SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #69
August 31, 2007
Law enforcement and other government agencies at the state and local level, and educational institutions, have traditionally been woefully underfunded for IT in general and for IT security specifically. To try to help, SANS has implemented partnership programs with several states to get their people advanced SANS training at very low cost. The State of Texas has a program starting shortly where discounts reach 60% on two programs: Hacker Exploits and Forensics. Details may be found at:
http://www.dir.state.tx.us/security/training/index.htm
Even if you don't live in Texas, you are eligible for this low cost program if you are:
* An employee of a state or local agency
* A member of law enforcement at the state or local level
* A faculty or staff member from an accredited educational institution, including colleges, universities, technical training institutes, K-12 schools or any institution with a .edu domain name.
If you do not meet these criteria, you may still attend these classes for the standard tuition fee. If you would like to set up a partnership program like this in your state email Brian at bcorreia@sans.org.
Alan
TOP OF THE NEWS
TorrentSpy to Block US IP Addresses
Westpac Bank Won't Hold Customers Liable for Fraud in Most Cases
Homes Raided in Japanese Military Data Leak Investigation
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Ohio Judge Dismisses Privacy Breach Case Against Ohio University
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
China to Deploy Virtual Cyber Police
Australian Tax Office Employees Accessed Data Without Authorization
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Zero-Day Vulnerability in MSN Messenger Video Chat
Slammer Still Spreading Through SQL Server
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Storm Goes After Google Blogger
Breach at Canadian Brokerage Firm
STANDARDS & BEST PRACTICES
NIST Issues Web Services Security Guide
MISCELLANEOUS
Monster.com Acknowledges There May Have Been More Breaches
Sony USB Drives Contain Rootkit-Like Software
Digital Car Key Algorithm Cracked
LIST OF UPCOMING FREE SANS WEBCASTS
*************************************************************************
TRAINING UPDATE
The BIGGEST security event of the fall is SANS Network Security 2007 (September 22-30) in Las Vegas with more than 40 courses and wonderful evening sessions and a big vendor exposition. It brings you the top rated teachers in cybersecurity in the world, teaching the most up to date, hands-on courses.
How good are the courses? Here's what past attendees said:
"You learn something new every day...the experience of the instructor and of the students make the difference." (Gabriel Schmitt, Hoffmann-LaRoche)
"An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life)
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"You will never ever find anything more valuable than SANS super knowledge. Worth the price!!" (Carlos Fragoso, CESCA)
Registration information:
London: http://www.sans.org/london07/
*************************************************************************
TOP OF THE NEWS
TorrentSpy to Block US IP Addresses (August 27 & 28, 2007)
TorrentSpy will block IP addresses that originate in the US rather than violate its users' privacy. US courts have ruled that TorrentSpy must surrender server logs with information about user behavior. The ruling came as a result of a lawsuit filed by the Motion Picture Association of America (MPAA) alleging that TorrentSpy helped users download digital content in violation of US copyright laws. The MPAA wants logs that contain users' IP addresses and lists of files they have downloaded. TorrentSpy balked at the request because their "server logs pass through system memory, but are never permanently recorded," and to save these transient data would violate TorrentSpy's privacy policy. The Electronic Frontier Foundation (EFF) has expressed concern that the ruling could set a precedent that would require organizations to violate their own privacy policies, and surmised that the judge misunderstood the technology in concluding that, because the IP addresses exist in TorrentSpy's web server RAM, they are "electronically stored information." Requiring organizations to retain those data would be analogous to requiring them to record the content of phone calls and conversations.
-http://www.theregister.co.uk/2007/08/28/torrentspy_shuts_doors_to_america/print.html
-http://www.vnunet.com/vnunet/news/2197496/torrentspy-blocks-users
-http://www.securityfocus.com/columnists/450
[Editor's Note (Schultz): This is a very significant ruling, another in the ongoing battle between copyright enforcement and protection of privacy. TorrentSpy's response, namely to block IP addresses originating in the US, is likely to end up being merely a stopgap measure in that other organizations similar to the MPAA in other countries are likely to file similar lawsuits in time. ]
Westpac Bank Won't Hold Customers Liable for Fraud in Most Cases (August 29, 2007)
New Zealand's Westpac Bank says its customers will not be liable for losses incurred due to online fraud. The announcement runs contrary to the New Zealand Bankers' Association practices, which say customers could be liable for losses from online fraud if their computers are found to be lacking adequate security. The practice would also give banks the right to inspect customers' computers when they file complaints of fraud. Westpac says it will not inspect customers' computers and that customers' losses will be covered as long as they do not knowingly use malware infected computers, leave their computers unattended, or write down or share their passwords.
