SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #4

January 12, 2007

Does anyone on your staff do an excellent job of cleaning out PCs that have been infected by spyware and other malicious software. We are just starting development of a new certification (and related training) for Certified Malware Removal Experts and we are looking for a council of 30 people who have done a lot of it to help vet the skills an dknowledge required for the certification exam and classes. Email cmre@sans.org if you have a lot of experience.
Alan

---

TOP OF THE NEWS

US National Security Agency Helped Make VISTA More Secure
Senator Feinstein Introduces Two Bills To Fight ID Theft
Corporate Security Hole: Employees Forwarding eMail to Personal Accounts
PayPal to Roll Out Another Layer of Authentication

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Man Draws Four-Year Sentence for Computer Fraud and Identity Theft
SPYWARE, SPAM & PHISHING
Spam Levels Drop in January
Spy Coins Found in Canada
RSA Finds Phishing Kit With GUI Interface
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Oracle Starts Offering Early Warning On Upcoming Security Patches
Malware Purveyors Prey on Users' Morbid Curiosity
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Hard Drive Target Of Office Break-In At A Medical Office
MISCELLANEOUS
CIPPIC Paper Calls for Canadian Breach Notification Law
Vietnamese Cyber Crime Penalties are Too Weak

---

********************* Sponsored By Symark Software **********************

Security and compliance go hand-in-hand. How can you meet compliance requirements and guard against unauthorized access or theft of data? Learn how PowerBroker, the most widely used solution for systems administration and controlling Unix/Linux root privileges, helps you meet data privacy and compliance requirements. Download the FREE White Paper "PowerBroker vs. sudo."
http://www.sans.org/info/2846

*************************************************************************

SECURITY TRAINING UPDATE: Several of the hands-on immersion security training courses at SANS 2007 (San Diego, March 29 - April 4) are starting to fill up. If you want a place, register early. You'll also save hundreds of dollars if you do it in the next few weeks. Full Schedule (53 courses):
http://www.sans.org/sans2007/event.php

*************************************************************************

---

TOP OF THE NEWS

US National Security Agency Helped Make VISTA More Secure (10 & 9 January 2007)

Microsoft has announced that the US National Security Agency (NSA) had a hand in the development of the Windows Vista operating system. NSA reportedly helped develop a configuration that would meet US Department of Defense security requirements. Although the NSA has been brought in to consult on security matters in the past, this is apparently the first time it has been involved before an operating system's release.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9007719&source=rss_topic17
-http://www.washingtonpost.com/wp-dyn/content/article/2007/01/08/AR2007010801352_
pf.html
[Editor's Note (Ullrich): The NSA has done great OS development work in the past. The Security Enhanced Linux Patch" (SELinux) developed first by the NSA is now a standard part of most linux distributions.
(Northcutt): First time? Try Security Enhanced Linux, which may grow into something wonderful, from the NSA's own web page:
-http://www.nsa.gov/selinux/
And of course since you are not allowed to say NSA without a conspiracy theory in the next sentence there is that NT thing:
-http://www.heise.de/tp/r4/artikel/5/5263/1.html
(Paller): NSA's contribution to VISTA goes back many years and goes far beyond the secure configuration mentioned here. The agency first offered all of the good ideas in SE Linux to Microsoft for an earlier version of Windows. It was only after Microsoft's refusal that the much more secure technologies were built into a Linux distribution. NSA contributed heavily to VISTA design discussions over a period of years, helping enable Microsoft to build in capabilities to block known attack vectors. The secure configuration is a separate contribution. Led by NSA and the Air Force, nearly all of DoD is now converging on a single more secure configuration of Vista. Civilian agencies (and for that matter anyone who cares about security) would do well to ask Microsoft and Dell and others to deliver Vista configured as they have for the Air Force. ]

Senator Feinstein Introduces Two Bills To Fight ID Theft (10 January 2007)

Senator Dianne Feinstein (D-Calif.) has introduced two pieces of legislation aimed at protecting citizens' personal information. The Notification of Risk to Personal Data Act would require organizations to notify people if their information has been compromised as a result of a security breach. The Social Security Number Misuse Prevention Act would prohibit organizations, including federal, state and local government agencies, from displaying or selling individuals' Social Security numbers (SSNs) without express consent.
-http://www.allamericanpatriots.com/m-news+article+storyid-17552.html
[Editor's Note (Pescatore): A unified federal law around disclosure would be a good idea *if* it doesn't lower the bar below existing state legislations, which is usually what happens as federal legislation favors business and commerce over individual privacy.
(Schultz): If passed both of these pieces of legislation would go far in helping protect individuals against identity theft and other kinds of negative consequences of data security breaches. Federal legislation requiring that those affected by data security breaches be notified has been proposed in the past, but it did not get too far. Now that the Democrats have control over both the House and the Senate, both pieces of legislation are much more likely to pass, but if they pass, the question regarding whether President Bush will veto them still remains.
(Ullrich): This is a long overdue attempt. Many states already passed similar disclosure laws creating a confusing patchwork. A single federal law would make it easier and cheaper for corporations to comply. However, the danger is that the federal standard will create a "least common denominator" and weaken existing state regulation. ]

