drug squad detective Mathew Bunning to nearly seven years in jail for providing a drug dealer with information about police investigations. Bunning became addicted to morphine following a back injury. He received gifts from the dealer for letting her know about covert operations in advance. Bunning used a program that figured out colleagues' passwords and used them to access the information he shared with the dealer.
-http://www.australianit.news.com.au/articles/0,7204,20629711%5E15319%5E%5Enbv%5E,00.html

-http://www.news.com.au/story/0,23599,20632802-2,00.html

Nine Sentenced for Piracy in China (20 October 2006)

Nine people in China have received prison sentences for activity related to digital piracy. Four of the people received 13-year sentences for producing and selling bootlegged material. Another individual was sentenced to two years in prison for selling pirated software and DVDs. Fines ranged from 40,000 yuan (US$5,000) to 200,000 yuan ($25,000).
-http://www.usatoday.com/tech/news/2006-10-20-china-crackdown_x.htm

Sweden's First Music File-Sharing Conviction (19 October 2006)

An unnamed Swedish man is the first person in his country to be convicted of making copyrighted songs available for sharing over the Internet. The man was fined 20,000 kronor (US$2,727) for making four songs available for downloading. The International Federation of the Phonographic Industry (IFPI) alleged the man had made 13,000 songs available, but prosecutors had evidence linking the man to only four of the songs. The case is also the first music piracy case to be tried in Sweden; the country recently adopted stricter music file-sharing laws.
-http://www.smh.com.au/news/Technology/First-Swede-convicted-of-sharing-music-files-online/2006/10/19/1160851006765.html

Man Draws Five-Year Sentence for Stealing Credit Card Data from US Army Computers (19 October 2006)

Matthew R. Decker has been sentenced to five years in federal prison for breaking into US Army computers and stealing credit card account information. A search of Decker's apartment indicated he used between 250 and 300 credit card accounts fraudulently; the charges totaled $12,557. In a plea deal agreed upon earlier this year, Decker pleaded guilty to one count of accessing a protected computer and one count of possession of unauthorized credit card account access devices. The US Army spent US$25,000 to assess damage caused by the intrusions and to restore data and programs, according to US Attorney Eric Melgren.
-http://www.wvec.com/sharedcontent/APStories/stories/D8KRUG782.html

Murderer Will Release Encryption Key to Unlock His Journal (19 October 2006)

US Federal attorneys have reached a plea deal with a confessed murderer, kidnapper and sex offender that will give his attorney the key needed to decrypt the journal he kept on his computer detailing his actions. The man's laptop computer has been at FBI headquarters for more than a year, but the FBI has had no success breaking the PGP encryption.
-http://www.vnunet.com/vnunet/news/2166828/kidnapping-murder-suspect

SPYWARE, SPAM & PHISHING

Los Angeles Boy Scouts Can Earn "Respect Copyrights" Activity Patch (23, 22 & 21 October 2006)

Thanks to new curriculum developed by the Motion Picture Association of America (MPAA), Los Angeles (CA) area boy scouts now have the opportunity to earn a "Respect Copyrights" activity patch. To earn the patch, the scouts must learn copyright law basics, be able to identify five types of copyrighted work and three methods of stealing copyrighted content. They must also select an activity from a list including creating a public service announcement discouraging piracy and "visiting a movie studio to see how many people can be harmed by film piracy." There are plans to expand the program to additional California Boy Scout councils next year if it proves successful. An activity patch is not required for advancement within the Scouts organization.
-http://www.theage.com.au/news/digital-music/scouts-against-intellectual-property-theft/2006/10/21/1160851172265.html

-http://www.theregister.co.uk/2006/10/23/scouts_copyright/print.html
-http://www.latimes.com/news/local/la-me-scouts21oct21,0,6146565.story?coll=la-home-headlines

[Editor's Note (Schultz): This is a fascinating development as far as security training and awareness goes. At the same time, however, as the LA Times article says, the fact that LA Boy Scouts can earn an activity badge for knowing about copyright laws and copyright violations does not in the least bit mean that teenagers' mentality towards copyrighted music and other material will be changed as a result. ]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Hong Kong IFPI Sends Cease and Desist Letters to 38 Alleged File-Sharers (18 October 2006)

The International Federation of the Phonographic Industry (IFPI) Hong Kong group has sent cease and desist letters to 37 individuals who allegedly uploaded copyrighted music to the Internet for file sharing. An IFPI executive estimates the lost revenue due to the uploaded music is HK$480,000 (US$61,684). The suspected file-sharers face legal action if they do not pay compensation averaging HK$33,000 (US$4,240) within two weeks.
-http://www.smh.com.au/news/Technology/Hong-Kongs-recording-industry-launches-more-legal-action-againstmusic-pirates/2006/10/18/1160850993419.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

SpamThru Trojan Uses Anti-Virus to Stake its Claim (23 & 20 October 2006)

