SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #43

May 31, 2007

TOP OF THE NEWS

DoD Report: China Bolstering Cyber Warfare Capabilities
Hong Kong Gets Serious About Spam
Germany Passes New Hacking Law

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Microsoft Files Lawsuits Against Alleged Pump-and-Dump Scammers
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Energy Dept. Lost More Than 1,400 Laptops Over Six Years
POLICY & LEGISLATION
EU Group Questions Google Data Retention Policy
SPYWARE, SPAM & PHISHING
Tiscali Addressing eMail Problems
Spear Phishing Attack Spoofs Better Business Bureau
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
iTunes Now Selling DRM-Free Music
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple OS X Update Addresses 17 Flaws; Exploit Code Released
Apple Patches QuickTime for Second Time This Month
Cisco Warns of Cryptographic Library Vulnerability
Worm Jumps from Skype to ICQ, MSN
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Students Cleared of Wrongdoing in Data Exposure
NC DOT Server Breach Exposes Employee and Contractor Data
MISCELLANEOUS
County Blocks Access to SSNs on Website

---

********************** Sponsored By Ounce Labs, Inc. ********************

Ounce Labs, the leader in software security assurance, allows customers to verify their critical data is secure. Our white paper, "The Path to a Secure Application," directly links source code vulnerabilities to data theft and non-compliance. Find out how to manage software risk across the enterprise and down to the line of code at
http://www.sans.org/info/7721

*************************************************************************

Training Update: The big changes coming in security appear to be creating a surge of demand for security professionals and auditors with stronger technical skills in intrusion detection, forensics, wireless security, penetration testing, secure configuration management, application security, technical security auditing and more. The only programs that provide authoritative training in these topics come from SANS. Here's where you can find training with SANS' top instructors:

Brussels: SANS Secure Europe (6 courses): June 25-30
http://www.sans.org/brussels07/
Washington DC, SANSFIRE 2007 (57 courses): July 25-August 3
http://www.sans.org/sansfire07/

*************************************************************************

---

TOP OF THE NEWS

DoD Report: China Bolstering Cyber Warfare Capabilities (May 28 & 29, 2007)

China "has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks," according to a recent report from the US Defense Department (DoD). In previous years, the Pentagon's annual report to Congress on China's military power has indicated that China was focusing on defensive measures, so the shift to offensive tactics merits attention.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9021663&source=rss_topic17
-http://www.pcworld.com/article/id,132284-pg,1/article.html
[Editor's Note (Skoudis): Reports like this and the recent cyber attacks against Estonia may indicate a coming shift in the dominant threat we face. Such a shift has happened before. Before 2003, our dominant threats were hobbyists and insiders. In 2003 and 2004, the threat then changed to organized crime looking to make money. Depending on the geopolitical environment, the dominant threat may shift again, and very quickly, to state-sponsored cyber warfare. Note also that the state and organized crime threats are not mutually exclusive. It has been reported that in the Estonian case, the attackers rented bot-nets from cyber crime organizations.
(Honan): The ongoing cyber attacks against Estonian websites, covered in a recent NewsBites edition
-http://www.sans.org/newsletters/newsbites/newsbites.php?vol=9&issue=40,
should serve as a sobering reminder that Cyber Warfare is not a theoretical threat but a very effective and real one that nation states need to address.
(Schultz): When the concept of information warfare was introduced, it was immediately embraced by the military and intelligence community, but there did not seem to be very much substance behind it. The opposite is now true--security risks related to information warfare activity must now be clearly recognized, monitored, and mitigated. ]

Hong Kong Gets Serious About Spam (May 28 & 30, 2007)

New legislation in Hong Kong could see spammers facing longer jail sentences and paying fines of up to one million Hong Kong dollars (US $128,000). The law will be implemented in two phases. The first phase prohibits sending messages to email addresses obtained through "brute force" or dictionary methods. The second phase requires senders to provide accurate sender information, clear and "accessible" unsubscribe instructions and to comply with unsubscribe requests within 10 days. People who break into others' computers to use the machines for sending spam could face up to 10 years in jail. Included in the law are all unsolicited commercial messages sent over electronic media, including fax, email, mobile phone SMS and pre-recorded telephone messages that do not provide caller identification.
-http://www.smh.com.au/news/Technology/Hong-Kong-cracks-down-on-spam/2007/05/28/1
180205162548.html
-http://www.chinatechnews.com/2007/05/30/5449-hong-kong-will-punish-email-spammer
s/
-http://www.techspot.com/news/25443-hong-kong-spammers-face-big-fines-and-long-ja
il-terms.html

Germany Passes New Hacking Law (May 26 & 28, 2007)

