SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #89

November 10, 2006

TOP OF THE NEWS

Phishing Up; Bank Fraud Up, but Debit and Credit Card Losses Down
November's Patch Tuesday to Include Six Bulletins, Two Critical
Australia's Dept. of Defence Encrypting Laptops

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES
Web Site Attacker Gets Suspended Sentence
SPYWARE, SPAM & PHISHING
Citibank eMail Looked Like Phish
YouTube Videos on MySpace Bundled with Zango Adware Program
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Vietnam Upping Penalties for Software Piracy
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Mozilla Updates Fix Holes in Firefox, Thunderbird and SeaMonkey
Google Video Group Postings Infected with Worm
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FL School District Investigating Computer Intrusion, Altered Grades
MISCELLANEOUS
Ohio Police Dept. Posts Wrong Report; Personal Information Exposed

---

******************** Sponsored By SenSage, Inc. *************************

Data collection, event log integration, reporting coverage, analysis and accessibility, the investigation process - these are just a few of the questions you need answered before you purchase a SIM solution. Find out the answers in SenSage's white paper "Top 10 Questions You Must Ask Before You Buy a SIM Solution."
http://www.sans.org/info/1784

*************************************************************************

Best Deal on the Nation's number One Rated Hands-On Security Training Tomorrow is the last day for big savings. The nation's top security teachers; 10 full tracks of hands-on, state of the art security and audit training, seven short courses; briefings on the 20 billion dollar cyber crime wave; a great expo, plus the top ten trends in cyber security for 2007.
All in Washington, DC, December 9-16
http://www.sans.org/cdieast06/event.php

*************************************************************************

---

TOP OF THE NEWS

Phishing Up; Bank Fraud Up, but Debit and Credit Card Losses Down (8, 7 & 6 November 2006)

According to statistics from the UK's Association of Payment Clearing Services (APACS), the number of phishing incidents detected in the first half of 2006 was 5,059, nearly a 1500 percent increase over the same period last year. The sharp rise also accounted for a 55 percent increase in losses to banks from online fraud, bringing that figure to GBP23 million (US$43.8 million). However, debit and credit card fraud losses fell five percent during that same period; APACS believes this is due to the increased use of chip-and-pin cards. Thieves are also turning to other methods, such as tampering with ATMs to turn them into card skimmers.
-http://news.bbc.co.uk/2/hi/business/6122116.stm
-http://www.siliconrepublic.com/news/news.nv?storyid=single7323
-http://www.silicon.com/financialservices/0,3800010364,39163887,00.htm
-http://www.itnews.com.au/newsstory.aspx?CIaNID=41882
-http://www.theregister.co.uk/2006/11/07/credit_card_fraud_stats/print.html
-http://business.timesonline.co.uk/article/0,,9558-2440184,00.html
[Editor's Note (Pescatore): It is really meaningless to focus on the number of phishing emails or virus email. It's like counting raindrops in a rainstorm - you really only care about how wet you get, not how many drops fall. We've seen fewer phishing incidents succeed, and the overall damage flatten - but the average damage per incident has increased. The attacks are definitely more targeted and going after higher value targets. ]

November's Patch Tuesday to Include Six Bulletins, Two Critical (9 November 2006)

Microsoft's security update for November will include six bulletins. Five are for Windows, and at least one has been rated critical; some of the updates will require restarts. Microsoft will also release a bulletin for XML Core Services that has been given a critical rating; these updates will require a restart. The bulletins are scheduled for release on Tuesday, November 14.
-http://www.eweek.com/print_article2/0,1217,a=193705,00.asp
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9004938&intsrc=news_ts_head
-http://www.microsoft.com/technet/security/bulletin/advance.mspx

Australia's Dept. of Defence Encrypting Laptops (7 & 6 November 2006)

The Australian Department of Defence is more than halfway through its goal of installing hard disk encryption technology on all department laptops. Defence Department staffers who did not want the technology installed on their computers were permitted to request exemptions from the department CIO. The decision to install encryption on the laptops was spurred by the publicized loss of a computer disk holding confidential information.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339272049-1300
61744t-110000005c
-http://australianit.news.com.au/articles/0,7204,20712903%5E15306%5E%5Enbv%5E,00.
html
[Editor's Note (Honan): A very good move by the Australian Department of Defence. However, security is only a strong as the weakest link so I hope that those granted exemptions to this scheme do not, or cannot, access sensitive data on their laptops. ]

