
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #55

July 13, 2007


The last story in this issue is about a study showing that professional security certifications are rising in value. What is most important to note is complementary data showing that from 2005 to 2007 the value of general security certifications has dropped, while the value of those certified in operational security disciplines of forensics, intrusion detection, perimeter protection, wireless security, incident handling and penetration testing has increased. Why the change? From 2000 to 2005 compliance-based security was ascendant, and technical security skills were not valued highly. In 2006 the widespread failure of checklist security became visible, and CIOs quickly decided to place MUCH higher value on people who had advanced, hands-on security skills. Shortages of those people have led to significant salary increases.
Alan

TOP OF THE NEWS

Phishers Debut One-Step Site Installation Kit
Man Gets 25 Years for Hacking Teens' Webcams
Five-Year Sentence for Data Theft
Two Charged in Pump and Dump Scheme

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Former Boeing Employee Charged with Computer Trespass
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Cyber Counterterrorism: Infiltrating Jihad Online
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Flaw Affects IE Users Who Have Firefox Installed
Apple Issues QuickTime Updates
Adobe Releases Critical Flash Updates
Lack of Update Coordination at Sun Poses Security Concerns
Patch Tuesday Addresses Eight Critical Vulnerabilities
.NET Patch Reportedly Causing Problems
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Card Numbers in Florida Fraud Case Linked to TJX and Polo Ralph Lauren Breaches
STATISTICS, STUDIES & SURVEYS
Study: Professional Security Certifications Boost Salary


***************** SPONSORED BY SANS NETWORK SECURITY 2007 ***************

SANS Network Security 2007 (September 22-30, in Las Vegas) is the largest fall conference on cybersecurity with more than 40 courses and wonderful evening sessions and a big vendor exposition. Most importantly, it brings together the top rated teachers in cybersecurity in the world. How good are they? Here's what past attendees said: "This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton) "The quality of teachers, speakers, and even attendees is far superior to any other training event I've attended." (Corinne Cook, Jeppesen) "SANS provides by far the most in-depth security training with the true experts in the field as instructors." (Mark Smith, Costco Wholesale)
Registration information: http://www.sans.org/ns2007/

**************************************************************

TOP OF THE NEWS

Phishers Debut One-Step Site Installation Kit (July 10 & 11, 2007)

According to RSA's most recent monthly fraud report, phishers have developed what has been dubbed a "plug-and-play" phishing kit that allows them to install phishing websites on compromised servers within seconds. The single PHP code file creates all necessary directories and installs all necessary files at once. Usually, phishers have to gain access to the targeted server numerous times to set up a phishing site, so the new tool cuts down on the likelihood of being detected.
-http://www.theregister.co.uk/2007/07/10/plug_and_play_phishing/
-http://www.vnunet.com/computing/news/2194016/phishing-made-easy-fraudsters
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9026709&taxonomyId=17&intsrc=kc_top

Man Gets 25 Years for Hacking Teens' Webcams (July 10 & 12, 2007)

Mark Wayne Miller was sentenced to 25 years in prison followed by supervised release for life for breaking into webcams and surreptitiously watching and recording minors in their own homes. In January 2006, Miller pleaded guilty to computer intrusion and sexual exploitation of children. At that time, he was already on probation and a registered sex offender. He allegedly shared the recordings he made with other people.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201001050
-http://cincinnati.fbi.gov/doj/pressrel/2007/ci071007a.htm
[Editor's Note (Northcutt): At my house, all of the computers are in a public room. For a number of reasons, I do not think minors having computers in their bedrooms is a good idea, but other people have other opinions, and I respect that. According to the article, Miller used "phishing" techniques to get their passwords, so this is one more opportunity for awareness training that needs to begin at home. By the way, a number of webcams have default passwords as we see from the Johnny Long database:
-http://johnny.ihackstuff.com/ghdb.php?function=summary&cat=18

(Ullrich): webcams should include an "activity LED" which is physically linked in series with the webcam sensor. Without this hardware precaution, it might be possible to turn on the camera without the user knowing. ]

Five-Year Sentence for Data Theft (July 10, 2007)

Binyamin Schwartz has been sentenced to five years in prison for gaining unauthorized access to personally identifiable information of more than 100,000 individuals and trying to sell data to someone who turned out to be an undercover Secret Service agent. Schwartz was employed as a software consultant at an insurance firm. Schwartz's sentence also includes two years of supervised release and he was ordered to pay his former employer more than US $500,000 in costs related to the incident. He was convicted on charges of identity theft, aggravated identity theft, access device fraud, and wire fraud.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9026701&taxonomyId=17&intsrc=kc_top

Two Charged in Pump and Dump Scheme (July 10, 2007)

