SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #67

August 24, 2007

If you are planning to come to Las Vegas (or considering it) for SANS Network Security 2007, it may be helpful to know that five classes are nearing capacity. If you want a place in one of these courses, register by the 6th of September: Assessing and Securing Wireless Networks, System Forensics, Investigation and Response, Intrusion Detection In Depth, SANS Security Essentials Bootcamp, and Hacker Techniques, Exploits, and Incident Handling. (www.sans.org/ns2007)

Alan

---

TOP OF THE NEWS

Study: Mobile Workers Leave Security to IT
Study Indicates Network Encryption Not Widely Used
Monster.com Users Targeted in Phishing and Ransom Schemes

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
AOL Phisher Enters Guilty Plea
UK Man Arrested for Unauthorized Wireless Connection Use
Alleged Fujacks Worm Author and Distributors Charged
Man Arrested in Turkey Has Ties to TJX Breach Case
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Financial Service Organizations Encouraged to Participate in Pandemic Flu Exercise
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Yahoo! Releases Messenger Update for Webcam Flaws
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Stolen Laptop Holds NYC Retiree Data
Stolen Mobile Phone Investigation Data Recovered
MISCELLANEOUS
Wells Fargo Systems Outage Fixed
Skype Says Microsoft Not at Fault for Outage
LIST OF UPCOMING FREE SANS WEBCASTS

---

******************* Sponsored By Credant Technologies *******************

Report: Portable Storage Devices a Growing Threat

Survey of 323 IT managers and executives reveals usage rates and potential impacts of portable data storage devices--iPods, MP3 players, USB flash drives, and data-centric phones/SD cards--in the workplace. Although organizations see rapid growth in portable storage device usage, few have a solution to prevent widespread data loss. http://www.sans.org/info/14711

*************************************************************************

TRAINING UPDATE
The BIGGEST security events of the fall are SANS Network Security 2007 (September 22-30) in Las Vegas with more than 40 courses and wonderful evening sessions and a big vendor exposition, and SANS London (Nov 26 - Dec 4). They bring you the top rated teachers in cybersecurity in the world, teaching the most up to date, hands-on courses. How good are they? Here's what past attendees said:
"You learn something new every day...the experience of the instructor and of the students make the difference." (Gabriel Schmitt, Hoffmann-LaRoche)
"An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life)
"The depth of knowledge is awesome." (Stephen Hall, Barclays)
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"The quality of teachers, speakers, and even attendees is far superior to any other training event I've attended." (Corinne Cook, Jeppesen)
"You will never ever find anything more valuable than SANS superknowledge. Worth the price!!" (Carlos Fragoso, CESCA)
Registration information:
Las Vegas: http://www.sans.org/ns2007
London: http://www.sans.org/london07/

*************************************************************************

---

TOP OF THE NEWS

Study: Mobile Workers Leave Security to IT (August 21 & 23, 2007)

A study commissioned jointly by Cisco Systems and the National Cyber Security Alliance found that most mobile wireless workers view security as "IT's job." Forty-four percent of respondents said they open email messages and attachments from unknown or suspicious senders and one-third use unauthorized wireless connections. While many of the 700 mobile workers surveyed said they are sometimes aware of security issues and best practices, more than a quarter said they "hardly ever" consider those issues. Those workers said that they were busy getting their work done and that security should be addressed by IT.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201801429
-http://www.theregister.co.uk/2007/08/23/mobile_security_survey/print.html
[Editor's Note (Skoudis): This is tremendously sad. Even if the underlying technology is perfect, a clueless user can still undermine it. Bummer... We certainly face an uphill battle in user awareness.
(Schultz): I suspect that if a similar study were to be conducted in which users of conventional computing sysems were asked the same questions, the results would be very similar. Disappointingly little progress in security training and awareness has been achieved with users over the years.
(Pescatore): Usual disclaimer that this study was sponsored by a security vendor and a security vendor lobbying organization but the results just sort of point out a truism: humans are a hopeful species and will probably be so, right to the bitter end. Users will generally hope something good will happen when they click on something or download something - just the way they hope something good will happen when they pull a slot machine lever or buy a lottery ticket. Home PCs are security disasters compared to decently managed work PCs, and it is the same people using both - the difference is IT Security when it is done right.
(Ullrich): Why shouldn't users expect IT to take care of securityy? I think we (IT / Security professionals) expect too much if we expect office workers to worry about security. Perhaps we can ask them not to leave their laptop unattended. But beyond that, it's our job! ]