-http://www.nzherald.co.nz/section/story.cfm?c_id=5&objectid=10460455
[Editor's Note (Schultz): Good for Westpac Bank! I especially like the provisions that delineate reasonable customer responsibilities. Hopefully, this bank's decision will have a snowball effect on other banks in New Zealand. ]
Homes Raided in Japanese Military Data Leak Investigation (August 28, 2007)
Government and military authorities in Japan have raided the homes of a number of Japan's Maritime Self Defense Force (JMSDF) members to gather evidence in a data leak case. Information pertaining to the Aegis missile defense system and other sensitive government projects was leaked from a government computer some time before March of this year. The leak was discovered in March during an unrelated immigration investigation.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9033179&source=rss_topic17
[Editor's Note (Northcutt): Another report adds a military school to the search:
-http://pcworld.about.com/od/privacysecurity1/Japan-military-school-raided-o.htm
It seems the Japanese government and JMSDF simply will not self police when it comes to the Winny file sharing program. This is not the first time these types of problems have occurred. The Japanese people are quite concerned. While preferring peace, they know their way of life could be threatened and depend heavily on their advanced weaponry. A youtube.navi-gate video on Aegis really shows the national perception of their system:
-http://youtube.navi-gate.org/v/H9_tbmTnrjA/]
*********************** Sponsored Links: ******************************
1) Purchase SANS Voucher Credit today. One procurement, transcend fiscal years, online usage reports, status updates. Visit online today http://www.sans.org/info/15111 or Email Vouchers@sans.org.
2) Free Webcast: Create Once, Comply Many Times: Addressing The Complexity of Governance, Risk & Compliance.
http://www.sans.org/info/15116
*************************************************************************
THE REST OF THE WEEK'S NEWS
Ohio Judge Dismisses Privacy Breach Case Against Ohio University (August 30, 2007)
An Ohio judge has granted a motion to dismiss a case against Ohio University (OU) regarding security breaches of the school's computer systems that compromised alumni data. The two alumni who filed the lawsuit wanted OU to pay for credit monitoring services for everyone whose data were compromised. The judge said the pair had not proven that they had suffered damages for which they could be compensated. Results of an investigation into the 2005 breaches suggest that the intruders were trying to use the university's computers to store digital movie and music files. Attorneys plan to try to get the case reinstated with new plaintiffs. The two who filed the lawsuit were not victimized by identity fraud, but approximately 40 other alumni were, although none has drawn a definitive connection between the OU breach and the identity fraud.
-http://www.whec.com/article/stories/S113838.shtml?cat=10054
-http://www.bizjournals.com/columbus/stories/2007/08/27/daily28.html
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
China to Deploy Virtual Cyber Police (August 29, 2007)
Chinese web portals will begin deploying virtual cyber police in an effort to help "wipe out information that does public harm and disrupts social order." Images of one male and one female police officer will pop up on computer screens every 30 minutes. Users can click on the icons to report suspicious activity. The images are meant to remind web surfers that their activity is being monitored. Authorities are targeting "sites and ... activities that incite secession, promote superstition, gambling, fraud, and pornography."
-http://www.smh.com.au/news/Technology/China-sending-virtual-police-on-cyberpatrols/2007/08/29/1188067182165.html
-http://www.theregister.co.uk/2007/08/29/virtual_police/print.html
-http://news.bbc.co.uk/2/hi/asia-pacific/6968195.stm
[Editor's Note (Ullrich): Now, if we could just get China to take actual cybercrimes seriously...
(Schultz): What a fascinating new approach in that it gets down to the level of users in a very concrete way. I predict that China will experience at least some amount of success using this approach. ]
Australian Tax Office Employees Accessed Data Without Authorization (August 28, 2007)
A dozen people are no longer employed by the Australian Tax Office (ATO) after an audit found 26 instances of people accessing tax records without authorization in 2006. Of the dozen that no longer work there, nine resigned and three were fired. The breaches are somewhat surprising given that the ATO stepped up privacy education for employees in the wake of earlier abuses of privilege. In a separate story, results of a survey from Australia's Office of the Privacy Commissioner indicate that "Australians do not trust online businesses to protect their identities and financial data."
