SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #9

January 31, 2006

The CME-24 worm is really as bad as the news stories make it out to be.
SANS Internet Storm Center has records of more than 300,000 victims. If
their ISPs don't let them know about the problem they will lose most of
their key files. This may be a good chance to see whether the courts
will find ISPs and other network owners liable for not protecting their
customers when they knew in advance that the customers' data was at
risk.

Alan

---

TOP OF THE NEWS

UK ISP Notifying Users Who May be Infected by Nyxem
Credit Card Details Allegedly Stolen from RI State Government Site
Spammer Fined US$5 Million

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES
Man Gets Two Years in Prison for Selling Windows Source Code
Japanese Police Arrest Man on Spyware Charges
Alleged AOL Phisher Arrested
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
DHS Will Restrict Access to Critical Infrastructure Database
POLICY & LEGISLATION
Proposed Legislation Aimed at Fighting the Sale of Wireless Customer Phone Records
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
ISPs Ordered to Divulge Identities of Alleged File Sharers
Canadian Record Label Will Fund Family's Defense in File Sharing
Men Ordered to Pay Penalties in File Sharing Case
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Cisco Addresses Flaws in VPN Concentrators and IOS
Winamp has Zero-Day Vulnerability
MISCELLANEOUS
Google CEO Defends China Decision; Google and Others Asked to Appear at Human Rights Hearings
Apple's Move to Intel Processors Could Open Machines to Attacks
Vista's Two-Way Firewall Will Give Admins More Control
UPDATE
Ameriprise Laptop Theft Update - Culpable Employee Fired

---

************************** Sponsored by Symantec ************************

Free Security Compliance Reality Check

Run a quick check of your IT security compliance for specific regulations with this FREE Compliance Assessment Tool. You'll get a "compliance score" as an example of how Symantec solutions can help you monitor and report on compliance---all through a single compliance architecture for managing multiple regulations. Download now! http://www.sans.org/info.php?id=1005

*************************************************************************
Security Training Opportunities in the Next Four Weeks
SANS 2006 in Orlando (Feb 24- March 4) 36 tracks of extraordinary training - the best instructors in the world, and a great security tools exposition. Lots of people are bringing their families to Orlando to join them at the end of the program. Plus: San Francisco, Phoenix, St. Louis, Brisbane, Tokyo, Ottawa Or you can take SANS training anytime, anywhere with the new SANS On Demand.
Details on these and other programs: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

UK ISP Notifying Users Who May be Infected by CME 24 (Blackmal, Nyxem, etc.) (30/27 January 2006)

UK Internet Service Provider (ISP) Easynet is notifying customers whose computers may be infected by the CME-24 worm. CME-24 makes infected computers visit an online counter; the ISP is monitoring the counter traffic and sending warnings to users whose computers visit the counter website. CME-24 carries a malicious payload; on February 3, it is programmed to destroy files on infected PCs.
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39249660-39020375t-10000025c
-http://news.bbc.co.uk/1/hi/technology/4661582.stm
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39308105-39000005c
[Guest Editor's Notes: Ed Skoudis points us to the new Common Malware Enumeration Site for a list of all the names of this beast:
-http://cme.mitre.org/news/index.html#20060124a]

Swa Frantzen writes: Since all AS (network) owners who have valid contact details on file got a pointer to a list of their infected IP addresses. That means all responsible ISPs have received notification of all their customers who should be notified.
-http://isc.sans.org/diary.php?storyid=1073
(Honan): Credit must be given to Easynet for this move. The online community would be more secure if more ISPs took similar proactive measures to notify users of viral infections.
(Paller): This is a great opportunity to establish a financial liability precedent for negligence by ISPs and system owners. The ISPs have several days to inform and protect their customers as does every other large network owner such as government agencies, academic institutions and large companies. If you learn of anyone who is damaged by this worm, please connect them with me (paller@sans.org) and we will work together to make sure that ISPs and network owners who are in a position to protect their users understand that not providing such protection will be considered negligence and carry penalties. ]

