SANS NewsBites Vol. 8 Num. 3
From: The SANS Institute (NewsBites sans.org)
Date: Tue Jan 10 2006 - 11:59:05 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The 2005 Information Security Salary and Career advancement Survey has
just been posted. Salaries are rising, but the survey also has data on
(1) which certifications matter for which security jobs, (2) what makes
security people angry, and (3) what matters for career advancement in
security. http://www.sans.org/salary2005/
Tomorrow (January 11) is the last day for saving $250 on early
registration for SANS2006 in Orlando at the end of February.
Alan
*************************************************************************
SANS NewsBites January 10, 2006 Vol. 8, Num. 3
*************************************************************************
TOP OF THE NEWS
US$11.2 Billion Judgment in Spam Case is Largest Ever
SANS Institute Survey Finds GIAC and Vendor-Specific Certifications
Offer Stronger Hands-On Skill Sets
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
eBay Account Hijacker Indicted
SPYWARE, SPAM & PHISHING
US Supreme Court Refuses to Hear Appeal in eMail Blocking Case at
University of Texas
Anti-Spyware Scammers Settle FTC Charges
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
SonyBMG Settlement Deal Receives Preliminary Approval
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Two More WMF Flaws Surface
Microsoft Says January's Patch Tuesday Will Address Two Critical
Flaws
Oracle Database Worm Spreading
MISCELLANEOUS
Microsoft Shutters Chinese Blogger's Site
CORRECTION/CLARIFICATION
Bank of America Deploys Two-Factor Authentication
******************* Sponsored by Bindview ******************************
New whitepaper from IDC: Optimizing Your IT Controls Environment for
Compliance with Multiple Regulations
This new white paper from IDC examines efforts to manage compliance for
a growing number of multiple regulations and standards. Learn how new
solutions from Symantec have identified a common set of controls that
cross many major regulations and standards, and how businesses can use
these solutions to map controls to regulations. Download now!
http://www.sans.org/info.php?id=979
*************************************************************************
Highlighted Training Program of the Week:
SANS has finally found a good course on secure programming. Here's what
some early students said:
>>"This course covers all of the major vulnerabilities in a hands on
fashion -- it puts you in the hacker's swivel chair." Cheryl Marlin,
NOAA
>>"Great, if a bit scary. Good grounding in techniques used by hackers
and how to protect yourself against them." Ed Jamerzek, Software
Manager, DayJet
Course information: http://www.sans.org/sans2006/description.php?tid=347
Also Secure .NET programming: http://www.sans.org/sans2006/description.php?tid=250
These are two of 36 immersion training programs at SANS 2006 - the
largest and most effective security training conference and tools
exposition ever assembled.
http://www.sans.org/sans2006/
*************************************************************************
TOP OF THE NEWS
-- US$11.2 Billion Judgment in Spam Case is Largest Ever
(9 January 2006)
Robert Kramer, the owner of an Iowa-based Internet services company, has
been awarded a US$11.2 billion judgment against spammer James McCalla
who is also prohibited from accessing the Internet for three years.
Kramer won a US$1 billion judgment against other spammers in December
2004, at that time the largest spam judgment ever recorded.
http://www.computerworld.com/printthis/2006/0,4814,107598,00.html
http://www.wired.com/news/politics/1,69966-0.html
Story about Dec. '04 judgment:
http://www.computerworld.com/printthis/2004/0,4814,98421,00.html
[Editor's Note (Schultz): This judgment constitutes an extremely
significant event in the war against spam, yet I doubt whether Kramer
will actually be able to collect much if any money at all.]
--SANS Institute Survey Finds GIAC and Vendor-Specific Certifications
Offer Stronger Hands-On Skill Sets
(9 January 2006)
A SANS/Certification Magazine/UNIX Review/Sysadmin Magazine survey of
4250 security professionals found that people holding certifications
from the Computing Technology Industry Association (CompTIA), the
International Information Systems security Certification Consortium
(ISC)2, and the Information Systems Audit and Control Association
(ISACA) do not feel that their training provides them strong advantages
in dealing with "hands-on security jobs." Those same people reported
that vendor-specific certifications and the SANS Institute's Global
Information Assurance Certification (GIAC) provide certification holders
with stronger skills to "protect computer systems." The three
organizations named above say their certifications, all of which are
vendor-neutral, emphasize different skills.
http://www.fcw.com/article91890-01-09-06-Web
The full survey is posted at http://www.sans.org/salary2005/
[Editor's Note (Schmidt): FULL DISCLOSURE: I am on the board of ISC2 and
the IT Governance Institute Advisory Panel (ISACA), and I agree that
there is a definite difference between hands-on technical training and
the higher level that auditors, managers and executives use; this does
not make them bad, just different. That is why we have a pilot's license
for those of us who are pilots and an A&P (airframe and power plant)
license for those who make sure the planes are safe to fly.]