-http://news.zdnet.co.uk/security/0,1000000189,39288867,00.htm
-http://www.news.com.au/business/story/0,23636,22318087-462,00.html
-http://www.australianit.news.com.au/story/0,24897,22317999-15306,00.html
Office of the Privacy Commissioner Survey:
-http://www.computerworld.com.au/index.php/id;1696952368;fp;;fpid;;pf;1
[Editor's Note (Ullrich): Auditing abuses is a great "first step". On the other hand, only prevention involving technical means to prevent employees from accessing data they are not authorized to view will actually solve the problem. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Zero-Day Vulnerability in MSN Messenger Video Chat (August 28 & 29, 2007)
Exploit code for a zero-day vulnerability in MSN Messenger's video chat component has been posted to the Internet. Maliciously crafted videos can result in a heap-based buffer overflow that could be exploited to crash vulnerable systems or execute arbitrary code. The vulnerability affects MSN Messenger versions 6 and 7. Users are encouraged to upgrade to version 8.1, which is not affected by the flaw. No patch is presently available. Users are urged to be cautious while participating in video conversation sessions and should refuse sessions from untrusted sources.
-http://www.scmagazine.com/us/news/article/733830/msn-messenger-video-based-exploit-revealed/
-http://www.vnunet.com/vnunet/news/2197536/webcam-flaw-reveals-itself-msn
-http://www.heise-security.co.uk/news/95060
Slammer Still Spreading Through SQL Server (August 24, 2007)
While the amount of attention the Storm worm has been getting is warranted, other, older viruses and worms are still spreading, and they may present an even larger threat than Storm does. The Slammer worm debuted in January 2003 and is still spreading. According to IBM Internet Security Systems director of security strategy Gunter Ollman, "When people restore data after a crash, it is probably from an old system and it may not have the patches it can easily be reinfected." Slammer exploits a known vulnerability in Microsoft SQL Server to spread. Some users may be unaware that SQL Server is even running on their machines. Additionally, people are not conscientious about patching flaws.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201802266
[Editor's Note (Ullrich): Slammer is still alive and well. However, it appears to be confined to some of the less maintained parts of the internet. A single Slammer-infected system spreads an enormous number of packets, making them noisier than some of the modern bots like Storm. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Storm Goes After Google Blogger (August 30, 2007)
Google's Blogger site is the latest vector of attack for the Storm worm. Phony blog entries include links to malicious downloads. The malware attempts to infect Windows-based PCs. Infected computers are exploited to glean valuable sensitive data or attack other computers. The links purport to be YouTube, ecards, and information about being a software tester. The group believed to be responsible for the blog attacks is also known for sending spam with malicious links.
-http://news.bbc.co.uk/2/hi/technology/6970368.stm
-http://www.cbc.ca/technology/story/2007/08/30/tech-worm.html
Breach at Canadian Brokerage Firm (August 28, 2007)
Montreal-based TradeFreedom Securities Inc. has started notifying its customers about a data security breach that compromised personal information. Customers were initially notified of the breach in mid-August; a follow-up message says the company has completed its investigation. The compromised data include names, social insurance numbers, and street addresses. TradeFreedom is dealing with the incident on a customer-by-customer basis; not all customers were affected by the breach.
-http://www.theglobeandmail.com/servlet/story/LAC.20070828.RTRADEFREEDOM28/TPStory/Business
STANDARDS & BEST PRACTICES
NIST Issues Web Services Security Guide (August 30, 2007)
The National Institute of Standards and Technology (NIST) has published SP 800-95, "Guide to Secure Web Services." The document aims to provide organizations with guidance regarding web services standards as well as information about guarding against web services security threats. The publication acknowledges that the very "features that make web services attractive ... are at odds with traditional security models and controls."
-http://www.gcn.com/online/vol1_no1/44962-1.html?topic=security&CMP=OTC-RSS
-http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf
[Editor's Note (Northcutt): I think this is one of the better special pubs; it really helps construct a framework around securing web services. There is a good introduction to 800-95 here:
-http://www.stsc.hill.af.mil/CrossTalk/2007/09/0709Goertzel.html]
MISCELLANEOUS
Monster.com Acknowledges There May Have Been More Breaches (August 29, 2007)
Monster.com is taking steps to bolster security on its web site following the recent disclosure of a data security breach. While not providing specific details, Monster Worldwide chairman and CEO Sal Iannuzzi said the company will increase surveillance of the site's use and limit access to data. Attackers managed to infiltrate the recruiters' section of Monster.com and harvest personally identifiable information of approximately 1.3 million job hunters. Iannuzzi admitted that this attack was not the first Monster.com has suffered and that significantly more than 1.3 million people may have been affected by this most recent breach. Among those whose data were compromised are 146,000 subscribers to USAJOBS.gov.
