SANS NewsBites
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #15

February 20, 2007

TOP OF THE NEWS

Bill Would Give AG Power to Determine Data Retention Period for ISPs
UK Companies Putting Disaster Recovery on Back Burner
Survey Finds 98 Percent of Irish Firms Experienced Cyber Crime Last Year

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Former DuPont Scientist Pleads Guilty to Stealing Trade Secrets
DirectRevenue Will Pay US $1.5 Million to Settle FTC Charges
Turkish Police Arrest 17 Suspected of Internet Bank Theft
Student Faces Felony Charge for Downloading School Data to iPod
Software Author Claims MPAA Pirates Blogging Tool
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
NIST Releases New Information Security Documents
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple Releases Second Security Update of 2007
Malicious JavaScript Could Alter DNS Settings on Routers with Default Passwords
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Iowa Dept. of Education Data Breach
MISCELLANEOUS
Small Business System Security Assessment Piloted in UK
Undersea Cables Repaired After Earthquake
Nevada DMV System Audit Reveals Security Problems
SETI Helps Computer Phone Home


************************ SPONSORED BY SANS 2007 ***********************

Save more than $200 by registering this week for SANS 2007 in San Diego Mar 29-April 6: More than 50 immersion training courses on security and audit - taught by the world's best security instructors, plus a big expo all right on the ocean in San Diego. Why attend SANS? "I have attended courses by several of SANS rivals, and SANS blew them away." (Alton Thompson, US Marines).
http://www.sans.org/sans2007/event.php

*************************************************************************

TOP OF THE NEWS

Bill Would Give AG Power to Determine Data Retention Period for ISPs (15 February 2007)

A bill introduced in the US House of Representatives would give the Attorney General powers to require Internet service providers (ISPs) to retain customer data. H.R. 837, known as the Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act of 2007 or the SAFETY Act, would require that ISPs retain subscriber names, addresses, phone numbers and IP addresses. The length of time the data would be kept would be determined by the Justice Department. US Attorney General Alberto Gonzales has said he believes data should be retained for at least two years. Privacy advocates say the bill's language is vague and could be interpreted to require ISPs to retain web surfing habits and IM and email correspondence.
-http://www.internetnews.com/bus-news/print.php/3660201
-http://thomas.loc.gov/cgi-bin/query/z?c110:H.R.837:
[Please note this amends a story we ran last week (NewsBites Vol. 9, No. 13, published on Feb. 13) in which we reported that the bill required that data be held indefinitely. ]

UK Companies Putting Disaster Recovery on Back Burner (19 February 2007)

Research from NetBenefit found that although two-thirds of UK mid-size companies surveyed have established disaster recovery plans for their web sites, just 38 percent test their plans more than once a year. Sixty-four percent of companies responding to the survey said they anticipated little or no damage to business if their web sites were to go down for an entire day. The survey included responses from 100 IT directors from companies with 250 or more employees.
-http://www.vnunet.com/vnunet/news/2183550/uk-firms-under-fire-ignoring
[Editor's Note (Schultz): I am not at all surprised by the results of this survey. Furthermore, these results are by no means unique to the UK. Few organizations adequately understand the business impact that outages and disruption cause; without an understanding of this impact, the probability that organizations will create suitable continuity plans and test them is low. ]

Survey Finds 98 Percent of Irish Firms Experienced Cyber Crime Last Year (15 February 2007)

According to the Information Security Systems Association (ISSA)/University College Dublin (UCD) Irish Cybercrime Survey, 98 percent of companies experienced some form of cyber crime. Approximately one-third of respondents said they spent more than 50,000 Euros (US $65,755) to fix the problem. Twenty-two percent said they paid at least 100,000 Euros (US $131,510). More than half of the organizations responding said mitigation consumed 10 man days; nearly 25 percent said mitigation consumed more than 50 man days. Ninety percent of respondents said they had experienced a virus infection. Sixty-three percent reported asset theft and 56 percent said they had experienced phishing attacks. Just 53 percent of the organizations used outside help to address the problems.
-http://www.siliconrepublic.com/news/news.nv?storyid=single7798
-http://www.issaireland.org/ISSA
UCD Irish Cybercrime Survey 2006.pdf
[Editor's Note (Honan): This should serve as a wakeup call to business people who think their company is too small to be a target of cyber-crime. ]


