SANS NewsBites Vol. 8 Num. 7
From: The SANS Institute (NewsBites sans.org)
Date: Tue Jan 24 2006 - 13:57:38 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Flash Report:
SANS Internet Storm Center has found that more than 500,000 personal
computers have been infected by the 'Grew' worm (it goes by a number of
different names, e.g. 'Nyxem'). On February 3rd, it will delete all
documents (Word, Excel and a number of others). Make sure your mom and
your kids (and everyone else who may call you when they lose data)
update their AV signatures and run a full scan. "Update now or all your
files may get lost." A special Storm Center website on the problem:
http://isc.sans.org/blackworm
This site will be updated as more information is discovered.
Alan
*************************************************************************
SANS NewsBites January 24, 2006 Vol. 8, Num. 7
*************************************************************************
TOP OF THE NEWS
FBI Study Pegs Cyber Crime Losses at $67 Billion
Online Banking Fraud Tripled in UK; Banks Asked To Improve Security
Google Refusing to Comply with Government Request for Search Data
Lawsuits Have Not Put a Dent in Illegal Downloading
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Eight Arrested in Connection with Phishing Ring
Guilty Plea in Botnet Case
SPYWARE, SPAM & PHISHING
Center for Democracy and Technology Files Adware Complaints with FTC
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Heap Overflow in KDE Desktop Environment
Nyxem Worm Aims to Overwrite Files
Symbian Trojans Detected
ATTACKS & INTRUSIONS & DATA THEFT
E*Trade Will Cover On-Line Fraud Costs for Customers
************************* Sponsored by Permeo ***************************
New security ebook on Information Theft Prevention
In The Definitive Guide to Information Theft Prevention, security author
Dan Sullivan provides advice on information protection and privacy
regulations; how to tackle threats from unmanaged devices; how to secure
managed devices; and how to leverage new security technologies. This
guide also discusses risk management, incident responses and emerging
best practices around information security.
Download Chapter 1 now! http://www.sans.org/info.php?id=996
*************************************************************************
Security Training Opportunities in the Next Four Weeks
SANS 2006 in Orlando (Feb 24- March 4) 36 tracks of extraordinary
training - the best instructors in the world, and a great security tools
exposition. Lots of people are bringing their families to Orlando to
join them at the end of the program.
Plus: San Francisco, Phoenix, St. Louis, Brisbane, Tokyo, Ottawa
Or you can take SANS training anytime, anywhere with the new SANS On Demand.
Details on these and other programs: www.sans.org
*************************************************************************
TOP OF THE NEWS
--FBI Study Pegs Cyber Crime Losses at $67 Billion
(19 January 2006)
An FBI study of 2,066 firms found that 90% had experienced cyber crime
events and 64% had experienced financial losses from such events. Worms
and viruses caused the most damage despite defenses most organizations
had put in place. Average losses were $24,000.
http://news.com.com/2100-7349_3-6028946.html
--Bank Fraud Tripled in UK and Banks Asked To Improve Security
(23 January 2006)
The Financial Services Authority (FSA) in the United Kingdom has called
on banks to increase security measures to protect customer accounts. FSA
reports that online bank fraud tripled in the first half of 2005 compared
with the same period in 2004. Lloyds issued 30,000 security devices to
customers in a pilot project.
http://news.bbc.co.uk/2/hi/business/4637226.stm
--Google Refusing to Comply with Government Request for Search Data
(23/20/19 January 2006)
Google is resisting government requests for data on its search engine
usage. The two requests the government has made are for a random sample
of 1 million web site addresses in its search engine index and for the
text of all queries made on the search engine during a specific week.
