Get a MacBook Air, Dell XPS 13, or $600 Off with SANS Online Training for a limited time!

Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VII - Issue #51

November 08, 2005

This is the final opportunity (by Friday) to get the salary data showing security salaries increasing faster than those of any other IT profession, plus data on where the high paying jobs are in security and what matters most for increased salaries and career advancement in security. Complete the survey at:

SANS 2006 in Orlando (Feb 24-March 6) just opened for registration. This is SANS largest conference (more than 20 major tracks and special courses) with lots of extra sessions a great exhibit of the security tools that actually work. Register early to get a seat in the course of your choice:


House Subcommittee Approves Data Protection and Security Breac Notification Bill
Australian Government Teams with ISPs to Track Down Bot-Infected Computers


Hong Kong Court Gives File Sharer a Three-Month Sentence
US Authorities Arrest Alleged Botnet Operator in California
Proposed Legislation in Westchester County, NY Addresses Wireless Security Concerns
Greek Police Arrest Swedish Programmer for Spamming
Phishing Attack Targets PayPal Users
Grokster to Stop Distributing File-Sharing Software; iMesh Moves to Paid Format
Australian Reseller Ordered to Pay Microsoft AU$1.3 Million for Copyright Infringement
Macromedia Urges Patch or Upgrade to Address Flash Player Flaw
Sony Patch Could Crash Windows PCs
Internet Explorer Patches Could Cause Web Site Functionality Problems
Microsoft's November Update to Contain Just One Patch
W32.Spybot.ZIF Targets Cisco Routers
RFID-Equipped Passports Pose Collision Avoidance ID Problem

************************ Sponsored by NetIQ *****************************
Automating IT Security Audits to Ensure Compliance White Paper Available Get the information you need to develop a policy compliance program that treats compliance management as a long-term program; leverages effective solutions to consistently achieve better results; and ensures your investment is adequately offset by effective risk management. Download this free white paper now.

Training Summary: A few words from SANS students:
(1) "An awesome class! Loaded with practical, in-depth knowledge and focused. Useful and downright scary tools that are pure oxygen. Should be a required baseline for any network or security professional."
- Brian Viglione, DirecTV

(2) "I've attended SANS on and off since 1998 and it keeps on getting better... Classes stay current and evolve with the industry needs."
- Joe Dietz, Qwest

(3) "Can't say enough good things about the instructor. Best teacher I have ever had from any teaching facility yet! Great information, great presentation!"
- Daniel Shafer, Bonfils Blood Center
Schedule of upcoming classes:


House Subcommittee Approves Data Protection and Security Breach Notification Bill (4 November 2005)

A subcommittee of the House Energy and Commerce Committee has approved a bill that would require data brokers to submit plans for protecting consumer data to the Federal Trade Commission (FTC) for monitoring and review. It would also require that the companies notify customers when their data has been compromised. It would, under certain circumstances, require the data brokers to submit to security audits following data security breaches. Those on the subcommittee who dissented have expressed concern that customers would be notified only when "significant risk" of fraud was determined to exist; that determination would be made by the company experiencing the breach. Those supporting the bill, including direct marketers and financial institutions, say notifying customers every time security was compromised would result in so many notifications that people would begin ignoring them. As it reads now, the bill would place the onus of enforcement on the FTC with a budget of US$1 million.

[Editor's Note (Paller): Security professionals with whom I have spoken seem to agree that the California disclosure law (now in 15 other states) has significantly improved security because senior executives demand, "Do whatever is needed to keep me off the front page of the paper." This Energy and Commerce Subcommittee decision, if written into law, will completely block all those state laws. Disclosure will likely be made only where proof of damage can be found -- which means almost never. If you think the Subcommittee made a mistake, please send an electronic comment to one (or more) of these Congressional members who will vote in the Energy and Commerce Committee hearing. Do it soon.
(click on the member and at his/her web page find the Feedback or comment button).
(Pescatoe): There does need to be some kind of balance about disclosure. We have already seen disclosure overload - it is no longer a shocking event to hear that thousands of accounts were exposed, after big processors announced they had exposed tens of millions. Avoiding the headlines is much less of a motivator - now the fear that the credit card industry will actually enforce the Payment Card Industry Data Security standards is driving improvements. The loopholes should in the proposed law be narrowed, but it is even more important to increase the FTC's enforcement capabilities and frequency of action. ]

Australian Government Teams with ISPs to Track Down Bot-Infected Computers (7 November 2005)