************************ Sponsored Links: *****************************

1) Learn to select and implement the right tools at the Log Management Summit April 23-25.
http://www.sans.org/info/3911

2) Security professionals focus on fighting the most common data threats - - Encryption Summit, April 23-25.
http://www.sans.org/info/3916

*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Former DuPont Scientist Pleads Guilty to Stealing Trade Secrets (19 & 16 February 2007)

Former DuPont scientist Gary Yonggang Min faces up to 10 years in prison and a fine of up to US $250,000 for stealing trade secrets worth more than US $400 million. Min pleaded guilty in November 2006 to downloading proprietary information from DuPont's computer systems after he had accepted a position at a rival company but before DuPont became aware of his imminent departure. Min's document access activity was 15 times greater than that of the next most frequent user of the electronic library, but the anomaly went unnoticed until after he informed DuPont he was leaving. Most of the information Min accessed was not related to his job function. DuPont alerted authorities when it became aware of Min's activities. Min obtained DuPont documents one month after he left DuPont, storing them on a laptop owned by the rival company. When that company learned of Min's actions, it seized the laptop and turned it over to the FBI. Federal prosecutors unsealed the case last week.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=283564&source=rss_topic17

-http://www.scmagazine.com/us/news/article/633578/400-million-corporate-espionage-incident-dupont/

-http://www.dfw.com/mld/dfw/business/16708448.htm
[Editor's Note (Grefer): Most people at most companies have more access than they need. If your organization is not classifying intellectual property and prioritizing access control, then detecting and prosecuting unauthorized access and misuse is going to be very difficult. The government cybercrime site, www.cybercrime.gov/, has news and other resources related to US federal activity in this arena. Review the trade secrets checklist
-http://www.cybercrime.gov/reportingchecklist-ts.pdf
and ask yourself, if I were the prosecutor, would I feel confident taking this to court?]

DirectRevenue Will Pay US $1.5 Million to Settle FTC Charges (17 February 2007)

DirectRevenue LLC will pay US $1.5 million to settle charges brought by the Federal Trade Commission (FTC). The charges said DirectRevenue offered free screensavers and games, but bundled adware with those applications without giving users appropriate notice. The adware tracked users' on-line behavior and sent them pop-up ads tailored to their apparent interests. The settlement also requires that DirectRevenue download adware only with express user consent and that it provide an easy way to remove the software from computers.
-http://www.al.com/business/birminghamnews/index.ssf?/base/business/1171708300304350.xml&coll=2

[Editor's Note (Grefer): Ben Edelman has posted additional data on Direct Revenue's tactics here:
-http://www.benedelman.org/news/040706-1.html]

Turkish Police Arrest 17 Suspected of Internet Bank Theft (16 February 2007)

Turkish police have arrested 17 people who are part of a gang believed to be responsible for the theft of US $300,000 from Internet bank accounts. The gang allegedly worked with three Russians who supplied them with the user names and passwords needed to access the accounts. The Russians allegedly obtained the information by infecting computers with spyware. Interpol has been provided with the names of the Russian suspects.
-http://www.vnunet.com/vnunet/news/2183504/turks-arrest-online-theft
-http://www.scmagazine.com/us/news/article/633686/spyware-aided-hackers-arrested-turkey-online-bank-robbery/

Student Faces Felony Charge for Downloading School Data to iPod (14 February 2007)

