SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #51

June 29, 2007

TOP OF THE NEWS

Proposed Calif. Data Breach Law Would Place Onus of Notification and Costs on Merchants
Credit Bureaus Lobby Against Consumer Freezes
European Banks Must Let Customers Know of Data Monitoring
Two Convicted Under CAN-SPAM

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
More Guilty Pleas in Pirated Software Sales
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
More Los Alamos Security Breaches
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
MySpace Taken Over By Hackers Building Botnets
RealPlayer Flaw Fixed
Apple Updates Windows Safari Beta Again
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
DoJ Warns of Phishing Attack
Phony eMails Claim to Provide Microsoft Patch
UC Davis Vet School Admissions Data Hacked
Lost Flash Drive Holds Bowling Green State Univ. Student Data
EXTRA
SANS Volunteer Tracks Down Belgian Hacker

---

************************ Sponsored By Symark Software *******************

Demonstrate compliance and guard data from unauthorized access! Security from within is the priority. Symark access control and identity management solutions control access granularly at the systems level while logging events and keystrokes into an indelible audit trail. Get a Free 30 Day Trial of any of our products and receive our famous Fox in the Henhouse poster!
http://www.sans.org/info/10006

*************************************************************************

SANS TRAINING UPDATE: Las Vegas will be the site of the largest fall cyber security training program. SANS Network Security 2007 September 22-30. http://www.sans.org/ns2007/ Complete schedule of all training can be found at: http://www.sans.org/training/bylocation/index_all.php Two other ways to take SANS courses: (1) from your home or office you can learn from top SANS faculty teaching live on line and you asking questions in real time - very cool - called SANS@HOME
http://www.sans.org/athome/
(2) Or have SANS faculty come to your site and shape the course to your specific needs: http://www.sans.org/onsite/

*************************************************************************

---

TOP OF THE NEWS

Proposed Calif. Data Breach Law Would Place Onus of Notification and Costs on Merchants (June 28, 2007)

California state legislators are considering a bill that would make merchants responsible for notifying consumers of data breaches. That duty is presently performed by financial institutions. The bill would also require that merchants observe the payment card industry (PCI) data security standard to safeguard consumers' personal information. The retailers would also bear the costs of consumer notification and card replacement. All companies that do business with California residents would be subject to the requirements of the law.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=200001385
[Editor's Note (Schultz): Once again California has shown leadership initiating in data security breach notification legislation. The proposed legislation makes sense; the entity responsible for a data security breach should, after all, assume responsibility for it. ]

Credit Bureaus Lobby Against Consumer Freezes (June 25, 2007)

Credit bureaus are lobbying hard to thwart legislation allowing consumers to freeze their credit reports. Whereas their efforts have been largely successful at the federal level, more and more states have begun to pass data breach notification bills that include provisions to allow consumers to block access to their credit information. By the end of this year, it is expected that 35 states will have such laws in place. The credit bureaus, through the Consumer Data Industry Association (CDIA), have been refocusing their efforts on state legislators. Part of the reason for the increase in credit-freeze laws is the "messiness" of new account fraud, which occurs when a thief armed with an individual's personal information opens new accounts; without easy access to credit files, identity thieves would have a much harder time establishing the new accounts. A CDIA lobbyist has said that freezing credit reports "has not been proven to be a viable identity-theft tool."
-http://www.usatoday.com/money/perfi/credit/2007-06-25-credit-freeze-usat_N.htm
[Editor's Note (Schultz): It is a shame that entities such as credit bureaus have such little regard for the welfare of their customers. At the same time, however, these entities appear to be fighting a losing battle, as the momentum currently appears to be on the side of customers. ]

European Banks Must Let Customers Know of Data Monitoring (June 27, 2007)

The European Union's Article 29 Working Party has given member state banks until September 1, 2007 to notify their customers that their transactions are subject to monitoring by US security agencies. This applies to transactions within Europe as well as international transactions. "The recommendation comes in the wake of a controversy over the fact that European inter-bank payment agency SWIFT was found to have allowed US authorities access to transaction details, ... but account holders were not informed." The US says it needs to monitor the transactions as part of its counter-terrorism efforts.
-http://www.theregister.co.uk/2007/06/27/swift-disclosure_rules_for-european_bank
s/print.html
[Editor's Note (Honan): It is important to note that as part of this agreement the US has agreed to retain this date for a maximum of five years and only use the data counter-terrorism purposes. SWIFT will also protect this data in line with EU legislation and have agreed to an annual inspection by EU officials to ensure these measures are being met. More details from SWIFT can be found at
-http://www.swift.com/index.cfm?item_id=62260]

