CNN.com - Georgia bride-to-be fabricated abduction story - Apr 30, 2005

Georgia bride-to-be fabricated abduction story

Saturday, April 30, 2005 Posted: 7:50 AM EDT (1150 GMT)

(CNN) -- A Georgia woman, who was found in New Mexico early Saturday and who said she had been abducted, admitted today she had made up the story because she was nervous about her upcoming wedding, police said.

Albuquerque Police Chief Ray Schultz said Jennifer Wilbanks, 32, had told them she had taken a bus to Las Vegas, Nevada, and on Saturday had taken another bus to New Mexico.

Earlier, Wilbanks had told family members and police that she had been abducted by a man and a woman in a van. She was to be married Saturday.

"Agents and detectives learned Miss Wilbanks had become scared and concerned about her pending marriage and decided she needed some time alone," Schultz said.

Schultz said no charges would be filed against Wilbanks, saying that would be up to authorities in Georgia.

Wilbanks called her fiance, John Mason, at his Duluth, Georgia, home from an Albuquerque pay phone at 1 a.m. EDT Saturday to say she had freed by two strangers who abducted her Tuesday night, Mason said.

Within minutes, Wilbanks was located by Albuquerque Police at a 7-Eleven convenience store.

Family members are expected to fly to Albuquerque Saturday morning to be with her.

Wilbanks, who was to be married to Mason in Duluth, was last seen by her fiance Tuesday night, when she left the home she shares with him for a jog about 8:30 p.m.

Earlier, Pastor Alan Jones, who was to preside at the wedding said Wilbanks told him her abductors "came up behind her, cut her hair and put her in a blue van," Jones said.

Among the clues found during the search that followed her disappearance was a clump of hair along the route she was believed to have been jogging. Ahrensfield, the Albuquerque Police spokeswoman, said it appeared Wilbanks hair had been cut.

Her father, Harris Wilbanks, said a new wedding date will be set after they talk to her.

He said Friday evening, the hours before learning his daughter was alive, was the lowest point of his life.
Disappearance drew national attention

News of Wilbanks' admission comes just hours after police in Georgia announced they would suspend their ground search for her, saying they've looked everywhere she may have been.

Her disappearance quickly drew national media attention, including talk show speculation sometimes comparing the story to that of Laci Peterson, the pregnant woman who disappeared from her Modesto, California, home on Christmas Eve, 2002. In that case, husband Scott Peterson was convicted of murder and sentenced to death.

Wilbanks' fiance said he tried not to get upset about the media comparisons to the Peterson case since he knew her family had faith in him.

"I never worried that they were going to point their fingers at me," Mason said.

Must be a lot of hobbyists out there…

Slashdot | Firefox Breaks 50,000,000 Barrier

Firefox Breaks 50,000,000 Barrier

Posted by Zonk on Friday April 29, @02:19PM
from the get-up-get-on-up dept.

MrDrBob writes "Today at 16:59 GMT (8:58 AM PST) Mozilla Firefox received its 50,000,000th download. To celebrate, SpreadFirefox.com has created a special page, where you can watch the downloads continue to climb in real time. Three cheers for Firefox! May it go on swiftly to 100,000,000!"

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

MS05-019/Win2k3 SP1 Update Troubleshooting
More information is available regarding incompatibilities and gotchas after applying this update:
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=7&issue=17#307

Also
http://support.microsoft.com/default.aspx?scid=898060

MS05-020 POC Exploit Released by FrSIRT

As detailed here: http://www.frsirt.com/english/advisories/2005/0340

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Handler on Duty: Deb Hale
Updated April 28th 2005 15:52 UTC
TCP port 1025 activity; continued DNS poisonings;

TCP port 1025 activity
After the huge spike in activity on this port on 31 March, things seemed to have calmed down for a while, but we've seen a couple of smaller spikes the last few days (see http://isc.sans.org/port_details.php?port=1025 ). We're still not sure what is causing all of this, so we again ask for assistance if anyone has captured any of this traffic, we'd appreciate any samples you can share.

Continued DNS poisonings
We continue to get reports of sporadic DNS cache poisonings. We've covered this in great detail earlier this month, so we won't spend a lot of time on it except to remind folks that the Internet Software Consortium (maintainer of BIND) agrees that BIND 4 and 8 are no longer suitable for use as forwarders, so, if you are running DNS servers that act as forwarders, please upgrade as soon as possible.

This is a great way to start the day.  Looks like Symantec and Trend Micro are both reporting a new variant of MyDoom and Symantec is also reporting a new variant of Netsky.  Lets hope these don’t spread too fast.

http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.ai@mm.html

 W32.Netsky.AI@mm is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses it gathers from certain files on the compromised computer, and copies itself to mapped network drives. The worm also downloads a copy of Backdoor.Nemog.D.

http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.bl@mm.html

 Symantec Security Response is currently investigating this threat and will post more information as it becomes available.