The government maintains it needs the records from Google to prepare its
defense in a lawsuit brought by the American Civil Liberties Union. The
lawsuit challenges the Child Online Protection Act (COPA) on the grounds
that it violates the First Amendment. The government wants the
information to help support its claim that COPA is stronger than
Internet content filtering in efforts to prevent minors from accessing
pornographic Internet content. Google believes the government's demand
for information is overreaching. Other search engine operators,
including Microsoft's MSN and Yahoo, have complied with the government's
request for search data. Both say no personal information was revealed.
http://www.infoworld.com/article/06/01/19/74616_HNgoogle_1.html
http://www.computerworld.com.au/index.php/id;514585818;fp;16;fpid;0
http://www.eweek.com/print_article2/0,1217,a=169742,00.asp
http://technology.timesonline.co.uk/article/0,,20411-2002169,00.html
[Editor's Note (Grefer): People concerned about having their
originating IP address revealed might consider services of an
anonymizing proxy server and/or network, such as "tor" - The Onion
Router. Expect slower response time using an anonymizing service. See
http://tor.eff.org/]
--Lawsuits Have Not Put a Dent in Illegal Downloading
(20 January 2006)
The International Federation of the Phonographic Industries (IFPI) says
that despite thousands of legal cases regarding illegal file sharing
being brought to the courts, "the level of file sharing has remained the
same for two years." Although IFPI chairman John Kennedy sees the fact
that piracy has not increased as a victory of sorts, he also believes
that the number of court cases brought against illegal file sharers
needs to increase in order to reduce the level of piracy.
http://news.bbc.co.uk/2/hi/entertainment/4627368.stm
[Editor's Note (Schultz): Although perhaps lawsuits have not suppressed
illegal downloading so far, I believe that if the entertainment industry
keeps initiating court cases, sooner or later the user community will
get the message that illegal downloading produces undesirable
consequences. At the same time, however, the entertainment industry
needs to also keep pursuing other approaches (such as it has). It needs
to continue putting pressure on organizations that develop and
distribute peer-to-peer file sharing programs as well as to develop
built-in copyright protection mechanisms, provided of course that these
mechanisms are not like the draconian one that Sony recently tried.]
********************* Sponsored Links: **********************************
1) Free webcast: Stop network attacks with intrusion prevention system.
Featuring Gartner and a customer.
http://www.sans.org/info.php?id=997
2) " Top 10 Database Vulnerabilities" whitepaper - What they are, how
they work & how to stop them.
http://www.sans.org/info.php?id=998
3) ALERT: YOU vs Sober/Zotob/Bagle Variants? Is Your Internal Network
Safe? Download FREE White Paper "Zotob: Zero-Hour Detection and
Response"
http://www.sans.org/info.php?id=999
*************************************************************************
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
--Eight Arrested in Connection with Phishing Ring
(23 January 2006)
Eight people have been arrested in Bulgaria on charges they are involved
with a group responsible for sending a phishing email. The group
allegedly operated a number of phony Microsoft web sites; the phony
email was sent with addresses spoofed to appear that they came from
Microsoft billing account management. Recipients were asked to divulge credit
card information that ring members allegedly used to buy goods and make
wire transfers.
http://www.techweb.com/wire/177102753
[Editor's Note (Kreitner): It's refreshing to see an organization take
responsibility on its own initiative to be accountable for the
well-being of its customers, just because it's the right thing to do,
instead of avoiding accountability by hiding behind a heap of disclaimer
language.
(Schultz): E*Trade has done the right thing. Unless users have been
negligent in some way (e.g., by giving up their login credentials to
others), financial institutions and brokerages should reimburse
customers who are victimized by online fraud. South Korea recently
passed a law with these provisions; it is now time for other countries
such as the US and UK to do the same.
(Honan): This positive and proactive step from E*Trade demonstrates how
information security can be used as a competitive advantage rather than
a hindrance.]