Credit Card Details Allegedly Stolen from RI State Government Site (27 January 2006)

A Rhode Island government web site, www.RI.gov, was reportedly the target of cyber thieves, who stole credit card information belonging to people who had conducted online business with Rhode Island state agencies. Cyber criminals bragged of their exploits several weeks ago on a Russian-language web site. Attackers breached the security of a server database and stole encrypted credit card data. A spokesperson for the web site said they comply with the payment card Industry's Data Security Standards, meaning they do not store complete credit card information. The breach was discovered through routine security procedures; measures have been taken to close the hole the thieves exploited.
-http://www.fcw.com/article92132-01-27-06-Web

-http://www.msnbc.msn.com/id/11064775/
[Editor's Note (Boeckman): While it is important to go after the criminals responsible for these acts, it is also important to hold the decision makers in Government and business accountable for practicing such poor risk management.
(Paller): This story doesn't make sense. Either easily unencrypted credit card numbers were stolen and the PCI standard failed in this case, or the PCI standard was OK and the criminals are lying. To maintain the credibility of the PCI standard (drafted primarily by VISA), this issue of possible PCI failure needs to be clarified so it can be corrected right away, if necessary. I hope the VISA people will write to us to resolve this. If they do we'll share the resolution in the next issue. ]

Spammer Fined US $5 Million (26 January 2006)

A federal judge has ordered Christopher William Smith to pay America Online (AOL) more than US$5 million in damages and legal fees for sending billions of spam messages. AOL filed a lawsuit against Smith in 2004 under the CAN-SPAM Act. Smith is also awaiting trial on criminal charges of violating federal drug laws.
-http://www.usatoday.com/tech/news/computersecurity/2006-01-26-aol-spam-case_x.ht
m

---

******************** Sponsored Links: *********************************

1) StillSecure wants your feedback on network security drivers. 1 in 50 receive an iPod Video. http://www.sans.org/info.php?id=1006

2) Messaging Security, It's More Than Just E-Mail - CipherTrust Road Show http://www.sans.org/info.php?id=1007

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES

Man Gets Two Years in Prison for Selling Windows Source Code (27 January 2006)

William Genovese Jr. has been sentenced to two years in prison for selling source code for Windows 4.0 and 2000. Genovese pleaded guilty last year to one count of unlawful distribution of trade secrets. Genovese has a dozen prior criminal convictions, including three for computer-related crime. Following completion of his prison term Genovese will serve three years of supervised release and will have programs installed on his computer to monitor his Internet activity.
-http://www.computerworld.com/printthis/2006/0,4814,108144,00.html
-http://www.wired.com/news/technology/1,70106-0.html

Japanese Police Arrest Man on Spyware Charges (27 January 2006)

Police in Japan have arrested Atsushi Takewaka, who is suspected of developing spyware that he and an alleged co-conspirator used to steal Internet banking passwords. Takewaka allegedly developed the spyware at the request of Kiichi Hirayama, who sent CD-ROMs to targeted companies that installed the spyware on their computers. Takewaka and Kiichi Hirayama allegedly used the stolen passwords to withdraw money from bank accounts. The pair is also believed to be responsible for the theft of an online banking password belonging to a Kawasaki, Japan jewelry store.
-http://www.computerworld.com/printthis/2006/0,4814,108130,00.html

Alleged AOL Phisher Arrested (27/26 January 2006)

The US Attorney's Office in Los Angeles has announced the arrest of Jeffrey Brett Goodin, who allegedly used a phishing scheme to trick America Online (AOL) users into divulging their credit card details. The phony email messages asked AOL users to update their billing information and directed them to fraudulently constructed sites where the financial data were harvested. Goodin then used the information he stole to make fraudulent charges on credit and debit cards. Goodin faces charges of wire fraud and unauthorized use of an access device. If convicted, he could face up to 30 years in federal prison.
-http://news.com.com/2102-7349_3-6031924.html?tag=st.util.print
-http://www.computerworld.com/printthis/2006/0,4814,108134,00.html