---

************************ Sponsored Links: *****************************

1) SANS Secure Storage & Encryption Summit focuses on fighting the most common threats to data.
http://www.sans.org/info/1785

2) FREE WEBCAST: Best Practices For A Robust Vulnerability Management Lifecycle Program
Click here to register: http://www.sans.org/info/1786

3) "Where is your privacy data and IP going? Find out! Download your free Info-Protection kit!"
http://www.sans.org/info/1787

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES

Web Site Attacker Gets Suspended Sentence (8 November 2006)

The man who broke into and defaced four profiles on the loveandfriends.com dating web site, then threatened to delete the company's entire database unless he was paid, will not go to jail. Matthew Byrne pleaded guilty to unauthorized modification of a computer contrary to section three of the UK's Computer Misuse Act. He was given an eight-month sentence, suspended for two years and two years of supervision. Extortion charges against Byrne were dropped. When police initially tracked Byrne down, a search of his home provided evidence that he is also the author of the Mirsa-A and Mirsa-B mass-mailing worms.
-http://www.theregister.co.uk/2006/11/08/dating_site_hacker_sentenced/print.html
[Editor's Note (Schultz): The sentence in this case does not by any means come close to fitting the crime. Count on the fact that many would-be perpetrators of computer crime will be enboldened by the pseudo-punishment that Mr. Byrne has received. ]

SPYWARE, SPAM & PHISHING

Citibank eMail Looked Like Phish (9 November 2006)

Citibank Australia sent its customers an email explaining a new online banking sign on procedure, but the email was mistaken for a phishing attack. The message asked customers to log on to the Citibank web site and provide their credit card numbers and ATM PINs for authentication. Citibank's security policy states "Customers should understand that Citibank will never send emails to customers to verify personal and/or account information ... . It is important you disregard and report emails which ... request any customer information ... ." A spokesperson said Citibank did not contradict its policy with the email because customers were told to type in the URL and the only link in the message was to the privacy policy. Citibank's technical and fraud departments will investigate the situation.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339272126-1300
61744t-110000005c
[Editor's Note (Schultz): Citibank seems to be missing several key points. First, this bank is in effect setting up its customers to become victims of future phishing attacks. Second, the fact that the only link was to Citibank's privacy policy doesn't make a bit of difference to customers.
(Honan): When are companies going to learn that users are not computer experts and need to be communicated to in a clear and consistent manner that they understand. Sending conflicting messages simply undermines their faith in the ability of organisations to protect their finances and personal data. It would be interesting to know if there was any representative from the bank's security department at the meeting that decided to send this email and if so, what their input was. ]

YouTube Videos on MySpace Bundled with Zango Adware Program (8 November 2006)

An unspecified number of MySpace user pages contain YouTube videos that are bundled with a Zango adware installer. Users who want to see the videos are sent to a site called Yootube.com, unrelated to YouTube, where they are asked to accept an end-user license agreement (EULA) before watching the video. If the EULA is accepted, Zango Cash attempts to install on the computer while the video is downloading. Last week, Zango settled US Federal Trade Commission (FTC) charges stemming from complaints about surreptitiously downloaded adware; under the terms of the agreement, Zango will pay a US$3 million fine and ensure that its software is installed only with users' permission.
-http://www.theregister.co.uk/2006/11/08/fake_myspace_vid_installs_zango/print.ht
ml
[Editor's Note (Grefer): Zango is the result of a merger of notorious adware company 180solutions and toolbar maker Hotbar. The FTC says that Zango installed the likes of 180Search Assistant, Zango Search Assistant, N-Case and Seekmo by exploiting security vulnerabilities. The settlement is open for public comment until December 3rd. The complaint that started this all was originally filed in January by the Center for Democracy and Technology (CDT).
-http://news.zdnet.com/2102-9588_22-6132364.html
-http://www.ftc.gov/os/caselist/0523130/0523130analysis061103.pdf
-http://www.cdt.org/privacy/20060123180complaint.pdf]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Vietnam Upping Penalties for Software Piracy (9 & 8 November 2006)

