SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #57

July 20, 2007

Good news: Important steps forward in application security and SCADA security:
1. VISA has agreed to clarify the application security requirements in the PCI standard, and application security pioneers from Morgan Stanley, Cisco, LexisNexis, Oracle, Honeywell, Sovereign Bank, Depository Trust, Polk, TSA, Ounce, SpiDynamics, TippingPoint, and the FBI will be coming together in four weeks in Washington to share the lessons they learned in establishing a secure application development program. From how to manage outsourced application development securely, to how to organize the team, to how to get the developers engaged, to how to pick the right tools, if you are subject to PCI and/or if you are building an application security program, the Application Security Summit will save you months of research and help you avoid the pitfalls that have hurt other programs.
Agenda and registration: http://www.sans.org/appsummit07
Any company attending the Summit also gets two free tickets to the Secure Software Certification Examinations (in Java and in C) the day before the Summit.
2. The Multi-State ISAC, DHS, and INL jointly announced this week that the Cyber Security Procurement Language Guide for Control Systems has been updated and posted at http://www.msisac.org/scada/
Several utilities and other control system buyers are already using the procurement specs. They and control systems vendors will share their experiences at the 2008 Control Systems (SCADA) Security Summit in January in New Orleans. If you want an invitation to the Summit, email apaller@sans.org.


Alan

---

TOP OF THE NEWS

Former FBI Analyst Sentenced for Stealing Secret Documents
FBI Used Spyware to Find Student Behind Bomb Threats

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Movie Pirate Gets 300 Hours of Community Service
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DHS and OMB Paper on Data Security Risk and Mitigation for Federal Agencies
SPYWARE, SPAM & PHISHING
How Much Leeway to Allow Federal Spyware
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Zune DRM Defeated
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Firefox Update Addresses IE-related Flaw
Vulnerabilities in Trillian And Yahoo! Messenger
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Ransomware Makes a Return
Kingston Technologies Acknowledges Sept. 2005 Data Breach
MISCELLANEOUS
Ohio Inspector General to Release Report on Backup Tape Incident
China Steps Up eMail Surveillance
Google Resets Cookie Expiration Date
LIST OF UPCOMING FREE SANS WEBCASTS

---

******************** Sponsored By netForensics, Inc. ********************

Collect Logs from Any Device or Data Source. FREE Trial Download from netForensics. Log management should be effective, affordable and easy. nFX Log One gives you visibility into your logs, and simplifies compliance requirements to store, review and report on event logs. Low-cost log management solutions lack extended features - and highly-featured solutions are expensive or difficult to deploy. nFX Log One answers these challenges. Download free trial today!
http://www.sans.org/info/11571

*************************************************************************

SECURITY TRAINING UPDATE
SANS Network Security 2007 (September 22-30, in Las Vegas) is the largest fall conference on cybersecurity with more than 40 courses and wonderful evening sessions and a big vendor exposition. Most importantly, it brings together the top rated teachers in cybersecurity in the world. How good are they? Here's what past attendees said:
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"The quality of teachers, speakers, and even attendees is far superior to any other training event I've attended." (Corinne Cook, Jeppesen)
"SANS provides by far the most in-depth security training with the true experts in the field as instructors." (Mark Smith, Costco Wholesale)
Registration information: http://www.sans.org/ns2007/

*************************************************************************

---

TOP OF THE NEWS

Former FBI Analyst Sentenced for Stealing Secret Documents (July 18, 2007)

Former Marine Leandro Aragoncillo has been sentenced to 10 years in federal prison for providing classified information to people attempting to overthrow the Philippine government. Aragoncillo served under two vice presidents and as an FBI intelligence analyst where he had clearance that allowed him access to the FBI's Automated Case Support computer system. He used his clearance to access documents pertinent to the Philippines. He admitted to passing national security documents classified as secret to Philippine contacts. Aragoncillo pleaded guilty to four counts of an indictment, one of which was Unlawful Use of a Government Computer. Aragoncillo was also fined US $40,000.
-http://newark.fbi.gov/dojpressrel/2007/nk071807.htm
-http://www.cbsnews.com/stories/2007/07/18/national/main3070806.shtml
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201200012
Case Timeline:
-http://cicentre.com/Documents/DOC_Aragoncillo_Timeline.html
[Editor's Note (Shpantzer): Insider threat is a difficult issue to tackle since we want to trust people working with us. The director of the US National Counterintelligence Executive (NCIX) recently addressed a symposium on private sector insider threat and touched on the evolving nature of counterintelligence in the private sector and its relationship to intelligence secrets.
-http://www.ncix.gov/publications/speeches/WELCOMING_REMARKS.pdf]

