SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #41

May 22, 2007

Note to Washington DC area security professionals: Please invite two or three of your programmers (or contractor programmers) to participate in the pilot test of the new secure coding exams in C or Java, on August 14 in Washington DC. Pilot participants will be contributing to the improvement if the exams and will be eligible to earn secure programming certification. Participants' names will be entirely confidential. Those who sign up in the next few days will get an invitation to a webcast that helps them ensure they know what will be covered and where to find study materials. Exam blueprints and details at:
http://www.sans.org/gssp07/
Test information: www.sans-ssi.org
Questions: spa@sans.org

Alan

---

TOP OF THE NEWS

DHS Wants Security White Papers
House Committee Wants NRC to Conduct Deeper Investigation Into Data Spike at Alabama Power Plant

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Convicted Movie Pirate Loses Appeal
Two Arrested in Hospital Computer Theft
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Glitch Leaves Office 2007 Users Running Vista Unprotected
New Gozi Trojan Variant Spreading
Critical Flaws in Java Development Kit
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Columbia Bank Online Customers Notified of Breach
Illinois State Database Suffers Security Breach
Nevada College Server Infected
MISCELLANEOUS
University Hosts Hacking Challenge for Teens
Memorial Day Week NewsBites Publication Schedule

---

********************** Sponsored By ArcSight, Inc. **********************

**** Free Whitepaper: Extracting Value From Log Data ****

Discover how to extract the value in your event log data. Learn how to capture log data across your enterprise, reduce long-term retention costs and simplify access to historical data with this free whitepaper. Brought to you by ArcSight, the SIM leader that turns operational data into action.
http://www.sans.org/info/7456
*************************************************************************
Where can you find courses by SANS best teachers of Hacking, Techniques, Forensics, Intrusion Detection, Security Essentials, Auditing and more?
Brussels: SANS Secure Europe (6 courses): June 25-30
http://www.sans.org/brussels07/
Washington DC, SANSFIRE 2007 (57 courses): July 25-August 3
http://www.sans.org/sansfire07/

Or schedule courses on site at your location:
http://www.sans.org/onsite/
************************************************************************

---

TOP OF THE NEWS

DHS Wants Security White Papers (May 21, 2007)

The US Department of Homeland Security (DHS) is seeking white papers on a variety of cyber security topics, including botnets and malware protection, routing security, process control security, and insider threat detection and management. The white papers on the technologies to address and mitigate these and other threats are due on June 27; final proposals will be due on September 17.
-http://www.fcw.com/article102766-05-21-07-Web&printLayout
-http://www.fbo.gov/spg/DHS/OCPO/DHS-OCPO/BAA07%2D09/Attachments.html

House Committee Wants NRC to Conduct Deeper Investigation Into Data Spike at Alabama Power Plant (May 18, 2007)

The US House Committee on Homeland Security wants the Nuclear Regulatory Commission (NRC) to conduct a deeper investigation into an apparent data spike that forced operators at the Brown's Ferry nuclear power plant in Alabama to shut down the plant's reactor in August 2006. The operators shut down the reactor after two water recirculation pumps failed due to what an NRC notice called a "data storm," which appeared to be caused by a malfunctioning variable frequency drive (VFD) controller. The committee is urging further investigation because there is speculation that the incident could have been triggered by activity from outside the plant. A letter from the Committee's Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology reads, "Unless and until the cause of the excessive network load can be explained, there is no way for either the licensee or the NRC to know that this was not an external DDoS attack." The letters expresses "deep reservations about the NRC's hesitation to conduct a special investigation into this incident." The NRC has until June 14 to respond to the letter.
-http://www.securityfocus.com/news/11465
-http://www.scmagazine.com/us/news/article/658709/congressmen-want-explanation-po
ssible-nuclear-power-plant-cybersecurity-incident/
-http://homeland.house.gov/press/index.asp?ID=212

---

************************* Sponsored Links: ****************************
1) It's About More than Encrypting Bits on Disks! Compliance and technology requirements for mobile data security. Ask the Expert
http://www.sans.org/info/7461

2) ALERT: Hacking Web 2.0- Ajax Security Dangers- White Paper How Hackers are attacking Ajax Web Apps. Download this SPI Dynamics white paper.
http://www.sans.org/info/7466

3) Is your MPLS network secure? Register for a FREE webinar "Securing MPLS Networks" and learn how to utilize NetFlow to harden and securely operate your MPLS.
http://www.sans.org/info/7471
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Convicted Movie Pirate Loses Appeal (May 18, 2007)

A Hong Kong man convicted of making movies available for download over the BitTorrent peer-to-peer (P2P) file-sharing network has lost his appeal. Chan Nai-ming will serve a three-month prison sentence for distributing three movies, "Daredevil," "Miss Congeniality," and "Red Planet," in 2005. The defense argued that Chan merely uploaded the movies but did not distribute them; the judges said that by his actions, Chan "enabled people to download" the films.
-http://www.theage.com.au/news/Technology/Hong-Kong-man-loses-Internet-piracy-app
eal/2007/05/18/1178995401345.html

Two Arrested in Hospital Computer Theft (May 11& 15, 2007)