Study Indicates Network Encryption Not Widely Used (August 21 & 23, 2007)

A survey of 1,200 IT directors and other security professionals indicates that 34 percent of UK companies encrypt less than one-quarter of their network traffic. The number of organizations with no network traffic protection at all fell one percentage point, from 6 percent to 5 percent, since 2006. The total number of organizations using encryption and other security measures on network traffic has actually dropped since last year.
-http://www.vnunet.com/vnunet/news/2197101/unencrypted-networks-data

Monster.com Users Targeted in Phishing and Ransom Schemes (August 21 & 23, 2007)

Cyber thieves used stolen credentials to access the employer section of Monster.com. Once in, they stole personal data of hundreds of thousands of users of the job-hunting site. The data include names, street addresses, and email addresses, and were uploaded to a remote server. Monster.com has managed to get that server shut down. Monster.com users have received phishing emails that try to trick them into divulging financial account information. The emails contain personal information, which makes them seem more authentic. The email encouraged recipients to download a "Monster Job Seeker Tool" that is actually a program that encrypts files and leaves a ransom note demanding money for decrypting those files. The server of stolen data contains 1.6 million records, but there may be duplicates or more than one record for each individual. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3295
and
-http://isc.sans.org/diary.html?storyid=3303
-http://news.bbc.co.uk/2/hi/technology/6956349.stm
-http://www.washingtonpost.com/wp-dyn/content/article/2007/08/22/AR2007082202625_
pf.html
-http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/07/0
8/23/Monster-shuts-down-rogue-server_1.html
[Editor's Note (Honan): Many victims may have accessed Monster's website from their work PCs thus exposing corporate login details as well as their own personal details. ]

---

*********************** Sponsored Links: ******************************

1) FREE Whitepaper- Five Things CISOs Need to Know About the Importance of Entitlement Management
http://www.sans.org/info/14716
2) Free Webcast Logging Web Proxy Logs: Best Practices, Big Tips & Meeting Compliance Mandates.
http://www.sans.org/info/14721
3) SANS @Home Reverse Engineering Malware, taught by Lenny Zeltser, starts Wednesday, September 12
http://www.sans.org/info/14726

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

AOL Phisher Enters Guilty Plea (August 23, 2007)

Michael Dolan has pleaded guilty to conspiracy to commit fraud and aggravated identity theft for his role in a phishing scheme. Other individuals have been implicated in the scheme, which involved collecting user names from AOL chatrooms and sending phishing emails to steal names, bank and credit card account information, and Social Security numbers (SSNs). The stolen information was used to create phony debit cards to make online purchases and withdrawals from ATMs, as well as purchases at brick-and-mortar stores. Dolan's plea agreement will have him spending 84 months in prison followed by two or three years of supervised release. He will also pay a US $250,000 fine and restitution to his victims.
-http://www.scmagazine.com/us/news/article/733140/aol-phisher-pleads-guilty-id-th
eft-scheme/
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201801971
[Editor's Note (Ullrich): The fact that he pled guilty tells me that the prosecution of these cases and the laws around them have become more established and tested. So I hope we will see more of this soon! Of course, at first this will affect only US based phishing operations. ]

UK Man Arrested for Unauthorized Wireless Connection Use (August 23, 2007)

