SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #97

December 08, 2006

Two notes and a correction:

1. The first two stories this week, from Korea and the UK, reflect early signs of one of the biggest emerging issues in cybersecurity: cyber fraud against banks with the some of the stolen money being used to buy the bombs that are killing US and UK soldiers and civilians of all nationalities around the world. Like their UK counterparts, US financial institutions hide most of the losses from the public and from government agencies that have oversight responsibility.

2. Opportunity to make a difference in reducing the number of security vulnerabilities in applications: The National Secure Programming Skills Assessment is a national examination that will be rolled out in the spring of 2007 to allow government and industrial employers to measure how well their programmers know how to avoid security errors in code they write. If this is an area in which you have deep knowledge, your help is needed in expanding the question bank. You'll also earn some money. If interested, email spa@sans.org today.

3. Correction: Secure Computer, not Secure Computing, was the company that paid $1 million in fines for SPAM.

Alan

---

TOP OF THE NEWS

Korean Financial Service Providers Required to Insure Accounts
UK Financial Institutions Not Reporting Online Fraud

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Man Behind Akamai DDoS Attack Pleads Guilty
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Sailor Draws 12 Years for Passing Classified Data to Foreign Governments
SPYWARE, SPAM & PHISHING
Complaint Alleges Site Downloads Malware Surreptitiously
European Commission Call to Arms Against SPAM
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Attacks Exploit Zero-Day Vulnerability in Word
MySpace Asks Apple for Help Fixing QuickTime Video Problem
Vulnerability Discovered in ATM System
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Student Charged with Stealing Data from Staff Computers
Stolen Computer Holds WV Army Nat'l Guard Data
STATISTICS, STUDIES & SURVEYS
IT Security Key to Compliance - Study

---

********************** Sponsored By Beta Systems ************************

Beta Systems' Identity Management Suite facilitates access to corporate information assets through its ability to streamline security processes and reduce help desk costs. For an overview of the SAM Jupiter(R) Identity Management solution -- and topics such as provisioning, single sign-on, and role-based administration -- visit http://www.sans.org/info/2321 for a FREE whitepaper.

*************************************************************************

Just 12 more days for the special savings on rooms (with Internet included) at the Disney Swan Hotel for SANS Security Bootcamp in January in Orlando. Even if you haven't gotten final approval for attending, it makes sense to make a hotel reservation now and cancel it if your employer doesn't allow you to come.

Orlando Jan. 13 (25 courses): http://www.sans.org/bootcamp07/

*************************************************************************

---

TOP OF THE NEWS

Korean Financial Service Providers Required to Insure Accounts (5 December 2006)

Beginning in January 2007, "financial service providers
[in South Korea ]
will be required to insure customers' accounts to cover financial damage caused by hackers and financial accidents." The country's Financial Supervisory Service (FSS) will require organizations to have policies that cover damages of between 100 million and 2 billion won (US$109,400 and US 2.19 million), depending on what sort of business each conducts.
-http://times.hankooki.com/lpage/biz/200612/kt2006120519175511870.htm
[Editor's Note (Liston): Regulatory compliance to security standards too often becomes a matter of filling in a checkbox on a form. On the other hand, requiring financial services providers to insure against financial damage will, in effect, turn insurance providers into compliance auditors. Those financial services providers who follow sound security procedures will be a better risk, and therefore see more favorable insurance rates.
(Honan): Financial and economic drivers such as this will be a major reason, rather than compliance, in forcing businesses to take a good hard look at their information security. ]

UK Financial Institutions Not Reporting Online Fraud (5 December 2006)

A Metropolitan Police officer giving evidence to the all-parliamentary group on identity fraud told British Members of Parliament (MPs) that financial institutions are not reporting online fraud. Detective Superintendent Russell Day attributed the reluctance to two factors: the financial institutions' lack of confidence in the police's ability to deal with the crimes and their concerns about what effect attack disclosures would have on their reputations. Det. Supt. Day's comments indicate the cost of ID theft in the UK could be much higher than the estimated GBP 1.7 billion (US$3.34 billion) annually.
-http://money.guardian.co.uk/news_/story/0,,1964117,00.html
[Editor's Note (Honan): This problem is a double edged sword. Institutions not reporting fraud because of a lack of confidence in the police's ability to deal with the crimes results in the police having no hard data to justify budget spend and requests for additional resources. This quickly becomes a self perpetuating cycle in which the institutions, the police and ultimately the consumer all lose and the only people who win are the criminals. It also reinforces the argument that the EU needs to introduce mandatory breach disclosure notification legislation so the true scale of the problem can be realised. ]