Two men have been charged in connection with a pump-and-dump stock spam scheme. Darrel and Jack Uselton allegedly used botnets to send out spam to encourage people to buy certain low value stocks between May 2005 and December 2006. They were caught because one of the people who received the spam email was a Securities and Exchange Commission (SEC) lawyer. Authorities have seized more than US $4.2 million from bank accounts in connection with the scheme. It is estimated that investors were duped out of as much as US $4.6 million. The Useltons face charges of securities fraud and money laundering.
-http://www.theregister.co.uk/2007/07/10/stock_spam_charges/print.html
-http://www.washingtonpost.com/wp-dyn/content/article/2007/07/09/AR2007070901780_pf.html


THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Former Boeing Employee Charged with Computer Trespass (July 11, 2007)

A former Boeing quality assurance inspector has been charged with computer trespass for allegedly accessing information without authorization and passing it to the media. Gerald Lee Eastman allegedly copied the documents to a portable drive between September 2004 and April 2006. More than 300,000 pages of internal Boeing documents were found at Eastman's home. Authorities arrested Eastman last year, and shortly thereafter, Boeing fired him. Eastman was reportedly "disgruntled" with Boeing's lack of attention to the concerns he noted about flaws in the parts inspection process. If he is convicted on all counts, Eastman could face up to 57 months in prison.
-http://news.bbc.co.uk/2/hi/business/6290400.stm
-http://www.scmagazine.com/us/news/article/670671/former-boeing-employee-charged-data-theft/

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Cyber Counterterrorism: Infiltrating Jihad Online (Summer 2007)

As a cyber counterterrorism expert, former Montana municipal court judge Shannen Rossmiller has been instrumental in numerous cases involving al-Qaeda and sympathizers. Rossmiller plunged into the online world of Jihad following the September 11 attacks. She learned Arabic and with the help of translators was able to infiltrate chat rooms. She has supplied the US military with valuable information about overseas activities and has participated in sting operations in the US. Rossmiller helped authorities track down Ryan Anderson, an Army National Guard member who sympathized with al-Qaeda. She gained Ryan's trust and he supplied her with weaknesses in US tanks and US troop locations in Iraq. Anderson was arrested in February 2004 just days before he was to be deployed; on September 3, 2004, Ryan was sentenced to five concurrent life terms.
-http://www.washingtonpost.com/wp-dyn/content/article/2006/06/03/AR2006060300530.html
-http://www.meforum.org/article/1711
[Editor's Note (Northcutt): Great story on "super mom," not to be missed. When you read it, don't think only al-Qaeda, think competitive intelligence and someone doing open source collection on your organization. It shows what is possible.]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Flaw Affects IE Users Who Have Firefox Installed (July 11 & 12, 2007)

A flaw that affects Internet Explorer (IE) users who also have Firefox installed has Microsoft and Mozilla pointing fingers at each other. Microsoft has no plans to fix IE, but Mozilla says it will offer a fix for Firefox around the end of this month. Mozilla maintains the problem is the result of an input validation flaw in IE and will provide a fix to protect its customers. The fix will prevent Firefox from accepting bad data from IE. Others place the blame for the problem on Firefox, and still others see it as a shared issue. The remote code execution flaw can be exploited when someone who is browsing with IE and has Firefox installed is lured to a maliciously crafted web site. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3121
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9026918&source=rss_topic17
-http://www.zdnet.com.au/news/security/soa/IE-plus-Firefox-equals-critical-security-risk/0,130061744,339279914,00.htm
-http://www.theregister.co.uk/2007/07/11/ie_firefox_vuln/print.html
-http://www.heise-security.co.uk/news/92544

[Editor's Note (Schultz): Microsoft and Mozilla's blaming each other for a vulnerability that occurs only when IE and Firefox run on the same system is truly pathetic. However, the fact that Firefox has announced its intention to make a patch available at least shows some concern for the welfare of the Internet community. ]

Apple Issues QuickTime Updates (July 12, 2007)

Apple has released an update for its QuickTime media player for both Mac OS X and Windows. The update addresses eight flaws, all of which could be exploited to allow remote code execution. Four of the flaws lie in QuickTime's Java implementation, two are integer overflow flaws, and two are memory corruption flaws.
-http://www.scmagazine.com/us/news/article/671041/apple-fixes-eight-quicktime-vulnerabilities/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9026858&intsrc=news_ts_head

Adobe Releases Critical Flash Updates (July 11 & 12, 2007)

Adobe has released updates to address three critical security vulnerabilities in its Flash Player. The flaws affect Adobe Flash Player 9.0.45.0, 8.0.34.0, and 7.0.69.0 and earlier versions on all platforms. The flaws could be exploited to execute arbitrary code or create denial-of-service conditions on vulnerable systems. Adobe also released security updates for Photoshop CS2 and CS3 to address flaws that could be exploited to allow arbitrary code injection and execution. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3126
-http://www.adobe.com/support/security/bulletins/apsb07-12.html
-http://news.com.com/8301-10784_3-9743316-7.html?part=rss&subj=news&tag=2547-1_3-0-20
-http://www.scmagazine.com/us/news/article/670654/adobe-fixes-two-flash-player-vulnerabilities/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9026824&taxonomyId=17&intsrc=kc_top
-http://www.heise-security.co.uk/news/92520
-http://www.us-cert.gov/cas/techalerts/TA07-192A.html

