SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #100

December 21, 2007

TOP OF THE NEWS

Judge Rules Against TorrentSpy
Visa Card Issuers Accept TJX Settlement Offer
New Cybersecurity Law Proposed To Thwart Data Breaches

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
IT Services Provider Convicted Of Hacking Would Be Customer
Guilty Plea in Business Kiosk Hacking
POLICY & LEGISLATION
FTC Proposes Data-Gathering Disclosure Guidelines for Online and Approves Google Buy of DoubleClick
SPYWARE, SPAM & PHISHING
Two Questioned in International Spam Case
Million Euro Fine in Dutch Spyware Case
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Adobe Releases Flash Update
Google Repairs Virus Hole in Orkut
Microsoft Suggests Workaround for IE Patch Problem
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Missing Backup Tapes Contain NY State Worker Data
Students Could Face Charges for Hacking School Computer System
LIST OF UPCOMING FREE SANS WEBCASTS

---

***************** Sponsored By Credant Technologies *********************

Portable Storage Devices a Growing Threat Survey of 323 IT managers and executives reveals usage rates and potential impacts of portable data storage devices--iPods, MP3 players, USB flash drives, and data-centric phones/SD cards--in the workplace.
Although organizations see rapid growth in portable storage device usage, few have a solution to prevent widespread data loss.
http://www.sans.org/info/21136

*************************************************************************

TRAINING UPDATE
Where can you find Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- - San Jose (2/2 - 2/8): http://www.sans.org/siliconvalley08/event.php
- - Phoenix (2/11 - 2/18) http://www.sans.org/phoenix08/event.php
- - Prague (2/18-2/23): http://www.sans.org/prague08
- - and in 100 other cites and on line any-time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Judge Rules Against TorrentSpy (December 18,19, & 20, 2007)

A federal judge in California has made a default ruling against TorrentSpy.com in a lawsuit brought by the recording Motion Picture Association of America (MPAA). TorrentSpy is a website that allows users to share digital music and television program files. The judgment came after the judge's ruling that TorrentSpy operators had tampered with evidence by ignoring a court order to retain information, such as server logs and IP addresses, that would help identify people trading files through the site. Some of the information that the judge wanted TorrentSpy to retain was from Random Access Memory (RAM) and therefore held only temporarily, according to defense arguments, but the judge did not agree and called TorrentSpy's behavior "obstreperous." TorrentSpy is expected to appeal the decision.
-http://news.bbc.co.uk/2/hi/technology/7153323.stm
-http://www.news.com/8301-10784_3-9835333-7.html?tag=newsmap
-http://www.heise.de/english/newsticker/news/100828

Visa Card Issuers Accept TJX Settlement Offer (December 18 & 20, 2007)

New England banks and other financial institutions that issue Visa cards have agreed to accept the US $41 million reimbursement offer from TJX Cos. to cover costs incurred when they had to notify customers of the data breach and reissue cards. The proposal required 80 percent agreement to pass. The banks will receive their share of the funds within one week. In turn, they will dismiss all claims against TJX.
-http://www.forbes.com/feeds/ap/2007/12/20/ap4465062.html
-http://www.theregister.co.uk/2007/12/20/tjx_bank_settlement/print.html
-http://www.boston.com/business/articles/2007/12/18/tjx_banks_reach_settlement_in
_data_breach?mode=PF
[Editor's Note (Cole): A hint to get executive support. Every firewall has a default deny ruleset that catches traffic that is not allowed into the company. Translation, these are attempted attacks. Determine the number of packets dropped each day, put the data on a chart and give it to management once a month. Once they realize that you have 10,000 attempted attacks a month, they will start to better understand the scope of the problem you are trying to solve. ]

New Cybersecurity Law Proposed To Thwart Data Breaches (December 20 2007)

Representative Clay, Chairman of the Information Policy Subcommittee of the House Government Oversight and Reform Committee, proposed a new law that would codify the direction OMB gave federal agencies in the aftermath of the big data breaches of 2006.
-http://www.fcw.com/online/news/151149-1.html
[Editor's Note (Paller): The bill, despite the best intentions of its authors, completely missed the most important thing it could do to improve federal cybersecurity and instead focused attention on more reporting. One day, when a really bad attack has disabled a large segment of the government, someone will ask, "Did that billion dollars we spent on writing FISMA reports have any impact on ensuring our systems are substantially better protected against common attacks?" When that happens, federal CISOs and contractors will say aloud what they say frequently in private, "we knew compliance with FISMA wasn't improving security; the only reason we wrote those useless reports was that FISMA forced us to." ]

---

************************* Sponsored Links: ***************************

1) The Norman SandBox technology leads the way in the world of proactive anti-virus solutions. Please visit us at:
http://www.sans.org/info/21141

2) Register for Department of Homeland Security Control Systems Cyber Security Trainings. SANS Process Control and SCADA Summit January 16-17.
http://www.sans.org/info/21146

3) Learn what's effective in penetration testing and vulnerability assessments. Penetration Testing and Ethical Hacking Summit March 17-18.
http://www.sans.org/info/21151



