SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #91

November 17, 2006

Heads up:

SANS 2007 (SANS' biggest annual conference, San Diego Mar. 29-Apr. 6) just opened for registration. SANS annual conferences stand out from all other programs because of the multitude of learning opportunities in one place (51 courses and lots of exhibits and BOFs) http://www.sans.org/sans2007/

These comments from past SANS conference attendees will give you a picture of the program:

"Fantastic! Ton's of information. My mind is now Jello- I'll be back next year." Kurt Danielson, National Marrow Donor Program

"My 4th SANS conference! Each time the instructors are top-notch and I come away amazed and educated." Bill Wildprett, Washington State CTED

"Better, more densely packed, value than any other program I've attended...even undergrad and graduate courses." Mark Laughlin, RT Communications

"This conference really taught me the skills I needed to immediately improve the processes where I work." Karissa Truitt, AT&T Government Solutions

If you don't want to wait for March, try these great venues:

Washington DC, Dec. 9 (16 courses) http://www.sans.org/cdieast06/
Orlando Bootcamp, Jan. 13 (25 courses): http://www.sans.org/bootcamp07/
Or San Jose, Phoenix, Prague, or Brisbane (5 or 6 courses)

See complete list of more than 70 upcoming programs in cities around the world at http://www.sans.org/training_events/?ref=1433

---

TOP OF THE NEWS

SANS Top 20 Internet-Based Attack Targets
478 IRS Laptops Lost or Stolen Over Four-Year Period
New Anti-Fraud Law Closes Loopholes

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES
Four Arrested in Spain Used Trojan for Blackmail and Fraud
Former Source Media Exec Charged with Cyber Intrusion
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Five of Six Microsoft Bulletins Address Critical Flaws
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Michigan Banks Replace Credit Cards Following Spike in Fraud
Missing Laptop Holds Nationwide Building Society Customer Data
Connors College Stolen Laptop is Recovered
MISCELLANEOUS
Security Software Firm, Guidance, Reaches Settlement with FTC
Using the Performance Review Process to Develop Employee's IT Skills
BONUS SECTION: CLICK FRAUD
Companies to Demand Third-Party Audits to Check for Click Fraud

---

*************** Sponsored By Core Security Technologies *****************

WIN a $250 BestBuy gift card from Core Security Technologies! Listen to the joint Gartner and SANS webcast as they discuss the future of information security. Register here http://www.sans.org/info/1819

View the webcast and automatically be entered into a drawing for a $250 gift card from Core Security Technologies!

*************************************************************************

---

TOP OF THE NEWS

SANS Top 20 Internet-Based Attack Targets (16 & 15 November 2006)

SANS has released its Top 20 Internet-based attack vectors rankings. Important trends in threats include targeted attacks, such as zero-day attacks and spear phishing, and evidence that governments are employing people to conduct cyber espionage. Also of concern are attacks on Internet-based phone systems and exploitation of security holes in web-based applications. The Full Report:
-http://www.sans.org/top20/
-http://www.eweek.com/print_article2/0,1217,a=194109,00.asp
-http://www.techweb.com/article/printableArticle.jhtml;?articleID=194400284&s
ite_section=700028
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9005079&taxonomyId=17&intsrc=kc_top
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61967930-39000005c

478 IRS Laptops Lost or Stolen Over Four-Year Period (15 November 2006)

Documents obtained under the Freedom of Information Act (FOIA) indicate that between 2002 and 2006, 478 laptop computers were lost or stolen from the US Internal Revenue Service (IRS). Of the missing computers, 112 held sensitive taxpayer data, including Social Security numbers (SSNs). In January, the IRS plans to begin using technology "that will encrypt all information on the hard drives" of laptops. Employees will also be issued cables to physically secure their machines.
-http://www.wtopnews.com/index.php?nid=428&sid=975026
[Editor's Note (Schultz): Nearly 500 lost or stolen computers is completely unacceptable. The only consolation is that the IRS is moving in the right direction in addressing this problem.
Guest Editor Comment (Hightower-Pierce): For a running tally of reported data breaches, see:
-http://www.privacyrights.org/ar/ChronDataBreaches.htm
-http://attrition.org/dataloss/
To make a FOIA request, guidance is available at:
-http://www.usdoj.gov/oip/index.html]