A junior at Clay High School in Oregon, Ohio has been charged with a felony for allegedly breaking into the school's computer system and downloading information from personnel and student files onto his iPod. Two members of the high school staff have reportedly been reprimanded for their "inaction or lack of follow-through." A classroom instructor saw that students were looking at the sensitive files and told them to log out and delete any information they had downloaded, but he did not see the students do this. The student has withdrawn from the school.
-http://toledoblade.com/apps/pbcs.dll/article?AID=/20070214/NEWS03/702140355

Software Author Claims MPAA Pirates Blogging Tool (17 February 2007)

The author of ForestBlog says he has discovered that the Motion Picture Association of America is using his blog software in violation of the license.
-http://www.boingboing.net/2007/02/17/mpaa_rips_off_freewa.html
[Editor's Comment (Northcutt): The author's blog site is below, but apparently this story is making the rounds so fast his site is overwhelmed so it may take you a few tries:
-http://www.patrickrobin.co.uk/default.asp?Display=4]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

NIST Releases New Information Security Documents (16 February 2007)

The National Institute of Standards and Technology (NIST) has released two new information security documents. NISTIR 7359, "Information Security Guide for Government Executives," is designed to "assist senior leaders in understanding how to oversee and support the development and implementation of information security programs." NISTIR 7358, "Program Review for Information Security Management Assistance (PRISMA)" describes "a methodology developed by NIST for reviewing complex requirements and posture of a federal information security program." It "should help identify program deficiencies, establish baselines, validate corrections and provide supporting information for Federal Information Security Management Act (FISMA) scorecards." The document provides definitions for five levels of maturity, from policy development to integration, for each of nine "primary topic areas."
-http://www.gcn.com/online/vol1_no1/43141-1.html?topic=security&CMP=OTC-RSS
-http://www.csrc.gov/publications/nistir/ir7359/NISTIR-7359.pdf
-http://www.csrc.gov/publications/nistir/ir7358/NISTIR-7358.pdf

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Apple Releases Second Security Update of 2007 (16 February 2007)

Apple has released Security Update 2007-002 to address multiple vulnerabilities. The flaws include a buffer overflow vulnerability in Finder that could be exploited to crash the application or to run arbitrary code; a privilege escalation vulnerability in UserNotification; and three vulnerabilities in iChat, two of which could be exploited to crash the application and the other of which could be exploited to run arbitrary code. The flaws affect various versions of Mac OS X and Mac OS X Server.
-http://www.vnunet.com/vnunet/news/2183478/five-fixes-latest-apple-patch
-http://www.us-cert.gov/cas/techalerts/TA07-047A.html
-http://docs.info.apple.com/article.html?artnum=305102

Malicious JavaScript Could Alter DNS Settings on Routers with Default Passwords (16 & 15 February 2007)

Malicious JavaScript placed on web sites could be used to change DNS settings on home routers that are still using default passwords. Once the change has been made, the next time the router is rebooted, the user would be redirected to spoofed, possibly malicious web sites. Research indicates that about half of router owners have not changed the password from the default.
-http://www.theregister.co.uk/2007/02/15/router_vuln/print.html
-http://news.bbc.co.uk/2/hi/technology/6367691.stm
Technical details:
-http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html

[Editor's Note (Pescatore): This is a clever attack exploiting the weak default configuration of most consumer home network products. Those consumer products tend to walk the user through a wide open setup and then at the end say "If you want to turn security on, click here - but it might ruin performance or totally screw up your network." The WiFi Alliance has started an effort called WiFi Protected Setup to make it easier for default configuration of WiFi networks to be secure - the same thing should happen for the rest of the consumer network products.
(Skoudis): Although this attack focuses on consumers, it illustrates a major trend I'm seeing in the cases I'm investigating. Browser scripts are a scourge, with implications beyond the browsers in which they run. Recent browser script attacks that I've investigated, as well as the attack described in this article, involve a browser requesting content from a web site where the attacker has posted a malicious script. The web site shoots the script back in a web response that causes the browser to take some action on the infrastructure on which the browsing machine resides. The browser is used, in effect, as a remote control sentinel inside an organization's firewall to manipulate its infrastructure (such as routers, internal applications, etc.), controlled via browser scripts. We're seeing this in some advanced attacks today, but watch for this vector to increase massively in the next year or so. To defend against it, you may want to disable browser script support in your browsers associated with critical components of your network, or enable them only for important web servers that you've added to your trusted zone. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Iowa Dept. of Education Data Breach (15 February 2007)

