
SANS NewsBites - Volume: VIII, Issue: 21


No skill is more important to security professionals than their ability to present security programs and projects so management will give its support. Too often security presentations grasp defeat from the jaws of victory. SANS has finally restarted the widely acclaimed training program on how to give winning security presentations. It shows the principal errors security presenters make and how to avoid them. The program was restarted primarily for SANS Institute's Master of Science degree candidates (http://www.sans.edu), but it will be presented as a special bonus program for people who attend SANSFIRE in Washington DC ( http://www.sans.org/sansfire06 ), SANS London ( http://www.sans.org/london06 ), and SANS Security 2006 in San Diego ( http://www.sans.org/security06 ). All who register for a full track at any of those conferences will be invited to attend the evening short course on giving effective security presentations.

People in London may also attend this short course on March 31 without registering for a SANS conference.
( http://www.sans.org/staysharp/details.php?id=1421 )

Alan

*************************************************************************
SANS NewsBites                     March 14, 2006                    Volume: VIII, Issue: 21
*************************************************************************
TOP OF THE NEWS

  Maryland Legislators Unanimously Approve Bill Banning Use of Diebold Voting Systems
  Citibank Acknowledges ATM Network Penetrated
  Chip and PIN Technology More Secure Than Magnetic Stripes; Could Have Blocked Citibank Breach

THE REST OF THE WEEK'S NEWS

  ARRESTS, CONVICTIONS AND SENTENCES
   Appeals Court Says Employee Who Deleted Data Violated Computer Fraud and Abuse Act
  SPYWARE, SPAM & PHISHING
   Phishers Reportedly Using Chinese Bank's Server to Host Phony Sites
   Data Mining Company Settles Suit With NY Attorney General
  COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
   Singapore Company First to be Charged Under New Copyright Law
   Two Indicted for Piracy Under Family Entertainment and Copyright Act
  WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
   McAfee Antivirus signature file falsely flags applications as malware
   Flaws in GNU Privacy Guard
   Microsoft March Security Update Includes Critical Microsoft Office Fix
   Windows Media Player Patches Pose Problems
  ATTACKS & INTRUSIONS & DATA THEFT & LOSS
   Stolen Data Does Not Belong to iBill
   Attackers Used British Columbia Government System to Store Unauthorized Content
  MISCELLANEOUS
   Researchers Release Proof-of-Concept Virtual Rootkit



TOP OF THE NEWS

Maryland Legislators Unanimously Approve Bill Banning Use of Diebold Voting Systems (10 March 2006)
Maryland's House of Delegates last week voted unanimously to prohibit election officials from using AccuVote-TSx touch-screen systems in 2006 primary and general elections. The system in question is made by Diebold Election Systems Inc. The reason given is that the systems do not provide a verifiable paper trail.
-http://www.computerworld.com/printthis/2006/0,4814,109436,00.html
[Editor's Note (Schultz): So Diebold has suffered yet another defeat. I wonder how many more defeats of this nature this company will be willing to accept until it finally changes its ways. Until recently Diebold has done reasonably well despite coming under fire from critics saying its voting machine security is not up to par. Now the tide is changing. ]


Citibank Acknowledges ATM Network Penetrated (10 March 2006)
Citibank acknowledged last week that attackers infiltrated its ATM network in Canada, Russia and the United Kingdom, and stole a block of PINs (personal identification numbers). Sophisticated hackers use the PINs to create counterfeit cards and steal money.
-http://www.silicon.com/financialservices/0,3800010322,39157105,00.htm


Chip and PIN Technology More Secure Than Magnetic Stripes; Could Have Blocked Citibank Breach (10/8/7 March 2006)
According to Gartner research director Avivah Litan, the use of chip and PIN technology could have prevented the recently disclosed Citibank ATM network breach in Canada, Russia and the UK; the cards in question have sensitive data stored in magnetic stripes. Citibank acknowledged last week that attackers managed to infiltrate the ATM network and steal a block of PINs (personal identification numbers). Chip cards are more difficult to replicate than magnetic stripe cards. In a separate story, the UK's Association of Payment and Clearing Services (APACS) has released statistics showing that in 2005, the year Chip and PIN technology debuted, card fraud fell by 13 percent in the UK.
-http://www.silicon.com/financialservices/0,3800010322,39157105,00.htm
-http://www.techworld.com/security/news/index.cfm?NewsID=5526
-http://www.apacs.org.uk/media_centre/press/06_03_07.html