************************* Sponsored Links: ******************************
1) SANS On Demand - Limited Time Offer! 1st 150 registrants receive a
30% discount off the online course of their choice.
http://www.sans.org/info.php?id=980
2) Free SANS Webcast - Internet Storm Center: "Threat Update" webcast
Wednesday, January 11 at 1:00 PM EST (1800 UTC/GMT)
http://www.sans.org/info.php?id=981
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
--eBay Account Hijacker Indicted
(6 January 2006)
Sean Galvez of Boston, Massachusetts has been indicted on one count of
larceny and 10 counts of unauthorized access to a computer and identity
fraud for breaking into more than 40 eBay accounts and accumulating
charges totaling US$32,000. The Massachusetts Attorney General's office
is still trying to determine how Galvez obtained access to the accounts.
Galvez allegedly changed the passwords and gathered credit card
information. Galvez is scheduled to be arraigned on January 18, 2006 and
faces up to five years in state prison if convicted of the charges
against him.
http://www.eweek.com/print_article2/0,1217,a=168683,00.asp
[Editor's Note (Schmidt): Just keep building those jails; maybe one day
the criminals will learn the old phrase: "you do the crime, be prepared
to do the time." Now if we could roll out two-factor authentication we
might further reduce the number of victims. Increasingly the state AGs
are taking these criminals on and taking them down.]
SPYWARE, SPAM & PHISHING
--US Supreme Court Refuses to Hear Appeal in eMail Blocking Case at
University of Texas
(9 January 2006)
The US Supreme Court has declined to hear an appeal from White Buffalo
Ventures, a company that maintained it was within its rights to send
unsolicited email to University of Texas students. After students
complained about the unsolicited email, the university asked White
Buffalo to stop sending the messages; when it did not comply with the
cease and desist order, the school blocked email from the company's IP
address. White Buffalo obtained UT email addresses by filing a Freedom
of Information Act request and maintained that federal laws allowing
commercial email to be sent under certain circumstances "superseded the
university's anti-spam policy." The appeals court upheld an initial
ruling made by a federal trial court in western Texas that CAN-SPAM does
not supersede university policy.
http://www.msnbc.msn.com/id/10776916/
http://news.com.com/2102-7350_3-6024658.html?tag=st.util.print
[Editor's Note (Pescatore): It is good to see the Supreme Court uphold
our right not to have to listen to others' free speech. Just because you
are allowed to say it doesn't mean I have to let it fill my inboxes.]
--Anti-Spyware Scammers Settle FTC Charges
(6 January 2006)
The makers of SpywareAssassin and Spykiller have settled charges brought
by the US Federal Trade Commission (FTC) that they tricked people into
believing their systems were infected with spyware so they would
purchase their products. The companies have agreed to pay back more than
US$2 million they made through their scheme. The companies allegedly
told people they had run scans on their computers and that they needed
the products to remove the malicious software they found. The civil
lawsuits filed by the FTC allege that there were no such malicious
programs on the computers they claimed to have scanned.
http://www.techweb.com/wire/175802142
[Editor's Note (Pescatore): The FTC continues to use existing
legislation to implement privacy enforcement actions. I hope this early
action against spyware software companies trying to rip off consumers
shows they will continue to focus on this area.]
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--SonyBMG Settlement Deal Receives Preliminary Approval
(9/5 January 2006)
A federal judge has given preliminary approval to a settlement deal
regarding Sony BMG's flawed digital rights management (DRM) technology.
Now people who have purchased certain music CDs from SonyBMG may add
their names to class-action lawsuits. The Electronic Frontier Foundation
(EFF) says the next step is to make sure consumers know what is
available to them and how they can get it. The court has ordered SonyBMG
to start placing notices in newspapers and on line by February 15, 2006.