FBI Used Spyware to Find Student Behind Bomb Threats (July 18, 2007)

The FBI used remotely installed spyware to gather information on a bomb threat suspect. After obtaining a court order, the FBI installed a CIPAV, or Computer and Internet Protocol Address Verifier, on the suspect's MySpace account. The spyware provided the FBI with the IP address associated with the suspect's computer, information found on the computer and a log of the computer's outbound connections. Ultimately, a high school student was arrested and sentenced to three months in juvenile detention for making bomb threats and other illegal activities. An affidavit from an FBI agent says details about the CIPAV are confidential. It is not known how the spyware was installed, though it is likely to have been done through instant messaging. In previous cases, police have required physical access to install keystroke loggers on suspects' computers.
-http://news.com.com/8301-10784_3-9746451-7.html?part=rss&subj=news&tag=2
547-1_3-0-20
-http://www.wired.com/politics/law/news/2007/07/fbi_spyware?currentPage=all
-http://blog.wired.com/27bstroke6/2007/07/fbi-spyware-how.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9027418&source=rss_topic17
[Editor's Note (Schultz): It was inevitable that spyware would be deployed by law enforcement in this manner and also that new, sophisticated methods of installing it would be used. Meanwhile, the questions surrounding the legality of using spyware in this manner are mounting and will be tested in numerous future court cases.
(Boeckman): Since it is trivial to avoid being duped by this type of spyware by simply booting off of an Ubuntu Live CD, for example, this falls into the category of "ways of catching stupid criminals". Of course anyone that uses MySpace to post bomb threats most certainly falls into that category. ]

---

*************************** Sponsored Links: **************************

1) Don't miss SANS Tool Talk Webcast: Meeting PCI Data Security Standards: It's more than log collection, Wednesday, July 25, 2007 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info/11576

2) FREE WEBINAR featuring independent Forrester Research Analysts: The Next Wave in Identity and Access Management.
http://www.sans.org/info/11581

3) Answer Technical Security Questions to enter to Win Free Trip to SANS Network Security Show in Las Vegas!
http://www.sans.org/info/11586

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Movie Pirate Gets 300 Hours of Community Service (July 19, 2007)

A New Zealand man was sentenced to 300 hours of community service for movie piracy. Frederick Higgins says he took the movie from the post-production house where he worked for his own viewing; he says he destroyed the copy at work. Higgins appears to have made no money from his actions. The judge maintained that the pirated copies of the movie that had become available must have their origins with the copies Higgins stole. Higgins has been fired.
-http://www.nzherald.co.nz/topic/story.cfm?c_id=137&objectid=10452390

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

DHS and OMB Paper on Data Security Risk and Mitigation for Federal Agencies (July 2007)

The US Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) have released a paper called "Common Risks Impeding the Adequate Protection of Government Information." The "paper identifies common risks or 'mistakes'" agencies make when protecting sensitive data. Each risk is accompanied by a list of best practices to avoid the pitfalls and a list of resources from which agencies can draw support and obtain concrete information.
-http://www.fcw.com/article103240-07-17-07-Web&printLayout
-http://csrc.nist.gov/pcig/document/Common-Risks-Impeding-Adequate-Protection-Gov
t-Info.pdf
[Editor's Note (Kreitner): This document contains solid guidance for managing the security of information, but it's implementation and effectiveness will be unknown without tracking a few well-chosen enterprise performance metrics, particularly results-oriented metrics . I hope OMB and DHS will follow this up with an effort to devise some key metrics. Metrics that highlight the root causes of security incidents are a good place to start. Examples: Percent of incidents that involved third parties; Percent of intrusions for which security controls were known but not implemented that would have prevented the intrusion. If enterprise management knows what is causing its security incidents, it can apply its attention to eliminating those causes. Several years ago, a sub-committee convened the Corporate Information Security Working Group (CISWG) that developed a pretty good set of information security metrics that provide some suggestions. See
-http://www.cisecurity.org/Documents/BPMetricsTeamReportFinal111704Rev11005.pdf
(Honan): While this may prove to be an excellent resource, I always worry when people title reports outlining recommendations with the word "Adequate". I prefer my security, like my steak dinners, to be more than "adequate". ]