--Guilty Plea in Botnet Case
(23 January 2006)
Jeanson James Ancheta has pleaded guilty in Los Angeles federal court
to charges stemming from having taken control of hundreds of thousands
of computers, establishing a zombie network and offering the use of its
services to send spam and launch distributed denial of service (DDoS)
attacks for a fee. A plea agreement in the case, which has not yet
received a judge's approval, would give Ancheta a prison sentence of
four to six years, have him forfeit US$58,000 in profit and a BMW and
pay US$19,000 in restitution. Sentencing is scheduled for May 1.
http://www.msnbc.msn.com/id/10993580/
SPYWARE, SPAM & PHISHING
--Center for Democracy and Technology Files Adware Complaints with FTC
(23 January 2006)
The Center for Democracy and Technology (CDT) has filed two complaints
with the Federal Trade Commission (FTC) against 180solutions, a
web-based marketer CDT claims is tricking people into downloading
adware. The complaints accuse 180solutions of unfair and deceptive
business practices. CDT deputy director Ari Schwartz says "there are
many cases where there is no notice and consent [to download the adware
and] there are others where there is deceptive notice and consent."
http://www.computerworld.com/printthis/2006/0,4814,107983,00.html
http://blogs.washingtonpost.com/securityfix/2006/01/ftc_urged_to_su.html
Links to the text of the complaints available on the CDT website:
http://www.cdt.org/
[Editor's Note: A previous SANS NewsBites item stated that 180solutions
has sued F-Secure because F-Secure labels 180solutions' software as
spyware.
(Shpantzer): Ben Edelman's meticulous research on adware and the
mechanics of affiliate marketing is a great resource for people who want
to understand this complicated issue. 180solutions is covered on
Edelman's site here: http://www.benedelman.org/news/010906-1.html]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Heap Overflow in KDE Desktop Environment
(23 January 2006)
A heap-based buffer overflow vulnerability in the KDE desktop
environment could be exploited to crash programs that use kjs, a
JavaScript interpreter used in the Konqueror browser and "other parts
of KDE." The flaw affects versions 3.2.0 to 3.5.0 of kjs. Fixes are
available from various vendors; KDE released a patch last week.
http://www.techworld.com/security/news/index.cfm?RSS&NewsID=5217
KDE Advisory: http://www.kde.org/info/security/advisory-20060119-1.txt
--Nyxem Worm Aims to Overwrite Files
(22/20/19 January 2006)
The Nyxem worm, also known as the Kama Sutra worm, carries a malicious
payload that corrupts a wide variety of Microsoft documents. Nyxem
arrives as an attachment and tries to delete security software. It also
contains code that overwrites data in a wide variety of files.
http://www.techweb.com/wire/177102371
http://www.theregister.co.uk/2006/01/19/kama_sutra_worm/print.html
http://blogs.washingtonpost.com/securityfix/2006/01/kama_sutra_worm.html
--Symbian Trojans Detected
(23/20 January 2006)
A handful of Trojans that infect Symbian-based smart phone devices have
been identified since the first of the year. The Sendtool Trojan places
a tool on infected devices that can be used to send other malware to
more devices via Bluetooth. The Pbstealer Trojan sends personal data
from address books, calendars and task lists on infected devices to
other Bluetooth-enabled devices. The Cdropper Trojan tries to install
variants of the Cabir and Locknut viruses on infected devices. The
Booton Trojan reportedly places corrupted components on phones it
infects which makes it harder to restart the phone.
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39234230-2000061744t-10000005c
http://www.eweek.com/print_article2/0,1217,a=169727,00.asp
[Editor's Note (Shpantzer): It's bad enough to have your smartphone
infected (potentially making the phone an eavesdropping device, etc.).
My main concern is that the infection can spread to the rest of the
corporate network from the inside, once the phone is synced with the
PC.]
ATTACKS & INTRUSIONS & DATA THEFT
--E*Trade Will Cover On-Line Fraud Costs for Customers
(18 January 2006)
E*Trade says it will reimburse its customers if they are victimized by
online fraud. In general, online brokerages place the responsibility
for security squarely on the shoulders of the investors. The Securities
and Exchange Commission has not issued guidelines for investment firms
regarding data security; last year the Federal Financial Institutions
Examination Council set data security guidelines for banks.
http://news.com.com/2102-1029_3-6028006.html?tag=st.util.print
===end===
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
iD8DBQFD1n8h+LUG5KFpTkYRAjAfAJ93zYkaapQVjIeTYruFcsUNj1Ew+wCeJhOm
KxVJv/EVEPN/sPDGqrtEs98=
=a7gn
-----END PGP SIGNATURE-----