SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #93

November 24, 2006

We welcome Ed Skoudis and Tom Lister to the Editorial Board. Few people in the world have deeper understanding of the current state of cyber attacks.
Alan

---

TOP OF THE NEWS

Russian Spies Seeking Current Technology Secrets
Panel Says SWIFT Breached EU Data Protection Laws
Related Story

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Microsoft Suits Target 129 Alleged Phishers
Two Companies Settle FTC Spyware Charges
SPYWARE, SPAM & PHISHING
Phishers Use Malaysian Government Computers to Whitewash Emails
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Vulnerability in Firefox 2.0 and IE7 Could be Exploited to Steal Login Credentials
Memory Corruption Flaw in Mac OS X
LAPTOPS
Two Arrested in Connection with DOT OIG Laptop Theft
Stolen Laptops Hold Scotland Yard Officers' Financial Data
Stolen Laptop Holds Ontario Science Centre Member Data
STATISTICS, STUDIES & SURVEYS
Anti-Phishing Toolbars Not Doing Their Job

---

*************************** Sponsored By SANS **************************

Security professionals will find out how to keep their bosses from being embarrassed on the front page of the paper and how to fight the most common threats to data at rest at the SANS Secure Storage & Encryption Summit, December 6-7.
http://www.sans.org/info/1926

*************************************************************************

SANS 2007 (SANS' biggest annual conference, San Diego Mar. 29-Apr. 6) just opened for registration. SANS annual conferences stand out from all other programs because of the multitude of learning opportunities in one place (51 courses and lots of exhibits and BOFs)
http://www.sans.org/sans2007/

"Fantastic! Ton's of information. My mind is now Jello- I'll be back next year" Kurt Danielson, National Marrow Donor Program "My 4th SANS conference! Each time the instructors are top-notch and I come away amazed and educated." Bill Wildprett, Washington State CTED "This conference really taught me the skills I needed to immediately improve the processes where I work." Karissa Truitt, AT&T Government Solutions

Or: Washington DC, Dec. 9 (16 courses) http://www.sans.org/cdieast06/
Orlando Bootcamp, Jan. 13 (25 courses): http://www.sans.org/bootcamp07/
Or San Jose, Phoenix, Prague, or Brisbane (5 or 6 courses)
See complete list of more than 70 upcoming programs in cities around the world at http://www.sans.org/training_events/?ref=1433

*************************************************************************

---

TOP OF THE NEWS

Russian Spies Seeking Current Technology Secrets (18 November 2006)

Russian spies are seeking to close the "20-year technology gap" between their own capabilities and those of other countries. Alleged spies in Canada, Eastern Europe, Japan and the US have been under surveillance, arrested and deported for allegedly attempting to steal high-tech information. Current estimates put the number of Russian spies in the US at 100; there are an estimated 40 Russian spies in Britain.
-http://www.theglobeandmail.com/servlet/story/LAC.20061118.SPIES18/TPStory/Nation
al

-http://www.computerweekly.com/Articles/2006/11/21/220089/Foreign+intelligence+ag
ents+hacking+UK+businesses%2c+government.htm
[Editor's Note (Honan): A related story about Chinese theft of secrets: "China Bought Bomber Secrets"
-http://washingtontimes.com/national/20061123-122450-1979r.htm]

Panel Says SWIFT Breached EU Data Protection Laws (23 November 2006)

A banking consortium known as SWIFT (the Society for Worldwide Interbank Financial Telecommunications) breached European Union (EU) data protection rules when it allowed the US government to access financial transaction records, according to an EU panel. European law forbids companies from transferring confidential personal data to other countries without assuring that country provides sufficient protection for those data. The US does not meet the EU's criteria. The US government began requesting access to the data following the September 11 attacks.
-http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/11/23/MNGQLMIT671.DTL&a
mp;type=printable

-http://euobserver.com/9/22937
[Editor's Note (Schultz): If you read the full news item, you'll also find that SWIFT is vigorously defending what it has done, saying that sharing this information saved lives and that SWIFT was rigorous in safeguarding the information it shared. At the same time, however, it sounds as if the EU is not inclined to listen to what SWIFT is saying. ]

In a related story

US and EU senior officials have begun talks in an effort to establish common data privacy guidelines.
-http://www.itnews.com.au/newsstory.aspx?CIaNID=42566

---

************************* Sponsored Link: *****************************

1) Don't let phishing ruin the holidays for you and your customers. Get the facts in this FREE REPORT.
http://www.sans.org/info/1931

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Microsoft Suits Target 129 Alleged Phishers (23 & 22 November 2006)

Microsoft has taken legal action against 129 individuals in Europe and the Middle East for phishing-related activity. Fifty of the cases are in Turkey. The suits are part of the software company's Global Phishing Enforcement Initiative, which was launched in March. Settlements from actions taken through the initiative have ranged from fines of 1,000 Euros (US$1,295) to a 30-month jail term for a man in Turkey.
-http://www.vnunet.com/vnunet/news/2169352/microsoft-takes-action-against
-http://www.theregister.co.uk/2006/11/23/ms_anti-phishing_campaign_update/print.h
tml
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9005374&source=rss_topic17

Two Companies Settle FTC Spyware Charges (21 November 2006)

Odysseus Marketing, Inc. and its principal, Walter Rines, have agreed to settle US Federal Trade Commission (FTC) charges that they violated federal law by dealing in software that installs itself on users' computers surreptitiously and changes their settings. John Robert Martinson, principal of Mailwiper, Inc. and its successor, Spy Deleter, Inc., has also agreed to settle FTC charges for downloading spyware onto people's computers, then pestering them with pop-up advertisements urging them to buy products that claimed to address the spyware problems.
-http://www.ftc.gov/opa/2006/11/seismicodysseus.htm

