SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #61

August 03, 2007

GREAT NEWS and CALL TO ACTION!
The first NewsBites story this week illuminates one of the great "good-news" stories in cyber security. The US Office of Management and Budget has organized all federal buyers to aggregate their buying power ($70 billion per year) to persuade hardware and software vendors to deliver secure versions of Windows and to make sure all software sold to the US government for Windows environments operate effectively on the secure standard configuration without requiring administrative privileges. That means radical reductions in help-desk costs, even greater reductions in patch testing, and most importantly far faster and safer patching. More than 90 large non-government organizations have also established minimum security configurations for their systems and most are moving toward the federal desktop standard to eliminate unnecessary application and patch testing. With Wednesday's announcement, any organization, large or small, anywhere in the world, can now take advantage of the federal initiative and get most of the same benefits. Just do two things: (1) include in every contract with which you buy software the same language the feds use, and (2) get the standard configuration (virtual machine implementation) from the NIST site and start identifying applications that need to be updated. You'll find the procurement language in OMB-07-18 at the White House site: http://www.whitehouse.gov/omb/memoranda/fy2007/m07-18.pdf And the standard configuration along with applicable Group Policy Objects and documentation may be found at NIST at:
http:/csrc.nist.gov/fdcc
A standard ISO file of the standard configuration may be downloaded from Microsoft's MVLS site if your organization has an Enterprise Agreement with Microsoft.

Alan

PS The early registration discount for SANS Network Security in Las Vegas (September 22-30) ends on Wednesday August 8.

---

TOP OF THE NEWS

Federal Desktop Core Configuration Virtual Machines Available
GAO Report Says FISMA Metrics Ineffective
Storm Worm's Huge Botnet
UK Commission Recommends Putting eVoting on Hold
eVoting Vendors Speak Out Against California Test Results

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Man Arrested for Hacking Cyclist's eMail
Wireless Piggybacking Spammer Gets Home Detention and Probation
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
DHS Issues Draft Recommendations for Control System Security
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Russian Malware Sites Resurging
Mozilla Updates Fix URI Vulnerability
Apple Issues First iPhone Patch
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Cyber Thieves Allegedly Took US $500,000 from Turkish Banks
MISCELLANEOUS
Some Retailers Still Retain Sensitive Card Data
LIST OF UPCOMING FREE SANS WEBCASTS

---

********************* Sponsored By Fortify Software *********************

Fortify Software's Security Research Group has announced a new class of vulnerability: JavaScript Hijacking. This is the first class of vulnerability that specifically affects Web 2.0 AJAX-style web applications. Download Fortify's advisory detailing the risk and how developers can make their code secure:
http://www.sans.org/info/12846

*************************************************************************

SECURITY TRAINING UPDATE
SANS Network Security 2007 (September 22-30, in Las Vegas) is the largest fall conference on cybersecurity with more than 40 courses and wonderful evening sessions and a big vendor exposition. Most importantly, it brings together the top rated teachers in cybersecurity in the world. How good are they? Here's what past attendees said:
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"The quality of teachers, speakers, and even attendees is far superior to any other training event I've attended." (Corinne Cook, Jeppesen)
"SANS provides by far the most in-depth security training with the true experts in the field as instructors." (Mark Smith, Costco Wholesale)
Registration information: http://www.sans.org/ns2007/

*************************************************************************

---

TOP OF THE NEWS

Federal Desktop Core Configuration Virtual Machines Available (August 1, 2007)

The Office of Management and Budget (OMB) has released virtual machines with implementations of Windows XP Professional SP2 and Vista with the Federal Desktop Core Configuration (FDCC). Agencies can install their own applications on the virtual machines to test them in that environment before they are required to deploy FDCC to their own computers. In March of this year, the OMB mandated the use of FDCC on Windows desktop computers at US government agencies by February 1, 2008.
-http://www.fcw.com/article103389-08-01-07-Web&printLayout
-http://csrc.nist.gov/fdcc/
A very cool and interesting use of virtual machine technology. Way to go, OMB! Note however: There are some applications that specifically check to see if they are in a virtual environment (some media players, for instance), and will refuse to run. While that doesn't, in any way, detract from the usefulness of this project, it is something that must be kept in mind. ]

GAO Report Says FISMA Metrics Ineffective (July 30, 2007)

A recent report from the Government Accountability Office (GAO) says agency computer systems have security "weaknesses ... predominantly in access controls
[as well as ]
in configuration management, segregation of duties and continuity of operations." The report goes on to say that the metrics established by the Federal Information Security Management Act (FISMA) "do not measure how effectively agencies are performing various activities." The report recommends three ways in which the Office of Management and Budget (OMB) could improve FISMA. First, agencies should be required to report how they handle patch management. Second, OMB should establish "additional performance metrics that measure the effectiveness of FISMA activities." Finally, agencies should "request inspectors to report on the quality of additional agency information security processes."
-http://www.fcw.com/article103357-07-30-07-Web&printLayout
-http://www.gao.gov/new.items/d07837.pdf
[Editor's Note (Liston): When will people realize that securing computers and networks isn't something that you do with a checklist? Good security policy and procedures requires knowledge and understanding of the environment and information assets that are being secured... something that no checklist will ever be able to provide. Checklists have their place, but they will only ever get you to the bare minimum. ]

Storm Worm's Huge Botnet (August 2, 2007)

The Storm worm has reportedly infected nearly 2 million computers, "10 times more than any other email attack in the last two years." The concern that those behind this worm want to do more than just use the zombie PCs to send spam is growing; the attackers may be planning to use the botnet to launch a massive distributed denial-of-service (DDoS) attack. Small portions of the huge botnet have already been used to launch DDoS attacks; an attack that uses all of the compromised computers would have far-reaching and potentially serious consequences. There is speculation that the people behind the Storm worm were responsible for attacks against Estonian government and commercial websites earlier this year.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201202711
[Editor's Note (Liston): The Storm worm is an amazing piece of work. Anyone who has taken the time to reverse engineer Storm will tell you that it is a very sophisticated piece of software and it is highly unlikely that it was created just to send spam. ]

UK Commission Recommends Putting eVoting on Hold (August 2, 2007)

The UK's Electoral Commission wants the government to create a strategy to update the voting process and improve its security. While the commission noted that much had been learned from recent pilot runs, it sees no value in further pilots of such systems until improvements have been made based on lessons learned. In local elections in May, there were 13 pilots of the voting systems. Of particular concern is "low public confidence in the security of Internet and phone voting, accessibility, and technical difficulties."
-http://news.bbc.co.uk/2/hi/uk_news/politics/6926625.stm
-http://www.eweek.com/article2/0,1759,2165663,00.asp
-http://www.electoralcommission.org.uk/files/dms/Keyfindingsandrecommendationssum
marypaper_27191-20111__E__N__S__W__.pdf

eVoting Vendors Speak Out Against California Test Results (August 1, 2007)

eVoting vendors said at a hearing on Monday, July 30 that the results of California Secretary of State Debra Bowen's mandated testing of their voting systems demonstrated only "that any computerized system, removed from its environment and placed ... into a laboratory for anyone to tamper with, can be successfully attacked." Election officials also expressed frustration with the review's failure to take into account their established security procedures. Voting rights advocates implored Bowen to mandate the use of paper ballots. The report has also prompted the scheduling of a Senate Rules and Administration Committee hearing in September to look more closely at the researchers' findings.
-http://www.sci-tech-today.com/story.xhtml?story_id=0010003OSTT7
-http://blog.wired.com/27bstroke6/2007/07/senate-to-hold-.html
[Editor's Note (Schultz): If eVoting vendors devoted a proportion of the resources they use to discredit analysts and researchers who find flaws in their products to actually improving the security of their products, security in eVoting machines would not be so flawed. ]

---

************************ Sponsored Link: ******************************

1) Find out what Seagate knows about secure storage. It could improve your company's security.
http://www.sans.org/info/12851

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Man Arrested for Hacking Cyclist's eMail (August 2, 2007)

A Danish man could face up to 18 months in prison if convicted of charges of illegally obtaining someone else's email. The man allegedly broke into the email account of cyclist Michael Rasmussen and attempted to sell messages to a newspaper. Rasmussen was ousted from a Tour de France team on July 25 because he allegedly lied to drug testers about his whereabouts before the race.
-http://www.bradenton.com/462/story/112328.html
-http://www.theregister.co.uk/2007/08/02/cycling_email_hack/print.html

Wireless Piggybacking Spammer Gets Home Detention and Probation (August 1, 2007)

Nicholas Tombros received six months of home detention and three years probation for sending out spam through unsecured wireless access points. Tombros drove around Venice, California looking for wireless network access points that were unprotected and used his laptop to send thousands of spam messages through those connections. Tombros was also fined US $10,000. It is unclear why Tombros's sentencing took nearly three years from the date of his plea deal. He is the first person to be convicted under 2003's CAN-SPAM Act.
-http://www.theregister.co.uk/2007/08/01/smut_spam_wifi/print.html
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201202305
-http://www.dailybreeze.com/news/articles/8823942.html
[Editor's Note (Liston): Tombros pleaded guilty in 2004 and it took THREE YEARS to sentence him to probation, home detention, and a $10K fine! There is absolutely no deterrent factor in this kind of slap-on-the-wrist justice. Based on the likelihood of being caught, my take-away from this case is that spamming through open wireless essentially has no legal down-side. If you run wireless, it had better be secure. ]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

DHS Issues Draft Recommendations for Control System Security (July 30, 2007)

The US Department of Homeland Security (DHS) has released a draft document that provides recommendations for automated control systems, especially those used in the power industry. The recommendations include ways to protect systems from spam and social engineering attacks. Other recommendations include using antivirus software, not using VoIP, IM, FTP, HTTP and filesharing on control systems, and making sure DNS is not used to protect control systems from denial-of-service attacks. The draft document was created with input from the National Institute of Standards and Technology (NIST) and four national laboratories.
-http://www.vnunet.com/vnunet/news/2195190/homeland-security-warns-power