*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

IT Services Provider Convicted Of Hacking Would Be Customer (December 20, 2007)

Lee James Garvin has pleaded guilty to breaking into a former client's computer and deleting files. Garvin had arranged a deal to manage computer hardware and software for Uniform NameMakers, an embroidery company in Buffalo, NY. When the deal fell through, Garvin hacked into the computer system and deleted all client files. He could be sentenced to up to 10 years in prison and fined US $250,000.
-http://www.silive.com/newsflash/metro/index.ssf?/base/news-24/1198196075180460.x
ml&storylist=simetro
[Editor's Note (Cole): The big question is how many Mr. Garvin's do you have at your company. Hint, the answer is greater than one. In our Security Essentials (SEC401) course, we teach that the key way to control this problem is with better access control, only giving users the least access they need to do their job. While this seems difficult, role based access control (RBAC) can help make this easier to implement. In addition, data classification is a foundation piece that needs to be put in place. ]

Guilty Plea in Business Kiosk Hacking (December 18 & 19, 2007)

Hario Tandiwidjojo has pleaded guilty to unauthorized access to a protected computer for installing malware on business computer kiosks in hotels. Tandiwidjojo gained access to the computers with passwords obtained when he was employed by the company that services the kiosks. The malware sent data gathered from the infected computers to a website he had constructed. He used stolen credit card information to make more than US $34,000 in fraudulent charges over a period of three days in February 2007. A search of Tandiwidjojo's home in August turned up equipment used to make cloned credit cards. Although the maximum jail sentence would be five years in federal prison, the plea agreement is expected to result in a 10- to 16-month sentence.
-http://lawfuel.com/show-release.asp?ID=16492
-http://www.channelregister.co.uk/2007/12/19/hotel_kiosk_hijacks/print.html

POLICY & LEGISLATION

FTC Proposes Data-Gathering Disclosure Guidelines for Online and Approves Google Buy of DoubleClick Advertisers (December 20, 2007)

The Federal Trade Commission (FTC) has proposed guidelines for online advertisers about disclosing how users' web-surfing habits are tracked and used to generate personalized advertisements. The guidelines would require that advertisers let users know what sort of information is being collected and how it is being used. The FTC also wants advertisers to allow surfers to opt out of having their surfing habits information collected. The FTC recommends that sites collecting sensitive personal data only do so if consumers have expressly opted-in to the practice. The guidelines were released on the same day the FTC approved Google's proposed acquisition of DoubleClick. The proposed merger now requires approval from European regulators before it will be permitted to proceed.
-http://www.msnbc.msn.com/id/22346236/
-http://www.eweek.com/article2/0,1895,2238411,00.asp

SPYWARE, SPAM & PHISHING

Two Questioned in International Spam Case (December 19, 2007)

Authorities in New Zealand executed warrants at four locations in raids connected with a spam investigation. A firm in Christchurch is allegedly behind an international spamming ring. Investigators have interviewed two people in connection with the case. New Zealand enacted an anti-spam law in September. Under the Unsolicited Electronic Messages Act 2007, individuals could face fines of up to NZ $200,000 (US $152,600), while organizations could be fined as much as NZ $500,000 (US $381,500).
-http://www.nzherald.co.nz/section/story.cfm?c_id=5&objectid=10483270

Million Euro Fine in Dutch Spyware Case (December 18 & 19, 2007)

Three Dutch companies and their two directors have been fined a total of one million Euros (US $1.43 million) for infecting users' computers with spyware. Approximately 22 million computers around the world were infected with the malicious software, which allowed the machines to be used to launch botnet attacks. The software, called DollarRevenue, paid up to US $.25 for each installation. The fine was imposed by OPTA, the Dutch telecommunications watchdog. The names of the companies and individuals fined were not disclosed for legal reasons.
-http://www.theregister.co.uk/2007/12/18/duch/print.html
-http://www.infoworld.nl/idgns/bericht.phtml?id=002570DE00740E18002573B50074325B

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Adobe Releases Flash Update (December 20, 2007)

Adobe has issued an update for Flash to address 10 critical vulnerabilities that could be exploited to gain access to information on vulnerable machines, create denial-of-service conditions, and execute arbitrary code. The vulnerabilities affect versions of Flash prior to 9.0.1115.0 for Mac OS, Linux, and Windows. The vulnerabilities include cross-site scripting flaws, code injection attacks, and input validation errors. In a separate update, Adobe provided fixes for flaws in the GoLive HTML editor.
-http://www.theregister.co.uk/2007/12/20/adobe_flash_security_update/print.html
-http://www.securityfocus.com/brief/648
-http://www.adobe.com/support/security/bulletins/apsb07-20.html
-http://www.adobe.com/support/security/bulletins/apsb07-17.html
[Editor's Note (Cole): Most of the functionality patched by Adobe over the past several weeks the average user does not use. Remove the functionality, and you no longer have to worry about applying the patch before the vulnerability is exploited.]