---

*********************** Sponsored Links: ******************************

1) Download FREE white paper and learn how Check Point's UTM solutions simplify your network security.
http://www.sans.org/info/2326

2) Make your organization an unwanted target for phishers. FREE report shows you how.
http://www.sans.org/info/2331

3) Upcoming SANS Webcast,Thursday, December 14 at 1:00 PM EDT (1800 UTC/GMT) WhatWorks in Log Management: Streamlining Log Management at a U.S.Government Agency
http://www.sans.org/info/2336

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Man Behind Akamai DDoS Attack Pleads Guilty (7 December 2006)

John Bombard has pleaded guilty to two counts of intentionally accessing a protected computer without authorization. Bombard broke into computer systems at Columbia University (NY) and Bucknell University (PA) in June 2004 as part of a scheme to launch a distributed denial-of-service (DDoS) attack against Akamai Technologies. When he is sentenced in early March, Bombard faces a US$100,000 fine and up to two years in prison followed by one year of supervised release.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9005759&source=rss_topic17
[Editor's Note (Honan): This story is a prime example of why everyone, no matter what industry they are in or how big their computer systems are, needs to ensure their systems are secure. This is to not only protect themselves but also to protect their on-line neighbours from attack. The argument "sure I am too small for anyone to hack into my systems" no longer, and indeed never did, holds water.)

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Sailor Draws 12 Years for Passing Classified Data to Foreign Governments (6 December 2006)

Naval Petty Officer 3rd Class Ariel J. Weinmann was sentenced to 12 years in prison for stealing a laptop computer and providing classified data to a foreign government. Weinmann was also dishonorably discharged; it was only through a plea agreement that he avoided life in prison without parole
-http://www.msnbc.msn.com/id/16081717/

SPYWARE, SPAM & PHISHING

Complaint Alleges Site Downloads Malware Surreptitiously (7 & 6 December 2006)

The Center for Democracy and Technology (CDT) and StopBadware.org plan to file a complaint with the Federal Trade Commission (FTC) alleging that FastMP3Search.com.ar installs malware on people's computers when they believe they are installing a plug-in to download MP3 files. The complaint alleges the download disables the Windows Firewall, changes homepage settings and otherwise affects users' computers. The downloads are made without users' consent and are difficult to remove.
-http://www.scmagazine.com/uk/news/article/608841/anti-spyware-groups-target-sham
-music-website/
-http://news.com.com/2102-7348_3-6141621.html?tag=st.util.print

European Commission Call to Arms Against SPAM (28 & 27 November 2006)

Viviane Reding, European Commissioner for Information Society and Media, has called on governments, regulators, ISPs and businesses to work together to reduce the amount of SPAM originating both within and outside of the European Union (EU). The Commissioner cited the efforts of the Dutch authorities that resulted in an 85% reduction in SPAM stemming from Holland. She called on all concerned to enforce existing EU legislation and to use filters to reduce the amount of SPAM.
-http://www.zdnet.co.uk/misc/print/0,1000000169,39284908-39001093c,00.htm
-http://www.theregister.co.uk/2006/11/27/eu_spam_war/print.html
[Editor's Note (Schmidt): While I am still not getting SPAM in my inbox thanks to an inexpensive filtering tool bar application, my SPAM folder is at a high I have not seen in 2 years. As long as people respond to these stupid stock emails people will make money. More people need to go to jail over these as well as stop trading the stock cited in the SPAM so it is not profitable will reduce this. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Attacks Exploit Zero-Day Vulnerability in Word (7, 6 & 5 December 2006)

Attacks exploiting a zero-day vulnerability in Microsoft Word, have been detected. The vulnerability allows attackers to execute code remotely. To exploit the flaw, attackers need to trick users into opening maliciously crafted Word files. Users are urged to exercise caution if they receive unsolicited Word documents from both trusted and untrusted sources. The flaw affects many versions of Word including some for Mac.
-http://www.usatoday.com/tech/news/computersecurity/2006-12-07-word-hole_x.htm?cs
p=34
-http://www.theregister.co.uk/2006/12/06/unpatched_word_flaw/print.html
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61972941-39000005c
-http://www.informationweek.com/news/showArticle.jhtml?articleID=196602038
-http://www.microsoft.com/technet/security/advisory/929433.mspx