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

DHS Will Restrict Access to Critical Infrastructure Database (24 January 2006)

The Department of Homeland Security (DHS) says it will take precautions to guard the security of critical infrastructure data submitted to the National Asset Database. All requests to view the database will be reviewed and access will be permitted on a "need to know" basis.
-http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&
story.id=38087
[Editor's Note (Pescatore): As Ben Franklin said via Poor Richard's Almanac: "There's many a slip twixt the cup and the lips." Enforcing need to know is a big deal - the policy is easy, the controls are hard. ]

POLICY & LEGISLATION

Proposed Legislation Aimed at Fighting the Sale of Wireless Customer Phone Records (30/27 January 2006)

US Senator Chuck Schumer (D-NY) has proposed legislation that would criminalize social engineering. Under the proposed Consumer Telephone Records Protection Act of 2006, which has bi-partisan support, people who make false statements and provide false documentation to obtain subscriber phone records as well as the people who disclose that information to the data thieves could face legal action, as could those who access a subscriber's account over the Internet without authorization. In a related story, Sprint Nextel has filed two lawsuits against companies it alleges are selling confidential customer call records and data. Cingular Wireless, Verizon Wireless and T-Mobile have filed similar lawsuits.
-http://www.theregister.co.uk/2006/01/27/schumer_phone_records/print.html
-http://news.zdnet.com/2102-1035_22-6032883.html?tag=printthis
[Editor's Note (Pescatore) This type of legislation always feels good but runs into practical problems. Abused spouses, lawyers, private detectives, skip tracers, etc - all tend to have some legitimate need to obtain information using techniques that are basically social engineering. Much the way the Digital Millennium Copyright Act is used to impact legitimate actions, this type of legislation needs to be thought through. ]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

ISPs Ordered to Divulge Identities of Alleged File Sharers (30 January 2006)

The British High Court has ordered ten Internet service providers (ISPs) to provide the names, addresses and other personal details of 150 alleged illegal file sharers in the UK to the Federation Against Software Theft.
-http://news.bbc.co.uk/2/hi/technology/4663388.stm

Canadian Record Label Will Fund Family's Defense in File Sharing (27 January 2006)

Nettwerk Music Group, Canada's largest record label, says it will fund the defense of David Gruebel, who was sued by the Recording Industry Association of America (RIAA) for allegedly having music on his family computer that was downloaded in violation of copyright law. Nettwerk chief executive terry McBride said "The current actions of the RIAA are not in my artists' best interests. Litigation is a deterrent to creativity ... and it is hurting the business I love." Nettwerk has hired a Chicago-based law office to defend Greubel and has said it will pay any fines if the family loses the case. The RIAA is asking for a US$9,000 penalty, but will accept US$4,500 if it is paid within a specified time period.
-http://www.theregister.co.uk/2006/01/27/nettwerk_sues_riaa/print.html
-http://www.techweb.com/wire/177104841
[Editor's Note (Schultz): This is a bizarre development; a company in the Canadian entertainment industry is defending an American who has downloaded copyright music from an RIAA lawsuit. This kind of development will only hurt the RIAA's efforts to stop illegal downloading. At the same time, however, it is likely to help steer the RIAA to more reasonable courses of action in the future. ]

Men Ordered to Pay Penalties in File Sharing Case (27 January 2006)

The British High Court has ordered two UK men to pay penalties totaling GBP 6,500 (US$11,488) for making nearly 9,000 songs available for downloading though peer-to-peer file sharing networks. Cases are pending against the other three people. The cases were brought by the British Phonographic Industry (BPI); the defendants have also been ordered to pay the BPI's costs, pushing the total to more than GBP 20,000 (US$35,348).
-http://news.bbc.co.uk/1/hi/entertainment/4653662.stm
-http://technology.timesonline.co.uk/article/0,,20411-2012801,00.html
-http://www.theregister.co.uk/2006/01/27/uk_p2pers_fined/print.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Cisco Addresses Flaws in VPN Concentrators and IOS (30/26 January 2006)