Google Repairs Virus Hole in Orkut (December 19 & 20, 2007)

Google has patched a cross-site scripting hole in Orkut that allowed a virus to infect the computers of at least 400,000 members of a Portuguese language community of the online social networking site. The virus spread through an email message that alerted recipients to a new guestbook entry. When the malicious entry was viewed, it sent itself to contacts in the user's list. The virus's spread was somewhat lessened by the use of the NoScript plug-in.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=205101460
-http://www.theregister.co.uk/2007/12/19/worm_hits_orkut/print.html
-http://www.eweek.com/article2/0,1895,2237733,00.asp

Microsoft Suggests Workaround for IE Patch Problem (December 19, 2007)

Microsoft has offered a temporary workaround for users who have found that the MS07-069 security bulletin causes Internet connectivity problems. The bulletins addresses flaws in Internet Explorer (IE); some users were reporting that IE would crash when they attempted to connect to certain websites. The workaround involves editing the Windows' registry, a task beyond the capability of most users.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9053598&taxonomyId=17&intsrc=kc_top

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Missing Backup Tapes Contain NY State Worker Data (December 20, 2007)

As many as 800 current and former employees of New York's state Dormitory Authority have been notified that their personally identifiable information, including Social Security numbers (SSNs), is on backup tapes that were lost in transit. The loss affected people who were hired prior to January 1, 2006. The tapes are not encrypted, but they do require special equipment and software to be read. The backup tapes are sent daily to the agency's New York City office; this particular package arrived damaged and empty.
-http://timesunion.com/AspStories/story.asp?storyID=648817&category=FR

Students Could Face Charges for Hacking School Computer System (December 17 & 19, 2007)

Three people allegedly broke into the computer system of duPont Manual High School in Louisville, Kentucky. Two current and one former student allegedly altered grades and attendance records and created a website where they posted tests and quizzes along with answers they obtained from teachers' computers. Authorities believe the three used keystroke-logging software to give them the necessary information to access the computers. The students are working with technicians to help the school improve its cyber security. They have been suspended and if the school presses charges, they could face time in jail. The public school system is having teachers change their passwords and may start using fingerprint scanners for computer access.
-http://www.wave3.com/Global/story.asp?S=7509176
-http://www.courier-journal.com/apps/pbcs.dll/article?AID=/20071219/NEWS01/712190
859/1008/NEWS01
[Editor's Note (Schultz): I suppose that requiring teachers to change passwords will do some good, but it is not likely to prevent the kind of keystroke-logging attacks that recently occurred very well because it addresses only one possible attack vector. Additionally, having students who have engaged in illegal activity help improve security at the school in question is one of the most unwise moves school officials could have made. ]

LIST OF UPCOMING FREE SANS WEBCASTS

Internet Storm Center: Threat Update
WHEN: Wednesday, January 9, 2008 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKER: Johannes Ullrich
-http://www.sans.org/info/20067

Sponsored By: Core Security
-http://www.coresecurity.com/
">
-http://www.coresecurity.com/


This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

SANS Ask the Expert Webcast: Going beyond log management to solve security, risk and audit challenges
WHEN: Wednesday, January 23, 2008 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKERS: Dave Shackleford and Vijay Basani
-http://www.sans.org/info/20082

Sponsored By: eIQnetworks
-http://www.eiqnetworks.com

In this webcast, learn the benefits of going beyond log management to perform end-to-end correlation and analysis, how compliance can tie into the use of security technologies, and why the future of security information management (SIM) systems is shaping up to integrate security, risk and audit management onto one platform.

SANS Special Webcast: Things That Go Bump in the Network: Embedded Device Security
WHEN: Thursday, January 24, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Paul Asadoorian
-http://www.sans.org/info/20087

Sponsored By: Core Security
-http://www.coresecurity.com/
">
-http://www.coresecurity.com/


Embedded devices come into your network and appear in many different forms, including printers, iPhones, wireless routers and network-based cameras. What you might not realize is that these devices offer unique opportunities for attackers to do damage and gain access to your network - - and to the information it contains. This webcast will review known embedded device vulnerabilities and cover how these vulnerabilities can be used to gain control of devices, networks, and data - and, more importantly, what can be done about it.

********************************************************************

Be sure to check out the following FREE SANS archived webcasts:

Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich and John Weinschenk
-http://www.sans.org/info/20062

Sponsored By: Cezic
-http://www.cenzic.com/

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

SANS Special Webcast: Pinpointing and Proving Web Application Vulnerabilities with Eric Cole
WHEN: Monday, December 10, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dr. Eric Cole
-http://www.sans.org/info/20057

Sponsored By: Core Security

The September "Internet Security Threat Report" from Symantec reported that 61% of all vulnerabilities disclosed in the first half of 2007 were web application vulnerabilities. It's no wonder, since web apps are often highly customized and can be rife with potential security holes. Fortunately, recent advances in penetration testing products can help you to pinpoint and prove web application security weaknesses - even in customized apps.

SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Jerry Shenk
-http://www.sans.org/info/20052

Sponsored By: NIKSUN

How deep can traffic inspection reach without hindering data flow and how much data should it store for post-mortem analysis? Join this Webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDectector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/