To demonstrate its commitment to being included in the World Trade Organization (WTO), Vietnam has indicated that it plans to raise fines for pirated software. The country's Ministry of Culture and Information is developing a decree that would raise the cap on piracy fines from the current 100 million dong (US$6217) to as much as five times the value of the pirated software for companies found to be violating copyright. The software piracy rate in Vietnam is estimated to be as high as 90 percent. Vietnam was invited to join the WTO on November 7.
-http://www.smh.com.au/news/Technology/Piracy-Fines-to-Increase-in-Vietnam/2006/1
1/09/1162661782362.html#
-http://www.economist.com/agenda/displaystory.cfm?story_id=8133733
-http://www.wto.org/english/thewto_e/acc_e/a1_vietnam_e.htm

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Mozilla Updates Fix Holes in Firefox, Thunderbird and SeaMonkey (9 & 7 November 2006)

Mozilla has released updates to address security flaws in Firefox, Thunderbird and SeaMonkey. The flaws could be exploited to circumvent security restrictions, launch cross-site scripting attacks and compromise unpatched systems. Mozilla says it will support Firefox 1.5 through April 2007. The updated versions are Firefox 1.5.0.8, Thunderbird 1.5.0.8 and SeaMonkey 1.0.6. The flaws do not affect Mozilla's newly released Firefox 2.0.
-http://news.com.com/2102-1002_3-6133821.html?tag=st.util.print
-http://www.theregister.co.uk/2006/11/09/firefox_seamonkey_update/print.html
-http://www.us-cert.gov/cas/techalerts/TA06-312A.html
-http://www.mozilla.org/security/announce/2006/mfsa2006-65.html
-http://www.mozilla.org/security/announce/2006/mfsa2006-66.html
-http://www.mozilla.org/security/announce/2006/mfsa2006-67.html
[Editor's Note (Pescatore): Extending vulnerability management out to open source software products is a weak spot for many enterprises. Knowing where you have these products in use is the first step, making sure they are configured correctly and are patched can only happen after you know that. I've seen a lot of enterprises using open source discovery tools to deal with potential licensing issues - the vendors need to extend those products to provide configuration compliance and vulnerability assessment.
(Northcutt): I went ahead and upgraded to Firefox 2.0; very nice, greater security and they just keep making it better, give it a try! ]

Google Video Group Postings Infected with Worm (9 & 8 November 2006)

Some postings to a Google Video email group may have been contaminated with the W32/Kasper.A or Kama Sutra mass-mailing worm. The suspect postings have been deleted, but Google recommends that people who may have received the worm in email or downloaded it from the group web site run anti-virus software. The Google Video e-mail group has approximately 50,000 members. Google has posted an apology on the web site and says they are taking steps to prevent a repeat incident.
-http://news.com.com/2102-7349_3-6133829.html?tag=st.util.print
-http://www.theregister.co.uk/2006/11/09/google_kam_sutra_worm_snafu/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9004913&intsrc=news_list
-http://groups-beta.google.com/group/Google-Video-blog/browse_frm/thread/ef2e972f
3546970b/d1caab0d4e89fd00?hl=en#d1caab0d4e89fd00
[Editor's Note (Pescatore): This is one of the reasons why Web 2.0 needs Security 101: Apologizing to your customers for downloading malware onto their computers is not a good long term business strategy.]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FL School District Investigating Computer Intrusion, Altered Grades (4 November 2006)

The Broward County (FL) School District and the Broward County Sheriff's Office have launched an investigation to determine if a student accessed the Cooper City high school computer system without authorization and changed grades. At least one student was being questioned in connection with the incident. Whoever altered the grades could also have changed attendance and community service records. Because misuse of district technology is a felony in Broward County, if a student is found to be responsible, he or she could face criminal charges as well as suspension or expulsion.
-http://www.miami.com/mld/miamiherald/news/local/states/florida/counties/broward_
county/15926507.htm
-http://www.tampabays10.com/news/local/article.aspx?storyid=43000
-http://www.orlandosentinel.com/technology/orl-hackers0506nov05,0,311644.story?co
ll=orl-technology-headlines

MISCELLANEOUS

Ohio Police Dept. Posts Wrong Report; Personal Information Exposed (6 November 2006)

On October 21, the Bowling Green Ohio police department posted the wrong version of a report to its police blotter web site. Normally, the posted report has personally identifiable information edited out, but this version, known as an end of day report, exposed the birth dates, Social Security numbers (SSNs), driver's license numbers and other data of every individual Bowling Green police came in contact with that day. The incident is blamed on human error. The information is no longer available on the police department's site and a cached version of the report was removed from Google servers.
-http://redtape.msnbc.com/2006/11/cops_errant_cli.html

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/