Two Convicted Under CAN-SPAM (June 26, 2007)

A federal jury has convicted two men on multiple charges relating to a spam operation advertising pornographic web sites. Jeffrey Kilbride and James Schaffer earned US $2 million in commission for setting up the scheme. Kilbride and Shaffer were among the first people to be charged under the CAN-SPAM Act. The charges of which they were found guilty include money laundering, conspiracy and fraud. Sentencing has been set for September, 2007; the pair could face five years in prison for each CAN-SPAM offense and fines of up to US $500,000. Three accomplices have already entered guilty pleas.
-http://www.theregister.co.uk/2007/06/26/can_spam_convictions/print.html
-http://www.vnunet.com/vnunet/news/2192862/court-slams-dirty-duo-spammers
-http://www.usdoj.gov/opa/pr/2007/June/07_crm_453.html

---

**************************** Sponsored Links: *************************

1) Attend the Application Security Summit August 15-16 in Washington, DC and hear what others are saying about application security.
http://www.sans.org/info/10011

2) Swap Out your SPI or Watchfire app sec solution Now for FREE - limited Time Offer
http://www.sans.org/info/10016

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

More Guilty Pleas in Pirated Software Sales (June 26, 2007)

Two more people have pleaded guilty to selling pirated Rockwell Automation software on eBay. Robert Koster pleaded guilty to selling more than US $5 million worth of software for a profit of US $23,000; Yutaka Yamamoto pleaded guilty to selling more than US $540,000 worth of software for a profit of US $6,000. The two will be sentenced in November. They face penalties of up to five years in jail, a fine of US $250,000 and three years of supervised release. Seven other individuals have already been convicted of selling Rockwell Automation software.
-http://www.theregister.co.uk/2007/06/26/ebay-software_piracy_convictions/print.h
tml

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

More Los Alamos Security Breaches (June 25, 2007)

Two more data security breaches linked to Los Alamos National Laboratory (LANL) have come to light. In May, a LANL employee took his work laptop with him on vacation to Ireland; the computer was stolen from his hotel room. The computer holds sensitive government documents and is equipped with an export-controlled encryption card. The employee violated lab policy by taking the computer to Ireland, but if he had asked permission, his request would likely have been granted. LANL is reportedly undertaking an inventory of all lab laptops and replacing many of them with desktop computers. Also, less than two weeks ago, a LANL scientist sent highly classified information over the open Internet to colleagues at another site; the scientist should have used a secure network. This email is separate from the January incident in which board members communicated about highly classified nuclear information over the regular Internet.
-http://www.msnbc.msn.com/id/19418769/site/newsweek/page/0/
[Editor's Note (Weatherford): The first sentence of the article says it all..."What's going on at Los Alamos?" In the Navy, when leadership begins noticing trends or sees too many similar accidents happen in a short period of time they call for a "Safety Stand-down" to refocus all-hands on safety. Los Alamos has been embarrassed by too many of these incidents over the last couple of years and the potential loss of sensitive information from an organization whose mission revolves around classified data is simply unacceptable. It appears that an elitist attitude exists there that the employees think they are exempt from the rules and policies that everyone else lives by. These events have crossed the line from being isolated incidents and that is a Leadership issue. Los Alamos needs a "Security Stand-down!"
(Northcutt): If someone offers you the Chief Security Officer position at LANL; I recommend you say no; it is a tough problem. To do the work they do at the lab you need PhDs and all the trimmings of an academic environment. Even today, many academics feel that packets must roam free etc. On the other hand, LANL has been a poster child for security problems for a decade. So, with apologies to Richard Clarke, if you spend more on coffee than security awareness you will be publicly humiliated; what's more, you deserve to be publicly humiliated.
-http://www.cbsnews.com/stories/2007/01/30/ap/politics/mainD8MVNTN82.shtml
-http://www.freenewmexican.com/news/63172.html
-http://www.freenewmexican.com/news/56133.html]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

MySpace Taken Over By Hackers Building Botnets (June 27 2007)

Dozens of MySpace pages have been changed so they infect visitors to those pages. According to Johannes Ullrich of the Internet Storm Center, the pages exploit an old (2006) Internet Explorer bug. Ullrich also said MySpace is an increasingly popular target for attackers.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=200001122

RealPlayer Flaw Fixed (June 27 & 28, 2007)

RealNetworks has fixed a buffer overflow flaw in RealPlayer and HelixPlayer that could have been exploited to execute arbitrary code. The vulnerability affects versions running on Windows, Mac and Linux. The flaw lies in a function that "processes the time specification in SMIL media files." For the flaw to be exploited, users would need to be tricked into opening a maliciously crafted SMIL file. Users are urged to upgrade to the patched versions.
-http://www.theregister.co.uk/2007/06/28/realplayer_security_hole_plugged/print.h
tml
-http://www.heise-security.co.uk/news/91810