The Australian government is working with five Internet Service Providers to track down computers that have been compromised and made part of zombie networks that are used to send spam or launch distributed denial-of-service attacks. The Australian Internet Security Initiative will identify IP addresses of hosts that exhibit behavior indicating they are zombies. The ISPs then can contact their customers, let them know their computers have been compromised and help them disinfect their machines. Steps may be taken to disconnect from the Internet the computers of customers who do not disinfect their computers."
[Editor's Note (Pescatore): This ought to be standard customer service for all ISPs. This is basically what many universities (who act as broadband ISPs to dorm rooms) already do, both to save themselves money and to increase customer service. The next step is for "in the cloud" filtering of known malicious executables before they reach the customer. ]

*************************** Sponsored Links *****************************
1) FREE CYA (Cover Your Apps) T-shirt from SPI Dynamics when you evaluate WebInspect

2) ALERT: YOU vs ZOTOB? Is Your Internal Network Safe? Download FREE White Paper "Zotob: Zero-Hour Detection and Response"

3) Earn your Master's degree in Information Security from an NSA - recognized online program.




Hong Kong Court Gives File Sharer a Three-Month Sentence (8/7 November 2005)

A Hong Kong court sentenced Chan Nai-ming to three months in jail for digital piracy; he uploaded three Hollywood movies to the Internet with BitTorrent, allowing them to be shared in violation of copyright laws.


US Authorities Arrest Alleged Botnet Operator in California (7/4/3 November 2005)

FBI agents have arrested Jeanson James Ancheta and charged him with spreading a Trojan horse program that allowed him to create a botnet of 400,000 computers. A botnet is a network of compromised computers that can be controlled to send spam or launch distributed denial-of-service attacks (DDoS). Among the zombie computers in his network were some belonging to the US Department of Defense. Mr. Ancheta allegedly took payment from companies whose adware he surreptitiously loaded into their computers. He also allegedly controlled the computers via an IRC channel and advertised their use for sending spam or launching distributed denial-of-service attacks. Mr. Ancheta was scheduled to be arraigned on Monday, November 7, 2005. Two aspects make this case unique: (1) it is the first time an alleged botnet operator will be prosecuted in the United States, and (2) Mr. Ancheta is accused of using a botnet to make a profit. In the past, people who have created botnets have done so primarily for bragging rights.



Proposed Legislation in Westchester County, NY Addresses Wireless Security Concerns (7/4/2 November 2005)

Westchester County (NY) executive Andy Spano is sponsoring legislation that would require commercial businesses that offer wireless hot spots to have firewalls and other security measures in place if they also collect sensitive customer information. The legislation would require companies to separate the confidential data they hold from the networks that offer wireless access. One analyst has observed that whether a network is wireless or wired, organizations should keep sensitive data secure. The proposed legislation is believed to be the first of its kind in the United States.
[Editor's Note (Schultz): This is an intriguing piece of proposed legislation, one in which failing to provide adequate security for wireless connections would be a punishable offense. Unsecured wireless (and other) connections pose extreme risks, but who should be punished--the person or organization who failed to provide sufficient security or the person who gained unauthorized access (or possibly both)? This proposed legislation would punish the former.
(Pescatore): This is a good example of election season silly legislation, as Spano is running for election. Legislation that tries to target specific technologies (wireless) and apply specific solutions that may or may not help (firewalls), let alone such legislation at a county level, will inevitably fail. But sounds good on the campaign trail.
(Honan): Protecting data by focusing on the technology is not the right way to approach this issue. The focus should be similar to European privacy legislation and put data protection requirements and relevant penalties in place regardless of the technologies involved. ]


Greek Police Arrest Swedish Programmer for Spamming (7/2 November 2005)

Greek police have arrested a Swedish computer programmer, Rick Downes, on charges of sending spam. Mr. Downes, who retired to Greece, has denied the charges and maintains the police have no evidence against him. Mr. Downes' computer has been seized and sent to police laboratories for examination; he says he has not been asked for his administrative password. Mr. Downes is a member of the Coalition Against Unsolicited Commercial Email and has campaigned against spam in the past. Mr. Downes was suspected of sending spam after a travel agent and two other people reported receiving nearly identical spam email messages shortly after meeting him. Mr. Downes's wife says they suspect that a travel agent's computer was compromised and the addresses were being used by a spammer; the police seemed ignorant of how spammers operate, apparently believing they collect email addresses one at a time.

[Editor's Note (Grefer): Another possibility is that Mr. Downes computer might have been infected with spyware and/or adware. If Mr. Downes added these people's contact information to his address book, they could have been easily used by any of the spamming worms to sent said spam to his new contacts. ]

Phishing Attack Targets PayPal Users (4 November 2005)

A new phishing attack is targeting people who use PayPal. The users receive an email message telling them that someone has been trying to access their accounts from a foreign country. The are advised to click on a link that purports to be a PayPal Security Tool executable, but is really a Trojan horse program that modifies the local workstation's DNS settings and deletes itself; when users try to visit PayPal in the future, they are directed to a fraudulently crafted site where the thieves proceed to elicit personal data by asking them to update their accounts. The data requested includes names, Social Security numbers and bank account and routing numbers.
[Editor's Note (Grefer): Internet Explorer and Firefox users may benefit from installing the Netcraft Anti-Phishing Toolbar, which provides some basic information about the site a user is visiting, as well as a tentative rating of risk the site may be posing.