The Iowa Department of Education has warned that someone accessed data located in what was supposedly a protected area of its web site. The data include the names, addresses, dates of birth and Social Security numbers (SSNs) of people who received a GED (general education degree) from Iowa between 1965 and 2002. The intrusion was discovered on February 12. The data have been secured and the vulnerable application taken offline. A department spokesperson said they believe the intruder viewed approximately 600 of the 160,000 records. The FBI is investigating along with the Iowa Department of Public Safety's Division of Criminal Investigation.
-http://www.radioiowa.com/gestalt/go.cfm?objectid=C62EC2FD-D6CA-6148-ECA10EFC215AB72D

-http://www.iowa.gov/educate/content/view/897/1051/

MISCELLANEOUS

Small Business System Security Assessment Piloted in UK (15 February 2007)

The Yorkshire-safe.org web site allows small businesses to answer 20 questions designed to assess the security of their systems. The site also provides security advice, a glossary of cyber security terms and information about reporting cyber crime. The system is scheduled to be rolled out nationally by March and throughout Europe by September.
-http://www.vnunet.com/articles/print/2183262
-http://www.yorkshire-safe.org/

Undersea Cables Repaired After Earthquake (15 February 2007)

A spokesperson for Hong Kong's Office of the Telecommunications Authority says cables damaged in the December 2006 earthquake have been repaired and that "external telecoms services, including Internet access, have been fully restored." Two undersea earthquakes near Taiwan on December 26 damaged six undersea cable systems.
-http://www.vnunet.com/vnunet/news/2183438/asia-net-links-restored

Nevada DMV System Audit Reveals Security Problems (15 February 2007)

A state audit of the Nevada Department of Motor Vehicles (DMV) computer systems found a host of security concerns. The encryption the system uses for credit cards is not up to industry standards. Approximately 30 former Nevada DMV employees still have active accounts on the network. Data such as SSNs and dates of birth are supposed to be deleted each day, but auditors found several disks and two laptops that held this sort of data dating back as far as 2002. The DMV says it is taking steps to address the vulnerabilities.
-http://www.klas-tv.com/global/story.asp?s=6090641&ClientType=Printable
[Editor's Note (Northcutt): And this after 8,000 records were stolen in 2005:
-http://www.lasvegassun.com/sunbin/stories/nevada/2005/mar/11/031110432.html
Keep in mind there have been a number of data breaches and abuses of information at numerous state DMVs and these are the people that will have the operational lead on the REAL ID ACT and 2008 is coming fast. If you live in the USA, maybe it would be a good idea to let the governor of your state know about any concerns that you have:
-http://en.wikipedia.org/wiki/Real_ID_Act
-http://www.citizinemag.com/commentary/commentary-0505_haroldsmith.htm
-http://news.com.com/National+ID+cards+on+the+way/2100-1028_3-5573414.html]

SETI Helps Computer Phone Home (14 February 2007)

A man was able to help police locate his wife's stolen laptop because of software he had installed to allow it to take part in the SETI@home distributed computing project. When participating computers communicate with the SETI computers at the University of California, Berkeley Space Sciences Laboratory, servers record the computer's IP address and file it in a database that people running the software can view. The laptop communicated with SETI three times; the man gave the IP addresses to the police who then subpoenaed the ISP to help track down the computer's location. They were able to recover the machine within days.
-http://www.signonsandiego.com/news/state/20070214-2240-ca-nerdylovestory.html
[Editor's Note (Honan): Nice to see "an undocumented feature" of an application being used for the forces of good for a change. ]


=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/