SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #90

November 14, 2006

Heads up:

SANS 2007 (SANS' biggest annual conference, San Diego Mar. 29-Apr. 6) just opened for registration. SANS annual conferences stand out from all other programs because of the multitude of learning opportunities in one place (51 courses and lots of exhibits and BOFs)
http://www.sans.org/sans2007/

These comments from past SANS conference attendees will give you a picture of the program:

"Fantastic! Ton's of information. My mind is now Jello- I'll be back next year" Kurt Danielson, National Marrow Donor Program

"My 4th SANS conference! Each time the instructors are top-notch and I come away amazed and educated." Bill Wildprett, Washington State CTED

"Better, more densely packed, value than any other program I've attended...even undergrad and graduate courses." Mark Laughlin, RT Communications

"This conference really taught me the skills I needed to immediately improve the processes where I work." Karissa Truitt, AT&T Government Solutions

If you don't want to wait for March, try these great venues:

Washington DC, Dec. 9 (16 courses) http://www.sans.org/cdieast06/
Orlando Bootcamp, Jan. 13 (25 courses): http://www.sans.org/bootcamp07/
Or San Jose, Phoenix, Prague, or Brisbane (5 or 6 courses)

See complete list of more than 70 upcoming programs in cities around the world at http://www.sans.org/training_events/?ref=1433

---

TOP OF THE NEWS

Man Draws Ten-Year Sentence for Sending Trojans, Blackmailing Minors
Singapore Teen Faces Three Years in Jail for Wireless Piggybacking
Denial-of-Service Now Punishable by 10 Year Sentence in UK
Judge Shuts Down Alleged Spyware and Malware Purveyors

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES
Former Muvico Employee Indicted for Cyber Attack
SPYWARE, SPAM & PHISHING
NZ ISP Hit With Image-Based Spam Attack
Phishers Spoofing Social Security Administration
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Hertz Employee Information Found on Computer at Former Employee's Home
LANL Contractor Loses Disk with Employee Information
Skimmers Target Gasoline Pumps in Southern California
Arrests in Seoul Phone Sex Hacking Case
STATISTICS, STUDIES & SURVEYS
Survey Estimates 49 Million US Adults Received Data Breach Notifications

---

*********************** Sponsored By Imperva Inc. ***********************

Top 10 Database Attacks and How to Stop Them - Free White Paper plus On-line attacks and insider abuse of critical data is costly in fines and more. See the most recent in database attacks and how to defend against them. Learn the latest techniques in our On-Demand Webinar and White Paper today.
http://www.sans.org/info/1799

*************************************************************************

---

TOP OF THE NEWS

Man Draws Ten-Year Sentence for Sending Trojans, Blackmailing Minors (10 November 2006)

A UK man has been sentenced to 10 years in prison for tricking adolescent girls into downloading a Trojan horse program and taking control of their computers. Adrian Ringland also "pressured his victims to send nude photos of themselves." He would then use the photos to blackmail the girls into sending more pictures. Ringland's arrest was the culmination of an investigation that involved the Royal Canadian Mounted Police, the FBI, the UK's Serious Organized Crime Agency and Microsoft.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9004978&taxonomyId=17&intsrc=kc_top
-http://www.theregister.co.uk/2006/11/10/trojan_pervert_jailed/print.html

Singapore Teen Faces Three Years in Jail for Wireless Piggybacking (10 November 2006)

A teenager in Singapore faces up to three years in prison for gaining unauthorized access to someone else's home wireless network. If convicted, Garyl Tan Jia Luo could also face a fine of as much as S$10,000 (US$6,414). He will appear in court this week.
-http://www.iht.com/articles/ap/2006/11/11/asia/AS_GEN_Singapore_Internet_Charges
.php
[Editor's Note (Schultz): sentence of three years in prison for piggybacking off of someone else's wireless network seems like an unduly harsh punishment, especially considering all the cases in which someone who has broken into other computers has received only a suspended sentence. Guest Editor Note (Tower-Pierce): You can find Singapore's Computer Misuse Act here:
-http://www.ida.gov.sg/idaweb/pnr/infopage.jsp?infopagecategory=infoecon:pnr&
versionid=1&infopageid=I234
-http://agcvldb4.agc.gov.sg/]

Denial-of-Service Now Punishable by 10 Year Sentence in UK (12 & 10 November 2006)