Consumers have until May 1, 2006 to submit a claim. In a related story,
the EFF has written an open letter to EMI Music asking for legal
protections for researchers who look into the company's copy protection
technologies and bring vulnerabilities to light. EFF points out that
while legitimate researchers may feel threatened by legal repercussions,
cyber criminals will likely feel no compunction about scouring the
technologies for vulnerabilities.
http://www.techweb.com/wire/175802774
http://www.internetnews.com/security/print.php/3575441
EFF Open Letter to EMI Music:
http://www.eff.org/IP/DRM/emi.pdf
Settlement FAQ from EFF:
http://www.eff.org/IP/DRM/Sony-BMG/settlement_faq.php
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Two More WMF Flaws Surface
(9 January 2006)
Information about two more vulnerabilities in the way the Windows
graphics rendering engine handles Metafile (WMF) images has been
published on the Internet. The more recently disclosed flaws are not as
severe as the flaw for which Microsoft issued an out-of-cycle patch last
week. In the wake of the recently patched WMF flaw, Microsoft says it
will carefully examine its code to catch similar vulnerabilities. The
company will also update its development process to prevent the
occurrence of such problems in the future. Microsoft released a patch
for the WMF vulnerability just ten days after it was disclosed, the
shortest turnaround time yet for a Microsoft patch.
http://www.computerworld.com/printthis/2006/0,4814,107604,00.html
http://www.eweek.com/print_article2/0,1217,a=168837,00.asp
[Editor's Note (Pescatore): First reports say these vulnerabilities
only enable denial of service attacks but show the "swarming" effect
that happens when a new vulnerable area is found in software.]
--Microsoft Says January's Patch Tuesday Will Address Two Critical Flaws
(6 January 2006)
Microsoft says it will release two bulletins for critical flaws on
Tuesday January 10, the scheduled date for the company's monthly
security update. Microsoft issued an out-of-cycle patch for the Windows
Metafile (WMF) flaw on Thursday, 5 January. The updates will address
critical flaws in Windows and Microsoft Office and Exchange. Both
patches could require users to restart their software. On that date,
Microsoft also plans to release an updated version of its Microsoft
Windows Malicious Software Removal Tool as well as a handful of
non-security high priority updates.
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39303172-39000005c
http://www.microsoft.com/technet/security/bulletin/advance.mspx
--Oracle Database Worm Spreading
(6 January 2006)
A variant of an exploit that targets Oracle databases has been
spreading. This exploit renames the log file, enabling it to create a
new database account and manipulate the situation so that the malicious
code executes the next time the user connects to the database. The
previous version spread through default usernames and passwords.
http://www.crn.com/sections/breakingnews/breakingnews.jhtml?articleId=175802330
[Editor's Note (Boeckman): The widespread worms affecting Microsoft
SQL Server demonstrate that it is a bad idea to expose a database server
to the Internet, even if the vendor claims it is "unbreakable". This
story is an indication that many organizations still expose their
database servers to the Internet.]
MISCELLANEOUS
--Microsoft Shutters Chinese Blogger's Site
(6 January 2006)
Microsoft has shut down a Chinese blogger's site at the request of
Chinese authorities. The blog was shut down because it violated
Microsoft's code of conduct requiring users to comply with local laws.
China has strict rules about what content may be posted to the Internet;
Microsoft's blog tool in China filters the terms such as "democracy" and
"human rights." The Chinese government pays close attention to content
posted to the Internet and deletes postings it considers to be critical
of the government.
http://www.cnn.com/2006/WORLD/asiapcf/01/06/china.blog.shutdown.ap/index.html
(New York Times site requires free registration)
http://www.nytimes.com/2006/01/06/technology/06blog.html
Correction/Clarification
In our last edition, we ran the following story:
--Bank of America Deploys Two-Factor Authentication
(4 January 2006)
Bank of America has deployed two-way, two-factor authentication to
customers in 48 of the 50 states. The scheme uses an image, a phrase and
challenge questions to let customers know they are interacting with the
authentic banking site and not a phishing web site. The new
authentication scheme will become mandatory in 2006; Idaho and
Washington state are set to get the technology sometime this year.
http://www.techweb.com/wire/security/175801173%3Bjsessionid=E4PL4VCFYN1U0QS
Brent Stackhouse, GSEC/GCIH, wrote in with the following comment:
"SiteKey, while an improvement over password-based online authentication
systems, especially as an anti-phishing mechanism, should not be
confused with traditional two-factor authentication. Using a personal
computer as the 'something-you-have' disregards that they can be stolen,
are often used by more than one person (all with administrative access),
and are often infected with phone-home, key-logging spyware."
===end===
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
iD8DBQFDw/IU+LUG5KFpTkYRApgRAJ9tRyzn4y3XMmhPRaI1JW4lBqQfuwCgmKgb
YkdrCe9pZis30mjxGPqOiWs=
=GYaZ
-----END PGP SIGNATURE-----