THE REST OF THE WEEK'S NEWS

ARRESTS, CONVICTIONS AND SENTENCES


Appeals Court Says Employee Who Deleted Data Violated Computer Fraud and Abuse Act (11/10 March 2006)
A recent ruling from the US Court of Appeals for the Seventh Circuit says that an employee who deleted files from a laptop computer he was issued before returning it to his employer violated the Computer Fraud and Abuse Act. Jacob Citrin's former employer, International Airport Centers (IAC), sued him when they discovered the hard disk on the laptop he returned to them had been "erased with a deletion program." The company alleges Citrin began doing personal business while still employed with them and they hoped to find incriminating evidence on his laptop. A lower court initially threw out the case against Citrin, but the appeals court said he had violated CFAA by using a secure delete program. The court also found that Citrin "effectively terminated his employment not when he turned in the laptop, but when he started doing personal business while still ... employed at IAC." Citrin maintains "his employment contract authorized him to 'return or destroy' the data in the laptop, but the court said that he ceased to be protected by that contract when he started doing his own work."
-http://www.tgdaily.com/2006/03/11/deletingfiles_appealscourt_citrin_reversed/
-http://news.com.com/2102-1030_3-6048449.html?tag=st.util.print
-http://www.groklaw.net/pdf/CitrinPosnerOrder.pdf
-http://www.ca7.uscourts.gov/tmp/R60ZGH1H.pdf
[Editor's Note (Shpantzer): Typically these clauses are written to maintain confidentiality of the data, not to preserve it, since that's what backups are for. It seems that the backups were also deleted (p. 7 of complaint).
-http://www.groklaw.net/pdf/CitrinComplaint.pdf
See Groklaw's coverage of this case; she will be following developments.
-http://www.groklaw.net/article.php?story=2006031107414764 ]


SPYWARE, SPAM & PHISHING


Phishers Reportedly Using Chinese Bank's Server to Host Phony Sites (13/12 March 2006)
According to Netcraft, phishing web sites purporting to belong to eBay and the US's Chase Bank are being hosted on a server that belongs to the Shanghai branch of China Construction Bank Corp. The data gathered by the phony Chase bank site are being sent to a server in India.
-http://www.computerworld.com/printthis/2006/0,4814,109500,00.html
-http://news.netcraft.com/archives/2006/03/12/chinese_banks_server_used_in_phishing_attacks_on_us_banks.html



Data Mining Company Settles Suit With NY Attorney General (13 March 2006)
Datran Media has settled a lawsuit with the New York State Attorney General's office. The lawsuit alleged Datran mined the data from companies that gathered the information in exchange for chances to win items like iPods. Datran allegedly knew of the companies' pledges not to share the private information with others, yet violated that agreement by spamming about six million email addresses with unsolicited commercial offers. The terms of the agreement dictate that Datran cease using improperly obtained email addresses, destroy those it does have and not buy new lists without first checking to see if the data have use restrictions. Datran will also pay the state of New York US$1.1 million.
-http://www.theregister.co.uk/2006/03/13/datran/print.html
-http://www.msnbc.msn.com/id/11808172/
-http://www.ecommercetimes.com/story/XayOJp5EX2jYTs/Spitzer-Settles-With-E-Mail-Marketer.xhtml



COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT


Singapore Company First to be Charged Under New Copyright Law (10 March 2006)
Acting on a tip from the Business Software Alliance (BSA), authorities in Singapore have charged a company under the country's recently revised copyright laws. PDM International faces charges for allegedly using more than US$30,000 worth of unlicensed software. Police seized eight desktops, three laptops and five CD-ROMs following a raid in September 2005. Singapore's Copyright Act fines offenders up to S$20,000 (US$12,310) and provides for a sentence of up to six months in prison.
-http://www.zdnetasia.com/news/business/printfriendly.htm?AT=39342567-39000003c