A new UK law makes denial-of-service (DoS) a crime punishable by up to ten years in prison. The Police and Justice Act 2006 became law in the last week. The Act expands the 1990 Computer Misuse Act (CMA) to include penalties for individuals who commit unauthorized modification of computer material. The modification was deemed necessary when David Lennon was initially cleared of charges stemming from a denial-of-service (DoS) attack he conducted against his former employer. Lennon's attorney successfully argued that the CMA criminalized unauthorized modification of a system and the emails were an authorized modification because email servers are designed to receive email. The ruling was eventually overturned and Lennon was sentenced to two months of electronically monitored curfew. Denial-of-service convictions face a maximum sentence of ten years; those convicted of providing or creating software and tools that enable cyber attacks now carry a maximum sentence of two years, up from six months. It is now an offense "to impair the operation of a computer."
-http://www.theregister.co.uk/2006/11/12/uk_bans_denial_of_service_attacks/print.
html
-http://software.silicon.com/security/0,39024888,39163990,00.htm
-http://www.zdnet.co.uk/misc/print/0,1000000169,39284670-39001093c,00.htm
[Editor's Note (Grefer);
(Grefer): The law unintended consequences ... a lot of tools used in information security could be abused for cyber attacks and as such providing and/or creating them apparently was outlawed in the UK. Similarly one has to wonder what would happen if a faulty patch provided by a software manufacturer were "to impair the operation of a computer." ]

Judge Shuts Down Alleged Spyware and Malware Purveyors (13 November 2006)

A US District Court judge in Nevada has issued a temporary restraining order against ERG Ventures LLC and an affiliate for allegedly downloading spyware and other malware onto users' computers without their knowledge. An FTC complaint seeks a permanent restraining order against both ERG and its affiliate. Users were promised free screensavers and video files, but had Media Motor downloaded onto their computers surreptitiously. Once installed, Media Motor downloaded more malware onto the infected computer. The malware caused a number of problems, including changing users' home pages, adding difficult-to-remove toolbars that display pop-ups and disabling anti-spyware and anti-virus software. The FTC charges the entities in the case have violated the FTC Act, which forbids unfair and deceptive practices.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9005016&taxonomyId=17&intsrc=kc_top

---

************************** Sponsored Links: ***************************

1) ALERT: How do you protect what you can't see? Stop protecting while blind. Gain network visibility now. Download FREE White Paper "Network Behavior Analysis (NBA) in the Enterprise."
http://www.sans.org/info/1800

2) Source Code Analysis VS Black Box Testing: Why you must have both - SPI Dynamics White paper
http://www.sans.org/info/1801

3) Using Real-Time Log Analysis to Defend Against Network Attacks and Insider Abuse - Live Webinar
http://www.sans.org/info/1802

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES

Former Muvico Employee Indicted for Cyber Attack (9 November 2006)

A man indicted for breaking into the Muvico Theaters' computer system has been indicted. The intrusion caused disruptions preventing the sale of online tickets and the processing of credit card purchases at six theater locations. Joseph Harlen Shook was released on US$100,000 bail; Shook was the company's director of information technology until his position was eliminated several months before the attack. If convicted of all charges against him, Shook could face up to ten years in prison and a fine of US$250,000. Investigators were able to match the ID number of the device used to break into the system with that of a wireless adapter found in Shook's possession. The attack occurred in May 2006. No customer data were compromised.
-http://www.sun-sentinel.com/business/local/sfl-zmuvico09nov09,0,843055.story?col
l=sfla-business-headlines
[Editor's Note (Skoudis): It sounds like they got him based on his wireless card MAC address. While MAC addresses are easily spoofed, some clueless wireless attackers forget or don't know to make this change. We need to maximize our advantages from their mistakes, so make sure your wireless systems are logging source MAC addresses.
(Honan): In the event of a hostile termination of an employee's contract make sure you conduct a thorough review of the systems they had access to and ensure any access they had has been revoked. Remember those you trust the most are those that will hurt you the most.
(Grefer): While it is even more important in case of a termination by the employer, similar diligence should be applied in cases of voluntary departure from the company, as well. ]

SPYWARE, SPAM & PHISHING

NZ ISP Hit With Image-Based Spam Attack (9 November 2006)

