SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #60

July 31, 2007

The OWASP Top Ten Web Security Threats have been updated. On Thursday (8/2/2007) at 1 PM EDT (17:00 UTC) OWASP chair, Jeff Williams will summarize the most important changes and take questions. You'll also hear about what enterprises are doing to eliminate the bulk of their web application security vulnerabilities and Ryan Berg from Ounce Labs will share with you information about how the new national examination for Java web programmers measures their security skills.
Register for the free webcast: http://www.sans.org/info/12176
Alan

PS. The early registration discount for SANS Network Security in Las Vegas (September 22-30) ends on Wednesday August 8

---

TOP OF THE NEWS

Report to California Sec. of State Details Security Flaws in eVoting Systems
UK Telecoms Must Retain Call Data

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Software Engineer Arrested for Data Theft
Computer Security Lecturer Gets Jail Time for Identity Fraud
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Botmasters Turn to Dynamic IP Addresses
Yahoo! Widgets Flaw
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Laptop Holds County Child Support Services Data
Stolen Laptop Holds Student Loan Data
Former Employee Allegedly Stole Personal Data for Prescription Fraud
Stolen Laptop Contains Aflac Customer Data
Charitable Donors Notified of Possible Data Breach
Marines' SSNs Unintentionally Posted to Internet
MISCELLANEOUS
Black Hat Participant Denied Entry to US
Ohio Intern Says He Is a Scapegoat
LIST OF UPCOMING FREE SANS WEBCASTS

---

******************* Sponsored By Seagate Technology *********************

What Seagate knows about secure storage could affect--perhaps materially improve--your company's security decisions, at a time when regulations and rising threats have made security decisions more and more critical. Find expert information about security planning, technologies, legislation, standards and news at
http://www.sans.org/info/12216.
Don't wait till tomorrow. One piece of information could change everything.

*************************************************************************

SECURITY TRAINING UPDATE
SANS Network Security 2007 (September 22-30, in Las Vegas) is the largest fall conference on cybersecurity with more than 40 courses and wonderful evening sessions and a big vendor exposition. Most importantly, it brings together the top rated teachers in cybersecurity in the world. How good are they? Here's what past attendees said:
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"The quality of teachers, speakers, and even attendees is far superior to any other training event I've attended." (Corinne Cook, Jeppesen)
"SANS provides by far the most in-depth security training with the true experts in the field as instructors." (Mark Smith, Costco Wholesale)
Registration information: http://www.sans.org/ns2007/

*************************************************************************

---

TOP OF THE NEWS

Report to California Sec. of State Details Security Flaws in eVoting Systems (July 27, 28, & 30 2007)

A review of electronic voting systems commissioned by California Secretary of State Debra Bowen has been released, and the results are "not encouraging." The researchers were able to get around physical and software security in every system tested. In several cases, they were able to "circumvent the system's audit logs and directly access data on the machine." Bowen has set an August 3 deadline for determining which systems to certify for use in the 2008 presidential primary elections, which are scheduled for February 5 in California. The review took two months, with two teams of researchers - one focusing on penetration testing and the other on examining source code. In California, counties purchase their own voting systems, but those systems must be certified by the Secretary of State's office before they are used. The study found "absolutely no evidence of any malicious source code anywhere."
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9028262
-http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/07/28/VOTING.TMP&tsp=1
-http://news.com.com/8301-10784_3-9752129-7.html?part=rss&subj=news&tag=2
547-1_3-0-20
-http://www.sos.ca.gov/elections/elections_vsr.htm
[Editors' Note (Schultz, Paller): The tremendous effort of Professor Bishop and his team, all from the University of California at Davis, deserves special mention. As one of the news stories says, this was the most thorough and rigorous testing of electronic voting machines ever. At the same time, however, count on electronic voting machine companies and their proponents quickly launching a very aggressive counteroffensive in which they attack the testing and its results. ]

UK Telecoms Must Retain Call Data (July 27, 2007)