Lack of Update Coordination at Sun Poses Security Concerns (July 10 & 11, 2007)

Sun Microsystems has been criticized for failing to address a Java Runtime Environment (JRE) vulnerability on all platforms at the same time. Sun released an update for a buffer overflow vulnerability in JRE 5 on June 29. The company plans to release a patch for the flaw in the consumer users' version of JRE 6 some time this week; a patch for the developer version of JRE 6 has already been released. This is problematic because once a patch is released, it is often reverse engineered to discover the core of the problem it addresses. Releasing the updates so far apart allows time for the flaw to potentially be exploited.
-http://www.theregister.co.uk/2007/07/10/sun_java_security_update/print.html
Details of the patched Java Flaws:
-http://www.heise-security.co.uk/news/92547
[Editor's Note (Ullrich): Java updates have been a continuing headache. Multiple concurrent versions and limited automated update capability make it hard to keep Java up to date. ]

Patch Tuesday Addresses Eight Critical Vulnerabilities (July 10 & 11, 2007)

Microsoft's monthly security release for July included six bulletins comprising 11 vulnerabilities. Eight of the vulnerabilities have been assigned severity ratings of critical. Two flaws in the Active Directory implementations in Windows 2000 Server and Windows Server 2003 could be exploited to crash machines, run programs and steal information from Active Directory. Flaws in Microsoft Excel and in the .NET framework could be exploited to allow remote code execution. There is some debate about the severity levels set by Microsoft on several flaws. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3120
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201000567
-http://www.theregister.co.uk/2007/07/11/ms_patch_tuesday/print.html
-http://www.microsoft.com/technet/security/bulletin/ms07-jul.mspx

.NET Patch Reportedly Causing Problems (July 13, 2007)

Some users have reported that installing Microsoft's patch MS07-040, which addresses vulnerabilities in the .NET framework, has caused their systems to go "haywire." Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3132
-http://www.theregister.co.uk/2007/07/12/ms_patch_problems/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Card Numbers in Florida Fraud Case Linked to TJX and Polo Ralph Lauren Breaches (July 10 & 12, 2007)

The credit card numbers involved in the fraud case in which four people were recently arrested in Florida have been linked to data security breaches at TJX and Polo Ralph Lauren. The four people have been charged with aggravated identity theft, counterfeit credit card trafficking, and conspiracy. They allegedly specialized in creating the phony cards from the data they received from people in Eastern Europe. Authorities recovered approximately 200,000 credit card numbers that had been used to commit fraud in excess of US $75 million. The TJX data security breach occurred over a period of months or even years and was disclosed in late 2006. Approximately 45 million records were compromised. Polo Ralph Lauren suffered a data security breach in April 2005 in which 180,000 records were compromised. Earlier this year, credit card account numbers from the TJX database were used to fraudulently purchase US $8 million worth of gift cards.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201001100
-http://www.eweek.com/article2/0,1895,2156263,00.asp

STATISTICS, STUDIES & SURVEYS

Study: Professional Security Certifications Boost Salary (July 9, 2007)

According to a report from Foote Partners, companies are willing to pay salaries between 10 and 15 percent higher for employees who hold professional security certifications than for those who do not. This marks a 1.7 percent increase between October 2006 and April 2007. Salary premiums for professional certification in other IT areas have fallen about two percent over the past year. Foote based its analysis on data collected from 33,800 IT professionals in the US and Canada.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9026624
-http://www.footepartners.com/FooteNewsrelease_ITsecurityskills_070207.pdf


********************* Upcoming SANS Webcasts **********************

July 18, 2007 Making your Web Applications PCI Compliant
http://www.sans.org/info/11001
Sponsored by: SPI Dynamics

July 19, 2007 Next-Gen Log Monitoring: Who's Minding the Applications?
http://www.sans.org/info/11006
Sponsored by: ArcSight

July 25, 2007 Meeting PCI Data Security Standards: It's more than log collection
http://www.sans.org/info/11011
Sponsored by: Q1 Labs

Be sure to check the following Archived SANS Webcasts:

WhatWorks in Log Management: Regulating Logs Globally
http://www.sans.org/info/11031
Sponsored by: LogLogic

The Importance of Web Application Security for PCI Compliance
http://www.sans.org/info/11036
Sponsored by: Watchfire

Reputation-Based Network Security
http://www.sans.org/info/11041
Sponsored by: Secure Computing Corporation

******************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/