SANS NewsBites Vol. 8 Num. 21
From: The SANS Institute (NewsBites
sans.org)
Date: Tue Mar 14 2006 - 17:15:29 CST
No skill is more important to security professionals than their ability
to present security programs and projects so management will give its
support. Too often security presentations grasp defeat from the jaws of
victory. SANS has finally restarted the widely acclaimed training
program on how to give winning security presentations. It shows the
principal errors security presenters make and how to avoid them. The
program was restarted primarily for SANS Institute's Master of Science
degree candidates (http://www.sans.edu), but it will be presented as a
special bonus program for people who attend SANSFIRE in Washington DC
(http://www.sans.org/sansfire06), SANS London
(http://www.sans.org/london06), and SANS Security 2006 in San Diego
(http://www.sans.org/security06). All who register for a full track at
any of those conferences will be invited to attend the evening short
course on giving effective security presentations.
People in London may also attend this short course on March 31 without
registering for a SANS conference.
(http://www.sans.org/staysharp/details.php?id=1421)
Alan
*************************************************************************
SANS NewsBites March 14, 2006 Vol. 8, Num. 21
*************************************************************************
TOP OF THE NEWS
Maryland Legislators Unanimously Approve Bill Banning Use of Diebold
Voting Systems
Citibank Acknowledges ATM Network Penetrated
Chip and PIN Technology More Secure Than Magnetic Stripes; Could Have
Blocked Citibank Breach
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
Appeals Court Says Employee Who Deleted Data Violated Computer Fraud
and Abuse Act
SPYWARE, SPAM & PHISHING
Phishers Reportedly Using Chinese Bank's Server to Host Phony Sites
Data Mining Company Settles Suit With NY Attorney General
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Singapore Company First to be Charged Under New Copyright Law
Two Indicted for Piracy Under Family Entertainment and Copyright Act
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
McAfee Antivirus signature file falsely flags applications as malware
Flaws in GNU Privacy Guard
Microsoft March Security Update Includes Critical Microsoft Office
Fix
Windows Media Player Patches Pose Problems
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Stolen Data Does Not Belong to iBill
Attackers Used British Columbia Government System to Store
Unauthorized Content
MISCELLANEOUS
Researchers Release Proof-of-Concept Virtual Rootkit
*************************************************************************
Upcoming Security Training in Monterey, San Diego and Washington DC
Turbo charge your security career or the careers of any of your
coworkers this spring in San Diego in early May: a dozen of SANS' most
popular courses and a vendor exposition right on the harbor in San
Diego. http://www.sans.org/security06/
Or come to Washington in July, right after July 4, for the biggest
SANSFIRE ever: with all 17 SANS immersion tracks and more than a dozen
special courses, a big exposition, and an inside look at how the
Internet's Early Warning System (Internet Storm Center) actually works.
Bring your family for the national fireworks show.
http://www.sans.org/sansfire06
*************************************************************************
TOP OF THE NEWS
--Maryland Legislators Unanimously Approve Bill Banning Use of Diebold
Voting Systems
(10 March 2006)
Maryland's House of Delegates last week voted unanimously to prohibit
election officials from using AccuVote-TSx touch-screen systems in 2006
primary and general elections. The system in question is made by
Diebold Election Systems Inc. The reason given is that the systems do
not provide a verifiable paper trail.
http://www.computerworld.com/printthis/2006/0,4814,109436,00.html
[Editor's Note (Schultz): So Diebold has suffered yet another defeat. I
wonder how many more defeats of this nature this company will be willing
to accept until it finally changes its ways. Until recently Diebold has
done reasonably well despite coming under fire from critics saying its
voting machine security is not up to par. Now the tide is changing.]
--Citibank Acknowledges ATM Network Penetrated
(10 March 2006)
Citibank acknowledged last week that attackers infiltrated its ATM
network in Canada, Russia and the United Kingdom, and stole a block of
PINs (personal identification numbers). Sophisticated hackers use the
PINs to create counterfeit cards and steal money.
http://www.silicon.com/financialservices/0,3800010322,39157105,00.htm
--Chip and PIN Technology More Secure Than Magnetic Stripes; Could Have
Blocked Citibank Breach
(10/8/7 March 2006)
According to Gartner research director Avivah Litan, the use of chip and
PIN technology could have prevented the recently disclosed Citibank ATM
network breach in Canada, Russia and the UK; the cards in question have
sensitive data stored in magnetic stripes. Citibank acknowledged last
week that attackers managed to infiltrate the ATM network and steal a
block of PINs (personal identification numbers). Chip cards are more
difficult to replicate than magnetic stripe cards. In a separate story,
the UK's Association of Payment and Clearing Services (APACS) has
released statistics showing that in 2005, the year Chip and PIN
technology debuted, card fraud fell by 13 percent in the UK.
