SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #18

March 02, 2007

The final deadline for savings on SANS 2007 is next Wednesday, March 7. You'll save $150 on SANS largest training program: fifty immersion training courses, a big expo, the most bonus evening networking and tech briefing sessions, and all right on the ocean in San Diego.
http://www.sans.org/sans2007/event.php

---

TOP OF THE NEWS

RIAA Opposes FAIR USE Bill

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Hewlett Packard Executives Say Infamous Investigation Was Ethical Wake-Up Call
Four Arrested in Connection with Stop & Shop Card Reader Tampering
Pair Avoid Jail Time for Attempted MySpace Extortion
Verizon Wins Permanent Injunction Against SMS Spammer
Spokane Police Err in Cyberstalking Case
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Stolen Computers Raise Data Theft Fears in Northern Ireland
Shawn Carpenter Interview
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Sun Offers Fixes for Solaris Telnet Worm
Storm Worm Targets Blogs and Bulletin Boards
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Texas A&M System Breach Forces Password Changes
Missing Hard Disk Holds Student and Alumni Data
Stolen Computers Hold Child Patient Data
Winny Leaks Sensitive Information

---

************************** Sponsored By Symantec ************************

Take a 5 minute compliance test. How well do your security policies and practices hold up under regulatory mandates? Take a five minute test to get an overall "compliance score". Then learn how Symantec solutions can help you monitor and report on compliance through a single compliance architecture that enables you to manage multiple regulations.
http://www.sans.org/info/4176
*************************************************************************

How Good Are SANS Courses?

++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines ++SANS has the highest quality instructors and the most relevant, current information of any training I have attended. Melodee McHone, Hallmark ++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA ++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - David Ritch, Department of Defense

In addition to the big conference in San Diego, programs are scheduled in more than 40 cities in the next few months or you can attend live classes (or on-demand courses) without leaving your home, or you may even study online. Schedule: http://www.sans.org/training/bylocation/index_all.php
*************************************************************************

---

TOP OF THE NEWS

RIAA Opposes FAIR USE Bill (February 28 & March 1, 2007)

The recording Industry Association of America (RIAA) is opposed to a bill that would ease some of the restrictions imposed by the Digital Millennium Copyright Act (DMCA). The RIAA says the proposed Boucher/Doolittle FAIR USE Act, which would allow people who purchase music and movies to make backup copies for personal use, would in effect "legalize hacking." The bill would "allow consumers to circumvent certain restrictions applied to the digital copies of CDs and DVDs when those copies don't have material impact on the copyright holders."
-http://www.technewsworld.com/story/56037.html#
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=197700216
-http://www.infoworld.com/article/07/02/28/HNriaaopposesfairuse_1.html
[Editor's Note (Schultz): The RIAA's reaction to this bill appears to be quite an overreaction. Making a copy of media containing movies or music for backup purposes or for personal use hardly comprises legal hacking. At the same time, however, easing some of the provisions of the DMCA would increase the likelihood that illegal copies of such media will be made.]

---

************************* Sponsored Links: ****************************

1) Learn about using/implementing automated log management technologies at the Log Management Summit April 23-25.
http://www.sans.org/info/4181

2) Register Today! SANS Tool Talk Webcast sponsored by ArcSight. March 7th at 1pm EDT.
http://www.sans.org/info/4186

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Hewlett Packard Executives Say Infamous Investigation Was Ethical Wake-Up Call (1 March 2007)

A battle is brewing between former HP Director Thomas Perkins and former HP Chairman Patricia Dunn over interpretation of changes in the board room and Dunn's role. The investigation techniques led to federal indictments and to both Dunn and Perkins leaving the board. Perkins claims boards are becoming compliance control organizations rather than providing guidance for business growth.
-http://news.com.com/HP+execs+Spy+scandal+was+ethical+wake-up+call/2100-1014_3-61
63563.html?tag=newsmap

Four Arrested in Connection with Stop & Shop Card Reader Tampering (February 27, 2007)