The German government has approved a stringent new anti-hacking law. Aimed at closing loopholes in existing IT law, the legislation provides for prison sentences of up to 10 years for those convicted of breaking into computer systems. Under the new law, hacking means breaking into a computer system and accessing secure data; actual data theft is not necessary for prosecution. In addition, people and groups that intentionally create, distribute or purchase tools designed to access systems without authorization may be prosecuted. Other newly defined offenses include denial-of-service attacks and sabotage attacks on individuals; previously, the law covered attacks only on businesses and authorities. The law has met with criticism from groups that say it could curtail product development and become an impediment to administrators who are simply trying to do their jobs.
-http://computerworld.com.my/ShowPage.aspx?pagetype=2&articleid=5102&pubi
d=4&issueid=114
-http://www.heise-security.co.uk/news/90255
[Editor's Note (Skoudis): I worry that outlawing the creation of tools that exploit systems will actually lower our security stance so that we'll be unprepared for a major threat, like the state-sponsored cyber warfare described elsewhere in this Newsbytes. If Metasploit, to choose but one example, were never created and we didn't have powerful exploitation frameworks available in the public domain, our patching processes would likely be very shoddy (think about how immature the patching process was for most organizations back in 1999 or 2001). Metasploit has forced us to get better, so that when a big threat comes a-callin' in the future, we'll have a shot at handling it. Otherwise, we're toast.
(Schultz): The provision concerning creating, distributing, or purchasing tools for unauthorized system access is a genuine cause for concern in that these tools are often legitimately used for security purposes. Someone going to jail for launching a vulnerability scan or cracking password files as part of a security evaluation effort seems extremely unfair. ]

---

************************** Sponsored Links: ***************************

1) SANS OnSite Training
Receive bonus seat for SANS OnSite (up to $5100 value) Your Location! Your Schedule! Lower Cost!
Enter today! http://www.sans.org/info/7726

2) It's About More than Encrypting Bits on Disks! Compliance and technology requirements for mobile data security. Ask the Expert
http://www.sans.org/info/7731

3) Stay on top of SANS resources and content_use our new RSS feed page to make sure you are up to date.
http://www.sans.org/info/7876

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Microsoft Files Lawsuits Against Alleged Pump-and-Dump Scammers (May 25, 2007)

Microsoft has filed lawsuits against three individuals it believes attempted to artificially inflate stock prices through a process known as "pump-and-dump." The defendants allegedly sent large quantities of phony email messages through Microsoft's MSN Hotmail networks touting the value of certain stocks. If enough message recipients heeded the advice to purchase the stock, its price would go up temporarily, long enough for the fraudsters to reap a neat profit. The lawsuits allege the defendants violated the federal CAN-SPAM Act in addition to Washington state consumer protection laws. The lawsuits have been filed as "John Doe" cases because the defendants' identities are not known.
-http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/07/0
5/25/MS-sues-alleged-stock-scammers_1.html

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Energy Dept. Lost More Than 1,400 Laptops Over Six Years (May 25 & 29, 2007)

The US Energy Department (DOE) has acknowledged that it has lost 1,427 laptop computers since 2001. According to DOE, none of the missing laptops contained classified data. Nine of the missing machines had encryption software installed. No employees have been disciplined as a result of the laptops' disappearances. New DOE policies regarding laptop security include annual inventories of laptops, desktop computers and Blackberries, and requiring offices to report missing equipment to headquarters within 24 hours.
-http://www.gcn.com/online/vol1_no1/44344-1.html?topic=security&CMP=OTC-RSS
-http://federaltimes.com/index.php?S=2792626
[Editor's Note (Skoudis): The GCN article states that, "144 reported missing for 2001, 248 in 2002, 256 in 2003, 258 in 2004, 223 in 2005 and 205 in 2006." So, this was a continuing problem and was not being significantly lowered at all over time. That is a major concern. Also, the Federal Times article states, "Two of the missing laptops might have contained personal information on the users." Only two? That is, the other 1,425 laptops didn't have personal information for the users of those laptops themselves? What were they using these laptops for? Door stops? ]

POLICY & LEGISLATION

EU Group Questions Google Data Retention Policy (May 25, 2007)

The Article 29 Working Group, which comprises data commissioners from EU member nations, wants Google to clarify its data retention policy. At issue is the company's reported practice of retaining users' search information for as long as two years. The working group believes that the retention period is too long and that Google may be violating EU data protection laws. Google said earlier this year that it will strip identifying information from the data after 18 to 24 months. Google global privacy counsel Peter Fleischer said "I will tell the working party that Google needs to hold on to its log database to protect itself and the system from attacks and refine and improve the effectiveness of our search results."
-http://news.bbc.co.uk/2/hi/technology/6692063.stm
-http://euobserver.com/22/24137
-http://today.reuters.co.uk/news/articlenews.aspx?type=internetNews&storyID=2
007-05-25T145814Z_01_L25293447_RTRIDST_0_OUKIN-UK-GOOGLE-EU.XML&archived=Fal
se
[Editor's Note (Northcutt): A simple way to minimize the data Google collects on you is to delete your Google cookie from time to time. For more radical measures, see
-http://www.google-watch.org/cgi-bin/cookie.htm]