(Grefer): I hope the IRS as well as our readers, will opt for cable locks with an numeric lock, rather than those with round keys, since the latter can easily be opened using a large plastic straw or small pipe or hose forced over the core to turn the locking mechanism. ]

New Anti-Fraud Law Closes Loopholes (14 November 2006)

The Fraud Act 2006 will take effect next year in England and Wales. The new law closes gaps in earlier laws regarding fraud that do not address current technologies. For instance, under the old law, people found in possession of files intended for use in a phishing attack could not be prosecuted for fraud. Under the new Fraud Act, individuals can be tried for a general offense of fraud; convictions can bring sentences of up to 10 years in prison.
-http://www.theregister.co.uk/2006/11/14/fraud_act_outlaws_phishing/print.html

---

************************ Sponsored Links: ****************************

1) Tool Talk Webcast - Learn how Check Point VPN-1 gateways simplify VPN creation, deployment and management. http://www.sans.org/info/1820

2) Don't let phishing ruin the holidays for you and your customers. Get the facts in this FREE REPORT. http://www.sans.org/info/1821

3) "Top 10 Questions You Must Ask Before Purchasing a SIM Solution"-a must-read for SIM shoppers. http://www.sans.org/info/1822

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS & SENTENCES

Four Arrested in Spain Used Trojan for Blackmail and Fraud (16 November 2006)

Police in Spain have arrested two 17-year-olds for creating a Trojan horse program that they used to take control of webcams at a college. They then allegedly used the footage they collected to blackmail other individuals. Two adults were also arrested for allegedly using a Trojan horse program based on the same strain of malware to steal data that they subsequently used to commit credit card fraud.
-http://www.theregister.co.uk/2006/11/16/webcam_trojan_scam/print.html
[Editor's Note (Pescatore): This is sort of a dramatic demonstration of how threats have changed. Five years ago, 17 year old boys hacking web cams would be doing so to watch 17 year old girls in various states of undress. Now they are doing it to make money. Imagine how unfunny the 2010 sequel to the movie "Animal House" is going to be... ]

Former Source Media Exec Charged with Cyber Intrusion (15 November 2006)

Stevan Hoffacker has been charged with one count of unauthorized access to a protected computer network for breaking into his former employer's computer system. Hoffacker, who at one time was director of information technology and then VP of technology at Source Media Inc., allegedly accessed the company's computer system, then warned several people that their jobs may be in danger. If convicted of the charges against him, Hoffacker could face up to five years in prison.
-http://www.msnbc.msn.com/id/15739188/
[Guest Editor Comment (Tower-Pierce): The text to the Computer Fraud and Abuse Act (CFAA), the key federal statute that deals with unauthorized access can be found at:
-http://www.usdoj.gov/criminal/cybercrime/1030NEW.htm.
As a result of 2001 amendments under the USA PATRIOT Act, the CFAA has become an easier tool for prosecutors to use. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Five of Six Microsoft Bulletins Address Critical Flaws (15 November 2006)

Five of the six security bulletins released by Microsoft on Tuesday, November 14 address critical vulnerabilities. Two of the vulnerabilities have already been actively exploited - the XML Core Services flaw and an Internet Explorer (IE) remote code execution flaw. The other three flaws lie in Macromedia Flash Player version 6 from Adobe, Workstation Service and Windows Remote Agent component. A sixth bulletin addresses a vulnerability in client service for NetWare that received a severity rating of "important." Internet Storm Center posted what is probably the best and easiest-to-understand analysis of the Microsoft bulletins:
-http://isc.sans.org/diary.php?storyid=1855
-http://www.theregister.co.uk/2006/11/15/nov_patch_tuesday/print.html
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61967637-39000005c
-http://www.us-cert.gov/cas/techalerts/TA06-318A.html
-http://www.microsoft.com/technet/security/bulletin/ms06-nov.mspx

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Michigan Banks Replace Credit Cards Following Spike in Fraud (15 November 2006)

A number of banks and credit unions in Michigan have replaced more than 1,500 credit and debit cards due to increased fraud. Wesco, an area convenience store and gas station chain, says that card transactions that took place between July 25 and September 7 of this year may have been compromised. The US attorney's office and the Secret Service are investigating the problem.
-http://www.zdnetasia.com/news/security/0,39044215,61967665,00.htm