http://www.silicon.com/financialservices/0,3800010322,39157105,00.htm
http://www.techworld.com/security/news/index.cfm?NewsID=5526
http://www.apacs.org.uk/media_centre/press/06_03_07.html
THE REST OF THE WEEK'S NEWS
ARRESTS, CONVICTIONS AND SENTENCES
--Appeals Court Says Employee Who Deleted Data Violated Computer Fraud
and Abuse Act
(11/10 March 2006)
A recent ruling from the US Court of Appeals for the Seventh Circuit
says that an employee who deleted files from a laptop computer he was
issued before returning it to his employer violated the Computer Fraud
and Abuse Act. Jacob Citrin's former employer, International Airport
Centers (IAC), sued him when they discovered the hard disk on the laptop
he returned to them had been "erased with a deletion program." The
company alleges Citrin began doing personal business while still
employed with them and they hoped to find incriminating evidence on his
laptop. A lower court initially threw out the case against Citrin, but
the appeals court said he had violated CFAA by using a secure delete
program. The court also found that Citrin "effectively terminated his
employment not when he turned in the laptop, but when he started doing
personal business while still ... employed at IAC." Citrin maintains
"his employment contract authorized him to 'return or destroy' the data
in the laptop, but the court said that he ceased to be protected by that
contract when he started doing his own work."
http://www.tgdaily.com/2006/03/11/deletingfiles_appealscourt_citrin_reversed/
http://news.com.com/2102-1030_3-6048449.html?tag=st.util.print
http://www.groklaw.net/pdf/CitrinPosnerOrder.pdf
http://www.ca7.uscourts.gov/tmp/R60ZGH1H.pdf
[Editor's Note (Shpantzer): Typically these clauses are written to
maintain confidentiality of the data, not to preserve it, since that's
what backups are for. It seems that the backups were also deleted.
(p.7 of complaint http://www.groklaw.net/pdf/CitrinComplaint.pdf ) See
Groklaw's coverage on this case; she will be following developments.
http://www.groklaw.net/article.php?story=2006031107414764 ]
SPYWARE, SPAM & PHISHING
--Phishers Reportedly Using Chinese Bank's Server to Host Phony Sites
(13/12 March 2006)
According to Netcraft, phishing web sites purporting to belong to eBay
and the US's Chase Bank are being hosted on a server that belongs to the
Shanghai branch of China Construction Bank Corp. The data gathered by
the phony Chase bank site are being sent to a server in India.
http://www.computerworld.com/printthis/2006/0,4814,109500,00.html
http://news.netcraft.com/archives/2006/03/12/chinese_banks_server_used_in_phishing_attacks_on_us_banks.html
--Data Mining Company Settles Suit With NY Attorney General
(13 March 2006)
Datran Media has settled a lawsuit with the New York State Attorney
General's office. The lawsuit alleged Datran mined the data from
companies that gathered the information in exchange for chances to win
items like iPods. Datran allegedly knew of the companies' pledges not
to share the private information with others, yet violated that
agreement by spamming about six million email addresses with unsolicited
commercial offers. The terms of the agreement dictate that Datran cease
using improperly obtained email addresses, destroy those it does have
and not buy new lists without first checking to see if the data have use
restrictions. Datran will also pay the state of New York US$1.1
million.
http://www.theregister.co.uk/2006/03/13/datran/print.html
http://www.msnbc.msn.com/id/11808172/
http://www.ecommercetimes.com/story/XayOJp5EX2jYTs/Spitzer-Settles-With-E-Mail-Marketer.xhtml
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--Singapore Company First to be Charged Under New Copyright Law
(10 March 2006)
Acting on a tip from the Business Software Alliance (BSA), authorities
in Singapore have charged a company under the country's recently revised
copyright laws. PDM International faces charges for allegedly using
more than US$30,000 worth of unlicensed software. Police seized eight
desktops, three laptops and five CD-ROMs following a raid in September
2005. Singapore's Copyright Act fines offenders up to S$20,000
(US$12,310) and provides for a sentence of up to six months in prison.