Four people have been arrested for their alleged involvement in tampering with electronic card transaction devices at Stop & Shop stores in Rhode Island. Stop & Shop says the devices had been altered at six stores in Rhode Island and Massachusetts, allowing account information and Personal Identification Numbers to be stolen.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9011943&taxonomyId=17&intsrc=kc_top
[Editor's Note (Honan): This story highlights how security of an information system needs to include all the components that make up that system and that the risks relating to each component are identified and managed accordingly. The fact that thieves could physically access and alter the card readers and for that activity to be also not detected highlights a major gap in Stop & Shops assessment of this system. ]

Pair Avoid Jail Time for Attempted MySpace Extortion (February 27, 2007)

Two men arrested for attempted extortion from MySpace.com have reached a plea agreement with prosecutors. Shaun Harrison and Saverio Mondelli will each pay MySpace US $13,500 in restitution, serve three years probation and perform 160 hours of community service. If they violate their probation, they will go to jail. Harrison and Mondelli developed and sold software that tracked MySpace users. MySpace tracked down the duo and sent them a "cease and desist" letter; rather than comply, the pair offered their services as "consultants" for US $150,000 in return for stopping distribution of the code. MySpace and law enforcement officials interpreted the offer as attempted extortion, although the extortion charges were dropped as part of the plea agreement.
-http://www.technewsworld.com/rsstory/55997.html
-http://www.theregister.co.uk/2007/02/27/myspace_hack_sentencing/print.html

Verizon Wins Permanent Injunction Against SMS Spammer (February 26 & 27, 2007)

Verizon has won a permanent injunction against Specialized Programming and Marketing LLC, prohibiting the Florida-based company from sending unsolicited text messages to Verizon mobile phone customers. The company must also pay US $200,000 in damages as well as US $10,000 to be donated to the Florida Coalition Against Domestic Violence. Verizon initially sued Passport Holidays in October 2005, winning a permanent injunction against that company in February 2006. During litigation, Passport named Specialized Programming and Marketing as the source of the spam and Verizon filed an amended complaint.
-http://www.vnunet.com/vnunet/news/2184349/sms-spammer-hit-massive-fine
-http://www.libn.com/breakingNews.htm?articleID=7083#
-http://news.com.com/2102-7350_3-6162263.html?tag=st.util.print

Spokane Police Err in Cyberstalking Case (February 19 & 23, 2007)

Police in Spokane, Washington admit they initially bungled a cyberstalking investigation when they misinterpreted computer data. The detectives were provided with a list of computers that had been assigned an IP address associated with threats made against an area family. The police arrested a man whose name appeared on the list; they failed to notice that the IP address in question had been assigned to his computer long before the cyber threats occurred, but was no longer assigned to his computer. The man was released within 24 hours after police realized the threats were continuing even while he was in custody and had no access to a computer. The police later arrested a 13-year-old girl who it suspects had been making the threats against her own family.
-http://www.columbian.com/news/state/APStories/AP02232007news107824.cfm
-http://www.kxly.com/news/?story_id=8628&view=text
[Editor's Note (Honan): This story demonstrates that handling and interpreting computer evidence is a highly specialised skill which if bungled could end up with your organisation facing a civil or legal case. If you do not have these skills in-house then as part of your incident response plan make sure you have put in place an agreement with a third party who can supply those skills to you. ]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Stolen Computers Raise Data Theft Fears in Northern Ireland (February 27, 2007)

Fifty-five computers have been stolen from Northern Ireland civil servants over a nine-year period. The value of the stolen equipment is 90,900 Euros (US $118.670). Northern Ireland Office spokesperson David Lidington said "We need to know what information was there. ... We need an assurance that personal information was not on these computers." A Department of Finance and Personnel spokesperson said the computers did not hold confidential information.
-http://www.breakingnews.ie/print/?jp=CWSNSNIDOJID

Shawn Carpenter Interview (February 26, 2007)

Former Sandia analyst Shawn Carpenter answers questions from Computerworld about his experience tracking down serious computer intrusions and Sandia's less-than-welcoming response to his findings. Carpenter was recently awarded US $4.3 million in a wrongful termination suit.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9011832&source=rss_topic17

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Sun Offers Fixes for Solaris Telnet Worm (March 1 & February 28, 2007)

