SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #52

July 03, 2007

Challenges of Outsourcing and Security?
If you have found great solutions to the challenges of security in outsourced application development, we'd be very interested in talking with you. More than 100 large organizations are getting together in August to exchange lessons learned in application security and nearly 80% of some organizations' development is now outsourced to India and China and Poland and to outsourcers in their own countries. A big part of the meeting will be about how to get secure code developed when you are outsourcing (and insourcing). If you are interested in attending the workshop either because you have interesting stories to tell and lessons to learn, or because you are looking for best practices, please email me at apaller@sans.org.
Alan

---

TOP OF THE NEWS

US, EU Reach Data Sharing Agreements
Russian Independent Websites Under Attack
VA IG Report Pins Medical Center Data Loss on IT Specialist

THE REST OF THE WEEK'S NEWS

SPYWARE, SPAM & PHISHING
Phishers Exploit iPhone Obsession
Phishing Attack Spreading Through Yahoo! IM
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
BSA Ups Maximum Piracy Whistleblowing Reward
Music Piracy Raid on Scottish Honeywell Office
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Flux Bot Spreads Through Infected MySpace Pages
Storm Trojan Variant Spreading Through Phony eCard Links
Srizbi and Storm Trojans: Battle of the Bots
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Microsoft UK Web Page Hit with SQL Injection Attack
STATISTICS, STUDIES & SURVEYS
US Schools Need to Improve Security Education

---

********************** Sponsored By Symark Software *********************

Demonstrate compliance and guard data from unauthorized access! Security from within is the priority. Symark access control and identity management solutions control access granularly at the systems level while logging events and keystrokes into an indelible audit trail. Get a Free 30 Day Trial of any of our products and receive our famous Fox in the Henhouse poster!
http://www.sans.org/info/10146

*************************************************************************

SANS TRAINING UPDATE: Las Vegas will be the site of the largest fall cyber security training program. SANS Network Security 2007 September 22-30. http://www.sans.org/ns2007/ Complete schedule of all training can be found at: http://www.sans.org/training/bylocation/index_all.php Two other ways to take SANS courses: (1) from your home or office you can learn from top SANS faculty teaching live on line and you asking questions in real time - very cool - called SANS@HOME
http://www.sans.org/athome/
(2) Or have SANS faculty come to your site and shape the course to your specific needs: http://www.sans.org/onsite/

*************************************************************************

---

TOP OF THE NEWS

US, EU Reach Data Sharing Agreements (June 29, 2007)

The US and the European Union (EU) have reached agreements regarding the US's access to EU citizen airline passenger and financial transaction data. The agreement regarding travel data allows the US to retain EU passenger record information for up to 15 years and places no limits on what the US may do with the information. EU officials will be permitted to visit the US to see how the data are used. The US maintains it needs airline passenger information to monitor who enters the country. The agreement regarding banking data allows the US treasury department to retain the information for up to five years; its use is restricted to counter-terrorism efforts.
-http://www.theregister.co.uk/2007/06/29/us_eu_data_use/print.html
-http://www.vnunet.com/computing/news/2193144/eu-does-double-deal
[Editor's Note (Honan): Many European citizens are upset at the erosion of their privacy rights by a foreign nation without any recourse to ensure the data held on them is accurate and correct and not shared with other third parties. In time we may live to regret the erosion of our rights and liberties in the name of "the war on terror". ]

Russian Independent Websites Under Attack (July 2, 2007)

Web sites of organizations that have been critical of the Russian government are falling prey to cyber attacks that the organizations maintain bear a striking resemblance to those launched against Estonian web sites in April and May. The groups believe the Kremlin is behind these attacks that attempt to stifle freedom of speech and information. They believe the motives are related to the upcoming Russian parliamentary and presidential elections. The Russian government denies the allegations, maintaining hackers could spoof IP addresses to make it appear as though the attacks are coming from somewhere other than their true origins.
-http://www.cnn.com/2007/TECH/07/02/russia.cyberwar.ap/index.html

VA IG Report Pins Medical Center Data Loss on IT Specialist (June 30, 2007)