http://www.zdnetasia.com/news/business/printfriendly.htm?AT=39342567-39000003c
--Two Indicted for Piracy Under Family Entertainment and Copyright Act
(10 March 2006)
Two men have been indicted for piracy under the Family Entertainment and
Copyright Act (FECA) law. Robert Thomas of Milwaukee, WI, and Jared
Bowser, of Jacksonville, FL, allegedly made available portions of a Ryan
Adams album on a web site popular with Adams' fans prior to the album's
official release. Thomas and Bowser are the first people believed to
be charged under FECA's prerelease provision. If convicted, each man
faces up to 11 years in prison.
http://today.reuters.co.uk/news/newsArticle.aspx?type=internetNews&storyID=2006-03-10T085733Z_01_N10240531_RTRIDST_0_OUKIN-UK-PIRACY.XML&archived=False
http://www.govtrack.us/congress/billtext.xpd?bill=s109-167
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Flaws in GNU Privacy Guard
(10 March 2006)
Two flaws in GNU Privacy Guard (also known as GnuPG or GPG) could be
exploited to insert data into digitally signed messages and forge
digital signatures. The software ships with several open-source
operating systems. While there have been no reported attacks using these
holes, users are advised to apply fixes as soon as they are available.
The GnuPG team has made fixes available for the flaws; other groups
whose products contain the software have issued updates as well.
http://news.com.com/2102-1002_3-6048612.html?tag=st.util.print
--Microsoft March Security Update Includes Critical Microsoft Office Fix
(9 March 2006)
In Microsoft's monthly security update two security bulletins will
describe fixes; one addresses a "critical" flaw in Microsoft Office.
The second bulletin will address flaws in Windows and has an "important"
rating. Microsoft will release the bulletins on Tuesday, March 14 along
with an updated version of Windows' malicious software removal tool and
one non-security, high-priority update.
http://www.eweek.com/print_article2/0,1217,a=173209,00.asp
http://www.microsoft.com/technet/security/bulletin/advance.mspx
--Windows Media Player Patches Pose Problems
(9 March 2006)
Microsoft has issued an advisory warning that three previously released
patches for Windows Media Player 10 can be problematic. WMP users who
have installed the patches may experience trouble seeking, rewinding and
fast-forwarding files. One of the patches was released in February in
MS06-005 and was deemed a "critical" fix. The other two patches in
question were released in October 2005. Microsoft suggests two
workarounds.
http://www.computerworld.com/printthis/2006/0,4814,109366,00.html
http://support.microsoft.com/kb/912226/en-us
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
--Stolen Data Does Not Belong to iBill
(9 March 2006)
iBill says that large quantities of stolen customer data linked to the
on-line payment company are in fact not theirs. One of the data files
contains information about 17 million customer records and was
discovered on a website purportedly used by phishers. Another group of
data, containing information on just over one million people, was found
on a spamming web site. iBill President Gary Spaniak Jr. says that when
his company cross-referenced the database containing 17 million people's
information with its own customer database, just three email addresses
matched. iBill does a large part of its business with adult services;
an individual who had originally linked the large database with iBill
now says that perhaps it was deliberately mislabeled by a data thief
because databases of adult services transactions are particularly
sought-after by spammers. No one claims to know the stolen data's
origins.
http://www.wired.com/news/technology/1,70380-0.html
--Attackers Used British Columbia Government System to Store
Unauthorized Content
(8 March 2006)
British Columbia's government computer system has been infiltrated and
used to store movies and unauthorized software. At least 78 computers
were involved, according to New Democratic Party leader Mike Farnsworth.
The attack apparently came through a Dutch service provider. The
attackers appeared to be seeking space to store their illegal files, not
to steal data.
http://www.canada.com/vancouversun/news/story.html?id=20b74870-ceb9-4723-a6ee-cf55548e2001&k=21513
MISCELLANEOUS
--Researchers Release Proof-of-Concept Virtual Rootkit
(13/10 March 2006)
Researchers have created proof-of-concept code to demonstrate how to
hide rootkit software in virtual machine environments. The
proof-of-concept rootkit, called SubVirt, takes advantage of known
vulnerabilities and places a virtual machine monitor (VMM) underneath
Windows or Linux installations. SubVirt is undetectable because
security software does not have access to its state.
http://www.eweek.com/print_article2/0,1217,a=173285,00.asp
http://www.theregister.co.uk/2006/03/13/virtual_rootkit/print.html
===end===
NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/