SPYWARE, SPAM & PHISHING

Tiscali Addressing eMail Problems (May 30, 2007)

Italian Internet Service provider (ISP) Tiscali has acknowledged that its customers have been unable to send email for more than a week because it has been identified as a spammer and other ISPs are blocking mail sent from Tiscali accounts. The ISP said it planned to take steps to fix the problem, including installing new hardware and updating its spam filters, by the end of the day on Wednesday, May 30, but the changes won't be completely in effect for at least a week.
-http://www.theregister.co.uk/2007/05/30/tiscali_spam_blacklist/print.html
-http://news.bbc.co.uk/2/hi/technology/6704003.stm

Spear Phishing Attack Spoofs Better Business Bureau (May 29 & 30, 2007)

More than 1,400 US corporate executives fell prey to a phishing attack that appeared to be from the Better Business Bureau (BBB). The executives received email messages that claimed complaints had been filed with the BBB about their companies. When they clicked on the provided link to view the complaint, a post logger was installed on their computers. The post logger sends all information sent through Internet Explorer (IE) to the attackers. The email messages are targeted to specific executives; their names and the names of their companies are correctly spelled to allay suspicions of fraud. The BBB has issued a fraud alert regarding the attack. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=2853
-http://www.theregister.co.uk/2007/05/30/bbb_spear_phishing/print.html
-http://www.eweek.com/article2/0,1759,2138285,00.asp?kc=EWRSS03119TX1K0000594
[Editor's Note (Pescatore): Did you ever notice how similar the actions people take when clicking on links in email (reach out, hopeful look, click) is to the actions they take at casinos when they play slot machines (reach out, hopeful look, pull). In both cases, by now everyone should really know the most likely outcome is something bad will happen (get phished, lose your money) but it is human nature to be hopeful and human behavior changes very sloooowly. The browsing experience needs to be made much safer (recent improvements in IE7 and Firefox 2 are starts) rather than everyone keep assuming user behavior will change.
(Grefer): And today, a very similar attack surfaced claiming to be an e-mail from the IRS. As always with these attacks: if it's simple enough to explain it to your users, then it's simple enough to script a filter for it. ]

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

iTunes Now Selling DRM-Free Music (May 30, 2007)

On Wednesday, May 30, the iTunes online music store began selling songs from the EMI music label without digital rights management (DRM). All EMI songs previously sold by iTunes are now available in DRM-free format; users who have purchased DRM-protected music can upgrade to the unprotected versions for 30 cents a song or US $3 an album. DRM-protected versions will still be available at a lower price. The music without DRM will be playable on a broader range of portable players.
-http://news.com.com/2102-1027_3-6187457.html?tag=st.util.print
-http://www.usatoday.com/tech/products/services/2007-05-30-itunes-plus-service_N.
htm?csp=34

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Apple OS X Update Addresses 17 Flaws; Exploit Code Released (May 25, 29 & 30, 2007)

On May 24, Apple issued an update for OS X to fix 17 vulnerabilities, including several remote code execution flaws. This is the fifth update for OS X that Apple has released this year. In a related story, exploit code for one of the patched vulnerabilities has already been published. An exploit for a buffer overflow flaw in the UPnP Internet Gateway Standardized Device Control code appeared less than 24 hours after Apple made the OS X update available. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=2856
-http://www.theregister.co.uk/2007/05/25/osx_security_update/print.html
-http://www.scmagazine.com/us/news/article/659978/apple-patches-17-flaws-third-ma
y-security-bulletin/
-http://www.vnunet.com/vnunet/news/2190692/baker-dozen-latest-apple
-http://www.eweek.com/article2/0,1759,2138304,00.asp
Security Update 2007-005:
-http://docs.info.apple.com/article.html?artnum=305530

Apple Patches QuickTime for Second Time This Month (May 29 & 30, 2007)