Two Indicted for Piracy Under Family Entertainment and Copyright Act (10 March 2006)
Two men have been indicted for piracy under the Family Entertainment and Copyright Act (FECA). Robert Thomas of Milwaukee, WI, and Jared Bowser of Jacksonville, FL, allegedly made available portions of a Ryan Adams album on a web site popular with Adams' fans prior to the album's official release. Thomas and Bowser are believed to be the first people charged under FECA's prerelease provision. If convicted, each man faces up to 11 years in prison.
-http://today.reuters.co.uk/news/newsArticle.aspx?type=internetNews&storyID=2006-03-10T085733Z_01_N10240531_RTRIDST_0_OUKIN-UK-PIRACY.XML&archived=False

-http://www.govtrack.us/congress/billtext.xpd?bill=s109-167


WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES


Flaws in GNU Privacy Guard (10 March 2006)
Two flaws in GNU Privacy Guard (also known as GnuPG or GPG) could be exploited to insert data into digitally signed messages and forge digital signatures. The software ships with several open-source operating systems. While there have been no reported attacks using these holes, users are advised to apply fixes as soon as they are available. The GnuPG team has made fixes available for the flaws; other groups whose products contain the software have issued updates as well.
-http://news.com.com/2102-1002_3-6048612.html?tag=st.util.print


Microsoft March Security Update Includes Critical Microsoft Office Fix (9 March 2006)
Microsoft's monthly security update will include two security bulletins describing fixes; one addresses a "critical" flaw in Microsoft Office. The second bulletin will address flaws in Windows and has an "important" rating. Microsoft will release the bulletins on Tuesday, March 14, along with an updated version of Windows' malicious software removal tool and one non-security, high-priority update.
-http://www.eweek.com/print_article2/0,1217,a=173209,00.asp
-http://www.microsoft.com/technet/security/bulletin/advance.mspx


Windows Media Player Patches Pose Problems (9 March 2006)
Microsoft has issued an advisory warning that three previously released patches for Windows Media Player 10 can be problematic. WMP users who have installed the patches may experience trouble seeking, rewinding and fast-forwarding files. One of the patches was released in February in MS06-005 and was deemed a "critical" fix. The other two patches in question were released in October 2005. Microsoft suggests two workarounds.
-http://www.computerworld.com/printthis/2006/0,4814,109366,00.html
-http://support.microsoft.com/kb/912226/en-us


ATTACKS & INTRUSIONS & DATA THEFT & LOSS


Stolen Data Does Not Belong to iBill (9 March 2006)
iBill says that large quantities of stolen customer data linked to the on-line payment company are in fact not theirs. One of the data files contains information about 17 million customer records and was discovered on a website purportedly used by phishers. Another group of data, containing information on just over one million people, was found on a spamming web site. iBill President Gary Spaniak Jr. says that when his company cross-referenced the database containing 17 million people's information with its own customer database, just three email addresses matched. iBill does a large part of its business with adult services; an individual who had originally linked the large database with iBill now says that perhaps it was deliberately mislabeled by a data thief because databases of adult services transactions are particularly sought after by spammers. No one claims to know the stolen data's origins.
-http://www.wired.com/news/technology/1,70380-0.html


Attackers Used British Columbia Government System to Store Unauthorized Content (8 March 2006)
British Columbia's government computer system has been infiltrated and used to store movies and unauthorized software. At least 78 computers were involved, according to New Democratic Party leader Mike Farnsworth. The attack apparently came through a Dutch service provider. The attackers appeared to be seeking space to store their illegal files, not to steal data.
-http://www.canada.com/vancouversun/news/story.html?id=20b74870-ceb9-4723-a6ee-cf55548e2001&k=21513



MISCELLANEOUS


Researchers Release Proof-of-Concept Virtual Rootkit (13/10 March 2006)
Researchers have created proof-of-concept code to demonstrate how to hide rootkit software in virtual machine environments. The proof-of-concept rootkit, called SubVirt, takes advantage of known vulnerabilities and places a virtual machine monitor (VMM) underneath Windows or Linux installations. SubVirt is undetectable because security software does not have access to its state.
-http://www.eweek.com/print_article2/0,1217,a=173285,00.asp
-http://www.theregister.co.uk/2006/03/13/virtual_rootkit/print.html


===end===

NewsBites Editorial Board:
Kathy Bradford, Chuck Boeckman, Rohit Dhamankar, Roland Grefer, Brian Honan, Clint Kreitner, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan, Mark Weatherford