 WORM_MYDOOM.AQ

 This worm uses its own Simple Mail Transfer Protocol (SMTP) to propagate. It sends multiple copies of itself to all addresses found in the infected system's Windows address book.

The email it sends has varying subjects, message bodies, and attachment file names.  Upon execution, it drops a copy of itself in the Windows system folder. It modifies the registry to ensure its automatic execution at every system startup.

Slashdot | Microsoft Demands Removal Of Longhorn Images

Microsoft Demands Removal Of Longhorn Images

Posted by timothy on Wednesday April 27, @03:51PM

from the now-there's-a-marketing-move dept.

bonch writes "After the previously reported release of the Longhorn beta at this year's WinHEC, Neowin and other Windows sites are reporting that Microsoft is going around sending legal letters demanding removal of Longhorn Build 5048 screenshots. Paul Thurrott discusses it on his site, stating that Microsoft never told anyone beforehand not to post screenshots of the publicly available beta, and links to the new galleries he has up now. 'Enjoy it while it lasts.'"

F-Secure : News from the Lab

Bagle history

Posted by Mikko @ 09:14 GMT

Jason Gordon from infectionvectors.com has written a thorough three-part study on the history of the Bagle worm.

The study is available as PDF files: part 1, part 2 and part 3.



Yury Mashevsky from Kaspersky lab has also posted a good article on Bagle botnets.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Google != Googkle
Reader Alan Phelps wrote in this morning to alert us to a malicious site that has registered a domain that might be entered as a typo for google.com. DO NOT VISIT THIS SITE! Visiting this site installs about 49 pieces of spyware, uses the local hosts file to block access to popular anti-virus websites, and offers a link to a website that sells AV and anti-spyware tools with the slogan "We help people"... No comment.
Administrators might want to do a quick check on their DNS cache records to see if any users have resolved anything matching "googkle" lately, and then have field support visit the (likely) infested workstations.

Update 2005-04-27 @ 10:21 UTC
Several readers have written in to add that there are several other sites similar to the Googkle site including:

msnm(dot)com, gfoogle(dot)com, ghoogle(dot)com, googfle(dot)com, luycos(dot)com, msn1(dot)com, passpport(dot)com and xcnn(dot)com.

Did I mention that you should NOT visit these sites?
More information on googkle is available at http://www.f-secure.com/v-descs/googkle.shtml

Thanks to Juha-Matti Laurio, Barrie Dempster, Gene Chen, Arjan Haringa and anonymous posters who submitted their reports regarding this and other sites.

CNN.com - Preliminary autopsy: Toddlers drowned - Apr 26, 2005

Preliminary autopsy: Toddlers drowned

WARRENTON, Georgia (CNN) -- Two toddlers whose bodies were found in an algae-covered sanitation pond drowned, according to preliminary autopsy results, a rural Georgia county official said Tuesday.

Warren County Coroner Paul Lowe noted that although the investigation continues, there is no evidence foul play was involved.

"We'll be looking at some other avenues," Lowe said. "We're still waiting to put some things together with the [Georgia Bureau of Investigation]."

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Oracle April Critical Patch Update
Following up on Jim Clausing's diary regarding the Oracle April Critical Patch Update, this most recent patch cluster resolves several critical issues in 9i and 10g database releases. Two sections of this patch bundle seem to be the most pressing:

Oracle HTTP Server/Apache
The Oracle HTTP Server is a release of Apache 1.3.22. The April CPU updates the Apache distribution to resolve several Apache bugs, the oldest of which was reported in Jun 22, 2002. If you are using the Oracle HTTP Server product, it is recommended that you apply this patch bundle to resolve several outstanding vulnerabilities. If you are NOT using the Oracle HTTP Server on your database, it is recommended that you remove the software using the Oracle Universal Installer (OUI) tool.

Oracle Built-In Package SQL Injection
Several Oracle packages have been fixed with the April CPU to resolve SQL injection vulnerabilities that can allow an authenticated attacker to cause a denial-of-service attack, or to run arbitrary code as the SYS user with SQL injection techniques. As exploit code is publicly available for these vulnerabilities, it is important that DBA's take action to protect against authorized users escalating their privileges on the database.
The three most important packages that are of concern are DBMS_CDC_PUBLISH, DBMS_CDC_SUBSCRIBE and DBMS_METADATA. As a workaround, DBA's are encouraged to revoke PUBLIC privileges on these functions:

revoke EXECUTE on DBMS_METADATA from PUBLIC;
revoke EXECUTE on DBMS_CDC_PUBLISH from PUBLIC;
revoke EXECUTE on DBMS_CDC_SUBSCRIBE from PUBLIC;

F-Secure : News from the Lab

Hackers infiltrate WLAN conference Posted by Jarno @ 13:47 GMT

Silicon.com  is reporting of rather interesting hacker attack that happened on WLAN IT conference in London on previous week.