On May 29, Apple issued an update for a pair of flaws in the QuickTime media player. Both flaws lie in the way QuickTime handles Java. The more serious of the pair could be exploited to execute arbitrary code. The other vulnerability could be exploited to access data in memory. This QuickTime update comes just weeks after another QuickTime update to fix a vulnerability that gained widespread attention when it was used to win a hacking challenge at a security conference in Canada. That flaw was addressed in a May 1 update. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=2865
-http://www.theregister.co.uk/2007/05/30/latest_quicktime_security_patch/print.ht
ml
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9021798&source=rss_topic17
-http://news.zdnet.co.uk/security/0,1000000189,39287282,00.htm
-http://www.appleinsider.com/articles/07/05/29/apple_patches_two_critical_quickti
me_for_java_flaws.html
QuickTime Advisory:
-http://docs.info.apple.com/article.html?artnum=305531

Cisco Warns of Cryptographic Library Vulnerability (May 25, 2007)

Cisco has issued an advisory warning of a vulnerability in a third-party cryptographic library used by several different Cisco products. The flaw could be exploited when parsing a malformed Abstract Syntax Notation One ( ASN.1) object. Repeated exploitation of the flaw could result in a denial-of-service (DoS) condition. Affected products include Cisco IOS, Cisco IOS XR, Cisco PIX and ASA Security Appliances, Cisco Firewall Module and Cisco Unified CallManager. Cisco has released a patch to address the vulnerabilities; there are no workarounds. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=2844
-http://news.zdnet.co.uk/security/0,1000000189,39287234,00.htm
-http://www.cisco.com/en/US/products/products_security_advisory09186a0080847c5d.s
html
[Editor's Note (Skoudis): This flaw is illustrative of a bunch of concerns, and I'm going to use it as an example in talks I have with CIOs and others in the future. It shows the problems that can be caused by third-party code that is not carefully scrutinized when it is incorporated into a product. It shows that cryptographic libraries must be carefully analyzed for not just bad cryptography implementation, but also plain old denial of service, buffer overflow, and other conditions. It shows that packet parsing of something as complex as ASN.1 is very tough to do properly. And, it highlights how a single mistake in one library can be replicated across most of the product line of a single vendor. What a cornucopia of important lessons this one holds! Thanks, Cisco, for this important lesson and example. ]

Worm Jumps from Skype to ICQ, MSN (May 24, 2007)

A variant of the Stration worm has moved from Skype to the ICQ and MSN Messenger networks. The variant seeks other instant messaging (IM) clients on infected computers and sends itself out through them. Computers become infected when users click on a provided link and agree to download an executable file. The link will usually be accompanied by a suspiciously bland message, such as "Check this out. Give me your opinion." This appears to be the first time a worm has jumped from Skype to a different network.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9021241&source=NLT_AM&nlid=1
[Editor's Note (Northcutt): The title is a bit misleading, Stration is now trying to infect via ICQ Messenger. The most important thing to know is this has to be a self inflicted injury, you have to double click on the attachment, click on the link etc, Vista users are safer, they have to then type in their password to get infected. In issue 40 we ran a story about a researcher that ran an ad "Drive-By Download. Is your PC virus-free? Get it infected here!" and 409 people clicked on it. There is a very comprehensive analysis of Stration and its many tricks on the Computer Associates site:
-http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=58375]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Students Cleared of Wrongdoing in Data Exposure (May 25, 2007)

Two Susquehanna Township (PA) high school students will not face charges after they inadvertently viewed sensitive student medical data. A teacher had provided the students with the password to a restricted account so they could do school work. The teacher was unaware that the account would allow access to student allergy and other health information. Both students informed their parents of the situation, and the parents notified the school district. Links to the health information have been removed and all faculty members have been instructed to change their passwords.
-http://www.pennlive.com/news/patriotnews/index.ssf?/base/news/118005090311140.xm
l&coll=1

NC DOT Server Breach Exposes Employee and Contractor Data (May 25, 2007)

The names and Social Security numbers (SSNs) of approximately 25,000 North Carolina Department of Transportation (DOT) employees, contractors and other state employees were potentially exposed when the security of a server was breached. The breach affects employees who were issued identification badges between 1997 and 2006. Those affected by the breach will be notified by mail. The North Carolina Bureau of Investigation has been notified.
-http://www.wral.com/news/local/story/1446009/

MISCELLANEOUS

County Blocks Access to SSNs on Website (May 25 & 27, 2007)

Last week, the Franklin County (OH) recorder's office removed images of mortgage documents pending the completion of an audit. Some of the documents contain SSNs; the audit will find and mask the numbers. Most of the documents are from the 1990s. A Virginia woman has been searching county web sites throughout the country for sensitive data and raising awareness in the hope of prompting those responsible for the sites to remove the information.
-http://www.wtol.com/Global/story.asp?S=6574415
-http://www.columbusdispatch.com/dispatch/content/local_news/stories/2007/05/25/w
atchdog.ART_ART_05-25-07_A1_236QOB2.html

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/