According to a report from the Department of Veterans Affairs inspector general (IG), the Birmingham, Alabama VA medical center responsible for missing data belonging to more than 1.5 million people was not conforming to department privacy regulations. The data were on an external hard drive that was discovered to be missing on January 22, 2007. The IT Specialist responsible for the data initially misinformed investigators and deleted files from his computer to make the problem seem less serious. The data, which include Social Security numbers (SSNs) and medical and health information, were not encrypted or password-protected. The employee's mis-statements led investigators to underestimate the number of individuals affected by the breach. It was later discovered that the breach affects approximately 250,000 veterans and approximately 1.3 million physicians and other medical service providers. Despite policy requiring that data be protected by encryption, managers at this particular facility decided to lock external drives in a safe. However, employees routinely left the drives outside the safe or took the drives offsite; furthermore, there was no established procedure for monitoring safe access. The report also questions whether the IT specialist was authorized to access such large pools of data and whether protocols were followed.
-http://www.al.com/news/birminghamnews/index.ssf?/base/news/1183192343301010.xml&
amp;coll=2
-http://www.computerworld.com/action/article.do?command=printArticleBasic&art
icleId=9026059
-http://www.va.gov/oig/51/FY2007rpts/VAOIG-07-01083-157.pdf
[Editor's Note (Honan): While this story highlights issues regarding policy enforcement and data access, it also highlights that when investigating a suspected breach interviews of staff should be done so by those with the appropriate interview skills and let the facts support the findings of those interviews.
(Boeckman): It is interesting that there is always a witch hunt after an incident and the culprit never turns out to be the CIO. (Ranum): Policies and procedures always look good on paper. But that's the only place they work. Restricting data to a "need to know" basis is the end-game that everyone's trying to avoid confronting.
(Weatherford): OK, all together now, "NEED TO KNOW!" The lying employee, while inexcusable, is not surprising. People will always minimize the effects of their acts if they think they will get in trouble and when "investigators" are asking questions, trouble is imminent. Is this another case of "management" violating corporate policy or is there could be more to the story? Perhaps "management" didn't get the funding they asked for and needed to encrypt the data so their risk mitigation strategy was to lock the hard drives in a safe? Not the best strategy but at least it's a strategy! Of course they now needed to establish and enforce a policy for monitoring safe access and there's still that darn "NEED TO KNOW" issue! ]

---

************************ Sponsored Links: ******************************

1) ALERT: "How A Hacker Launches A Blind SQL Injection Attack!"- White Paper
http://www.sans.org/info/10151

2) SANS Ask the Expert webcast, "Reputation-Based Network Security" sponsored by Secure Computing. Register today.
http://www.sans.org/info/10156

3) Compliance and Technology Essentials for Mobile Data Security. It takes more than encrypting bits on disks! Archived webcast:
http://www.sans.org/info/10161

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

SPYWARE, SPAM & PHISHING

Phishers Exploit iPhone Obsession (July 2, 2007)

Not surprisingly, phishers have already begun exploiting the popularity of iPhones to spread malware. The emails tell the recipients they have won an iPhone; when they click on the provided link, they are directed to a site that tries to install malware on their computers. The site hosts more than 10 different exploits to take advantage of a variety of browser vulnerabilities to boost the likelihood that malware will be installed on their computers. Users whose computers try to access the malicious code site more than once are redirected to a benign site.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339279440-1300
61744t-110000005c
[Editor's Note (Grefer): A nicely illustrated slideshow introduction to such scam spam is available at
-http://www.eweek.com/slideshow_viewer/0,1205,l=&s=25932&a=210554&po=
1,00.asp]

Phishing Attack Spreading Through Yahoo! IM (July 2, 2007)

A phishing scam is spreading through Yahoo! Instant Messenger (IM) contact lists. The malicious messages come from someone on users' contact lists and contain a link to a Geocities web page that opens what "looks like a legitimate Yahoo 360 sign-in page." The scam tries to get users to divulge their Yahoo! IM usernames and passwords. Yahoo! is investigating the scheme and will likely take down the offending web site. Yahoo! will also add filters to prevent the link from being sent to others.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62026697-39000005c

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

BSA Ups Maximum Piracy Whistleblowing Reward (July 2, 2007)

In an attempt to ferret out more software license violators, the Business Software Alliance (BSA) has announced a temporary increase in the maximum reward it is offering to whistleblowers. Until October 2, 2007, the BSA will pay up to US $1 million for reports of unauthorized software use that result in settlements with the violators. The maximum reward is normally US $200,000, although records indicate that no reward from BSA has even come close to approaching that figure. The amount of the reward is ultimately at the discretion of the BSA.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9026060&source=rss_topic17
-http://news.com.com/8301-10784_3-9738805-7.html?part=rss&subj=news&tag=2
547-1_3-0-20
-https://reporting.bsa.org/usa/rewardsconditions.aspx
[Editor's Note (Schultz): The fact that there is such a discrepancy between what the BSA promises to pay to "whistleblowers" and what the BSA actually pays is truly disturbing. ]