A UK man has been arrested for wireless piggybacking. The unidentified man was observed sitting on a wall outside a house in Chiswick, West London while using his laptop computer. When confronted, he admitted he was using a wireless connection in the area without permission. He could face charges under the Communications Act 2003 and the Computer Misuse Act. Two other individuals arrested in the UK for similar offenses this year were let go after being cautioned. In 2005, a man was fined GBP 500 (US $1,000).
-http://www.heise-security.co.uk/news/94788
[Editor's Note (Northcutt): There is an article discussing this issue with some interesting web 2.0 style comments here:
-http://news.bbc.co.uk/2/hi/uk_news/magazine/6960304.stm]

Alleged Fujacks Worm Author and Distributors Charged (August 22, 2007)

Chinese authorities have charged four men with creating and distributing the Fujacks worm. At least one of the men allegedly made money from selling the worm. The worm changes program icons and steals online gaming user names and passwords. Each of the men could face up to five years in prison if convicted of all charges. Police made the worm's author create a clean-up program, but so far it has not been released. It is estimated that one million PCs in China were infected with Fujacks.
-http://www.theregister.co.uk/2007/08/22/panda_worm_suspects_charged/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9032181&source=rss_topic17

Man Arrested in Turkey Has Ties to TJX Breach Case (August 21, 2007)

A Ukrainian man has been arrested in Turkey in connection with the sale of credit card numbers stolen in the massive TJX customer data breach. Authorities are hopeful that the arrest of Maksym Yastremskiy will provide information that leads to those responsible for the breach. Yastremskiy allegedly sold stolen card numbers online. He was arrested several weeks ago, but his connection to the TJX breach was not made clear until recently. It appears that cyber thieves "placed software on the
[TJX ]
computer network to capture data." The network was compromised from 2005 through 2006 and the data compromised include transactions dating back to 2003.
-http://www.boston.com/business/personalfinance/articles/2007/08/21/suspect_named
_in_tjx_credit_card_probe/

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Financial Service Organizations Encouraged to Participate in Pandemic Flu Exercise

More than 1,200 organizations have registered for the Financial Services Sector Pandemic Flu Exercise, scheduled for September 24 through October 12. The exercise will be conducted by the Financial Banking Information Infrastructure Committee (FBIIC) and the Financial Services Sector Coordinating Council (FSSCC) and is sponsored by the US Department of the Treasury and the Security Industry and Financial Markets Association. All members of the US financial services industry are eligible to apply for participation; there is no charge. The registration deadline is August 31.
-http://www.fspanfluexercise.com/
-http://www.fspanfluexercise.com/
Exercise Overview_Final.pdf
[Editor's Note (Skoudis): Pandemic planning is something that information security people and business continuity folks should get involved in. You've got a VPN infrastructure, right? What if there is a pandemic, and 95% of your employees can't come into the office, so most of them try to use the VPN? For most organizations, sparks and smoke will start shooting out of your VPN concentrators because of the load. Thus, you need to either add capacity, or, more likely, create a plan for prioritizing VPN usage amongst your most critical employees. Your plan should include the ability to block some users who are less than critical during crisis times. ]


[Editor's Note (Shpantzer): Steadfast Response II is a widely used tabletop exercise for continuity of operations in the face of bird flu. Find it free here
-http://www.steadfastresponse.com/]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Yahoo! Releases Messenger Update for Webcam Flaws (August 23, 2007)

On Tuesday, August 21, Yahoo! released an update for Yahoo! Messenger to address security flaws in the webcam chat invitation function. Information that would allow people to create exploits for the flaws was posted to the Internet. The holes could be exploited to execute code on vulnerable machines and cause denial-of-service conditions. Users who obtained version of Yahoo! Messenger prior to August 21, 2007 are urged to update to Yahoo! Messenger version 8.1.0.416.
-http://blog.washingtonpost.com/securityfix/2007/08/yahoo_issues_security_update_
f.html?nav=rss_blog
-http://news.com.com/8301-10784_3-9764988-7.html?part=rss&subj=news&tag=2
547-1_3-0-20
-http://messenger.yahoo.com/security_update.php?id=082107
[Editor's Note (Ullrich): Note that this is only a denial of service condition. Not patching it may actually increase office productivity and overall security (because in businesses this service is often used for non-business purposes.) ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Stolen Laptop Holds NYC Retiree Data (August 23, 2007)