New legislation in the UK will require telecommunications companies to keep records of all landline and mobile phone calls for one year. Internet activity, which includes VoIP calls, is not affected by the new law, which goes into effect on the first of October. The law reflects the European Union's Data Retention Directive and is aimed at establishing uniform industry standards.
-http://www.out-law.com/page-8332
-http://www.jisclegal.ac.uk/publications/dataretention.htm
Draft of the legislation:
-http://www.opsi.gov.uk/si/si2007/draft/20077449.htm

---

************************ Sponsored Links: ****************************

1) ALERT: Hacking Web Applications- A Step-by-Step Attack Analysis Download this SPI Dynamics White Paper:
http://www.sans.org/info/12221

2) CA Secure Content Manager takes security to the next level, offering all-around security protection for the gateway.
http://www.sans.org/info/12226

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Software Engineer Arrested for Data Theft (July 29, 2007)

Police in India have arrested a software engineer for allegedly breaking into a server that belongs to the US-based company Caterpillar and taking proprietary information. M.S. Ramasamy worked at a Caterpillar office in India earlier this year. He allegedly broke into the "Research and Engineering Documents Inquiry System" and used another employee's login credentials to access and download more than 4,000 sensitive documents.
-http://www.hinduonnet.com/thehindu/thscrip/print.pl?file=2007072959470300.htm&am
p;date=2007/07/29/&prd=th&
[Editor's Note (Shpantzer): One of the hardest things to prove is not what happened or when, but who was at the keyboard. In this case, the stolen User ID and password that were used did not throw off the investigators permanently, since there was a CCTV pointed at the terminal to visually ID the man at the keyboard during the period the files were accessed. At the end of the day, information security is a three legged stool comprised of physical, personnel and computer security. ]

Computer Security Lecturer Gets Jail Time for Identity Fraud (July 26 & 27, 2007)

Eni Oyegoke, a Nigerian man who has been a lecturer in computer security at the University of Glamorgan in South Wales, UK, was sentenced to two years in jail after admitting to fraud, deception and theft offenses. Oyegoke applied for a British driving license with a false passport number. When police searched his home, they found a phony driving license as well as evidence that he had made nearly GBP 22,000 (US $44,683) in fraudulent credit card charges using his former landlords' identities. He came to Wales as a PhD student in 2005 and soon after began lecturing in the computer science department about identity theft. Oyegoke maintains the phony license was made as part of his graduate thesis. It is likely that he will be deported once his jail term is complete.
-http://news.bbc.co.uk/2/hi/uk_news/wales/south_east/6917965.stm
-http://icwales.icnetwork.co.uk/southwalesecho/news/tm_headline=university-speaks
-out-over-id-fraud&method=full&objectid=19529398&siteid=50082-name_p
age.html
[Editor's Note (Weatherford): It sounds like his day job conflicted with his noble aspirations to be a good citizen. Intelligence is a terrible thing to waste although this could lend credence to creating a technology category for the annual "Darwin Award." ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Botmasters Turn to Dynamic IP Addresses (July 28 & 17, 2007)

Always on the lookout for ways to prolong the life of their attacks, botmasters are starting to use a new technique dubbed fast-flux to make it harder to track them down. Instead of communicating with their zombie PCs through IRC, botmasters have begun to take advantage of load balancing and resiliency techniques used by legitimate companies to hide behind dynamically changing IP addresses. The "infected machines serve as proxies ... for malicious websites." IP-based blocking is ineffective against this technique.
-http://www.eweek.com/print_article2/0,1217,a=212440,00.asp
-http://www.forbes.com/technology/2007/07/17/symantec-security-bot-tech-cx_0717da
rkreading.html
[Editor's Note (Skoudis): This is a really interesting development for the bad guys in improving the resiliency of their bot-nets. As bot-nets grow ever bigger, pushing the envelope toward multiple millions of machines, the attackers are encountering the same problems with massively distributed computing that big enterprises have faced for the last twenty years. It makes sense for the attackers to borrow the ideas that enterprises perfected for creating resilient, patchable, manageable, large-scale computing systems, and I expect to see a lot more of those ideas incorporated into bots going forward.
(Ullrich): This new phenomenon, sometimes referred to as "flux" is the next malware challenge. Domain name registrars hold the keys to the solution. Sadly, not all of them step up to the challenge and even a small number of uncooperative registrars are able to cause a lot of pain. ]