Cisco Systems has released an advisory warning of a denial-of-service vulnerability in its VPN 3000 Series concentrators. Cisco has workarounds and free software available to fix the flaw. The vulnerability exists in VPN 3000 concentrators running versions 4.7.0 through 4.7.2.A of the equipment software. Cisco has also released a patch for a privilege escalation vulnerability in its Internet Operating System (IOS) Authentication, Authorization and Accounting command authorization feature, affecting IOS versions 12.0T and later.
-http://www.crn.com/showArticle.jhtml?articleId=177104849&printableArticle=tr
ue
-http://www.computerworld.com/printthis/2006/0,4814,108076,00.html
-http://www.networkworld.com/news/2006/012606-cisco-vpn-flaw.html
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1161776,0
0.html
-http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml
-http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_security_advisory
09186a00805f0147.shtml

Winamp has Zero-Day Vulnerability (30 January 2006)

A proof-of-concept exploit for a zero-day vulnerability in the Winamp 5.12 music player is circulating on the Internet. By tricking Winamp users into downloading a malicious playlist with a filename in excess of approximately 1,040 bytes, attackers could take control of vulnerable PCs. No patch is presently available.
-http://www.techweb.com/wire/177105266

MISCELLANEOUS

Google CEO Defends China Decision; Google and Others Asked to Appear at Human Rights Hearings (27 January 2006)

Google CEO Eric Schmidt said his company struggled with its decision to launch a censored version of its search engine in China. "Although we weren't wild about the restrictions, it was even worse to not try to serve those users at all." Google has been asked to appear before a Congressional Human Rights Caucus hearing on February 1 and before a session of the House of Representatives subcommittee on global human rights on February 16. Others invited to the February 16 hearing include Yahoo, Microsoft, Cisco Systems and State Department officials and representatives from press freedom watchdog groups.
-http://www.computerworld.com/printthis/2006/0,4814,108152,00.html
-http://www.computerworld.com/printthis/2006/0,4814,108128,00.html

Apple's Move to Intel Processors Could Open Machines to Attacks (26 January 2006)

Apple's decision to use Intel processors in its Macintosh computers could leave the new machines more open to attacks than those using the Motorola Power PC processors, according to security experts. The Intel x86 platform is the same platform used by Windows; attackers understand this architecture in greater depth than they do the PowerPC architecture. Furthermore, because the architecture is easier to audit for security vulnerabilities, it is also easier for exploit writers to create malicious code for the system. There are more malware tools for Intel x86 than for PowerPC. However, software flaws are "dependent" on the operating system rather than the underlying architecture.
-http://www.eweek.com/print_article2/0,1217,a=170118,00.asp
[Editor's Note (Pescatore): The key to whether Intel-based Macs will be less secure will mostly be determined by how good a job Apple did in porting the code to the new hardware and how secure their interoperability layer is for older apps. If they were sloppy or didn't think through security as part of the effort, could be significant increases in attack surface. The next biggest factor will be if the move to Intel increases Mac market share to where attacks can be profitable. The actual processor choice is a distant third. ]

Vista's Two-Way Firewall Will Give Admins More Control (26 January 2006)

Microsoft has been testing a new, two-way firewall for Windows Vista that will let system administrators have more control over applications on their networks; the firewall will filter incoming and outgoing network traffic. A consumer version of the firewall is being considered.
-http://www.techworld.com/security/news/index.cfm?RSS&NewsID=5246
[Editor's Note (Ranum): Any firewall worth a bucket of warm spit can already filter both incoming and outgoing traffic. Sheesh!! ]

UPDATE

Ameriprise Laptop Theft Update - Culpable Employee Fired

Last Friday we had a story about the theft of a laptop containing Ameriprise customer data from an employee's car. One of our readers wrote in telling us, "I was one of the victims. I received a letter from Ameriprise in which they state that the employee was not allowed to take the laptop in the field and the data should have been encrypted according to their company policy. As a result the employee was fired."

---

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/