Two men have been arrested in connection with the theft of two laptop computers from Highland Hospital in Rochester, NY. Both have been charged with third-degree burglary and third-degree grand larceny for allegedly stealing the computers and selling them on eBay. One of the computers was recovered in Florida; the other computer has not been recovered. The recovered computer is thought to have contained personal data of more than 13,000 patients at the time it was stolen; the FBI is analyzing the computer to see if any data were downloaded.
-http://www.democratandchronicle.com/apps/pbcs.dll/article?AID=/20070515/NEWS01/7
05150325/1002/NEWS
-http://www.13wham.com/news/local/story.aspx?content_id=d70aed97-d001-4e3f-990d-5
0f9d8e32769

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Glitch Leaves Office 2007 Users Running Vista Unprotected (May 21, 2007)

Microsoft has "updated the detection logic for the May 8th Security and Non-Security Updates for Office 2007." The original detection logic in some cases failed to offer the updates or failed to install updates correctly on systems running Vista. Vista users who are offered the updates again should install them. The issue affects MS07-023 and MS07-025.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9020262&source=rss_topic17
-http://blogs.technet.com/msrc/archive/2007/05/17/new-detection-logic-for-may-8th
-office-2007-updates.aspx

New Gozi Trojan Variant Spreading (May 19, 2007)

A new variant of the Gozi Trojan horse program has been spreading since mid-April. The malware grabs data from encrypted SSL streams and sends them back to a server in Russia. The upstream ISP cut the server off from Internet connection once it was alerted to the situation. The malware has gathered sensitive information, including bank account and credit card numbers, user names, passwords and Social Security numbers (SSNs) of more than 2,000 people. Changes apparent in the new version of Gozi include the addition of a packer utility that helps the malware evade detection by standard virus signatures and a keystroke logging capability that increases the amount of information it can steal. Gozi exploits a known flaw in Microsoft's Internet Explorer (IE) iFrame tags.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9019978&source=rss_topic17

Critical Flaws in Java Development Kit (May 17, 2007)

Java Development Kit users running version 1.x are encouraged to upgrade to protect their systems from two remotely exploitable flaws. The first flaw is an integer overflow error in the image parser that occurs when processing ICC profiles embedded in JPEG images; the flaw could be exploited to crash the JVM (Java Virtual Machine) and possibly allow arbitrary code execution. The second flaw is due to an error in the BMP image parser when parsing malformed files on Unix/Linux systems and could be exploited to cause denial-of-service conditions. Sun Microsystems has released JDK versions 1.5.0_11-b03 and 1.6.0_01-b06 to address the flaws.
-http://www.eweek.com/print_article2/0,1217,a=207757,00.asp

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Columbia Bank Online Customers Notified of Breach (May 21, 2007)

Fair Lawn, NJ-based Columbia Bank has acknowledged that cyber intruders "gained access to
[online ]
customers' names and SSNs." The breach did not affect account numbers or passwords. Columbia Bank CEO Raymond G. Hallock declined to reveal how many customers were affected by the incident. Customers received letters dated May 18 informing them of the situation and offering one year of free credit monitoring. The FBI and the New Jersey State Police are investigating.
-http://www.northjersey.com/page.php?qstr=eXJpcnk3ZjczN2Y3dnFlZUVFeXkzJmZnYmVsN2Y
3dnFlZUVFeXk3MTM4Njk2JnlyaXJ5N2Y3MTdmN3ZxZWVFRXl5Mg==

Illinois State Database Suffers Security Breach (May 19, 2007)

A database holding personally identifiable information of approximately 300,000 people who have applied for or hold certain professional licenses in Illinois has been breached. The compromised data include addresses, tax identification numbers and SSNs. People affected by the breach will receive notification letters. On May 3, officials at the Illinois Department of Financial and Professional Regulation confirmed that data had been breached; the incident may have occurred as long ago as January 2007. Those affected by the breach include mortgage brokers, real estate agents and pawn-shop operators.
-http://www.sj-r.com/sections/news/stories/114739.asp
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9020218&source=rss_topic17
-http://www.idfpr.com/breachinformation.asp

Nevada College Server Infected (May 17, 2007)

A server at the Community College of Southern Nevada (CCSN) was hit with a virus in February, 2007, compromising the personal data of nearly 200,000 current and former students. The attack occurred while the network was being reconfigured. The data included in the SQL database include names, SSNs and birth dates. An investigation "did not conclusively determine whether any information had been accessed or acquired." CCSN sent letters to all affected individuals and has established a website to provide people with additional information.
-http://www.scmagazine.com/us/news/article/658373/virus-compromises-200000-record
s-community-college-southern-nevada/

MISCELLANEOUS

University Hosts Hacking Challenge for Teens (May 21, 2007)

Iowa State University held a cyber defense challenge for high school students, pitting 19 blue teams against a red team composed of security experts bent on infiltrating and causing trouble on the students' networks. First place went to West Des Moines Valley High School for the second year in a row; one team member noted that they won by "watch
[ing their ]
network activity like a hawk."
-http://cosmiclog.msnbc.msn.com/archive/2007/05/21/199009.aspx

Memorial Day Week NewsBites Publication Schedule

Next week, NewsBites will be published just once, on Thursday, May 31. The following week, we will be back to our usual Tuesday and Friday publications.

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/