SANS NewsBites Vol. 8 Num. 20

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Mar 10 2006 - 13:10:57 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*************************************************************************
SANS NewsBites March 10, 2006 Vol. 8, Num. 20
*************************************************************************

TOP OF THE NEWS
  Chinese Cyber Invaders May be After Defense Logistics
  Security Companies Join Forces to Close Trojan-Related Sites

THE REST OF THE WEEK'S NEWS
  STATISTICS, STUDIES & SURVEYS
    Survey: Operational Incidents and Staffing Issues Top CIOs' List of
       Concerns
    Security and Privacy Top Federal CIOs' List of IT Concerns
  SPYWARE, SPAM & PHISHING
    Attackers Sidestepping Phishing Site Closures
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
    Apple Patch Has Limitations
  ATTACKS & INTRUSIONS & DATA THEFT & LOSS
    Debit Card Fraud May be Linked to OfficeMax-Related Breach
    Citibank Takes Steps to Stanch Fraudulent Cash Withdrawals
  MISCELLANEOUS
    Google Settles Fraudulent Clicks Suit
    Oxford Shops Test Pilot Fingerprint Payment System
    Microsoft Says it Did Not Provide Info Leading to Chinese Web
       Journalist's Arrest
    Lloyds TSB Pleased with Two-Factor Authentication Trial

************************* Sponsored by CipherTrust **********************
Do you have PC zombies in your network? Protect yourself - get a
free evaluation using CipherTrust RADAR - Inside.
http://www.sans.org/info.php?id=1060
*************************************************************************

*************************************************************************
Upcoming Security Training in Monterey, San Diego and Washington DC

Turbo charge your security career or the careers of any of your
coworkers this spring in San Diego in early May: a dozen of SANS' most
popular courses and a vendor exposition right on the harbor in San
Diego. http://www.sans.org/security06/
Or come to Washington in July, right after July 4, for the biggest SANS
Fire ever: all 17 SANS immersion tracks and more than a dozen
special courses, a big exposition, and an inside look at how the
Internet's Early Warning System (Internet Storm Center) actually works.
Bring your family for the national fireworks show.
http://www.sans.org/sansfire06

*************************************************************************

TOP OF THE NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
 --Chinese Cyber Invaders May be After Defense Logistics
(1 March 2006)
China may be funding intrusions into US Defense Department computer
systems to ferret out logistical data. Former Air Force CIO John
Gilligan says that the Defense Department's unclassified network, the
Nonsecure Internet Protocol Router Network (NIPRNet), holds a great deal
of defense logistical data. (Gilligan is now the deputy director of SRA
International's defense sector.) James Mulvenon, director of Defense
Group Inc.'s Center for Intelligence Research and Analysis, says cyber
attackers are "burrowing into really boring logistics networks"
indicating they have support from a foreign state. NIPRNet is not a
classified network; classified networks are expensive and do not allow
easy communication with the "outside world." Michael O'Hanlon, senior
fellow in foreign policy studies at the Brookings Institution, says "If
there's any good news here, it's that computers are getting attacked all
the time." In other words, network security should improve as attacks
are recognized and holes are repaired.
http://www.govexec.com/story_page.cfm?articleid=33530&printerfriendlyVers=1&
[Editor's Note (Ranum): Many "old school" practitioners have pointed out
for years that "sensitive but unclassified" networks wind up carrying
data that, in the aggregate, is often more interesting than classified
data. The fact that this particular turkey is coming home to roost is
no cause for amusement, however. The DOD persists in treating
information security like a game for amateurs; it is not.]

 --Security Companies Join Forces to Close Trojan-Related Sites
(8 March 2006)
RSA Security and Panda Software have teamed up to shut down web sites
related to Trojan horse programs designed to help users steal sensitive
data that could be used to commit identity fraud. Of the five sites the
companies have shut down thus far, three sold the programs and two
allowed the programs' users to monitor the spread of the malware. The
Trojans would send the purloined data back to the attackers.
http://www.informationweek.com/security/showArticle.jhtml?articleID=181502074&subSection=Viruses+and+Patches

************************* Sponsored Links: ******************************

1) ALERT: PENETRATION TEST your Web Applications for FREE!-
WebInspect Trial Offer
http://www.sans.org/info.php?id=1061

2) SANS OnSite InfoSec Training
Your Location! Your Schedule! Lower Cost!
http://www.sans.org/info.php?id=1062