Yahoo! Widgets Flaw (July 27, 2007)

A critical remote code execution flaw in Yahoo! Widgets is due to "a boundary error within the YDPCTL.dll ActiveX control when handling the 'GetComponentVersion()' method." The vulnerability has been confirmed in YDPCTL.dll version 2007.4.13.1 in Yahoo! Widgets version 4.0.3, which also goes by the name "build 178". Other versions of Widgets may be affected was well. Users are urged to update their Widget software to version 4.0.5. In the next few weeks, users will start to receive prompts to download the new version when they launch the application. "Yahoo! Widgets are software plug-ins that allow information
[such as weather reports and sports scoreboards ]
to be delivered to a user's desktop."
-http://www.vnunet.com/vnunet/news/2195121/yahoo-widgets-hit-highly
-http://www.scmagazine.com/us/news/article/673773/activex-vulnerability-hits-yaho
o-widgets/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Stolen Laptop Holds County Child Support Services Data (July 28, 2007)

A laptop stolen from the Yuba County (CA) Health and Human Services Building contains personally identifiable information of approximately 70,000 individuals whose cases were opened before May 2001. The data were on the laptop because it "was being used as a backup system for the county's computer system." The data include Social Security numbers (SSNs) and driver's license numbers. The Yuba County Department of Health and human services has begun notifying affected clients by mail.
-http://www.appeal-democrat.com/news/county_51837___article.html/information_brow
n.html

Stolen Laptop Holds Student Loan Data (July 27, 2007)

A stolen laptop contains personally identifiable information of 5,184 American Education Services (AES) student loan customers. Most of those affected by the breach are thought to be from Pennsylvania. The computer was stolen from the Livermore, California headquarters of subcontractor Vista Financial, Inc. The data include names, addresses and SSNs, and were not encrypted. AES has sent notification letters to the affected customers. Vista was found to be violating both AES's and its own security policies.
-http://www.post-gazette.com/pg/07208/804836-96.stm

Former Employee Allegedly Stole Personal Data for Prescription Fraud (July 27, 2007)

A former benefits administration company employee has been arrested and charged with prescription fraud. Melissa Lea McDevitt allegedly stole Virginia Beach city and school district employees' personal information and used it to commit prescription fraud. The breach affects approximately 2,000 employees. Police discovered a list of names and SSNs at the suspect's home. McDevitt was formerly employed at Flexible Benefits Administrators, a City of Virginia Beach Contractor. Affected employees have been notified.
-http://www.wtkr.com/Global/story.asp?S=6850947

Stolen Laptop Contains Aflac Customer Data (July 26, 2007)

A laptop stolen from an insurance agency employee in Japan holds personally identifiable information of approximately 152,000 Aflac supplemental health insurance customers. The computer was stolen on July 17; Aflac notified affected customers before disclosing the theft to the media. The data on the computer are encrypted and password protected.
-http://www.bloomberg.com/apps/news?pid=20601101&sid=afw8zxz12Koo

Charitable Donors Notified of Possible Data Breach (July 26, 2007)

More than 12,000 people who have made donations to City Harvest, a New York-based organization aimed at feeding hungry people, have received letters informing them their credit card data may have been compromised. The breach affects people who made donations in the two years prior to April 25, 2007. Few other details have been released about the breach, but the Manhattan DA is investigating.
-http://www.ny1.com/ny1/content/index.jsp?stid=8&aid=72018
-http://www.nypost.com/seven/07292007/business/morgy_probing_id_theft_at_city_har
vest_business_richard_wilner.htm

