SANS NewsBites Vol. 8 Num. 29

From: The SANS Institute (NewsBites@sans.org)
Date: Tue Apr 11 2006 - 12:59:37 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For the folks who asked for more information on web application
security, tune in to the webcast on Microsoft's five new patches as
well as web application security Wednesday (4/12) at 1 PM EDT.
http://www.sans.org/webcasts/show.php?webcastid=90620

*************************************************************************
SANS NewsBites April 11, 2006 Vol. 8, Num. 29
*************************************************************************

TOP OF THE NEWS
  FTC Reaches Settlement in California Spam Case
  Irish Bank First in Country to Offer 100% Secure Guarantee

THE REST OF THE WEEK'S NEWS
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
  Five Arrested in Huge DVD Piracy Scheme
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
  Proof-of-Concept Cross Platform Virus Infects Windows and Linux
  German Bank to Deploy Electronic Signatures to Thwart Phishers
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
  Everything You Ever Wanted to Know About Bots
  Progressive Data Exposure Underscores Insider Threat
STATISTICS, STUDIES & SURVEYS
  CISOs Reasons for Investing in IT Security Software
MISCELLANEOUS
  Domain Name Registrar Confident Flaw Did Not Compromise Customer Data
  Web Services' Flexibility Can Present Unintended Vulnerabilities

****** Sponsored By Blue Coat (formerly Permeo Technologies) **********

New security ebook on Information Theft Prevention

In The Definitive Guide to Information Theft Prevention, security author
Dan Sullivan provides advice on information protection and privacy
regulations; how to tackle threats from unmanaged devices; how to secure
managed devices; and how to leverage new security technologies. This
guide also discusses risk management, incident responses and emerging
best practices around information security. Download the eBook now!

http://www.sans.org/info.php?id=1100
*************************************************************************
LOW COST SANS TRAINING OPPORTUNITY

To help boost DoD and US government security, SANS is now arranging
on-site training for DoD and other government organizations that need
to prepare large numbers of people for 8570 compliance and don't want
to spend a lot of money for each student. Programs cover training for
any or all of the effective 8570 technical certifications. Minimum 100
students. Email info@sans.org with subject "8570" if you would like to
schedule a session at your facility.

If you don't have 100, but still need 8570 certification, use the same
email to ask for large group (more than 25) discounts at any of the
scheduled SANS conferences (www.sans.org). Onsite programs for smaller
groups are also available.

*************************************************************************

TOP OF THE NEWS

 --FTC Reaches Settlement in California Spam Case
(7 April 2006 and 10 April Updates)
The US Federal Trade Commission (FTC) along with California's Attorney
General has reached a settlement with companies and individuals involved
in a large spamming operation. Optin Global Inc., Vision Media Limited
Corp., Qing Kuang "Rick" Yang and Peonie Pui Ting Chen have been barred
from further violations of US anti-spam laws. They have been ordered
to forfeit profits of approximately US$475,000 and are also required to
"monitor their affiliates" to ensure they are not violating anti-spam
laws. The defendants violated federal and state anti-spam laws by
sending millions of unsolicited commercial email messages with forged
headers and deceptive subject lines; they also failed to provide a means
for opting out of receiving more unsolicited email, did not identify the
messages as advertisements and did not provide a valid physical postal
address. The agreement does not include admission of wrongdoing.
http://www.computerworld.com/printthis/2006/0,4814,110333,00.html
http://www.silicon.com/research/specialreports/thespamreport/0,39025001,39157964,00.htm

 --Irish Bank First in Country to Offer 100% Secure Guarantee
(9 April 2006)
Ireland's online bank RaboDirect has become the first bank in the
country to offer its customers a security guarantee; customers are
guaranteed they will not lose any money in the event of online theft.
RaboDirect customers will have a token that generates a one-time use
passcode to be used in their two-factor authentication scheme.
http://www.rabodirect.ie/press/press_releases/20060409_no_fraud_guarantee.asp
[Editor's Note (Grefer): A step in the right direction. When will U.S.
banks start to adopt similar measures?]
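The item above says only that RaboDirect customers get a token generating a one-time passcode for two-factor login; it does not say which algorithm the token uses. The following is an added example, not code from RaboDirect, SANS or the original newsletter. It assumes the event-based HOTP scheme of RFC 4226 (HMAC-SHA-1 over a counter, dynamic truncation to six digits) and uses that RFC's published test secret as constructed sample data; the `OtpVerifier` class and its look-ahead `window` are illustrative names chosen here. It shows the two properties a server needs from such a token: codes are derived from a secret shared with the token, and each code is accepted at most once because the server advances its counter past any value it has accepted.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the ASCII test secret from RFC 4226, Appendix D.
# A real token's secret is provisioned per device and never leaves it; the
# RaboDirect token's actual algorithm and secret are not known from the page.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA-1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte
    binary = ((mac[offset] & 0x7F) << 24         # mask the sign bit
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side state for one customer's token (illustrative name).

    The server stores no passcodes, only the shared secret and the highest
    counter value it has already accepted. A submitted code is compared
    against the codes for the next `window` counter values, so a token
    pressed a few times without logging in still works, but:
      * a code is never accepted twice (replay), and
      * a code older than the last accepted one is rejected,
    because every successful login moves `last_counter` forward.
    """

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret = secret
        self.window = window
        self.last_counter = -1  # nothing accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.window):
            # compare_digest avoids leaking the matching prefix via timing
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter  # burns this and all earlier codes
                return True
        return False


if __name__ == "__main__":
    server = OtpVerifier(SECRET)
    token_press = hotp(SECRET, 0)  # the customer reads "755224" off the token
    print("first use:", server.verify(token_press))            # True
    print("replayed by a phisher:", server.verify(token_press))  # False
```

Two design points matter in practice: the look-ahead window must stay small (a large window lets an attacker guess codes far ahead of the counter), and the accepted counter must be persisted atomically with the login so that two concurrent submissions of the same code cannot both succeed.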

************************************************************************
Sponsored Links:

1) Defend the new data center with asset aware security from Lucid. Free
ipANGEL asset centric security whitepaper.
http://www.sans.org/info.php?id=1101

2) Network Discovery like you've never seen it before: Complete,
agentless, realtime. Free Trial
http://www.sans.org/info.php?id=1102

3) Free Webcast tomorrow - Internet Storm Center Threat Update: "What
You Need to Know about 5 New Microsoft Patches" and "Advanced Web
Application Hacking"
Wednesday, April 12 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1103
*************************************************************************

THE REST OF THE WEEK'S NEWS

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
 --Five Arrested in Huge DVD Piracy Scheme
(7 April 2006)
Law enforcement officers have arrested five people in London following
a raid of what is being called the largest manufacturing facility of
pirated DVDs ever discovered in the UK. The facility was equipped to
create 2,700 pirated disks an hour.
http://www.theregister.co.uk/2006/04/07/dvd_piracy_factory_raid/print.html
http://news.bbc.co.uk/1/hi/england/london/4886360.stm

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
 --Proof-of-Concept Cross Platform Virus Infects Windows and Linux
(7 April 2006)
A proof-of-concept virus that can infect both Windows and Linux
platforms has been detected. The virus, identified as both Linux.Bi.a
and Win32.Bi.a, does not carry a malicious payload. However, the very
fact of its appearance suggests that cross-platform malware could become
more prevalent.
http://www.techweb.com/wire/184429692
http://www.computerworld.com/printthis/2006/0,4814,110330,00.html

 --German Bank to Deploy Electronic Signatures to Thwart Phishers
(7 April 2006)
In an effort to fight phishing attacks, Germany's Postbank plans to
incorporate electronic signatures into all electronic correspondence
with its customers. Postbank customers have been targeted in several
phishing scams. Five people connected with one of the scams were
arrested in December 2004.
http://www.theregister.co.uk/2006/04/07/postbank_curbs_phishing/print.html
[Editor's Note (Schultz): It is surprising that more financial
institutions have not already gone in the direction that Postbank
recently has. Identity assurance in electronic transactions and
correspondence has become imperative; without it, perpetrators have a
world of opportunity.]

ATTACKS & INTRUSIONS & DATA THEFT & LOSS
 --Everything You Ever Wanted to Know About Bots
(6 April 2006)
This article provides a thorough explanation of how bots work and what
steps organizations can take to protect their systems. The author
presents a detailed account of the case of Jeanson James Ancheta, which
illuminates the scope of the bot problem; Ancheta reached a plea
agreement in January in a large botnet case.
http://www.baselinemag.com/print_article2/0,1217,a=175186,00.asp

 --Progressive Data Exposure Underscores Insider Threat
(6 April 2006)
The danger of insider threats was illuminated by a recent case in which
a woman was fired from Progressive Casualty Insurance Company for
accessing company records about property in foreclosure she was
interested in purchasing. The company has contacted 13 people to let
them know that their personal information, including names and Social
Security numbers, had been viewed by the employee. Progressive
officials became aware of the situation following a complaint from one
of the people affected by the security breach who said she had been
contacted by a Progressive agent regarding her property. The incident
underscores the importance of establishing internal security controls.
http://www.computerworld.com/printthis/2006/0,4814,110303,00.html

STATISTICS, STUDIES & SURVEYS
 --CISOs Reasons for Investing in IT Security Software
(6 April 2006)
A Merrill Lynch & Co. Inc. survey of 50 chief information security
officers (CISOs) found regulatory compliance tops the list of "reasons
driving demand for security software." Seventy-eight percent of the
CISOs said less than 10 percent of their IT budgets are given over to
security software and infrastructure. That figure is expected to
increase an average of 11.4 percent over the next 18 months.
http://www.informationweek.com/story/showArticle.jhtml?articleID=184429550
[Editor's Note (Boeckman): While it is good to see that CISOs are
recognizing the importance of investing in security, it is equally
important to note that low cost improvements can be made by leveraging
open source products and establishing better business practices and
guidelines that do not tolerate poor security practices.]
[Editor's Note (Northcutt): In 2003 Gartner reported IT Security
spending had risen to above 5% in most industries. Now in 2006 this new
survey says less than ten percent and increasing. I wonder what price
point it takes for people to get excited about fixing the root cause of
the problem (bad software) instead of trying to put another set of
Band-Aids on the patient.
http://www3.gartner.com/5_about/press_releases/pr3june2003b.jsp ]

MISCELLANEOUS

 --Domain Name Registrar Confident Flaw Did Not Compromise Customer Data
(7 April 2006)
Domain name registrar DiscountDomainRegistry.com says it fixed a
security hole that exposed customer data shortly after being alerted to
the problem. DiscountDomainRegistry.com CEO Alex Brecher says the
company is certain that customer data was not compromised. The exposed
database contained credit card numbers, usernames and passwords.
http://www.networkworld.com/news/2006/040706-registrars-database-exposed-data.html

 --Web Services' Flexibility Can Present Unintended Vulnerabilities
(7 April 2006)
Speaking at a recent conference, Alex Stamos described how web services
technologies present unprotected vectors of attack for cyber criminals.
Web services are applications that are able to interact with a variety
of types of software. While portability and cross-platform capability
are appealing features, they also have the potential to "create
situations that may not have been anticipated by the software
developers." The inadvertently created vulnerabilities could be
exploited to gather data and to launch denial-of-service attacks.
http://www.computerworld.com/printthis/2006/0,4814,110321,00.html

===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian
Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore,
Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw
Tan, Mark Weatherford

Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEO+Rj+LUG5KFpTkYRAq3uAJ47PBWQz/p5riIardbJOoxb7C4gmwCfUOmn
mQDGw8fedHqJleNHhuZJ36Q=
=Zhn9
-----END PGP SIGNATURE-----