SANS NewsBites Vol. 8 Num. 37
From: The SANS Institute (NewsBites sans.org)
Date: Tue May 09 2006 - 14:30:38 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
In case you were wondering who writes the editorial comments in
NewsBites, we have included very brief descriptions of the editors at
the end of this issue.
And please help fix the nearly overwhelming problem of programmers who
don't know how to write safe code. What you can do right now is make
sure all the web programmers (and their bosses) who work at your
organization know about the great course on secure programming at
SANSFire (called Writing Secure Web Applications). Here's how students
describe it:
"Great, if a bit scary. Good grounding in techniques used by hackers and
how to protect yourself against them." Ed Jamerzek, Software Manager,
DayJet
"Great Course. Validates programming practices you currently use but
points out many you never thought of." Tina Rogerson, SAIC
"This course covers all of the major vulnerabilities in a hands-on
fashion -- it puts you in the hacker's swivel chair." Cheryl Marlin,
NOAA
Registration information for that course:
http://www.sans.org/sansfire06/description.php?tid=394
And for all of SANSFIRE: http://www.sans.org/sansfire06/
Alan
*************************************************************************
SANS NewsBites May 9, 2006 Vol. 8, Num. 37
*************************************************************************
TOP OF THE NEWS
Californian Pleads Guilty to Damaging Computers at Seattle Hospital
UK Government to Challenge DDoS Acquittal
Trojan Goes After Online Game Account Information
THE REST OF THE WEEK'S NEWS
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Free Peers to Pay US$30 Million to Avoid Legal Action from RIAA
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Microsoft Releases Patches on Patch Tuesday
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
Redirected Traffic from Revenge Attack Against Anti-Spam Tool Took Down Blog Sites
Chip and Pin Payments Halted at Some UK Shell Stations
Missing Wells Fargo Computer Contains Customer Data
MISCELLANEOUS
Idaho Power Drives Sold on eBay Not Adequately Scrubbed
Botmaster Sentenced To Nearly 5 Years In Prison
***************** Sponsored By Blue Coat Systems, Inc. ******************
SSL VPNs: Lesson Learned
Sponsored by: Blue Coat
Learn how to get the most out of SSL VPNs. Honest, technical, and
to-the-point, this eBooklet by analyst Don Jones discusses what SSL
VPNs promised, how they originally failed to deliver, and why the
technology is making a comeback. He'll answer your questions, explain
the technology, and set you on the path to success. Learn more.
http://www.sans.org/info.php?id=1141
*************************************************************************
TOP OF THE NEWS
ARRESTS, CONVICTIONS AND SENTENCES
--Californian Pleads Guilty to Damaging Computers at Seattle Hospital
(5 May 2006)
Christopher Maxwell of California has pleaded guilty to computer fraud
and intentionally damaging a protected computer by launching an attack
that attempted to install adware on vulnerable machines. Maxwell used
powerful computers at universities in California and Michigan to launch
the attack, which occurred in January 2005 and affected US Department
of Defense (DoD) computers as well as the computer network of Northwest
Hospital and Medical Center in Seattle. Maxwell faces a jail sentence
of up to 15 years when he is sentenced in August and has agreed to pay
US$252,000 in compensation to the hospital and the DoD.
http://www.theregister.co.uk/2006/05/05/hospital_zombie_attack/print.html
http://www.mercurynews.com/mld/mercurynews/news/breaking_news/14508386.htm
http://news.com.com/2102-7348_3-6069238.html?tag=st.util.print
[Editor's Note (Schultz): This is a particularly noteworthy conviction.
Maxwell's actions even caused outages at a hospital; his punishment
clearly fits his crimes. His conviction should serve as a major
deterrent to at least some of the computer criminal community.]
--UK Government to Challenge DDoS Acquittal
(4 May 2006)
The UK government will this week challenge a ruling that saw a teenager
accused of launching a denial-of-service attack on his former employer
acquitted because the UK's Computer Misuse Act (CMA) does not have a
provision criminalizing that act. The Crown Prosecution Service (CPS)
plans to argue that deliberate attacks, such as a distributed
denial-of-service (DDoS) attack, should be considered unauthorized
modification to a system and therefore illegal under CMA.
http://www.vnunet.com/computing/news/2155257/email-attack-ruling-disputed
[Editor's Note (Honan): The original ruling in November 2005 has already
prompted a review of the UK's Computer Misuse Act. At the end of
January 2006, the UK Government published the Police and Justice Bill,
Part 5, which contains a number of new provisions to deal with computer
crime. This bill includes provisions specifically relating to denial
of service attacks by making it an offence to "impair the operation of
a computer".]
--Trojan Goes After Online Game Account Information
(8/2 May 2006)
The PWS.Win32.WOW.x Trojan horse program seeks user names and passwords
for the online game "World of Warcraft." Once attackers have the means
to access an account, they have the ability to transfer virtual goods
to another account. Although the game's publisher has forbidden the
sale of virtual goods for money there is a black market for them on the
Internet. The program spreads through peer-to-peer file sharing,
pop-ups and email attachments and tries to disable security software on
computers it infects.
http://www.informationweek.com/news/showArticle.jhtml?articleID=187002835
http://www.theregister.co.uk/2006/05/08/wowcraft/print.html
************************ Sponsored Links: *****************************
1) "Top 10 Guide to Evaluating SIM Solutions" Many factors go into
buying a SIM solution - Discover the best practices
http://www.sans.org/info.php?id=1142
2) Stop spyware!
Try Webroot Spy Sweeper Enterprise for free and assess your spyware risk exposure
http://www.sans.org/info.php?id=1143
3) Learn about Botnets, Rootkits and RATs from the MX Logic White Paper,
"Malicious Intrusion Techniques."
http://www.sans.org/info.php?id=1146
***********************************************************************
THE REST OF THE WEEK'S NEWS
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
--Free Peers to Pay US$30 Million to Avoid Legal Action from RIAA
(5 May 2006)
Free Peers Inc., the company that ran the BearShare file sharing
service, has agreed to stop operating unlicensed online music services
and "to pay US$30 million to avoid action from the music industry."
Free Peers was one of seven companies threatened with legal action from
the Recording Industry Association of America (RIAA) unless they ceased
their activity.
http://news.bbc.co.uk/2/hi/entertainment/4976902.stm
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Microsoft Releases Patches on Patch Tuesday
(5 May 2006)
On Tuesday, May 9, Microsoft released three security bulletins that
address vulnerabilities in Microsoft Windows and Microsoft Exchange. At
least two of the flaws have been given a "critical" rating; Microsoft
did not specify exactly how many flaws the bulletins will address. Some
of the fixes may require restarts.
http://www.scmagazine.com/uk/news/article/557843/three+patches+due+microsoft+tuesday/
ATTACKS & INTRUSIONS & DATA THEFT & LOSS
--Redirected Traffic from Revenge Attack Against Anti-Spam Tool Took Down Blog Sites
(8/5 May 2006)
A distributed denial-of-service (DDoS) attack that made thousands of
blogs inaccessible has been attributed to a retribution attack against
Blue Security, a company that provides a service that launches
denial-of-service attacks against suspected spammers. Blue Security
dealt with the deluge of traffic by redirecting it to its blog host, Six
Apart.
http://www.vnunet.com/vnunet/news/2155504/blue-security-under-seige
http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39357282-39000005c
http://www.informationweek.com/blog/main/archives/2006/05/blue_security_s.html
[Editor's Note (Pescatore): This is sort of like running your rain
gutters onto your neighbor's yard to keep your own basement from
flooding. Of course Six Apart ought to have much better sump pumps -
anyone whose revenue is completely dependent on keeping their customers'
blog sites up and running should have been spending on denial of service
prevention services.]
--Chip and Pin Payments Halted at Some UK Shell Stations
(6 May 2006)
Shell has stopped accepting chip and pin payments at 600 of its fuel
stations in the UK after learning that thieves misused the system to
steal approximately GBP 1 million (US$1.86 million) from customer
accounts. Eight people have been arrested in connection with the
scheme, which is reportedly limited to the Shell chain. Customers will
still be able to pay for purchases by swiping their cards and providing
their signatures.
http://news.bbc.co.uk/1/hi/england/4980190.stm
--Missing Wells Fargo Computer Contains Customer Data
(5 May 2006)
Wells Fargo has acknowledged that a computer containing personal data
belonging to current and prospective mortgage customers is missing. The
computer was being delivered from one facility to another by a global
shipping company. Wells Fargo says there is no evidence the data, which
includes names, Social Security numbers and mortgage loan numbers, has
been misused.
http://news.com.com/2102-7348_3-6069367.html?tag=st.util.print
MISCELLANEOUS
--Idaho Power Drives Sold on eBay Not Adequately Scrubbed
(4 May 2006)
Idaho Power Co. is trying to track down old company hard drives that
were sold on eBay without going through prescribed scrubbing procedures.
The data on the drives includes memos, customer correspondence and
confidential employee data. Idaho Power recycles old drives through a
salvage vendor. The power company has launched a private investigation
into why scrubbing procedures were not followed. Idaho Power requires
that their discarded drives be destroyed or scrubbed to US Department
of Defense standards. Companies that do not properly scrub memory
devices risk violating regulations in addition to the embarrassment of
exposing confidential data. According to a Gartner survey,
approximately 30 percent of organizations use third party companies to
dispose of PCs and servers they are no longer using. Idaho Power says
it will now destroy old drives rather than recycle them.
http://www.computerworld.com/securitytopics/security/story/0,10801,111148,00.html
[Editor's Comment (Northcutt): Great reminder. Most organizations have
policy concerning data destruction. Some even have procedures. The
wise ones test for compliance! A nice paper on legislation concerning
such things can be found here:
http://www.csileasing.com/WhitePaperLegislation&PCDisposal.pdf ]
(Schmidt): Here comes my broken record again: ENCRYPT, ENCRYPT,
ENCRYPT!!! Not "wiping" (they call it scrubbing) is bad enough, but
depending on 3rd parties to do this just invites mistakes. At least if
the data is encrypted there will be less risk.
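The compliance test Northcutt calls for, as an added example that is not part of the newsletter or any SANS material: a small Python audit that walks a drive image block by block and flags blocks that are neither uniformly overwritten (zeros or a single fill pattern) nor high-entropy, which is what a random-data overwrite pass, or the encrypted-at-rest drive Schmidt argues for, looks like. The sample image and its memo text are constructed for the demo, and the 7.5 bits-per-byte threshold is an assumption chosen for illustration, not a figure from any DoD standard.

```python
import hashlib
import math
from collections import Counter

BLOCK_SIZE = 4096  # audit granularity; one filesystem-sized block per verdict


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_block(block: bytes, entropy_threshold: float = 7.5) -> str:
    """Classify one block of a drive image.

    'wiped'    - every byte identical (zero fill or a single overwrite pattern)
    'random'   - high entropy: a random overwrite pass, or ciphertext from an encrypted drive
    'residual' - anything else: structured data that may still be recoverable
    The threshold is an assumed heuristic, not a published standard.
    """
    if len(set(block)) == 1:
        return "wiped"
    if shannon_entropy(block) > entropy_threshold:
        return "random"
    return "residual"


def audit_image(image: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Tally block verdicts over the whole image and record where residual data sits.

    'passes' is True only when no block was classified as residual.
    """
    result = {"wiped": 0, "random": 0, "residual": 0, "residual_offsets": []}
    for offset in range(0, len(image), block_size):
        verdict = classify_block(image[offset:offset + block_size])
        result[verdict] += 1
        if verdict == "residual":
            result["residual_offsets"].append(offset)
    result["passes"] = not result["residual_offsets"]
    return result


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-demo-seed") -> bytes:
    """Deterministic SHA-256 counter stream standing in for a random overwrite pass."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def build_sample_image() -> bytes:
    """Constructed six-block image, not taken from any real drive:
    zero-filled, 0xFF-filled, random, a leftover memo, then two zero blocks."""
    zero_block = b"\x00" * BLOCK_SIZE
    pattern_block = b"\xff" * BLOCK_SIZE
    random_block = pseudo_random_bytes(BLOCK_SIZE)
    memo = (b"MEMO: customer correspondence, account PLACEHOLDER-0000 " * 100)[:BLOCK_SIZE]
    memo_block = memo.ljust(BLOCK_SIZE, b"\x00")
    return zero_block + pattern_block + random_block + memo_block + zero_block + zero_block


def build_clean_image() -> bytes:
    """Constructed image that a correct zero-fill pass would leave behind."""
    return b"\x00" * (BLOCK_SIZE * 6)


def report(image: bytes) -> str:
    """Human-readable summary for the auditor's records."""
    r = audit_image(image)
    lines = [f"wiped={r['wiped']} random={r['random']} residual={r['residual']}"]
    for off in r["residual_offsets"]:
        lines.append(f"  residual data at byte offset {off}")
    lines.append("PASS" if r["passes"] else "FAIL: drive not sanitized")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_sample_image()))
    print(report(build_clean_image()))
```

Run it against a raw image read from the device (for example the output of dd) rather than a mounted filesystem, since the point is to look at every sector the host can address. A heuristic like this demonstrates that an overwrite actually happened; it cannot see sectors the drive's firmware has remapped or reserved, which is one reason the article's fallback of physically destroying the drive remains the conservative choice.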
--Botmaster Sentenced To Nearly 5 Years In Prison
(8 May 2006)
Jeanson James Ancheta, a member of the "Botmaster Underground," pleaded
guilty in January to federal charges of conspiracy, fraud and damaging
U.S. government computers. He was given a 57 month sentence, the longest
sentence for spreading computer viruses, according to federal
prosecutors.
http://ct.enews.cioinsight.com/rd/cts?d=188-336-1-20-148108-42789-0-0-0-1
===end===
NewsBites Editorial Board:
Eugene Schultz, Ph.D., is the author/co-author of books on Unix
security, Internet security, Windows NT/2000 security, incident
response, and intrusion detection and prevention. He also founded the
Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in
computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves
as President of the SANS Technology Institute, a post-graduate-level IT
security college, www.sans.edu.
Bruce Schneier has authored eight books -- including BEYOND FEAR and
SECRETS AND LIES -- and dozens of articles and academic papers. Schneier
has regularly appeared on television and radio, has testified before
Congress, and is a frequent writer and lecturer on issues surrounding
security and privacy.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair
of the President's Critical Infrastructure Protection Board.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer
for the State of Colorado.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a
division of 3Com, and authors the critical vulnerabilities section of
the weekly SANS Institute's RISK newsletter and is the project manager
for the SANS Top20 2005 and the Top 20 Quarterly updates.
Clint Kreitner is the founding President and CEO of The Center for
Internet Security.
Marcus J. Ranum built the first firewall for the White House and is
widely recognized as a security products designer and industry
innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development
Authority (IDA) of the Singapore government.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Chuck Boeckman is Lead Network Security Engineer supporting the US
Transportation Command, responsible for the security of global military
transportation command and control systems.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing
companies and was involved in multiple SANS projects, such as the
E-Warfare course and the Business Continuity Step-by-Step Guide.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters) or to update a current subscription, visit
http://portal.sans.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
iD8DBQFEYOBI+LUG5KFpTkYRAt/YAJ4nwklJ3F7jzyKJlZ4Tvw2b0JFjowCfVjZr
uJuTcc8JsWRMsjLHeuYUFtA=
=8ZrU
-----END PGP SIGNATURE-----