Apparently the hackers created malicious WLAN hotspots with forged log-in web page, that tries to install malware on users computer that logs to the hotspot and tries to access web over it.

While technically this kind of attack is rather simple to accomplish, it raises worrying implications on use of free wireless hotspots. As business travellers frequently use whatever connection is available, and carry quite important data in their laptops.

The best way to protect yourself against such attack, is to have up to date operating system and browser, with Anti-Virus and firewall installed. Also it is important to have any critical connections done over VPN, and not to use unsecure connection for any service that requires user name and password.

So if you are using open WLAN connection, do not log in to any service that requires user name and password and does not use SSL. If you really need to use such service, use VPN connection to your company office and route the connection from there. Or use some proxy service that provides SSL such as Anonymizer

I am at a loss for words..

CNN.com - Missing Georgia toddlers found dead - Apr 25, 2005

Missing Georgia toddlers found dead

Monday, April 25, 2005 Posted: 4:35 PM EDT (2035 GMT)

WARRENTON, Georgia (CNN) -- The bodies of two toddlers reported missing over the weekend were found Monday in a pond near their rural Georgia home, state investigators said.

"It appears that our worst fears have been realized," said John Bankhead, spokesman for the Georgia Bureau of Investigation.

Bankhead said the bodies were found about 12:15 p.m. in a sanitation pond, and that they were positively identified in a photograph by their father. The spokesman said an autopsy will be performed Tuesday and that the investigation was ongoing.

CNN.com - Georgia toddlers missing since Saturday - Apr 25, 2005

Georgia toddlers missing since Saturday
Spokesman: Children need daily medical treatments

Monday, April 25, 2005 Posted: 12:35 PM EDT (1635 GMT)

WARRENTON, Georgia (CNN) -- The search for two missing toddlers who need daily medical treatment resumed Monday morning, said Warren County sheriff's officials, who suspended the search Sunday night because of fatigue.

The officials said they still had no reason to suspect foul play in the disappearance of 3-year-old Jonah Payne and his 2-year-old sister, Nicole.

Nicole needs "a particular type of breathing machine on a daily basis" and Jonah requires medication, said Jay Jones, a friend of the children's parents, Lottie Kain and Dennis Payne.

"It's very important we find these children as quickly as we can so we can see that their medical needs are taken care of," he said.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Handler on Duty: David Goldsmith
Updated April 25th 2005 12:15 UTC

Update on TrendMicro Pattern 594 Issue

If you came in to the office this morning, are running a Windows OS on your computer, your computer CPU is maxing out close to 100% utilization and you have a TrendMicro antivirus product installed, please go to the link referenced below.

As reported in the diary on 2005-04-23 and on 2005-04-24, TrendMicro had a problem with their Patterm 594 update released Friday afternoon around 15:30 PDT. They have now posted an explanation of the cause and solution on their site here.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Trend Pattern 594 Update

We're continuing to receive reports from readers who have been impacted by the Trend Micro AV Signature 594 issues, including reports of machines being rebuilt to restore functionality. An ISC reader who prefers to remain anonymous suggest the following solution*:

"If customers are using Trend OfficeScan and have Outbreak Prevention Services, they can active Outbreak mode on the server. This will lock down the firewall on the client machines and allow them to only communicate with the OfficeScan server. The reduction in network traffic being processed by the client should allow enough CPU usage to download (albeit, slowly) the update from the server. This could take several hours depending on the number of clients...it took us about 2 1/2. But, if it works it keeps you from having to touch all 100's, 1000's, or 10's of thousands of clients. Trend has a lot of 30,000+ client customers that were slammed by this and are probably still trying to recover from it. This might help them."

Trend have also posted updated information at http://www.trendmicro.com/en/support/pattern594/overview.htm

Hopefully this will help any readers out there who haven't already resorted to scorched-earth tactics in dealing with this unfortunate issue. If only they were running Macs, they wouldn't have to run antivirus.

Oh, wait a minute...

Macintosh Trojan "Discovered"

As a Mac aficionado (3 Powerbooks between home & work), I'm happy to report that we've finally warranted some attention from the Malware community. It's about damn time. Intrepid ISC reader Juha-Matti alerted us to Sophos' (brief) writeup on the Cowhand trojan. If any readers have spotted this thing in the wild, please let us know.