
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #27

April 03, 2007


Microsoft's programming error in handling animated cursors is so critical, and exploited so often, that the company is issuing an emergency patch, probably today. See the 3rd story in this issue.

Time change: SANS' application security tools and tests webcast time has been moved up to 12:00 noon (EDT) tomorrow (Wednesday). The briefing includes new information about the secure coding exams and certification, information about what programming errors cause nearly all the security vulnerabilities, and insights from all five leading application security tools vendors.
https://www.sans.org/webcasts/show.php?webcastid=91206

TOP OF THE NEWS

Fewer Successful Attacks on DOD Computer Systems
British Hacker Loses Extradition Appeal
Microsoft Will Release Emergency Fix for Animated Cursor Flaw
Japanese Police Investigating Possibility of Leaked Defense Data

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
EMT Fired for Stealing Patient Data
Man Sentenced to 27 Months for Selling Pirated Software
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DOE IG Audit Finds Fault with Computer Controls at DOE Counterintelligence Directorate
Missing Computers Hold Navy Data
POLICY & LEGISLATION
UK Info. Commissioner Calls for Tougher Cybercrime Penalties
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
EMI to Sell Music Without Copy Protection
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Worm Pretends to be IE 7 Beta
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Disk Holds Univ. of Montana-Western Student Data
MISCELLANEOUS
CO Sec. of State Takes Steps to Protect SSNs
Newsvine CEO Claims Responsibility for McCain MySpace Page Alteration
Eight Security/Privacy People Included in 100 Most Influential in Information Technology
SANS Security Tip of the Day


*********************** Sponsored By SenSage, Inc. **********************

Don't buy a security information management (SIM) product without knowing the Top 10 Questions You Must Ask every vendor whose product you are evaluating. Get the tough questions about data collection, event data integration, reporting, analysis, accessibility and more. Brought to you by SenSage, the only patented SIM solution that enables regulatory compliance and mitigation of security risks such as insider threats.
http://www.sans.org/info/5321
*************************************************************************
SANSFIRE 07 in Washington DC Features the Internet Storm Center Experts

No one knows the newest attacks better than the Internet Storm Center Incident Handlers, and they are sharing the newest attacks and defenses in evening sessions during SANSFIRE in Washington DC, July 25-August 7, 2007. Anyone who attends a course can also attend Internet Storm Center Threat Updates. For a list of courses http://www.sans.org/sansfire07/

If you cannot come to Washington or can't wait that long, SANS award winning security training is available in more than 70 cities in nine countries just in the next four months. Better still, you can schedule SANS training on-site or even take it live online or on demand.
*Complete schedule:
http://www.sans.org/training/bylocation/index_all.php
*SANS courses on site at your facility: http://www.sans.org/onsite/
*************************************************************************

TOP OF THE NEWS

Fewer Successful Attacks on DOD Computer Systems (March 29, 2007)

In testimony before the US House Armed Services Subcommittee on Terrorism, Unconventional Threats and Capabilities, Air Force Lt. Gen. Charles Croom said successful attacks against Defense Department (DOD) computer systems fell from about 130 in January 2005 to about 40 in January 2007. Croom also said that while botnet activity on the Internet in general increased 110 percent between February 2005 and December 2006, the number of DOD computers used in botnet attacks fell 61 percent over the same period. Croom attributes the decrease to improved computer configuration control and to DoD personnel logging in to DoD systems using Common Access Cards.
-http://www.fcw.com/article98089-03-29-07-Web&printLayout

British Hacker Loses Extradition Appeal (April 3, 2007)

Gary McKinnon, the North London hacker accused of 'the biggest military hack of all time,' has lost his High Court fight against extradition to the US. Prosecutors allege that he hacked into 97 US government computers, including those of the Pentagon, US army, air force and NASA. US prosecutors accuse him of accessing hundreds of military machines.
-http://www.scmagazine.com/uk/news/article/647918/mckinnon-loses-extradition-appeal/

-http://www.iht.com/articles/ap/2007/04/03/europe/EU-GEN-Britain-US-Hacker.php

Microsoft Will Release Emergency Fix for Animated Cursor Flaw (March 30, April 1 & 2, 2007)

Microsoft says it will release an out-of-cycle patch for a remote code execution flaw that is being actively exploited. The company released an advisory about the animated cursor vulnerability last week and by the end of the week, exploit code was circulating on the Internet. The patch will be released on Tuesday, April 3, a week ahead of schedule; Microsoft's monthly security update is slated for April 10. Microsoft and law enforcement are working together to find those responsible for the attacks.
-http://news.com.com/2102-1002_3-6172364.html?tag=st.util.print
-http://www.theregister.co.uk/2007/03/30/animated_cursor_vuln/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9015281
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198701798
-http://www.computerworlduk.com/technology/security-products/prevention/news/index.cfm?RSS&newsid=2422
-http://blogs.technet.com/msrc/archive/2007/04/01/latest-on-security-update-for-microsoft-security-advisory-935423.aspx
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9015343

[Editor's Note (Ullrich): It appears Microsoft learned its lesson from the WMF fiasco. A quick out of order patch will mitigate the technical and the publicity fallout from this unfortunate bug. ]

Japanese Police Investigating Possibility of Leaked Defense Data (April 2, 2007)

Kanagawa (Japan) prefectural police are investigating the possibility that classified information found on disks at the home of a Maritime Self-Defense Force officer was leaked. The data include information about "an advanced defense system designed to protect a fleet from air attacks." Japanese law imposes prison sentences of up to 10 years for those convicted of leaking classified data. Police found the disks while searching the officer's home when his wife was arrested on an immigration law violation.
-http://www.asahi.com/english/Herald-asahi/TKY200704020115.html


************************* Sponsored Links: ****************************

1) Take the 2007 Log Management Survey and be eligible to win a Nintendo Wii system. Click here to take the survey.
http://www.sans.org/info/5326

2) The SANS Encryption Summit, April 23-25, provides concrete, actionable information you can deploy as soon as you return to work.
http://www.sans.org/info/5331
*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

EMT Fired for Stealing Patient Data (March 29, 2007)

An emergency medical technician (EMT) has been fired from the University of Illinois Medical Center at Chicago (UIC) for allegedly using his position to access sensitive patient data. Leslie Langford was charged with eight counts of felony identity theft. He allegedly accessed records of 243 patients, but just eight records were allegedly misused. The data include Social Security numbers (SSNs) and driver's license numbers. Langford was arrested on February 23; the hospital sent affected patients breach notification letters on March 8. Hospital administrators received a tip about the activity and were able to determine through the electronic record keeping system which employee was accessing the data, and which data were being accessed.
-http://abclocal.go.com/wls/story?section=local&id=5164853
-http://www.chicagotribune.com/news/local/chi-070329uic,1,3234070.story?coll=chi-news-hed

[Editor's Note (Ranum): I am sure these incidents represent the tip of the iceberg. A number of years ago I talked to a private investigator who said that before the Internet, most PIs used to know someone who knew someone with data access at MVAs, etc - who'd do a lookup for a couple hundred bucks. So now that has translated to selling entire databases. The genie has been out of the bottle in this matter for over a decade but the industry is only figuring that out now - now that it's too late.]

Man Sentenced to 27 Months for Selling Pirated Software (March 29, 2007)

An Indiana man who pleaded guilty to selling counterfeit software over the Internet has been sentenced to 27 months in federal prison. Courtney Smith sold more than US $700,000 worth of pirated Rockwell Automation software through eBay auctions, earning just over US $4,000 from the sales.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198701097

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

DOE IG Audit Finds Fault with Computer Controls at DOE Counterintelligence Directorate (March 28 & 30, 2007)

A Department of Energy (DOE) inspector general's audit found "problems with the control and accountability of desktop and laptop computers" at the Counterintelligence Directorate. Twenty desktop computers are missing from the department; of those, at least 14 were used to process classified data. The audit also found "the department is using computers not listed in its inventory, and one computer listed as destroyed was in fact being used." (Please note this site requires free registration)
-http://www.nytimes.com/2007/04/01/washington/01missing.html?pagewanted=print
-http://www.ig.energy.gov/documents/IG-0762.pdf

Missing Computers Hold Navy Data (March 30, 2007)

Three laptop computers have been reported missing from the Navy College Office in San Diego. The computers may contain sailors' personally identifiable information, including SSNs, names, rates and rankings. Those potentially affected by the data security breach are "Sailors and former Sailors homeported on San Diego ships from January 2003 to October 2005 and who were enrolled in the Navy College Program for Afloat College Education." The Naval Criminal Investigative Service (NCIS) "is investigating the incident as a possible theft" and is working with San Diego police to recover the computers.
-http://www.military.com/features/0,15240,130657,00.html

POLICY & LEGISLATION

UK Info. Commissioner Calls for Tougher Cybercrime Penalties (March 29, 2007)

Calling sentences recently handed down to data thieves "derisory," UK Information Commissioner Richard Thomas is calling for more stringent penalties for those convicted of stealing information. In most cases, people convicted of such crimes have been fined or received conditional discharges.
-http://www.vnunet.com/vnunet/news/2186730/tougher-sentences-needed-online
[Editor's Note (Schultz): I agree. The punishment must fit the crime, but in too many computer crime-related cases the punishment falls far short of the magnitude of the crime.
(Honan): One of the big attractions for criminals to get involved in online crime is that this type of crime does not involve physical violence. As a result the courts often take a more lenient view on such cases brought before them, making the risk reward equation much more attractive to the criminal. However the impact on the victim can be just as devastating as they try to restore their credit rating and recover lost funds. Courts need to realise that a crime in the online world is not a victimless one and should be treated just as seriously as one in the physical world, and sentenced accordingly.]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

EMI to Sell Music Without Copy Protection (April 2 & 3, 2007)

Music label EMI says that this spring it will start selling music from its digital catalog without digital rights management (DRM). The songs will cost US $1.29, 30 cents more than the DRM-protected songs. People who have already bought DRM-protected versions may upgrade to unprotected versions by paying the difference. The cost for full albums will not change. EMI chief executive Eric Nicoli said, "We take the view that we have to trust our customers." (Please note both sites require free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2007/04/02/AR2007040200401_pf.html
-http://www.nytimes.com/2007/04/03/technology/03music.web.html?ei=5088&en=fd32dfade3dbe1f9&ex=1333252800&adxnnl=1&partner=rssnyt&emc=rss&adxnnlx=1175565807-fDxxFnPlnbeP6V4PRkf5Ug&pagewanted=print

[Editor's Note (Pescatore): Interesting to see a "DRM pain premium": - if you are willing to pay a 25% premium, you will not have to endure the limitations of buying a song with DRM, and EMI will see if that revenue uplift is enough to offset the impact of any increase in piracy. There are not many examples where the gain of DRM has exceeded the pain. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Worm Pretends to be IE 7 Beta (March 30, 2007)

The Grum-A worm is spreading by pretending to be a beta 2 version of Internet Explorer 7 (IE7). The email messages containing the malicious link appear to come from admin@microsoft.com and the subject lines indicate the message contains a link for the IE7 beta download. The full version of IE7 was released in October 2006.
-http://www.theregister.co.uk/2007/03/30/grum_worm/print.html
[Editor's Note (Ullrich): I am not sure what's worse: End users executing the attachments, virus scanners ignoring it, or system administrators not blocking executable attachments. This is just another unnecessary set of spambots. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Stolen Disk Holds Univ. of Montana-Western Student Data (March 30, 2007)

The University of Montana-Western is notifying between 400 and 500 current and former students that their personally identifiable information was on a computer disk stolen from a professor's office last week. The data include SSNs, names, dates of birth and addresses. The students affected by the data security breach are all enrolled in the school's TRIO Student Support Services Program, formerly the Educational Opportunity Program. Police are investigating the incident.
-http://www.havredailynews.com/articles/2007/03/30/local_headlines/state.txt
-http://www.umwestern.edu/incident/

MISCELLANEOUS

CO Sec. of State Takes Steps to Protect SSNs (March 30, 2007)

Colorado Secretary of State Mike Coffman has joined others around the nation in eliminating online access to Uniform Commercial Code filing documents to protect citizens from identity fraud. Colorado had already taken steps to redact SSNs from UCC filings received before July 1, 2001, when the state issued a new UCC form that does not require SSNs. However, because some institutions continued to use the old forms, some individuals' SSNs were exposed. When Coffman became aware of the situation, he made a number of changes. The Secretary of State's business division web site will no longer be available online, and bulk electronic sales of UCC database records are no longer available. Coffman also established "a process to review each new paper filing received, so a SSN will be redacted prior to scanning and posting." Institutions still using the old form are being notified that they must switch to the new one. Coffman also established a procedure for redacting SSNs from the forms received after July 1, 2001.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9015196

-http://www.sos.state.co.us/pubs/business/PressRelease_3-29-07.pdf

Newsvine CEO Claims Responsibility for McCain MySpace Page Alteration (March 28 & 29, 2007)

Mike Davidson, who is CEO of online news site Newsvine, says he is responsible for changes made to Senator John McCain's MySpace page. Davidson says he altered the page in retribution for a breach of Internet etiquette. Apparently, the McCain page used a template Davidson had created and made available at no cost, but neglected to give Davidson credit. Furthermore, the McCain page linked to images from Davidson's servers instead of providing its own, so whenever someone viewed McCain's page, Davidson's bandwidth was being consumed. The changes to McCain's page were made when Davidson altered images on his own server. The situation has been corrected.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=198700757
-http://seattlepi.nwsource.com/local/309349_mccain29.html
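The lesson of the Newsvine/MySpace story is that a page which embeds images, scripts or stylesheets from a server it does not control displays whatever that server chooses to serve. The audit below is an added example, not code from NewsBites, Newsvine or MySpace: it parses a page and lists every fetched resource whose host differs from the page's own (or from an explicitly trusted host such as your own CDN). The sample HTML, the page URL `http://profile.example.com/candidate` and the host names in it are constructed for the demo.

```python
"""Audit an HTML page for resources hotlinked from servers you do not control.

Added example; sample HTML and host names are constructed, not taken from
the MySpace page or Newsvine's servers.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags and attributes that make the browser fetch a remote resource.
# <link> is only a fetch when it is a stylesheet (rel="canonical" etc. are not).
RESOURCE_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
}


class ResourceCollector(HTMLParser):
    """Collect (tag, absolute_url) for every resource the page would fetch."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower().split():
            return
        for name in wanted:
            value = attrs.get(name)
            if value:
                # Resolve relative and protocol-relative ("//host/x") URLs
                # against the page's own URL so every entry has a host.
                self.resources.append((tag, urljoin(self.base_url, value)))


def find_hotlinked(html, page_url, trusted_hosts=()):
    """Return [(tag, url)] for resources served from a host other than the page's own.

    trusted_hosts: hosts you operate or deliberately rely on (e.g. your CDN).
    """
    own_host = urlparse(page_url).hostname
    allowed = {own_host, *trusted_hosts}
    collector = ResourceCollector(page_url)
    collector.feed(html)
    return [(tag, url) for tag, url in collector.resources
            if urlparse(url).hostname not in allowed]


# Constructed sample page: a template copied from someone else's site,
# with the template author's server still hosting the theme and images.
PAGE_URL = "http://profile.example.com/candidate"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="canonical" href="http://profile.example.com/candidate">
<link rel="stylesheet" href="http://templates.example.net/theme.css">
<script src="https://cdn.example.org/lib.js"></script>
</head><body>
<img src="images/logo.png">
<img src="http://templates.example.net/img/banner.gif">
<img src="//templates.example.net/img/footer.gif">
</body></html>"""


if __name__ == "__main__":
    for tag, url in find_hotlinked(SAMPLE_HTML, PAGE_URL, trusted_hosts=("cdn.example.org",)):
        print(f"hotlinked <{tag}> from another host: {url}")
```

Run it against a saved copy of your own page; anything it lists is content another party can change or withdraw at will, and should be copied to a server you control (with the template author's credit, in this story's case).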

Eight Security/Privacy People Included in 100 Most Influential in Information Technology (April 2, 2007)

The 2007 list of the 100 most influential people in information technology starts with Sergey Brin and Larry Page, the Google founders, ranked number 1, and ends with Larry Wall, the creator of Perl, ranked 100. Eight security and privacy people were also on the list: Paul Nielsen of SEI, Rob Portman of OMB, Phil Zimmermann, creator of PGP, Bruce Schneier of BT Counterpane, Ed Felten of Princeton University, Alan Paller of SANS, and HD Moore, author of Metasploit.
-http://www.eweek.com/article2/0,1895,2104992,00.asp
100-76:
-http://www.eweek.com/slideshow/0,1206,l=&s=&a=203045,00.asp
75-51:
-http://www.eweek.com/slideshow/0,1206,l=&s=&a=203375,00.asp
50-26:
-http://www.eweek.com/slideshow/0,1206,l=&s=&a=203660,00.asp
25-1:
-http://www.eweek.com/slideshow/0,1206,l=&s=&a=203821,00.asp

SANS Security Tip of the Day

If you get up from your computer, lock it!

"I sent an email to your boss letting him know what you really think of him". This Notepad message was on my screen when I got back to my cubicle after getting up to stretch my legs. What? I had been gone for 180 seconds -- three quick minutes. Lucky for me, the note turned out to be from our systems administrator who wanted to make a point. All it takes is about one minute for a disgruntled colleague to send a message on your behalf to the boss and there is no way for you to prove you didn't send it. In about 30 seconds, a cracker could install a keystroke logger to capture everything you type including company secrets, user names and passwords. In about 15 seconds, a passerby could delete all your documents.

If you work for a company of 1,000 or more and would like to help distribute SANS Security Tips, please email brietveld@sans.org.

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post-graduate-level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com. He authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/