Personally identifiable information of as many as 280,000 New York City retirees has been compromised after the theft of a consultant's laptop. The consultant was working for the city's Financial Information Services Agency and had access to data of several city pension systems. The city plans to notify all those affected by the theft. A City Hall spokesperson says they know that the breach does not affect all 280,000 retirees in the system, but they are notifying everybody because they have not determined who exactly is affected. There is also uncertainty about whether or not the data are encrypted. California's state pension fund office recently sent mailings to 445,000 retirees with SSNs visible in the address pane.
-http://www.newsday.com/business/am-retiree0823,0,6813539,print.story
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9032458&source=rss_topic17

Stolen Mobile Phone Investigation Data Recovered (August 21, 2007)

A server stolen from Forensics Telecommunications Services (FTS) in Kent, England, has been recovered. The server contains a database of forensic mobile phone information used to track suspected terrorists. An examination of the server determined that the data it holds had not been accessed.
-http://scmagazine.com/uk/news/article/732736/police-recover-stolen-database/

MISCELLANEOUS

Wells Fargo Systems Outage Fixed (August 22, 2007)

A computer failure at Wells Fargo on Sunday, August 19 was still causing problems for customers on Tuesday. Customers attempting to conduct banking transactions experienced difficulties because Wells Fargo's Internet, telephone, and ATM services were offline. While not providing specific information about the cause of the outage, Wells Fargo did say they had to restore their systems from backups. All systems are now operational, though account information may not yet appear current.
-http://www.computerworld.com.au/index.php?id=618735096&eid=-180

Skype Says Microsoft Not at Fault for Outage (August 22, 2007)

Skype has clarified an earlier statement that implied Microsoft was partly responsible for last week's outage. A Skype spokesperson wrote in a blog, "We do not blame anyone but ourselves. The Microsoft Update patches were merely a catalyst ... for a series of events that led to
[the problem ]
, not the root cause of it." Skype's "peer-to-peer network management algorithm was not tuned to take into account a combination of high usage load and supernode rebooting." A large number of users rebooting after the Microsoft updates were installed triggered the situation, unveiling the algorithm problem. The blog posting made note of Microsoft's helpfulness and support regarding the situation. Skype has fixed the algorithm so the problem will not recur. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3292
-http://www.vnunet.com/vnunet/news/2197141/skype-clears-microsoft-blame
-http://heartbeat.skype.com/2007/08/the_microsoft_connection_explained.html
[Editor's Note (Ullrich): Skype still has not answered the main question: Why did this happen this month, and not on any of the other "reboot Wednesdays"?
(Grefer): Given that supernodes quite often are operated by large(r) companies with ample CPU power and bandwidth, I have my doubts about this explanation. Most large(r) companies will have their own update schedule that includes testing of patches prior to roll-out. As such, it does not appear likely that a/the majority of supernodes would have been affected by Patch Tuesday. ]

LIST OF UPCOMING FREE SANS WEBCASTS

Ask The Expert Webcast: Regaining Your Technical Edge: SANS Hacking for Managers Webcast
-http://www.sans.org/info/14676

WHEN: Tuesday, August 28, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Dr. Eric Cole
Sponsored By: Core Security
-http://www.coresecurity.com/

Ask The Expert Webcast: What's New in Malware and Top 5 thins Required for Total Protection
-http://www.sans.org/info/14686
WHEN: Wednesday, August 29, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Brian Grayek
Sponsored By: CA
-http://www.ca.com/worldwide/

Over the past several years, malware has evolved from relatively simple viruses and worms to complex and distributed software with Trojan capabilities. Today we are faced with sophisticated bots, worms that can update themselves dynamically, and a significant increase in the types of platforms affected. In this webcast, you will learn of the latest types of malware threats in the wild, with several recent examples.

Ask the Expert Webcast: Top 10 Mobile Security Issues
-http://www.sans.org/info/14696
WHEN: Wednesday, September 5, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Dr. Eric Cole
Sponsored By: Sybase
-http://www.sybase.com/

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/