3) Two Free Webcasts Next Week - WhatWorks in Intrusion Prevention
Tuesday, March 14 at 1:00 PM EST (1800 UTC/GMT)
http://www.sans.org/info.php?id=1063 and Internet Storm Center:
"Threat Update" Wednesday, March 15 at 1:00 PM EST (1800 UTC/GMT)
http://www.sans.org/info.php?id=1064

*************************************************************************

THE REST OF THE WEEK'S NEWS

STATISTICS, STUDIES & SURVEYS
 --Survey: Operational Incidents and Staffing Issues Top CIOs' List of Concerns
(9 March 2006)
[Reader beware: This story, as you'll see from John Pescatore's note
below, mischaracterizes the study.]
The IT Governance Institute's (ITGI) IT Governance Global Status Report
2006 found the most pressing IT concerns among chief executives and
chief information officers (CIOs) are operational incidents and staffing
issues; security and compliance were at the bottom of the list. This
may be due to the fact that companies have been deploying technologies
to ensure compliance with Sarbanes-Oxley and other regulations. The
nearly 700 respondents represent 22 countries.
http://www.vnunet.com/vnunet/news/2151619/security-problem-managers
http://www.itgi.org/
[Editor's Note (Pescatore): This paragraph misstates the survey. When
asked what is the most important problem to address in the next 12
months, the number one response was security - and security made the top
three when CIOs ranked their problems by severity. It was only when
asked about the past 12 months' problems that security was at the bottom
on the list. It is good to see compliance dropping down the list - it
was *lowest* rated by CIOs in importance of addressing the problem. Good
to see the recognition by CIOs that compliance does not equate to
security.
(Paller) What is depressing about the journalist's mischaracterization
of the study is that the IT Governance Institute's own executive summary
of its study got it wrong, too.]

 --Security and Privacy Top Federal CIOs' List of IT Concerns
(7 March 2006)
The IT Association of America's 16th Annual Federal CIO Survey found
that federal CIOs rate IT security and privacy as their most pressing
concerns. Though they believe they have made progress in these areas,
they also say protecting information and allowing people access to that
information is a stressful balancing act that consumes their budgets.
ITAA interviewed 36 CIOs and assistant CIOs and three government
oversight officials during the last five months of 2005.
http://www.fcw.com/article92517-03-07-06-Web
http://www.public-cio.com/newsStory.php?id=2006.03.08-98692
http://www.itaa.org/govt/docs/cio_survey.pdf
[Editor's Note (Pescatore): A stressful balance, sure. But "consumes
their budgets"? Federal agencies spend (on average) a lower percentage
of their IT budgets on security than the typical private sector
business.]

SPYWARE, SPAM & PHISHING
 --Attackers Sidestepping Phishing Site Closures
(8 March 2006)
Phishers have begun using a new technique to ensure a higher rate of
victims reaching fraudulently constructed web sites. Because
anti-phishing vendors are taking more aggressive steps to close phishing
sites, some phishing email now directs recipients to one IP address that
hosts a "smart redirector" that checks to see which web sites are still
live before deciding where to send the intended victim. Smart
redirector attacks have been detected at two banks.
http://www.theregister.co.uk/2006/03/08/smart_redirect_phish_attack/print.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Apple Patch Has Limitations
(7 March 2006)
Apple's recently released security update for Mac OS X does not
adequately address a serious flaw that allows malicious code execution.
While Apple has added a function to Safari, Apple Mail and iChat that
informs users that downloads could be malicious, attackers could still
create malicious files that appear to be safe. Rather than addressing
the flaw head on, the fix acts as a checkpoint. The warning does not
appear for users who have disabled the "open safe files after
downloading" option, nor does it appear in applications other than those
listed above.
http://news.com.com/2102-1002_3-6046588.html?tag=st.util.print

ATTACKS & INTRUSIONS & DATA THEFT & LOSS
 --Debit Card Fraud May be Linked to OfficeMax-Related Breach
(8 March 2006)
Investigators say that debit card fraud affecting members of credit
unions in Leominster and Fitchburg, Massachusetts may have been linked
to a security breach related to OfficeMax; all affected customers had
used Visa debit cards at OfficeMax. Fraudulent account withdrawals have
been made in Spain, Turkey, Greece, Switzerland, the UK, as well as in
the US and Canada, suggesting that the information is being sold on the
Internet. The thieves used cloned debit cards constructed with the use
of stolen PIN numbers, either from OfficeMax or from a transaction
processor. An OfficeMax spokesperson said there is no evidence of a
security breach of their network.
http://www.eweek.com/print_article2/0,1217,a=173073,00.asp
[Editors' Note (Schultz, Honan, Paller): When a company claims "no
evidence of a security breach," one should ask three questions:
1) whether an adequate level of system logging was turned on and
inspected regularly, 2) whether adequate intrusion detection measures
were in place, and 3) whether the "no evidence" verdict was
independently verified by a technical expert.
(Weatherford): One of the more important pieces of information in this
article may be the fact that debit card accounts are less well-protected
by anti-fraud technology than traditional credit card accounts. This
might be an issue the banking industry should be addressing.]