New Zealand Internet service provider (ISP) Ihug has reportedly fixed a spam problem that delayed email for approximately 20,000 customers. The image-based spam bypassed filters and overwhelmed Ihug's system. An Ihug spokesperson said the company has installed new software to help their systems recognize image-based spam; Ihug also installed eight new mail servers.
-http://www.nzherald.co.nz/section/story.cfm?c_id=5&objectid=10409822

Phishers Spoofing Social Security Administration (7 November 2006)

The US Social Security Administration is warning that phishers are sending email purporting to be from the SSA regarding next year's benefits. The email tells recipients they have to update their personal data or their account could be suspended indefinitely. A link provided in the email sends users to a site designed to look like the SSA site, where they are asked to provide their names, addresses, dates of birth, Social Security Numbers (SSNs) and credit card and bank account information.
-http://money.cnn.com/2006/11/07/pf/Social_Security_email/index.htm?section=money
_latest
[Editor's Note (Northcutt): This appears to be a retread of the Feb/Mar 06 SSA Phish, if it was being used to any large degree I would expect it to show up on Millersmiles:
-http://www.millersmiles.co.uk/index.php
And the SSA press release can be found here:
-http://www.ssa.gov/pressoffice/pr/colaPhishingScam-pr-alt.pdf]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Hertz Employee Information Found on Computer at Former Employee's Home (11 November 2006)

A computer holding the names and SSNs of most US Hertz employees was found at a former employee's home. The FBI is involved in the case. All those affected by the data security breach will be notified. The former employee had access to the information as part of his job. Hertz had 22,800 workers in the US as of June 2006.
-http://www.sltrib.com/business/ci_4642128
-http://www.app.com/apps/pbcs.dll/article?AID=/20061111/NEWS03/611110325/1007

LANL Contractor Loses Disk with Employee Information (10 November 2006)

A disk containing personally identifiable information of approximately 1,000 Los Alamos National Laboratory (LANL) contract workers is missing. The disk belongs to KSL Services and the data on the disk are that of KSL employees. A LANL spokesperson said the disk does not hold lab information. LANL was alerted that the disk was missing on November 3. This incident is apparently unrelated to the investigation stemming from the discovery of classified laboratory information at the home of an employee of a different LANL contractor.
-http://www.freenewmexican.com/news/51948.html

Skimmers Target Gasoline Pumps in Southern California (10 November 2006)

People who paid for gasoline at the pumps at four southern California gas stations may have had their bank account information stolen. Some of the information was used to create phony debit cards that were used to withdraw as much as US$502 per transaction at ATMs. There are no suspects at this time. Investigators found a skimming device attached to a machine.
-http://www.ocregister.com/ocregister/homepage/abox/article_1350521.php
-http://www.latimes.com/news/local/la-me-atm11nov11,1,1819942.story?coll=la-headl
ines-california
[Editor's Note (Northcutt): One of the best awareness tools I have seen to make people wary about where they stick their debit card is the University of Oklahoma Police Notebook:
-http://www.ou.edu/oupd/atmfake1.htm]

Arrests in Seoul Phone Sex Hacking Case (10 November 2006)

The Seoul (South Korea) Metropolitan Police Agency's Cyber Terror Response Center arrested a number of phone sex company officials and one other individual in connection with the theft of customer information from rival companies' servers. The suspects allegedly obtained information about 8.5 million of their competitor's customers and used it to send them suggestive messages. The suspects in the case used phones established in other names to send the messages. They also duplicated cell phones to avoid fees for sending text messages.
-http://english.donga.com/srv/service.php3?bicode=040000&biid=2006111063288

STATISTICS, STUDIES & SURVEYS

Survey Estimates 49 Million US Adults Received Data Breach Notifications (10 November 2006)

Results from a Harris Interactive poll suggest that 49 million adults in the US have received notification in the last three years that their personal data have been compromised. Nearly half of the notifications came from government agencies; 29 percent came from financial institutions and 12 percent from commercial companies. Eighty one percent of respondents said the breach did not have harmful results for them.
-http://www.techweb.com/wire/193700752
[Editor's Note (Schultz): If true, these statistics are downright depressing in that they show that a substantial percentage of the US population has experienced at least one personal and or financial information compromise during the past three years. (Incidentally, I have received two notifications about data security breaches involving information about me during the last year.) To the discredit of the US government, no federal legislation requiring adequate protection of such information has been passed yet, despite the growing need for such legislation. ]

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/