SPYWARE, SPAM & PHISHING

Phishers Use Malaysian Government Computers to Whitewash Emails (20 November 2006)

Phishers have apparently been using computers at RxDocuments LLC, a medical transcription outsourcing company, and the Malaysian government to conduct their scams. The emails in this case appear to come from PayPal asking customers to update their accounts.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9005231&source=rss_topic82

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Vulnerability in Firefox 2.0 and IE7 Could be Exploited to Steal Login Credentials (23 November 2006)

An information disclosure flaw in both Firefox 2.0 and Internet Explorer 7 (IE7) could allow attackers to steal users' login credentials. The flaw affects the Firefox Password Manager and IE7's equivalent; URLs are not properly checked before saved user credentials are filled into web forms. Until a patch is available, Firefox users are encouraged to disable the "remember passwords for sites" option. IE7 users may be less vulnerable to exploits because the browser does not automatically fill in the information. An exploit for the flaw has reportedly been published on the Internet.
-http://isc.sans.org/diary.php?storyid=1879
-http://www.theregister.co.uk/2006/11/23/fake_login_flaw/print.html
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61969580-39000005c
[Editor's Note (Liston): Allowing browsers to cache passwords is a really bad idea. This vulnerability takes advantage of the fact that the trigger for a browser to send credentials is the *site being visited*, NOT the *site where the password FORM will be sending the data*. This vulnerability could cause huge problems on sites where users are allowed to display their own HTML (*cough*MYSPACE*cough*)
(Boeckman): It is much more likely that login credentials will be stolen through phishing, spyware or malware. While this vulnerability should be taken seriously, we need to acknowledge the fact that a username and a reusable password is not sufficient to protect anything of value. ]

Memory Corruption Flaw in Mac OS X (22 November 2006)

A memory corruption vulnerability in Apple's Mac OS X could allow attackers to gain control of fully patched systems. The problem lies in the way the AppleDiskImageController handles corrupted DMG (disk image) image structures. The vulnerability could be exploited by manipulating users into visiting maliciously crafted web sites. Until a patch is available, users are advised to disable the "open 'safe' files after downloading" option in Safari. A proof of concept has been published that would allow exploitation of this vulnerability.
-http://isc.sans.org/diary.php?storyid=1878
-http://www.theregister.co.uk/2006/11/22/mac_zero_day_bug/print.html
-http://www.eweek.com/print_article2/0,1217,a=194716,00.asp
[Editor's Note (Liston): The "open 'safe' file after downloading" option should just be disabled. Period. Like the password caching vulnerability above, it's another example of "ease of use" trumping good security practice. ]

LAPTOPS

Two Arrested in Connection with DOT OIG Laptop Theft (22 & 21 November 2006)

Two individuals have been arrested in connection with the July theft of a laptop computer belonging to the Transportation Department's Office of the Inspector General in Miami. The laptop was stolen from a locked car in a restaurant parking lot. While the laptop has not been recovered, an investigation prompted by the theft uncovered a laptop theft ring operating in the area. The computer contains sensitive, personally identifiable information for approximately 133,000 pilots, commercial truck drivers and individual driver's license holders in Florida. The thieves appear to have been targeting laptops for their resale value, not for the data they contained. Another DOT OIG laptop was stolen elsewhere in Florida earlier in April; the investigation is still underway.
-http://www.gcn.com/online/vol1_no1/42653-1.html?topic=security&CMP=OTC-RSS

-http://www.fcw.com/article96913-11-22-06-Web&printLayout
-http://www.jacksonville.com/apnews/stories/112106/D8LHN9M00.shtml

Stolen Laptops Hold Scotland Yard Officers' Financial Data (22 & 21 November 2006)

Three laptop computers stolen from the offices of LogicaCMG hold sensitive financial information belonging to more than 15,000 London Metropolitan Police officers (Met). (The Met is often called Scotland Yard, the name of its headquarters.) A Scotland Yard spokesperson said they "believe the risk of staff members falling victim to
[fraud ]
or identity theft is minimal." LogicaCMG is an outsourcing company that manages payroll and pension payments. One man has been arrested in connection with the theft.
-http://www.theregister.co.uk/2006/11/22/met_police_laptop_theft/print.html
-http://news.bbc.co.uk/1/hi/england/6171468.stm
-http://www.thisislondon.co.uk/news/article-23375377-details/Laptop+thief+lands+t
he+bank+details+of+15,000+policemen/article.do

Stolen Laptop Holds Ontario Science Centre Member Data (21 November 2006)

A laptop computer stolen from the Ontario Science Centre contains a database with members' registration data, including names, addresses and credit card information. The laptop and the database are protected with separate passwords. The computer was stolen from a locked office on September 18. The Ontario Science Centre notified affected members by letter. An investigation is ongoing.
-http://www.towncrieronline.ca/main/main.php?rootcatid=8&direction=printstory
&storyid=5847&rootsubcatid=#rootsubcatid

STATISTICS, STUDIES & SURVEYS

Anti-Phishing Toolbars Not Doing Their Job (20 November 2006)

A study of 10 anti-phishing toolbars conducted by Carnegie Mellon University researchers found that none provided effective protection from phishing web sites. The best detected just 85 percent of phishing sites; the rest identified under half of the sites. Most of the tool bars generated false positives; this can be dangerous because users may learn to ignore warnings if they are often wrong.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9005253&source=rss_topic82
-http://www.vnunet.com/vnunet/news/2169227/boffins-blast-phishing-toolbars
[Editor's Note (Liston): The whole idea of an Antiphishing toolbar seems a bit odd to me. If you know enough to know to install one, then you're probably security-minded enough not to need one... ]

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/