In an effort to retain computer resources for its own use, the SpamThru Trojan horse installs a pirated copy of an anti-virus program on computers it infects. Once installed, the program begins scanning the computer and deletes any competing malware at the next Windows reboot. The Trojan, which is used to send spam for a pump-and-dump stock scam, communicates via peer-to-peer technology; this means that even if the control server is shut down, the person launching the spam attack needs to control just one peer to let the others know the location of a new control server.
-http://www.techweb.com/wire/security/193401406
-http://www.theregister.co.uk/2006/10/23/spamthru_trojan/print.html
-http://www.eweek.com/article2/0,1895,2034680,00.asp

Remotely Exploitable Overflow Flaw Fixed in Opera 9.02 (20 & 19 October 2006)

Opera has issued a security advisory addressing a remotely exploitable URL parsing heap overflow vulnerability in its browser that could allow attackers to execute code on or crash vulnerable browsers. The flaw affects Opera Versions 9.0 and 9.01 on Windows and Linux; version 8.x is not affected. Opera recommends that users upgrade to version 9.02.
-http://www.securityfocus.com/brief/334
-http://www.theregister.co.uk/2006/10/19/opera_security_bug/print.html
-http://www.opera.com/support/search/supsearch.dml?index=848
-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=424

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

NAB Warns Customers to Look Out for Phishing eMail After DDoS Attack (20 October 2006)

After the National Australia Bank (NAB) became the target of a distributed denial-of-service (DDoS) attack last week, the bank issued a warning to its customers about phishing emails. An NAB spokesperson said the bank is concerned that phishers could exploit the situation by luring customers to spoofed NAB sites. NAB customers were targeted by a phishing attack in September.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339271790-130061744t-110000005c

Three More Cases of Missing Laptops

T-Mobile Employees' Data Missing (20 October 2006)

A laptop computer holding Social Security numbers (SSNs) of as many as 43,000 current and former T-Mobile USA employees disappeared from a T-Mobile employee's checked airplane luggage. T-Mobile has sent letters to everyone whose data were on the computer; the company is offering them one year of free credit monitoring.
-http://www.oregonlive.com/business/oregonian/index.ssf?/base/business/1161323496316290.xml&coll=7

Minneapolis-St. Paul Area OB Patient Data on Stolen Computer (20 October)

A laptop stolen from the car of an Allina Hospitals and Clinics nurse holds data on approximately 14,000 individuals who have participated in the obstetric home-care program since June 2005.
-http://www.startribune.com/462/story/754898.html

Stolen Laptop Holds Data on 200 University of Minnesota Students (20 October 2006)

A laptop computer stolen from a University of Minnesota faculty member while traveling in Spain holds personally identifiable student data. The computer belongs to the art department. In September, the university acknowledged the theft of two Institute of Technology laptops that held student data.
-http://www.twincities.com/mld/twincities/news/local/15801934.htm

[Editor's Note (Grefer): Encryption might have helped to minimize the egg-in-the-face factor of these incidents. (Paller) If you are considering encryption tools, the best place to find out what works, from users, is the Secure Storage and Encryption Summit in Washington December 6-7 (www.sans.org/mvlean06)
(Honan): With the recent airline security alerts and the risk of checked in luggage going missing, organisations need to reassess how employees bring laptops, and more importantly sensitive data, on business trips. Companies should explore keeping sensitive data on secure portable drives separate from the actual laptop. In the event the laptop is stolen, the data will not be lost and the employee can be up and running again as soon as a replacement computer is available. ]

MISCELLANEOUS

Firefox 2.0 Out a Day Early (23 & 20 October 2006)

The final version of Mozilla's Firefox 2.0 web browser was available on the company's FTP servers on Monday, October 23, a day before its scheduled official release. The public launch page is not yet up. A preview version of the browser, Release Candidate 3, was posted for download on October 16. The release follows close on the heels of that of Microsoft's Internet Explorer (IE) 7. Firefox 2.0 has integrated anti-phishing controls as well as RSS and XML feed viewing capabilities.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004367&intsrc=news_ts_head

-http://www.techweb.com/wire/software/193401407
-http://www.theregister.co.uk/2006/10/23/firefox2_release_imminent/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004314

Robberies and Street Crime Rise Could be Due to Gadgets (20 October 2006)

The UK Home Office believes an increase in street crime and robberies could be attributed to the proliferation of electronic devices people carry now: mobile phones, MP3 players, Blackberries and other devices are highly desirable. Crime overall is relatively stable, according to Home Office statistics.
-http://technology.timesonline.co.uk/article/0,,20409-2413107,00.html
[Editor's Note (Schultz): The UK Home Office's belief is entirely reasonable. Technology invariably aids both the good and the bad elements of society.
(Northcutt): This is an interesting story and idea, but I think our British geek friends can relax. If you look closely at the data from the Home Office, from 2001 through October 2006, race and drinking appear to be the primary factors that increase your probability of being mugged, not the gadgets you carry:
-http://www.blink.org.uk/docs/homeoffice/r237.pdf
-http://www.homeoffice.gov.uk/about-us/news/crime-stats-summer]


=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/