Corporate Security Hole: Employees Forwarding eMail to Personal Accounts (11 January 2007)

Employees forwarding their work email to "web-accessible personal accounts" is a growing problem. When away from the corporate network accessing email from these accounts is usually faster and easier than going through the corporate remote email solution. Accessing email from these accounts is usually faster and easier than going through corporate networks. However, because email sent from these services does not "pass through the corporate mail system, companies could run afoul of federal laws that require them to archive corporate email and turn it over during litigation." Atlanta's DeKalb Medical Center began using systems to monitor outbound email after it became aware of the growing problem of "doctors and nurses routinely forward
[ing ]
confidential medical records to their personal Web mail accounts."
-http://www.nytimes.com/2007/01/11/technology/11email.html
[Editor's Note (Pescatore): The web mail issue is really an old problem. Enterprises that do an audit of outbound email and instant messaging often find a huge percentage of those message contain customer data or other sensitive information. Content monitoring and filtering in outbound messaging has been growing quite rapidly.
(Schultz): Another risk of forwarding work mail to Web-accessible personal accounts is that the mail servers that store such mail may not meet corporate security standards, thereby increasing the risk of unauthorized exposure of email content.
(Northcutt): This is certainly not new but it is a huge problem. It would make a good security awareness Tip of the Day. "Do you know that you are putting the company and your job at risk when you send sensitive email to non-protected accounts." If you are willing to spend six dollars, Harvard Business Review recently did a case study on zero tolerance where a chemical engineer with subject matter expertise the company needed was terminated for sending potentially sensitive emails outside the organization. It serves as a wake up call to keep a bit of an eye on HR while enforcing your sensitive information policies:
-http://harvardbusinessonline.hbsp.harvard.edu/b02/en/common/item_detail.jhtml;js
essionid=HTW2JT4UYVEJQAKRGWDSELQBKE0YIISW?id=R0611A]

PayPal to Roll Out Another Layer of Authentication (11 January 2007)

PayPal plans to bolster security by providing users with a second layer of authentication. The eBay-owned company will provide its customers with a PayPal Security Key device that generates a new numeric password every 30 seconds. Users conducting transactions will be required to enter their regular passwords as well as the randomly-generated password provided by the key. The addition of this layer of security should help thwart phishers because without a current Security Key password, other account information will not allow them access to users' accounts. Users will be asked to pay US$5 for the devices; business customers will not have to pay for the Security Keys. The use of the keys is being tested right now and will eventually be phased in for all users.
-http://www.computerworld.com/action/article.do?command=printArticleBasic&art
icleId=9007818
[Editor's Note (Honan): Kudos to PayPal for taking this step to help their customers protect themselves. While not a total gaurantee against phishing, no security is ever 100%, $5 is a small price to pay to make a PayPal account more secure.
(Schultz): I very much like what PayPal is trying to do. Given the ever-growing risks from keystroke and tty sniffers, one-time authentication credentials are clearly the right direction to take.
(Pescatore): The model of a business asking customers to pay to protect against criminals pretending to be the business never, never works. If PayPal was serious about improving the experience of its customers, and reducing its fraud costs, it would be eating the $5. Heck, if eBay could afford to pay a katrillion dollars for Skype... ]

---

*************************** Sponsored Links: **************************

1) Visit Utimaco and Lenovo at RSA Booth 531 to learn about our layered security solution. http://www.sans.org/info/2851

2) Learn how VPN-1 gateways provide simple site-to-site VPN deployment and ensure your network security. http://www.sans.org/info/2856

3) SAVE BIG! Get 30% off upcoming courses via SANS OnDemand. SEC309, SEC503, SEC508, SEC617, MGT524, AUD507.
Contact ondemand@sans.org

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Man Draws Four-Year Sentence for Computer Fraud and Identity Theft (9 January 2007)

A US District Judge has sentenced George Nkansah Owusu to four years in prison for using computers to steal information of hundreds of Virginia Commonwealth University (VCU) students. Owusu pleaded guilty to computer fraud and aggravated identity theft. He admitted to installing keystroke-logging programs on student-use computers in the VCU library and in some science labs. Owusu used the programs to obtain some students' and faculty's login information. He used the information to alter his grades, download photographs and email belonging to one student, and to log in as another and drop several of that student's classes.
-http://www.timesdispatch.com/servlet/Satellite?pagename=RTD/MGArticle/RTD_BasicA
rticle&c=MGArticle&cid=1149192559762

SPYWARE, SPAM & PHISHING

Spam Levels Drop in January (10 & 9 January 2007)