 --Citibank Takes Steps to Stanch Fraudulent Cash Withdrawals
(7 March 2006)
Citibank has reissued "an unspecified number of credit and debit cards"
and "blocked PIN-based transactions of Citi-branded MasterCard cards in
the UK, Russia and Canada" due to a rash of fraudulent ATM withdrawals
in those three countries. Citigroup says the cards may have been
"compromised following an unspecified breach of its network."
http://www.channelregister.co.uk/2006/03/07/citibank/print.html
http://www.theage.com.au/news/breaking/fraudsters-target-citibank/2006/03/07/1141493649374.html
http://www.networkworld.com/news/2006/030706-citibank-network-breach.html

MISCELLANEOUS
 --Google Settles Fraudulent Clicks Suit
(9/8 March 2006)
Google will pay as much as US$90 million to settle a lawsuit brought by
advertisers who allege the company overcharged them for phony sales
referrals generated by "click fraud." The settlement applies to all
companies that advertised on Google over the past four years. Google
has offered to provide the companies with credit for the fraudulent
clicks since 2002. Google will also pay legal costs. The court has not
yet approved the settlement, however.
http://www.theage.com.au/news/breaking/google-to-settle-click-fraud-case/2006/03/09/1141701611014.html
http://news.com.com/2102-1030_3-6047717.html?tag=st.util.print
http://internetweek.cmp.com/showArticle.jhtml?articleID=181502179
[Editor's Note (Pescatore): The entire area of clickstream data and
search string data used to set advertising rates is wide open to
Internet-based fraud. In the TV and publication world, the companies
selling advertising space have to pay into services that verify
circulation or viewership numbers used to determine advertising prices.
Companies selling Internet ads need to invest in similar assurance that
the clickers or searchers are real people, not automated bots.
(Northcutt): Hmmm, according to The Age, Click Fraud is when users click
on links when they have no intention of buying. I hope this does not
lead to browser hard sell, where you click on a link and a dialog box
pops up asking if you are prepared to buy *right now*.]

 --Oxford Shops Test Pilot Fingerprint Payment System
(8 March 2006)
Three branches of the Co-op in Oxford, UK, are running a trial biometric
fingerprint payment system. The free service is reportedly a response
to shoppers' worries about having to remember PIN numbers. The pilot
is scheduled to run for 16 weeks; customers will be asked to provide
feedback to help the store decide if the system will become permanent.
http://software.silicon.com/security/0,39024655,39157057,00.htm

 --Microsoft Says it Did Not Provide Info Leading to Chinese Web Journalist's Arrest
(8/7 March 2006)
A Microsoft spokesperson said the company did not provide Chinese
authorities with information leading to the arrest of journalist Li
Yuanlong, who was charged in February with incitement to subversion for
posting articles on a website. Li apparently used a Hotmail account to
post his articles anonymously.
http://www.computerworld.com/printthis/2006/0,4814,109335,00.html
http://www.theregister.co.uk/2006/03/07/ms_cyberdissident_denial/print.html
http://www.theage.com.au/news/breaking/chinese-hotmail-user-charged-with-subversion/2006/03/07/1141493650111.html

 --Lloyds TSB Pleased with Two-Factor Authentication Trial
(6 March 2006)
A five-month trial of two-factor authentication technology at Lloyds TSB
has proven successful; none of the 23,500 participating customers
experienced online banking fraud. Seventy percent of the customers
using the keychain-sized device rated it "very good" or "excellent."
The device generates a one-time password.
http://www.vnunet.com/computing/news/2151425/lloyds-tsb-trial-wipes-online
[Editor's Note (Weatherford): I'm not sure that quoting "a lack of
on-line banking fraud by 23,500 customers" is the right metric to
measure success because it almost sounds like they expected a certain
amount of fraud. However, if this pilot convinces people that
two-factor authentication is worth the effort and expense, it may help
move industry in the right direction.]

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEEcU1+LUG5KFpTkYRAu7ZAJ4vJgjcX8BH7QiYsS8ucvvUPVud6gCgkY1/
pFm4UpYvwSs5A6+cxoDOZkU=
=8uZR
-----END PGP SIGNATURE-----