SPYWARE, SPAM & PHISHING

How Much Leeway to Allow Federal Spyware (July 18, 2007)

There are just two known criminal prosecutions in which law enforcement agents have obtained court orders allowing them to enter homes of suspects and install keystroke-logging software on their computers. The practice raises questions about the role of anti-spyware vendors in such endeavors. Should they allow their products to "overlook" spyware planted by police? Or should they alert their customers to the presence of the malware on their computers? The question is somewhat simplified when compounded with the presence of a court order. There is some disagreement about whether current law would permit such a court order.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62028587-39000005c

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Zune DRM Defeated (July 16, 2007)

An application that removed the digital rights management (DRM) protection from music bought through the Zune Marketplace has been made available on the Internet. Zune Marketplace works with Microsoft's Zune media players just as iTunes works with iPods. The tool allows Zune users to share music with other people who own Zune media players, even if they do not have Zune marketplace accounts.
-http://www.theregister.co.uk/2007/07/16/zune_drm_crack/print.html
[Editor's Note (Pescatore): While DRM does not have to be unbreakable to be useful (keeping the honest people honest is often good enough), to really be workable DRM needs to be preceded by both trustable computing platforms (not here yet) and trustable, reliable, ubiquitous federated identity systems (not even close). ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Firefox Update Addresses IE-related Flaw (July 18, 2007)

Mozilla has released Firefox 2.0.0.5 to address nine security flaws, including one involving Internet Explorer (IE) that recently made headlines. That vulnerability could be exploited to execute code by launching Firefox from IE. The flaw has been fixed in Thunderbird 2.0.0.5 as well. The fix prevents Firefox and Thunderbird from accepting bad data from IE, but it does not address the problem in IE. The update also fixes several memory corruption and privilege escalation flaws.
-http://www.theregister.co.uk/2007/07/18/firefox_ie_security_bug/print.html
-http://news.com.com/8301-10784_3-9746541-7.html?part=rss&subj=news&tag=2
547-1_3-0-20
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9027289&source=rss_topic17
-http://www.mozilla.org/security/announce/2007/mfsa2007-23.html
-http://www.us-cert.gov/cas/techalerts/TA07-199A.html

Vulnerabilities in Trillian And Yahoo! Messenger (July 17, 2007)

Security flaws in Yahoo! Messenger and the Trillian instant messaging client have recently been disclosed. The Yahoo! Messenger vulnerability is a buffer overflow flaw that is exploitable though maliciously crafted address book entries and can cause Messenger crashes. It is possible that the flaw could be exploited to allow remote code execution as well. A Yahoo! spokesperson says a fix should be available soon. The two vulnerabilities in Trillian lie in the way it handles the AIM uniform resource identifier (URI). There has been no word yet on the availability of patches for the Trillian flaws.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9027209&source=rss_topic17
-http://www.scmagazine.com/us/news/article/671813/flaws-revealed-trillian-yahoo-i
m-platforms/
-http://www.kb.cert.org/vuls/id/786920

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Ransomware Makes a Return (July 17,18 & 19, 2007)

Using phony job listings in advertisements and email, cyber criminals infected computer systems at the US Department of Transportation (DOT) and a number of US companies with malware that encrypts data on hard drives and holds them for ransom. The malware, known as the Gpcode-AI Trojan, also provides a pop-up with an offer to decrypt the data for US $300. The malware also has a key logger element that allows it to gather bank account and credit card information.
-http://www.eweek.com/print_article2/0,1217,a=211802,00.asp
-http://www.gcn.com/online/vol1_no1/44686-1.html?topic=security&CMP=OTC-RSS
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201001860
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201001837
-http://www.networkworld.com/news/2007/071707-government-contractors-hit-in-targe
ted.html
-http://www.theregister.co.uk/2007/07/19/ransomware_trojan/print.html