A significant downturn in spam levels is being blamed on a possible broken botnet. SoftScan noted a 30 percent drop in spam during the first week of January, following a month of rising spam levels. Another explanation for the sudden decrease could be the earthquake in Asia, but this is unlikely, as the drop off has been gradual rather than sudden, as would have been expected with disruption from the earthquake.
-http://www.techworld.com/security/news/index.cfm?newsID=7735
-http://www.vnunet.com/vnunet/news/2172204/broken-botnet-cuts-global-spam
[Editor's Note (Ullrich): Other sources, like data from postini, spamcop and message labs see much smaller or no decrease. This may just be the fact of a particular anti-spam vendor receiving less attention then usual.
(Pescatore): Or maybe the spammers just had a really, really good New Years Eve party... ]

Spy Coins Found in Canada ( 11 January 2007 )

A US Government report describes hollowed out coins such as the Canadian Two dollar "Toonie" that carries a small radio to allow tracking of the person holding the coin. The technology has been described as very sophisticated. At least three US defense contractors found such coins had been given to them, and the US Defense Department has warned American contractors to look out for such coins.
-http://ca.news.yahoo.com/s/capress/spy_money
-http://www.examiner.com/a-501456~Defense_Workers_Warned_About_Spy_Coins.html
-http://forums.collectors.com/messageview.cfm?catid=6&threadid=560665
[Editor's Note (Northcutt): The article clearly states this is not the work of our northern neighbor and that our own CIA has done this in the past. If you are concerned about being targeted because you are American, the best response is to blend in when in another country. Blending in includes several behaviors: speak quietly, listen more than you speak, wear clothes purchased in country, avoid US sports team shirts or other US branded merchandise, minimize alcohol consumption and either don't tip, or tip minimally. ]

RSA Finds Phishing Kit With GUI Interface (10 January 2007)

A new "do-it-yourself" phishing kit enables criminals to launch quite effective man-in-the-middle phishing attacks. The graphical user interface makes it easy for less skilled criminals to start fooling users into providing sensitive information. The tool steals the actual web page of the target institution so that the user sees a completely familiar page.
-http://www.eweek.com/article2/0,1759,2082039,00.asp

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Oracle Starts Offering Early Warning On Upcoming Security Patches (11 January 2007)

Oracle reported that it will fixes for 52 security vulnerabilities, some quite serious, in its quarterly patch update next week. Microsoft has been doing similar pre-releases since 2004, but Oracle's pre-announcement goes further than Microsoft's by listing which products and components will get fixes.
-http://news.com.com/Oracle+offering+early+warning+on+security+fixes/2100-1002_3-
6149632.html?tag=sas.email

Malware Purveyors Prey on Users' Morbid Curiosity (11 & 8 January 2007)

Not surprisingly, people's fascination with the macabre is being exploited to spread malware. There are reports of email messages claiming to offer footage of Saddam Hussein's execution; when users click on the provided link, they are directed to a site that tries to download a Trojan horse program. Similar emails have been detected that use attachments rather than links within the body of the message. Several different pieces of malware that try to download keystroke loggers have been detected accompanying messages about the execution.
-http://www.vnunet.com/vnunet/news/2172307/saddam-videos-hiding-trojan
-http://www.informationweek.com/management/showArticle.jhtml?articleID=196801963
[Editor's Note (Ullrich): This is an important reminder that while we like to focus on vulnerabilities in software, a lot of malware is still installed by the user without any help from software vulnerabilities. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Hard Drive Target Of Office Break-In At A Medical Office (3 January 2007)

A computer hard drive was stolen from a medical office in Somerset, Pennsylvania. Whoever broke into the office took just the hard drive, leading some to suspect that the thief was after the information on the storage device. The doctor's office did not provide details about what information the drive may contain.
-http://www.tribune-democrat.com/local/local_story_003233725.html

MISCELLANEOUS

CIPPIC Paper Calls for Canadian Breach Notification Law (9 January 2007)

The Canadian Internet Policy and Public Interest Clinic (CIPPIC) has published a white paper titled "Approaches to Security Breach Notification." The paper "argues for a Canadian law requiring that organizations notify individuals when their personal information has been compromised as a result of a breach of the organization's security." The paper also "analyzes security breach legislation in the US."
-http://www.cippic.ca/en/news/documents/BreachNotification_9jan07-web.pdf
[Editor's Note (Grefer): A step in the right direction. ]

Vietnamese Cyber Crime Penalties are Too Weak (6 January 2007)

Police in Vietnam are calling for stronger penalties for people who launch attacks against local computer networks. Currently, the law imposes only fines; the Ministry of Public Security would like the government to impose prison sentences for those convicted of such cyber crimes. Nguyen Tu Quang, director of the network security centre BKIS at Ha Noi University of Technologies said "the law is not strict enough and criticism from the public hasn't been strong enough." Vietnam is also working with international security organizations to help fend off attacks that originate outside the country.
-http://vietnamnews.vnagency.com.vn/showarticle.php?num=03SOC060107

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/