Missing Laptop Holds Nationwide Building Society Customer Data (14 & 12 November 2006)

The UK's Financial Services Authority is investigating the theft of a laptop that holds Nationwide Building Society customer data. The computer was stolen from an employee's home in August. The company said the data do not include PINs, passwords or financial transaction information, but has not specified what data are on the computer or how many people are affected by the breach. Nationwide has begun the process of notifying its 11 million customers of the theft.
-http://software.silicon.com/security/0,39024888,39164041,00.htm
-http://business.timesonline.co.uk/article/0,,8209-2449656,00.html
[Editor's Note (Honan): The laptop was stolen in August and nearly three months later the Nationwide Building Society is now alerting customers!! This story is another strong case in favour of the EU introducing breach disclosure legislation. ]

Connors College Stolen Laptop is Recovered (November 2006)

A Connors State College student is under investigation regarding a laptop that was stolen from the Warner, Oklahoma school. The computer has been recovered. The laptop holds personally identifiable information of Connors State students and 22,500 individuals who receive Oklahoma Higher Learning Access Program scholarships.
-http://www.kten.com/global/story.asp?s=5679797&ClientType=Printable

MISCELLANEOUS

Security Software Firm, Guidance, Reaches Settlement with FTC (16 November 2006)

Security firm Guidance Software has reached a settlement with the US Federal Trade Commission (FTC) over a complaint regarding a computer intrusion that compromised the personally identifiable information of approximately 3,800 Guidance customers. The FTC noted Guidance "failure to take reasonable security measures to protect sensitive customer data contradicted security promises made on its Web site and violated federal law." According to the terms of the agreement, Guidance will establish a "comprehensive information-security program" and submit to biannual audits by third-party professionals for the next 10 years.
-http://news.com.com/2102-7350_3-6136165.html?tag=st.util.print
[Guest Editor's Comment (Tower-Pierce): The FTC case file, including a copy of the complaint listing FTC allegations against Guidance Software and the agreement containing the consent order, is found at:
-http://www.ftc.gov/os/caselist/0623057/index.htm.
The FTC press release summarizing the settlement is found at:
-http://www.ftc.gov/opa/2006/11/guidance.htm.]

Using the Performance Review Process to Develop Employee's IT Skills (14 November 2006)

Forward thinking organizations use the performance review process to tune employee development to ensure they are acquiring the hot skills they need to be fully useful to meet the organization's needs. To identify future hot skills leaders in organizations, turn to resources like Gartner and SANS' Future Vision and Decisions Summit (
-http://www.sans.org/visionsdecisions07/).
-http://www.sans.edu/resources/MeasuringEmployeePerformance.pdf
[Editor's Note (Honan): The performance review process can also be a great place to reinforce your Acceptable Usage Policy by having staff resign the policy at each review. This ensures the AUP is not something signed by an employee when they join the company and subsequently forgotten about. ]

BONUS SECTION: CLICK FRAUD

Companies to Demand Third-Party Audits to Check for Click Fraud

Last week a group of companies including Kimberly-Clark, Colgate-Palmolive and Ford Motor told The New York Times that by the middle of 2007 they will demand online publishers hire auditors to check their ad and viewer counts." They and thousands of others are victims of "click fraud" in which clicks on online advertising does not come from genuine interest in the ad. Click fraud makes money for the web site but doesn't do any good for the advertiser.
-http://www.smh.com.au/news/biztech/click-fraud-threatens-online-river-of-gold/20
06/11/06/1162661616360.html
[Editor's Note (Pescatore): No surprise here. The print advertising industry has had audit bureaus since the Gutenberg days, as there is always a temptation for any publisher to overstate the reach of any advertising. The Internet did not change that - it actually made that problem worse. There is an old quote from John Wanamaker, the father of department stores: "Half my advertising budget is wasted, I just can't tell which half." Without some rigor from the Internet advertising vendors, the 2007 version of that quote will replace 'half' with '90%'. Guest Editor's Comment
(Tower-Pierce): Wikipedia's Click Fraud entry offers a good starting point for background reading on Click Fraud, including links to statutes under which this type of fraud may be prosecuted and recent articles on the topic.
-http://en.wikipedia.org/wiki/Click_fraud]

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/