-http://www.azcentral.com/business/articles/0829biz-monster29-ON1.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9033658&source=rss_topic17
-http://www.federaltimes.com/index.php?S=3001571
Sony USB Drives Contain Rootkit-Like Software (August 28, 2007)
Sony is once again the focus of unwanted attention regarding rootkit-like software. This time, the offending software is "bundled with Sony's MicroVault USM-F USB stick with fingerprint reader." The software installs files in a hidden folder; presumably, attackers could exploit the presence of the rootkit to install malware on those computers. While the USM-F stick is no longer being manufactured, similar software has reportedly been detected on its replacement, the Sony USM512FL USB drive. In 2005, Sony ran into controversy regarding rootkit software on certain DRM-protected CDs that installed itself on users' PCs and provided a vector for attackers to gain control of the computers.
-http://www.heise-security.co.uk/news/95034
-http://www.vnunet.com/vnunet/news/2197450/sony-caught-playing-rootkits
-http://news.zdnet.co.uk/security/0,1000000189,39288854,00.htm
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9033058&source=rss_topic17
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9033798&source=rss_topic17
Digital Car Key Algorithm Cracked (August 24, 2007)
Researchers have found a hole in the algorithm used in many automobile anti-theft digital key systems. An attacker would require about one hour of close contact with one key to discover the code for that particular key as well as to "determine the key initialization process used to code the digital keys for all of the cars made by that manufacturer." The process involves sending 65,000 challenge/response queries and using those responses to determine the key's code, which takes about one day.
-http://blog.wired.com/27bstroke6/2007/08/researchers-cra.html
[Guest Editor's Note (Franzen): This work shows, once again, that trying to keep an algorithm secret to make it more secure does not work. Publicly scrutinized algorithms are the way forward. More URLs:
-http://www.cosic.esat.kuleuven.be/keeloq/
-http://www.theregister.co.uk/2007/08/24/car_cypher_crack/]
LIST OF UPCOMING FREE SANS WEBCASTS
Ask the Expert Webcast: Lose Your Laptop - Keep the Data: Top 10 Mobile Security Issues
-http://www.sans.org/info/14706
WHEN: Wednesday, September 5, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Mark Jordan and Dr. Eric Cole
Sponsored By: Sybase
-http://www.sybase.com/
Mobile computing relies on laptop computers, which are extremely vulnerable to being physically stolen, as well as to network intrusions via wireless card. Because of laptops' portability and widespread use, this presentation focuses on encryption and information security solutions for laptop computers.
Ask The Expert Webcast: Security Tools Landscape plus Top 10 UNIX Shell Tricks to Review Your Web Logs
-http://www.sans.org/info/14751
WHEN: Thursday, September 6, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Johannes Ullrich and Danny Allen
Sponsored By: Watchfire
-http://www.watchfire.com/
While web sites streamline access to information, they are vulnerable, potentially exposing critical corporate information and customer data, or otherwise compromising enterprise IT. Online security breaches can lead to a number of damaging consequences. To avoid these types of situations you must understand the Security Tools Landscape.
Internet Storm Center: Threat Update
-http://www.sans.org/info/15011
WHEN: Wednesday, September 12, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich
Sponsored By: Core Security
-http://www.coresecurity.com/
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
Ask the Expert: Encryption Face-Off: Software Encryption vs. DriveTrust Technology
WHEN: Thursday, September 20, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Jim Hietala and Joni Clark
-http://www.sans.org/info/15016
Sponsored By: Seagate Technology
-http://www.seagate.com/www/en-us/
The stakes have never been higher for organizations that process and store sensitive information on customers and employees. This webcast will explore the business drivers for encryption of system disks and provide the results of a hands-on evaluation comparing Seagate DriveTrust against a software-based approach.
Ask the Expert Webcast: Separated at Birth - Identity and Access Reunited!
WHEN: Tuesday, September 25, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Andrew Hay and Stuart Rauch
-http://www.sans.org/info/15021
Sponsored By: Secure Computing
-http://www.securecomputing.com/
This webcast will focus on the trend toward reuniting Access and Identity and why it is important to consider strong authentication right from the planning phase of a remote access project. We will also review key criteria associated with choosing and deploying two-factor authentication in an enterprise environment.
Ask the Expert Webcast: Curing The Common Cold With Log Management
WHEN: Wednesday, September 26, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and A.N. Ananth
-http://www.sans.org/info/15031
Sponsored By: Prism MicroSystems EventTracker
-http://www.eventlogmanager.com/
Well, perhaps that is a stretch, but Log Management is incredibly valuable to help solve a host of other real problems in IT beyond simple compliance. Compliance drives most log management purchases but IT Managers are constantly challenged to maximize investments in technology.
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/