SANS NewsBites Vol. 8 Num. 26

From: The SANS Institute (NewsBites@sans.org)
Date: Fri Mar 31 2006 - 10:35:35 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*************************************************************************
SANS NewsBites March 31, 2006 Vol. 8, Num. 26
*************************************************************************

TOP OF THE NEWS

ARRESTS, CONVICTIONS AND SENTENCES
  Twenty-one Arrested in On-Line Cyber Crime Crackdown
  GAO Report: NIAP Testing and Accreditation Program Problematic
  Phishers Take New Tack With Three Florida Banks
  DDoS Attacks Target DNS Servers

THE REST OF THE WEEK'S NEWS

POLICY & LEGISLATION
  Virginia Law Requires Schools to Teach Cyber Safety; NY School Debuts
     Cyber Security Education Program

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
  Bagle Variants Contain Rootkit
  Third-Party Companies Issue Workarounds for IE Flaw
  Attackers Lure Users to Malicious Web Site with Real News Story

ATTACKS & INTRUSIONS & DATA THEFT & LOSS
  Bank of New Zealand Suspends Cards in Wake of Skimming Attack
  Georgia State Pension Database Intruder Exploited Known Flaw
  Hong Kong Police Complaint Database Leak

STATISTICS, STUDIES & SURVEYS
  UK Dept. of Trade and Industry Biennial Survey

*************** Sponsored By Core Security Technologies **************

SANS WEBCAST: WhatWorks for Vulnerability Management, Auditing &
Penetration Testing

"Improving System Health with Care New England:" Regulatory compliance
coupled with numerous false positives produced by vulnerability
scanners, prompted Care New England to investigate solutions that would
give them a more accurate view of their network security. Learn how they
were able to cost-effectively manage vulnerabilities while improving
overall network security.

VIEW WEBCAST NOW: http://www.sans.org/info.php?id=1088

************************************************************************
SANS Training in San Diego, Munich, London and Washington DC

Turbo charge your security career or the careers of any of your
coworkers this spring in San Diego in early May: a dozen of SANS' most
popular courses and a vendor exposition right on the harbor.
http://www.sans.org/security06/
Or in London at the end of June: http://www.sans.org/london06
Or Munich in early April: http://www.sans.org/munich06
Or Washington in July right after July 4 for the biggest SANSFIRE ever:
with all 17 SANS immersion tracks and more than a dozen special courses,
a big exposition, and an inside look at how the Internet's Early Warning
System (Internet Storm Center) actually works Bring your family for the
national fireworks show.
http://www.sans.org/sansfire06
*************************************************************************

TOP OF THE NEWS

 --Twenty-one Arrested in On-Line Cyber Crime Crackdown
(29 March 2006)
Seven people in the US were arrested as part of Operation Rolling Stone,
which is targeting on-line criminal activity in the financial sector.
The seven join 14 others arrested in the US and the UK over the last
three months. The people are allegedly involved with on-line groups
that trade financial and other consumer data.
(Site requires free registration)
http://www.nytimes.com/2006/03/29/technology/29theft.html?_r=1&oref=slogin&pagewanted=print

 --GAO Report: NIAP Testing and Accreditation Program Problematic
(27 March 2006)
A report from the Government Accountability Office (GAO) says that the
National Information Assurance Partnership's (NIAP) independent
validation and accreditation of IT security products has proven helpful
in some areas but also has some serious shortcomings. NIAP is
responsible for implementing the Common Criteria Evaluation and
Validation Scheme; they provide laboratories with guidelines to conduct
the testing. While the program offers agencies guidance on what
products they may use, agencies have often found that the products they
need are not available. In addition, the number of people qualified to
validate products is falling, which means vendors will experience
greater lag times in hearing whether or not their products meet the
criteria. Finally, NIAP has not implemented any sort of system to
measure the program's effectiveness.
http://www.fcw.com/article92750-03-27-06-Web
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=40218
http://www.gao.gov/new.items/d06392.pdf
[Editor's Note (Pescatore): GAO could have saved a few dollars and just
reprinted the findings of several cybersecurity advisory panels back in
2003 and 2004. The NIST/NSA side has to allocate budget to reinvigorate
the development and validation of standard protection profiles. Even
more important, they have to require NIAP testing to put way more
emphasis on vulnerability testing of the overall software, not just
testing of security controls. ]