Music Piracy Raid on Scottish Honeywell Office (June 29, 2007)

Acting on a tip about music piracy, the British Phonographic Industry (BPI) and Scottish police have raided a Motherwell Honeywell plant. The raid was the culmination of a two-month investigation into allegations that servers at the plant were hosting a filesharing network. The servers have been imaged so their contents and activity can be more thoroughly examined.
-http://www.theregister.co.uk/2007/06/29/bpi_raids_honeywell/print.html
-http://news.bbc.co.uk/2/hi/business/6253874.stm

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Flux Bot Spreads Through Infected MySpace Pages (June 29, 2007)

MySpace users are being targeted by a drive-by exploit that surreptitiously recruits their computers to be used in a sophisticated bonet scheme. When MySpace users visit profile pages infected with certain malicious JavaScript, they are redirected to a known Internet Explorer (IE) exploit that installs a proxy network bot, or flux bot, on the machine. Infected profile pages are being shut down as they are detected.
-http://www.scmagazine.com/us/news/article/667981/myspace-users-warned-drive-by-e
xploit-attack/
-http://isc.sans.org/diary.html?storyid=3060&rss

Storm Trojan Variant Spreading Through Phony eCard Links (June 28 & July 2, 2007)

Malware believed to be a variant of the Storm Trojan horse program spreads through email claiming to offer a link to an e-card sent by a relative. The link leads to a site that attempts to exploit three different vulnerabilities in the hope of downloading malware onto users' computers. This particular attack checks to see if JavaScript is enabled; if it is not, users are prompted to download an .exe file so that they become infected. The Storm Trojan recruits infected computers to be used as part of a botnet.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9025898&source=NLT_AM&nlid=1
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=200001991
-http://www.theregister.co.uk/2007/06/29/ecard_storm_trojan/print.html
[Editor's Note (Grefer): On a related note, please bear in mind that the MPack Trojan exploits various known vulnerabilities that mostly can be fixed by staying up to date on your OS and application patches:
-http://isc.sans.org/diary.html?storyid=3015]

Srizbi and Storm Trojans: Battle of the Bots (July 1, 2007)

A Trojan horse program known as Srizbi has been found not only to infect computers and recruit them for use in botnets, but also to uninstall the Storm Trojan, which it views as a competitor for vulnerable computers. In retaliation, Storm botnets have been detected launching distributed denial of service (DDoS) attacks against the servers that download Srizbi installation files.
-http://www.theregister.co.uk/2007/07/01/malware_gang_war/print.html

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Microsoft UK Web Page Hit with SQL Injection Attack (June 29, 2007)

A web page in Microsoft's UK domain was defaced in an SQL (Structured Query Language) injection attack. The hole has been repaired. An SQL injection attack has several steps. The attacker first sends a number of specially crafted queries to the database; these often return error messages that can provide the attacker with an understanding of the database's structure. The attacker then creates queries that will cause the database to perform the desired function -- in this case, to insert data. A link to an external site can be inserted, causing users who try to view the database to view that site instead. Secure programming practices can be used to avoid the problems that allow SQL injection attacks.
-http://www.networkworld.com/news/2007/062907-microsoftcouk-succumbs-to-sql-injec
tion.html

STATISTICS, STUDIES & SURVEYS

US Schools Need to Improve Security Education (June 27, 2007)

According to CDW Government Inc.'s School Safety Index, US schools are taking some steps to protect students from the dangers of cyber space, but they still have a long road ahead in terms of teaching the students about cyber security. Ninety-five percent of school districts block web sites, 89 percent position monitors so teachers can see what students are viewing and 81 percent monitor the students' computer activity. However, just 38 percent of districts have a closed network to allow them to control content accessible by students and the types of communications the students can send and receive. Even districts with closed networks face the problem of tech-savvy students who know how to circumvent that blockade. Nearly all districts have acceptable use policies, though not all are updated annually. But just eight percent of the districts surveyed give their students cyber safety training. "School districts rely too heavily on technical solutions to protect networks and buildings and need to focus more attention on educating students about physical and cyber dangers."
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=200001143
-http://newsroom.cdwg.com/news-releases/news-release-06-25-07.html

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/