Marines' SSNs Unintentionally Posted to Internet (July 26, 2007)

Personally identifiable information of 10,554 US Marines was inadvertently posted to the Internet. The data were in the possession of Penn State University, which had obtained them under a research contract. The data include names and SSNs; the problem was discovered by a Marine who had Googled his own name. Penn State officials took the information off the Internet as soon as they learned of the situation and Google has deleted the data from its cache.
-http://www.marinecorpstimes.com/news/2007/07/marine_data_exposed_070726/
[Editor's Note (Honan): This story highlights the dangers of using live data for any research and test purposes. Where possible data used for research and testing should be anonymised. Indeed, under EU Data Protection Legislation any companies based in the EU should ensure that test/research data is anonymised and where actual data needs to be used, then it should be treated with the same due care as live data. ]

MISCELLANEOUS

Black Hat Participant Denied Entry to US (July 29 & 30, 2007)

Security researcher and reverse engineering specialist Thomas Dullien was prevented from entering the US after more than four hours of questioning by immigration officials. Dullien was headed to the Black Hat Security briefings in Las Vegas where he was to teach a class. Officials decided to question him after finding course materials in his luggage. He was ultimately refused entry because of a visa problem. The immigration officials determined that because he was being paid directly by Black Hat, he was essentially an employee and thus required a different type of visa from the one he held. Because of the incident, Dullien is no longer eligible for the US visa waiver program, even if he wants to visit on vacation. The visa waiver program allows citizens of 27 countries to enter the US without a visa for a stay of 90 days or less for business or leisure.
-http://www.theregister.co.uk/2007/07/30/black_hat_visa_refusal/print.html
-http://www.vnunet.com/vnunet/news/2195242/block-entry-blackhat-teacher
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9028378&intsrc=news_ts_head
-http://www.securityfocus.com/brief/557

Ohio Intern Says He Is a Scapegoat (July 25, 2007)

The intern in the Ohio database backup tape theft has issued a statement in which he refers to himself as a "scapegoat." Jared Ilovar maintains he was merely following instructions to "bring these back tomorrow" when he took the data tapes home and that he was never instructed how to handle or store them. Ilovar also says he was following instructions from his employer when he did not tell the police the tapes contained sensitive data. Ilovar says he will ask for written instructions in the future.
-http://www.dispatch.com/dispatch/content/local_news/stories/2007/07/25/ilovar_em
ail.html

LIST OF UPCOMING FREE SANS WEBCASTS

Wednesday 8/1/07 - Host Based Intrusion Prevention (HIPS), what does it do for me?
-http://www.sans.org/info/12171
Sponsored By: CA

Thursday, 8/2/07 - What's New with the OWASP Top 10
-http://www.sans.org/info/12176
Sponsored By: SANS

Wednesday, 8/8/07 - Internet Storm Center: Threat Update
-http://www.sans.org/info/12181
Thursday, 8/9/07 - The Service/Help/Support Desk Implications of Migrating to 802.1x Standards
-http://www.sans.org/info/12186
Sponsored By: AirWave

Wednesday, 8/22/07 - Encryption Face-Off: Software Encryption vs. DriveTrust Technology
-http://www.sans.org/info/12191
Sponsored By: Seagate

Thursday, 8/23/07 - Full Disk Encryption - The Reasons, Options and Deployment Issues
-http://www.sans.org/info/12196
Sponsored By: Seagate

Be sure to check the following Archived SANS Webcasts:

Tuesday, 7/31/07 Archived Webcast Promos:

July 24, 2007 - Validating the Vault: Penetration Testing for Financial Institutions
-http://www.sans.org/info/12201
Sponsored By: Core Security Technologies

July 19, 2007 - Next-Gen Log Monitoring: Who's Minding the Applications?
-http://www.sans.org/info/12206
Sponsored By: ArcSight, Inc.

July 18, 2007 - Making Your Web Applications PCI Compliant
-http://www.sans.org/info/12211
Sponsored By: SPI Dynamics

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/