Apple Updates Windows Safari Beta Again (June 27, 2007)

Apple Computer has released yet another updated version of Safari for Windows. The beta version of the browser was unveiled earlier this month and the first security update was released within a week. The second update, version 3.0.2, addresses a flaw that could be exploited by phishers to trick users into sharing sensitive data.
-http://www.zdnetasia.com/news/security/0,39044215,62025165,00.htm
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=200000815

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

DoJ Warns of Phishing Attack (June 28, 2007)

The US Department of Justice (DoJ) is warning people that phishing emails appearing to come from DoJ have been circulating. The messages may refer to a phony IRS suit. Users are asked to report any such emails to the DoJ through their website; they are advised not to open the email and not to download any accompanying attachments.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9025842&source=rss_topic17
[Editor's Note (Northcutt): At the bottom of this IRS Security Web page are examples of IRS phish you can use to educate your folks:
-http://www.irs.gov/individuals/article/0,,id=155344,00.html
If one of these phish get through your spam filter, you can report it here:
-http://www.ic3.gov/complaint/]

Phony eMails Claim to Provide Microsoft Patch (June 27 & 28, 2007)

The SANS Internet Storm Center is getting reports of emails that claim users need to download a fix for a zero-day flaw in Microsoft Outlook. The spear phishing emails appear to come from Microsoft and include the recipients' full names and company names, but have misspellings in other places. The emails appear to try to trick recipients into visiting a site that looks like a Microsoft site. Microsoft recommends users view site certificates to ensure their legitimacy.
-http://www.scmagazine.com/us/news/article/667467/researchers-warn-bogus-microsof
t-patch-spam/
[Editor's Note (Ullrich): Microsoft never has and never will send patches via e-mail. However, there are still plenty of people who haven't gotten that memo yet :-(]

UC Davis Vet School Admissions Data Hacked (June 27 & 28, 2007)

A computer system at the University of California Davis School of Veterinary Medicine has been breached, exposing the names, birth dates and Social Security numbers (SSNs) of approximately 1,120 applicants. The breach affects people who applied for the 2007-2008 academic year, including 131 students who had been accepted to the program, and possibly 375 applicants for the 2004-2005 academic year. The breach was uncovered when the accepted students tried to establish computer accounts at the school only to discover that accounts had already been set up in their names. Letters and email messages have been sent to people whose information was exposed. Law enforcement officials learned of the breach on June 15. A criminal investigation has been launched.
-http://sanantonio.bizjournals.com/sacramento/stories/2007/06/25/daily37.html
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=200001374

Lost Flash Drive Holds Bowling Green State Univ. Student Data (June 27, 2007)

Approximately 18,000 current and former Bowling Green State University (BGSU) students are being notified that their personally identifiable information is on a missing flash drive. An accounting professor reported the drive missing on May 30. The data loss affects students from 1992 through to the present; 199 students' SSNs are included in the data, but after 1992, BGSU switched from SSNs to university-generated unique identifiers. Other data on the drive include names and grades.
-http://toledoblade.com/apps/pbcs.dll/article?AID=/20070627/NEWS08/70627020
[Editor's Note (Pescatore): In a few months we will be reading "Stolen iPhone Holds 247,000 Customer Records." or "iPhone Bought On eBay Contains Passwords to Administrative Servers." Mobile and portable devices are continually overlooked as a problem area, though we're starting to see movement towards adding security and controls.]

EXTRA

SANS Facilitator Tracks Down Belgian Hacker

Thank you to John Fitzgerald (Director of EMEA, SANS) for letting us know that the forensics analyst responsible for tracking down the Belgian Federal Police web site defacer is Geert van Acker, a SANS facilitator who completed the SEC508 forensics course in Sweden in early June.
(Alleged Belgian Police Website Defacer Arrested
-http://www.smh.com.au/news/Technology/Teen-arrested-for-hacking-Belgian-police-w
ebsite/2007/06/25/1182623818050.html
[NewsBites Volume 9, Number 50 ]
)
[Editor's Comment (Northcutt): SANS facilitators are the backbone of our conferences, they arrive early and help set up, run and tear down the conference, we could not exist without them. The advantage to the facilitator is they get access to the training at a substantial discount. Below are links to the work study facilitator program and our Forensics course:
-http://www.sans.org/training/volunteer.php
-http://www.sans.org/training/description.php?mid=98]

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/