Grokster to Stop Distributing File-Sharing Software; iMesh Moves to Paid Format (7/3 November 2005)

As part of its settlement with the Recording Industry Association of America, Grokster will stop distributing the software that allows people to copy music files without permission. Four months ago, the US Supreme Court ruled that Grokster and other peer-to-peer file sharing networks could be held liable if they induce users to flout copyright law. Grokster will be bought by Mashboxx LLC, which hopes to create a legitimate peer-to-peer company. In a separate story, iMesh has moved from the old peer-to-peer file-sharing format to a legitimate paid file sharing service. iMesh has built Microsoft Digital Rights Management into its software; users are permitted to download only the music files they pay for or those that are not copyright protected.

Australian Reseller Ordered to Pay Microsoft AU$1.3 Million for Copyright Infringement (4 November 2005)

The Australian Federal Court has ordered New South Wales-based reseller PC Club and its associates to pay Microsoft AU$1.3 million (US$952,300) in damages and costs for selling pirated and illegal software and counterfeit Certificate of Authenticity labels. The charges included copyright and trademark infringement and breaches of the Trade Practices Act.


Macromedia Urges Patch or Upgrade to Address Flash Player Flaw (7 November 2005)

Macromedia has warned of an improper memory access flaw in its Flash Player that affects all Windows versions of Flash Player 6.x and Flash Player and prior. The current version of Flash Player 8 ( is not affected. Macromedia recommends that users upgrade to Flash Player 8, but has also released a patch for Flash Player 7, as Flash Player 8 is not supported by some older operating systems. The flaw could be exploited to take control of vulnerable systems.

Sony Patch Could Crash Windows PCs (7/4 November 2005)

The patch posted by Sony that uncloaks files in the digital rights management (DRM) software that comes with certain CDs could crash Windows computers and may result in data loss. The crash could take place as the patch is being installed. Researchers had pointed out last week that the copy protection technology amounts to a rootkit because of its design. In a separate story, on line gamers are reportedly using Sony's DRM technology to create undetectable cheating tools.

[Editor's Note (Pescatore): This very misguided approach is just another example (Intuit's attempt at copy protection was an earlier, less invasive example) of what happens when content owners go too far - treating your customers as criminals does not pay off. It is also an example of why, without hardware security improvements in the basic PC platform, content protection can only go so far. ]

Internet Explorer Patches Could Cause Web Site Functionality Problems (4 November 2005)

Microsoft has posted advisories warning users that two previously released patches for Internet Explorer (IE) could cause functionality problems on certain web sites. The patches delivered with the MS05-038 and MS05-052 bulletins, issued in August and October respectively, can cause problems with ActiveX controls. In addition, the patch delivered with MS05-038 can cause problems with Java applications. The problems should not affect many customers, according to Microsoft. Microsoft suggests resolutions and workarounds, some of which involve lowering security settings, though they do not recommend implementing those that heighten security risks.

Microsoft's November Update to Contain Just One Patch (4/3 November 2005)

Microsoft's monthly security update for November will contain just one patch, which is for a critical flaw in Windows, according to advance notification from the company. The fix will require users to restart their machines. The update will be released on Tuesday, November 8, 2005. The release will also include a number of high-priority, non-security related updates.

W32.Spybot.ZIF Targets Cisco Routers (2 November 2005)

The W32.Spybot.ZIF bot spreads through a variety of Windows vulnerabilities and targets Cisco routers. It opens a backdoor by contacting an IRC server through TCP port 6667. Once a machine is compromised, attackers could scan networks for Cisco routers with vulnerable Telnet or HTTP servers, steal passwords from protected storage or launch a denial-of-service attack. The bot is actively scanning TCP port 23 (the default telnet port) and TCP port 80 (the default HTTP port).


RFID-Equipped Passports Pose Collision Avoidance ID Problem (3 November 2005)

The US State Department made changes to the proposed design of RFID-equipped passports that enhance their security. A radio shield in the passport's cover will prevent the chip from being read while the document is closed; access control in the form of encryption will prevent the chip from being read without the key, which is printed on the passport. While the changes made to the new passports enhance the security of the data they contain, the State Department has not addressed the problem of collision avoidance ID numbers, which, as currently implemented, have unique identifiers and are not related to the data or application on the chip.


NewsBites Editorial Board:
Kathy Bradford, Rohit Dhamankar, Roland Grefer, Richard Hayler, Jaap-Henk Hoepman, Brian Honan, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit