SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #65

August 17, 2007

TOP OF THE NEWS

IT Contractor Company Closes After Security Breaches
Report Claims IRS Still Careless With Taxpayer Data
Case Against Russian Music Site Dismissed

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
VoIP Hacker Sentenced to Two Years
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
New URI Browser Flaws Worse Than First Thought
Zero-Day Bug in Yahoo! Messenger
Microsoft Fixes 14 Flaws on Patch Tuesday
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
National Guard Information Stolen
Ubuntu Community Servers Breached
Second Data Breach for Pfizer In Two Months
STATISTICS, STUDIES & SURVEYS
One in Five US Surfers Are Victims of Internet Scams
MISCELLANEOUS
Calls to Teach Online Safety in US Schools
LIST OF UPCOMING FREE SANS WEBCASTS

---

***************** SPONSORED BY SANS TRAINING ***************************

If you live near Virginia Beach, Houston, Chicago, Atlanta, Helsinki, Oslo, Dubai, Tokyo, or Dallas, you may attend great SANS training right in your area.
(see http://www.sans.org/training/bylocation/index_all.php)
But the BIGGEST security event of the fall is SANS Network Security 2007 (September 22-30) in Las Vegas) with more than 40 courses and wonderful evening sessions and a big vendor exposition. Most importantly, it brings together the top rated teachers in cybersecurity in the world. How good are they? Here's what past attendees said:
"The quality of teachers, speakers, and even attendees is far superior to any other training event I've attended." (Corinne Cook, Jeppesen)
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"SANS provides by far the most in-depth security training with the true experts in the field as instructors." (Mark Smith, Costco Wholesale)
Registration information: http://www.sans.org/ns2007/

Just Posted! SANS Security 2008 will be held in New Orleans January 11-19 with 23 courses and a host of relevant evening talks! Register now for best discounts and course selections at
http://www.sans.org/info/14226

SANS @Home, our most innovative and effective new educational program, announces Security 508: System Forensics, Investigation and Response, starting September 11, http://www.sans.org/info/13801. You can take this complete SANS course, live with SANS Instructor Michael Murr, and network with fellow students on-line, without leaving your home or office.

*************************************************************************

---

TOP OF THE NEWS

IT Contractor Company Closes After Security Breaches (15 August 2007)

Verus Inc, a company that designed websites and provided services to 40 to 60 hospitals nationwide and was held responsible for security breaches in at least five hospitals, has gone out of business. The company closure appears to have resulted from the affected hospitals terminating their contracts with the company and investors withdrawing funding as a result of the breaches. The breaches appear to have happened after "Verus had 'turned off a firewall for maintenance purposes' and failed to turn it back on again".
-http://www.darkreading.com/document.asp?doc_id=131712&print=true
[Editor's Note (Pescatore): Perhaps Verus built the Ubuntu web sites??? (clever emoticon here that indicates a humorous aside) Good to see that the customers finally did revolt.
(Schultz): Too bad for Verus, but this story will serve as an poignant example of the business case for security for years to come.]

Report Claims IRS Still Careless With Taxpayer Data (15 August 2007)

According to the Treasury Inspector General for Tax Administration (TIGTA), US taxpayers' personal information is at risk because managers and employees within the Internal Revenue Service (IRS) are not complying with security policies and procedures. Despite the IRS losing at least 490 computers with sensitive data between 2003 and 2006, employees were still found not to be encrypting personally identifiable information on their laptops and disregarding email policy. In addition systems were found neither to have been hardened nor to have the default passwords changed. The report calls for IRS executives to hold managers and staff accountable for their actions.
-http://www.fcw.com/article103499-08-15-07-Web&printLayout
[Editor's Note (Liston): Does anyone else find it a bit... well... upsetting that the authors of this report should find it necessary to call "for IRS executives to hold managers and staff accountable for their actions"? ]

Case Against Russian Music Site Dismissed (15 August 2007)

A Russian court has acquitted Denis Kvasov, the former owner of the website Allofmp3.com, of copyright offences for selling music downloads for as little as US$0.10 for individual tracks and albums from US$1.00. The Russian court ruled that the case should be dismissed on the grounds that the site did not breach any Russian laws. The court found that Kvasov paid the required 15% commission of sales to the Russian Multimedia and Internet Society ROMS, a Russian organization which collects and distributes fees for copyright holders. Allofmp3.com had angered music companies that claimed the site breached copyright law by undercutting the price of music downloads. The site was eventually closed down after global credit card companies prevented customers purchasing from it.
-http://www.cnn.com/2007/TECH/biztech/08/15/russia.site.reut/index.html
-http://www.vnunet.com/vnunet/news/2196801/russia-rules-favour-allofmp3
[Editor's Note (Schultz): This ruling seems to be a slap in the face not only to the music industry, but also to Russia itself. Russia has been cracking down on copyright violations in an attempt to conform to World Trade Organization standards. ]

---

*********************** Sponsored Links: ******************************

1) Find out what Seagate knows about secure storage. It could improve your company's security.
http://www.sans.org/info/14206

2) Find out what Fortify knows about JavaScript Hijacking and how developers can make their code secure:
http://extra.fortifysoftware.com/landing/javascript-hijacking.html

3) FREE Whitepaper- Five Things CISOs Need to Know About the Importance of Entitlement Management
http://www.sans.org/info/14216

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

VoIP Hacker Sentenced to Two Years (15 August 2007)

A 23 year old man from Spokane, Washington, has been sentenced to two years in a federal prison and fined US$150,000 for his part in breaking into some of America's largest IP telephony providers and defrauding them of more than a million dollars worth of call minutes. The man, Robert Moore, was able to break into various systems using simple dictionary and brute force attacks. Moore claims that "most of the telecom administrators were using the most basic password - Cisco, Cisco or admin, admin. They weren't hardening their boxes at all." His accomplice, Edwin Pena, has fled the United States after posting bail following his arrest.
-http://www.voipnews.com.au/content/view/1628/159/
-http://www.computerworld.com.au/index.php/id;1841623469;fp;;fpid;;pf;1
[Editor's Note (Skoudis): There is nothing new under the sun. Default passwords are still a plague. I've seen several just this week in some analysis I'm doing. It would be nice if vendors would clearly state that they need to be changed in their documentation, or, better yet, prompt the installer or first user to set a different password when the system is first configured. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

New URI Browser Flaws Worse Than First Thought (15 August 2007)

New research into the recent vulnerabilities in the URI (Uniform Resource Identifier) protocol handler technology has discovered further weaknesses that could be exploited to expose users' data. Two security researchers, Billy Rios and Nathan McFeters, discovered how attackers could misuse the legitimate features of software launched via the URI protocol handler "to actually steal content from the user's machine and upload that content to a remote server of the attacker's choice". McFeters, a senior security advisor for Ernst & Young Global Ltd., claims "The problem is that software developers have rushed to enable their applications without properly thinking about how they could then be misused by attackers". The affected software vendor has been notified and details of the research will not be released until the problem has been fixed.
-http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/07/0
8/15/New-URI-browser-flaws-worse-than-first-thought_1.html
[Editor's Note (Liston): McFeters' comment should be tattooed in reverse onto forehead of every CEO in the software industry. That way, every morning when they look in the mirror, they're reminded of the single most damaging aspect of modern software design: marketing-driven features overriding security. ]

Zero-Day Bug in Yahoo! Messenger (15 August 2007)

A heap overflow bug has been discovered in Yahoo! Messenger version 8.1.0.413 which allows attackers to inject malicious code into a victim's computer. The bug is triggered when the user accepts a specially crafted webcam invite. Yahoo! has confirmed the vulnerability and is working to develop a fix. In the meantime users are advised not to accept webcam invites from unknown sources and network administrators should block outgoing Yahoo! Messenger webcam traffic on port 5100.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201800324
-http://www.theregister.co.uk/2007/08/16/yahoo_messenger_vuln/print.html
-http://www.vnunet.com/vnunet/news/2196774/yahoo-messenger-flaw-emerges
[Editor's Note (Skoudis): Perhaps I'm unusual, but I think it's a good practice, "not to accept webcam invites from unknown sources," regardless of whether there is a flaw in my Messenger client or not. ]

Microsoft Fixes 14 Flaws on Patch Tuesday (15 August 2007)

This month's patch Tuesday from Microsoft saw the biggest security update since February of this year. Tuesday's update saw 9 security bulletins issued addressing 14 vulnerabilities. Eight of the fixes were rated as critical, the highest risk rating given by Microsoft for its patches. Four bulletins were released for Windows 2000, five for Windows XP and two for Vista. Other products affected included Internet Explorer and Microsoft Excel.
-http://www.computerworld.com/action/article.do?command=printArticleBasic&art
icleId=9030696
-http://www.smh.com.au/news/security/microsoft-issues-six-critical-ptches/2007/08
/15/1186857572390.html
-http://www.vnunet.com/vnunet/news/2196636/microsoft-patches-critical
[Editor's Note (Skoudis): I'd like to draw your attention to MS07-049. This patch for Virtual PC and Virtual Server fixes a heap overflow vulnerability that, according to Microsoft, "Could allow a user with administrator permissions to the guest operating system to run code on the host operating system or other guest operating systems." That's a textbook definition of VM escape. For years, many very bright folks have told me that VM escape is impossible. Folks, it is possible. How can you cope? First, harden your guest machines. Next, patch your VM software just as diligently as you patch your OSs. Then, on critical VMs with sensitive data, disable any ease of use features, such as drag and drop, file sharing, and cut and paste. Finally, plan your VM deployment carefully, assuming that VM escape is a possibility. Put strong guests with sensitive data on one underlying host, and weak machines without sensitive data on another underlying host. Don't mix and match. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

National Guard Information Stolen (15 August 2007)

A thumb drive containing the personal information of every National Guard soldier in Idaho was stolen from a soldier's car on Monday August 13. The thumb drive containing information on 3,400 soldiers was taken when other computer equipment and personal items were stolen from the car. The information on the thumb drive was not encrypted.
-http://www.forbes.com/feeds/ap/2007/08/15/ap4020711.html

Ubuntu Community Servers Breached (16 August 2007)

Five of the eight Ubuntu community servers were compromised and used to attack other systems. The servers were shut down to deal with the compromise and are now back online. Canonical, the sponsor and manufacturer of Ubuntu, states the breach was due to more than 15 unpatched web applications running in parallel on the systems, out of date server software being used and the systems using unencrypted FTP.
-http://www.heise-security.co.uk/news/94449
-http://www.eweek.com/article2/0,1895,2171318,00.asp
[Editor's Note (Pescatore): "the breach was due to more than 15 unpatched web applications running in parallel on the systems, out of date server software being used and the systems using unencrypted FTP" - - Gee, was that all? Other than that, Mrs. Lincoln, did you enjoy the play? Unfortunately, not all that unusual on many web sites to find similar numbers of problems - easily remedied problems. ]

Second Data Breach for Pfizer In Two Months (16 August 2007)

Two laptops containing the personal details including the names, home addresses and Social Security numbers of 950 Pfizer contract workers were stolen from a car in Boston. The car belonged to an employee of consulting firm Axia. The hard drives were not encrypted, although they are password protected. The theft occurred on May 21 but Pfizer only notified the affected workers on July 21. Earlier this year personal information on 17,000 Pfizer employees was leaked onto a P2P network from an employee's laptop.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201800113
-http://www.theregister.co.uk/2007/08/16/pfizer_security_breach/print.html

STATISTICS, STUDIES & SURVEYS

One in Five US Surfers Are Victims of Internet Scams (16 August 2007)

According to a survey commissioned by Microsoft, one in five US based Internet users has fallen victim to an online scam. Of those victims, 81% admitted doing something to compromise their system, such as clicking on attachments in an email which appeared to be from someone they trusted. The survey revealed that more than half of those surveyed "had little or no knowledge of current online threats and scams." The report highlights that while security tools are important, "people need to be constantly updated to the threats that exist and how to avoid them"
-http://www.vnunet.com/vnunet/news/2196820/one-five-surfers-fallen-internet-scam
[Editor's Note (Skoudis): We really do need an awareness campaign directed at the general public, like the anti-smoking, anti-drug, anti-litter, and anti-crime TV campaigns of the past.
(Paller) An awareness campaign is definitely needed. For it to have an impact it needs to be required, timely, and repeptitive. The best model is the USAID "Tips of the Day" in which every user reads a security tip and answers a quiz question BEFORE being allowed to start computing - every time they sign on. That approach allows repetition of the critical tips and up-to-the-minute education. The fact that the rest of the federal government still uses ineffective online or live annual awareness training implies that many government security leaders are unaware of the methods attackers are using to penetrate their agency computers and networks. ]

MISCELLANEOUS

Calls to Teach Online Safety in US Schools (16 August 2007)

The US National Cyber Security Alliance (NCSA) has requested that state leaders, schools and colleges work together to ensure that cyber-security, online safety and ethics lessons are taught to students. Despite a recent survey on children's health issues by the University of Michigan showing adults ranked 'internet safety' as the seventh most important issue affecting children today, there is still no formal education on how students can stay safe, secure and ethical online.
-http://www.vnunet.com/vnunet/news/2196759/ncsa-urges-schools-teach-cyber

LIST OF UPCOMING FREE SANS WEBCASTS

Wednesday, 8/22/07 - WhatWorks in Log Management: Maximizing Logging ROI at Premier
-http://www.sans.org/info/14086
Sponsored By: SenSage

Thursday, 8/23/07 - Full Disk Encryption - The Reasons, Options and Deployment Issues
-http://www.sans.org/info/14091
Sponsored By: Seagate

Tuesday, 8/28/07 - Regaining Your Technical Edge: SANS Hacking for Managers Webcast
-http://www.sans.org/info/14096
Sponsored By: Core Security

Wednesday, 8/29/07 - What's New in Malware and Top 5 things Required for Total Protection
-http://www.sans.org/info/14101
Sponsored By: CA

Please be sure to check out the following FREE SANS Archived Webcasts:

8/15/07 - Internet Storm Center: Threat Update
-http://www.sans.org/info/14106
Sponsored By: Core Security

8/9/07 - The Service/Help/Support Desk Implications of Migrating to 802.1x Standards
-http://www.sans.org/info/14111
Sponsored By: AirWave

8/1/07 - Host Based Intrusion Prevention (HIPS), what does it do for me?
-http://www.sans.org/info/14116
Sponsored By: CA

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/