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Russian Malware Sites Resurging (August 2 2007)

Several security finders have reported evidence that Russia is, once again, housing sites that store significant amounts of malware. Some of what has been found, however, appears to have originated outside Russia. Another firm reported that Russia's share of malware infested web sites increased from 3.5% to 14.7% from June to July.
-http://news.yahoo.com/s/zd/20070802/tc_zd/212787

Mozilla Updates Fix URI Vulnerability (July 31 & August 1, 2007)

Mozilla has released its second Firefox update in less than a month. Firefox 2.0.0.6 addresses a critical URI (uniform resource indicator) flaw that could be exploited to install malware on vulnerable computers. It also fixes a privilege escalation flaw in Firefox add-ons. The update is available for Mac, Windows, and Linux users. The URI flaw also affects Mozilla's Thunderbird and SeaMonkey products; users are urged to upgrade to Thunderbird 2.0.0.6 and SeaMonkey 1.1.4. Mozilla released Firefox 2.0.0.5 several weeks ago to prevent the browser from accepting malicious URIs from Internet Explorer (IE), but later learned that its own browser suffered from the same URI problem.
-http://www.theregister.co.uk/2007/07/31/firefox_update/print.html
www.vnunet.com/vnunet/news/2195356/mozilla-makes-second-attempt
-http://www.securityfocus.com/brief/559
-http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0
.6

Apple Issues First iPhone Patch (July 31 & August 1 & 2, 2007)

Apple has released fixes for flaws in Mac OS X, Safari for Windows beta, and the iPhone. The OS X fix addresses at least 45 flaws, 11 of which could allow arbitrary code execution. The Safari fix addresses four flaws, which involve cross-site scripting and remote code execution issues. The iPhone fix addresses five flaws, and comes just days before a Black Hat Briefings presentation about a critical flaw in the new device's operating system. The iPhone update installs automatically when the phones are placed in docks.
-http://www.securityfocus.com/brief/560
-http://www.theregister.co.uk/2007/08/01/first_iphone_security_update/print.html
-http://www.vnunet.com/vnunet/news/2195459/apple-issues-trio-updates
iPhone Update Information:
-http://docs.info.apple.com/article.html?artnum=306173
OS X Update Information:
-http://docs.info.apple.com/article.html?artnum=306172
Safari for Windows Beat Update Information:
-http://docs.info.apple.com/article.html?artnum=306174

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Cyber Thieves Allegedly Took US $500,000 from Turkish Banks (August 2, 2007)

A pair of cyber thieves in Russia allegedly stole more than US $500,000 from Turkish banks over a two-year period. One man has been arrested; another remains at large. "The men purchased a dedicated server with remote access to a desktop hosted in a US data center, and a special application" that they used to infect Turkish online banking customers' computers with a Trojan horse program. They allegedly used that program to gather account login details. The pair allegedly had collaborators in Turkey who helped transfer the stolen money to accounts in Russia.
-http://www.theregister.co.uk/2007/08/02/turkish_trojan/print.html
-http://en.rian.ru/world/20070730/69939519.html

MISCELLANEOUS

Some Retailers Still Retain Sensitive Card Data (July 31, 2007)

Payment Card Industry (PCI) data security standard compliance statistics from Visa indicate that most - but not all --- major retailers do not store sensitive credit card account data. Ninety-six percent of Level 1 and Level 2 merchants say they do not retain sensitive data, but this means that four percent, or approximately 42 major retail companies, do. (Level 1 merchants process more than six million Visa transactions annually; Level 2 merchants process between one and six million transactions annually.) The statistics are based on declarations to Visa by the companies; audit results could potentially turn up a higher rate of non-compliance because the companies may be unaware of where the data are stored in their systems. For larger companies, changing point-of-sale (POS) systems can be costly and complicated because of widely distributed stores and sheer volume. The problem can often be traced to payment applications that store the data instead of a deliberate decision by the retailer to retain the information.
-http://www.eweek.com/print_article2/0,1217,a=212601,00.asp

LIST OF UPCOMING FREE SANS WEBCASTS

Thursday, 8/9/07 - The Service/Help/Support Desk Implications of Migrating to 802.1x Standards
-http://www.sans.org/info/12776
Sponsored By: AirWave

Wednesday, 8/15/07 - Internet Storm Center: Threat Update
-http://www.sans.org/info/12791

Thursday, 8/23/07 - Full Disk Encryption - The Reasons, Options and Deployment Issues
-http://www.sans.org/info/12796
Sponsored By: Seagate

Be sure to check out the following FREE SANS archived webcasts:

July 31, 2007 - WhatWorks in Intrusion Prevention and Detection: PCI, Global Compliance and Log Management at a Large Financial Firm
-http://www.sans.org/info/12806
Sponsored By: Sourcefire

July 25, 2007 - Meeting PCI Data Security Standards: It's more than log collection
-http://www.sans.org/info/12811
Sponsored By: Q1 Labs

July 24, 2007 - Validating the Vault: Penetration Testing for Financial Institutions
-http://www.sans.org/info/12816
Sponsored By: Core Security

*************************************************************************

---

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/