MySpace Asks Apple for Help Fixing QuickTime Video Problem (6 & 5 December 2006)

MySpace.com has asked Apple to update its QuickTime media player software because a maliciously crafted QuickTime video is being used to alter MySpace user profiles. When a MySpace user views the video, it adds itself to that user's page and replaces links in the user's profile with links to phishing sites.
-http://www.zdnetasia.com/news/security/0,39044215,61972663,00.htm
-http://www.usatoday.com/tech/products/cnet/2006-12-05-myspace-worm_x.htm
[Editor's Note (Pescatore): The distribution of the Apple QuickTime patch through MySpace is pointing out the risks of third party patches. While there is a legitimate Apple patch, MySpace users get a message to go to a MySpace page which tells them to ignore an Internet Explorer security warning and install a new QuickTime. This looks just like a phishing or malware scam, since there is no way to determine if this is legitimate or just another scam or worm being run through MySpace. Make sure you talk to your kids about MySpace, Xanga and FaceBook - they will teach you a lot about how insecure they all are and how suspicious kids are. ]

Vulnerability Discovered in ATM System (30 November 2006)

Israeli researchers claim a vulnerability exists in the way ATM networks transport PIN numbers. The report highlights how an attacker with access to the ATM network could intercept PIN numbers in transit. Many within the financial industry believe the difficulty in implementing the attack will mitigate the risk posed by this vulnerability.
-http://redtape.msnbc.com/2006/11/researchers_who.html

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Student Charged with Stealing Data from Staff Computers (5 December 2006)

University of Wisconsin-Whitewater student Michael W. Mraz Jr. has been charged with two felony computer crimes and burglary for allegedly breaking into four university staff members' computers as well as installing keystroke logging software and gaining access to sensitive data. Mraz allegedly downloaded the software onto the computers from his flash drive. The data were allegedly collected between March 20 and May 10 of this year and include answers to an exam, discussions of student disciplinary situations and information about a police investigation. Mraz will be arraigned on December 15; he faces up to 19 years in prison if he is convicted on all charges.
-http://www.gazetteextra.com/mraz120506.asp

Stolen Computer Holds WV Army Nat'l Guard Data (5 December 2006)

All members of West Virginia's Army National Guard 130th Airlift Wing have been notified that their personal information, including names, Social Security numbers (SSNs) and birthdates, was on a laptop computer stolen from a unit member. The FBI, the Office of Special Investigations and the Naval Criminal Investigative Service have been notified of the theft.
-http://wowktv.com/story.cfm?func=viewstory&storyid=17093

STATISTICS, STUDIES & SURVEYS

IT Security Key to Compliance - Study (4 December 2006)

A study issued by the IT Policy Compliance Group claims organizations that focus on improving their IT security using automated functions and regular auditing of systems and data security have a better chance of meeting their compliance obligations. The report states that organizations spending US$1 for every US$30,000 in revenue, assets under management, or agency budget are most successful at meeting compliance demands; organizations spending US$1 on every US$90,000 were found to be lagging in compliance. The report recommends allocating more than 10 percent of the overall IT budget for compliance spending. The IT Policy Compliance Group was formed last year by the Computer Security Institute, the Institute of Internal Auditors, and Symantec and was formerly known as the Security Compliance Counsel.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=196601378
[Editor's Note (Pescatore): There are some wild numbers being thrown around here. $1 out of every $30,000 in revenue works out to be about $10,000 for a $300M company, that's a factor of 100 off. A typical $300M company will spend on the order of 7% of revenue on IT ($21M) and 6% of IT on security - $1.2M. Whether 10% of IT spent on compliance is optimal or not depends on the definition of compliance, of course, but more importantly just spending more on doing the wrongs things just never seems to work.
(Liston): Liston - "Spending targets" like this are incredibly misleading. Spending X% unwisely won't get you any closer to compliance or security. (Kreitner) I hope people don't focus on these budget numbers, because just spending money has never been a wise road to success in anything. The important point here is that compliance with most regulations and standards will be a natural by-product of a well run, performance-oriented enterprise, with regard to IT security as well as other areas of enterprise performance. In other words, focus on the performance and compliance will tend to follow; don't focus on compliance and work backwards into performance.
(Honan): At long last we can demonstrate that compliance does not result in good security, but that good security does result in compliance. ]

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/