 --Phishers Take New Tack With Three Florida Banks
(29/27 March 2006)
Attackers broke into servers belonging to an Internet service provider
(ISP) that hosts web sites for three small Florida banks. They then
redirected traffic from those sites to a phony server designed to mimic
the real banking sites where they attempted to gather sensitive customer
account data. The attack is believed to be the first of its kind.
http://www.computerworld.com/printthis/2006/0,4814,110046,00.html
http://www.techweb.com/wire/security/184401079
http://news.netcraft.com/archives/2006/03/27/phishers_hack_bank_sites_redirect_customers.html

 --DDoS Attacks Target DNS Servers
(29/28/26 March 2006)
German domain name registrar Joker.com and Network Solutions both
experienced distributed denial-of-service (DDoS) attacks against Domain
Name System (DNS) servers in recent days. Attacks against DNS servers
are especially significant because of their potential to cause serious
service degradation and interfere with the availability of large numbers
of web sites.
Internet Storm Center: http://isc.sans.org/diary.php?storyid=1219
http://www.computerworld.com/printthis/2006/0,4814,109972,00.html
http://www.theregister.co.uk/2006/03/29/dns_ddos_attacks/print.html
http://news.netcraft.com/archives/2006/03/26/domain_registrar_joker_hit_by_ddos.html

************************ Sponsored Links: *****************************

1) SANS OnSite InfoSec Training
Your Location! Your Schedule! Lower Cost!
Receive a bonus seat for your OnSite Course (up to $4,750 value).
Simply complete the interest form today!
http://www.sans.org/info/1087

2) Security 508: System Forensics, Investigation & Response via
SANSHome starts April 19!
http://www.sans.org/athome/details.php?id=1404
Also Security 506: Securing Unix/Linux led by the SANS System Administrators
http://www.sans.org/athome/details.php?id=1431
See http://www.sans.org/athome/ for complete SANSHome listings.

*************************************************************************

THE REST OF THE WEEK'S NEWS

POLICY & LEGISLATION
 --Virginia Law Requires Schools to Teach Cyber Safety; NY School Debuts
    Cyber Security Education Program
(30/28 March 2006)
Under a new Virginia law, the state Department of Education must provide
schools with guidelines "for integrating Internet safety into their
regular instruction." In a separate story, Syracuse University and the
US Air Force Research Laboratory in Rome, NY are funding a cyber
security education program at an area private high school. Classes
taught in the program include "encryption and data protection, computer
networking and security, and ethical and legal concepts of cyber
defense."
(Site requires free registration)
http://www.washingtonpost.com/wp-dyn/content/article/2006/03/29/AR2006032900705_pf.html
http://www.dailyorange.com/home/index.cfm?event=displayArticlePrinterFriendly&uStory_id=b33d481c-a909-4eba-aae2-dda120e16b50

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Bagle Variants Contain Rootkit
(29 March 2006)
At least three new variants of the Bagle worm have been outfitted with
rootkits. The Bagle variants spread through email and try to download
files from a number of Internet addresses, many of which are in the .ru
domain. The Bagle variants try to disable security software. In
addition, a rootkit has been detected in Gurong.A, a new worm based on
code from Mydoom.
http://www.eweek.com/print_article2/0,1217,a=174601,00.asp
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1176494,00.html

 --Third-Party Companies Issue Workarounds for IE Flaw
(29/28 March 2006)
Two third-party companies have issued temporary workarounds to protect
Windows computers using Internet Explorer (IE) from being exploited
through the TextRange vulnerability that affects IE 6.0 and IE 5.01.
This is not the first time a third-party company has issued a workaround
to address a vulnerability that Microsoft has not yet patched; a
third-party patch for the WMF flaw was released in January. Users can
also protect themselves by disabling Active Scripting in IE. Microsoft
has not said when it plans to release a fix for the flaw; its next
security updates are scheduled for April 11.
Internet Storm Center: http://isc.sans.org/diary.php?storyid=1226
http://www.theregister.co.uk/2006/03/29/ie_patches_released/print.html
http://www.techworld.com/security/news/index.cfm?NewsID=5666
http://news.com.com/2102-1002_3-6055051.html?tag=st.util.print
[Editor's Note (Pescatore): My neighbor is a smart guy, and he designs
medical machinery. However, I'm pretty sure I won't be using his
homegrown remedy for bird flu. I'm also really sure I don't want my kids
to think it's OK to accept medicine from anywhere they find it. It is not
a good idea for enterprises or consumers to get in the habit of
accepting patches to software from anywhere other than the vendor of the
software. Use the time you'd spend undoing them to pressure software
vendors to reduce the time they spend talking about security and increase
the time they spend reducing security vulnerabilities before they ship
their products.]