Kingston Technologies Acknowledges Sept. 2005 Data Breach (July 17 & 19, 2007)

Kingston Technology Company is sending letters to approximately 27,000 online customers informing them their personal information, including credit card numbers, was compromised in a September 2005 security breach. The letters do not say when the breach was detected; they merely say they had conducted a probe after detecting "irregularities" in their computer system. A final report from the probe was released on May 22. The breach affects people who have made online purchases from Kingston.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9027220&source=rss_topic17
-http://www.scmagazine.com/us/news/article/672567/usb-encryption-vendor-suffers-c
omputer-breach/

MISCELLANEOUS

Ohio Inspector General to Release Report on Backup Tape Incident (July 19, 2007)

Ohio Inspector General Thomas P. Charles is expected to issue a report on July 20 regarding the theft of a state computer data backup tape that was stolen from an intern's car in mid-June. A memo dated more than two months prior to the theft instructs that sensitive data, including Social Security numbers (SSNs), were to be removed to a secure part of the Ohio Administrative Knowledge System, Ohio's payroll and accounting system. The data were not to be saved on the network drive from which the backup tape was created.
-http://www.columbusdispatch.com/dispatch/content/local_news/stories/2007/07/19/d
atagone.ART_ART_07-19-07_A1_SF7APIO.html

China Steps Up eMail Surveillance (July 18, 2007)

Adjustments made to China's "great firewall" are believed to be responsible for email problems at IT companies with offices in the country. Many companies have reported problems receiving messages from outside the country and some have had trouble sending email as well. The country's strict email policy, created to quell the spread of "unhealthy content," appears to have been stepped up in preparation for an August meeting of the Shanghai Cooperation Organization, which takes a stand against terrorism and cross-border crime.
-http://www.cnn.com/2007/TECH/07/18/china.email.reut/index.html

Google Resets Cookie Expiration Date (July 17 & 19, 2007)

Google says that the cookies it places on users' computers will delete themselves two years after the user last visits a Google site. Current settings have Google cookies deleting themselves after 2038. Google global privacy counsel said the decision was made after receiving feedback from users and privacy advocates. Some say Google's plan, while not a bad idea, provides no privacy benefits. Users would have to refrain from visiting a Google website for two years for the cookies to disappear on their own, and they can always take the initiative to remove them manually.
-http://news.bbc.co.uk/2/hi/technology/6901946.stm
-http://www.zdnetasia.com/news/internet/0,39044908,62028641,00.htm
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9027411&source=rss_topic17
[Editor's Note (Pescatore): A lot of studies show that 20-30% of cookies are deleted, impacting authentication approaches that rely on cookies to identify the particular PC from which the user logs in. That's not a bad thing from a privacy perspective - browsers should include easier to use controls for users to select automatic deletion vs only allowing manual deletion of cookies when the user thinks about it.
Northcutt): This is a great step in the right direction, thanks Google, for those looking for a reason to be paranoid, my favorite conspiracy theory Google link is shown below (and heck yes, I delete all of my cookies regularly):
-http://www.google-watch.org/cgi-bin/cookie.htm]

LIST OF UPCOMINGFREE SANS WEBCASTS

July 24, 2007 Hacking Banks for Fun and Profit!

-http://www.sans.org/info/11496

Sponsored by: Core Security

July 25, 2007 Meeting PCI Data Security Standards: It's more than log collection
-http://www.sans.org/info/11506

Sponsored by: Q1 Labs

July 31, 2007 - PCI, Global Compliance and Log Management at a Large Financial Firm
-http://www.sans.org/info/11521

Sponsored by: Sourcefire

Be sure to check the following Archived SANS Webcasts:

June 28, 2007 The Importance of Web Application Security for PCI Compliance
-http://www.sans.org/info/11531

Sponsored by: Watchfire

June 27, 2007 Regulating Logs Globally
-http://www.sans.org/info/11536

Sponsored by: LogLogic, Inc.

June 26, 2007 Securing the Castle: From Doors to Data
-http://www.sans.org/info/11541

Sponsored by: ArcSight, Inc.

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/