The United States Computer Emergency Readiness Team (US-CERT) has issued an alert warning of a worm that exploits a vulnerability in the Sun Solaris telnet daemon. The flaw could be exploited to gain unauthorized access to a host using the service. Sun Microsystems has made available a patch and a workaround for the flaw, as well as an inoculation script to disable the telnet daemon and repair changes the worm has made. Internet Storm Center (published far earlier than most other major organizations):
-http://isc.sans.org/diary.html?storyid=2316
-http://www.theregister.co.uk/2007/03/01/solaris_security_worm/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9012000&source=rss_topic17
-http://www.eweek.com/print_article2/0,1217,a=202136,00.asp
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61993207-39000005c
-http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1&searchclau
se=
-http://www.us-cert.gov/cas/techalerts/TA07-059A.html

Storm Worm Targets Blogs and Bulletin Boards (February 27 & 28, 2007)

The Storm Worm has taken a new tack in its effort to self-propagate across the Internet. When the malware first appeared in January 2007, it arrived in email attachments. This variant has added a twist; if an infected user posts to a blog or bulletin board, the malware inserts a malicious link into the posting.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61992913-39000005c
-http://www.networkworld.com/news/2007/022707-storm-virus-blogs.html?nltxsec=0226
securityalert3&code=nlsecuritynewsal64135
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9011903&source=NLT_PM&nlid=8
[Editor's Note (Ullrich): "bulletin board spam" has become much more then a nuisance. Software to automate this kind of spam has been available commercially for a long time. It is important that BBS administrators restrict posts to registered users and if possible, prevent the posting of hyperlinks. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Texas A&M System Breach Forces Password Changes (March 1, 2007)

All users of Texas A&M University computer systems are being forced to change their passwords following an attempted breach of files that contain encrypted passwords. All 96,000 students, faculty and staff are being told to change their NetID passwords. Financial, payroll and student administrative systems were not affected by the breach.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=197700420
-http://cis.tamu.edu/netid/

Missing Hard Disk Holds Student and Alumni Data (March 1, 2007)

An external hard disk containing personally identifiable information of approximately 8,800 students and graduates of Tokyo University of Science was stolen on February 24. A professor had taken the device home with him, but the bag it was in was stolen while he was on a train home. The professor will face punishment.
-http://mdn.mainichi-msn.co.jp/national/news/20070301p2a00m0na026000c.html

Stolen Computers Hold Child Patient Data (February 16, 2007)

Two laptop computers stolen from a locked vehicle in the parking lot of Seton Highland Lakes Hospital near Austin, TX hold personally identifiable information of approximately 2,500 juvenile patients treated by the hospital's mobile medical unit. The data include names, medical information and Social Security numbers (SSNs).
-http://www.kxan.com/Global/story.asp?S=6100779&nav=0s3d

Winny Leaks Sensitive Information (February 24 & 15, 2007)

The Winny file-sharing software is again being blamed for two instances of personally identifiable information being leaked onto the Internet. In the first case, Information regarding 500 investigations by Yamanashi Prefectural Police was discovered on a web site; it is believed to have come from a senior officer's computer. The police banned the use of file-sharing programs in June 2005. The second case involves data belonging to customers of Chiba Bank. The compromised information includes amounts the customers have in their savings accounts. The Winny software was installed on an employee's personal computer.
-http://mdn.mainichi-msn.co.jp/national/news/p20070224p2a00m0na022000c.html
-http://mdn.mainichi-msn.co.jp/national/news/20070215p2a00m0na024000c.html

---

New Item
Security Tip of the Day

Tip: Don't plug in USB drives that you find lying around. Criminals can use them to steal your data

People's natural curiosity and desire to help were exploited by consultant Steve Stasiukonis, who was hired to check security awareness at a credit union. He loaded malicious software on old thumbnail drives and left the drives on the ground and tables in the parking lot and smoking areas. Each time a curious, helpful person plugged any of the thumb drives into his computer, it loaded software and reported who had taken the bait. His test was harmless, but criminals can use the same technique to take control of our computers. The full story can be found at this link:
http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1


Do you have a tip you would like to share? If you work for a large (1000+ employees) company, please send your tip to brietveld@sans.org.

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/