 --Attackers Lure Users to Malicious Web Site with Real News Story
(30 March 2006)
One of the attacks exploiting the IE flaw (described elsewhere in this
NewsBites under the title "Third-Party Companies Issue Workarounds")
lures computer users to maliciously crafted web sites by enticing them
with bits of real BBC news stories and offering a "read more" link. The
spoofed site contains the rest of the story but also attempts to
download and install a keystroke logger on vulnerable computers with no
user interaction.
http://www.eweek.com/print_article2/0,1217,a=174708,00.asp

ATTACKS & INTRUSIONS & DATA THEFT & LOSS
 --Bank of New Zealand Suspends Cards in Wake of Skimming Attack
(30 March 2006)
The Bank of New Zealand (BNZ) has suspended 1,300 credit and debit cards
that were used at an automatic teller machine (ATM) where thieves
installed skimming technology. People also used the ATM for
transactions with about 700 cards from other banks. According to BNZ,
21 customers reported fraudulent transactions on their accounts totaling
NZD$20,000 (US$12,246); two ASB customers have reportedly lost a total
of between NZD$3,000 and $5,000 (US$1,836 and $3,062). BNZ and the
other banks plan to reimburse their customers for their losses.
http://www.nzherald.co.nz/section/story.cfm?c_id=5&ObjectID=10375158

 --Georgia State Pension Database Intruder Exploited Known Flaw
(30 March 2006)
A cyber intruder exploited an unpatched, known vulnerability in unnamed
software to gain access to a Georgia Technology Authority database. The
database contained information belonging to more than 570,000 people who
invested in the state's pension plans. The intrusion took place in late
February. A GTA spokesperson said they were in the process of fixing
the flaw when the intruder exploited it. GTA is informing the 180,000
people for whom it has contact information and hopes media attention and
other outreach efforts will alert those for whom it does not have
contact information.
http://www.computerworld.com/printthis/2006/0,4814,110094,00.html

 --Hong Kong Police Complaint Database Leak
(29/28 March 2006)
A database containing the personal details about people who have made
complaints about Hong Kong police was accidentally leaked to the
Internet. The exposed data include complaints made between 1996 and
2004. "The Independent Police Complaints Council is seeking legal
advice" regarding the security breach; there are apparently no penalty
clauses in the contracts with the contractor.
http://www.theregister.co.uk/2006/03/28/hk_data_leak_rumpus/print.html
http://www.news.gov.hk/en/category/lawandorder/060329/html/060329en08005.htm

STATISTICS, STUDIES & SURVEYS
 --UK Dept. of Trade and Industry Biennial Survey
(28 March 2006)
A survey conducted late last year by PricewaterhouseCoopers LLP on
behalf of the UK Department of Trade and Industry found that Internet
misuse ranks second behind viruses in accounting for security incidents
at large companies in the UK. The biennial survey compiled responses
from 1,000 UK companies. The number of companies with acceptable use
policies at companies of all sizes has grown significantly. Two years
ago, 43 percent of the companies had an acceptable use policy; this
year's survey found that figure to be 63 percent. Eighty-nine percent
of the large businesses surveyed this year had acceptable use policies
in place.
http://www.techworld.com/security/news/index.cfm?NewsID=5661
[Editor's Note (Honan): While policy development is an important step
it is equally important to ensure the policies are managed, monitored
and enforced.
(Pescatore): This is another survey where you have to read beyond the
headlines. So, acceptable use policies grew from 43% to 63%? Sounds
good, until you read that over the same period misuse of web surfing
grew from 8% to 17%. A 50% increase in telling users not to do
something and a 100% increase in them doing that same thing occurred
over the same period of time. Acceptable use policies are all well and
good - use URL blocking if you actually want to stop dangerous, illegal
or questionable surfing behavior.]

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
