SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #74

September 18, 2007

TOP OF THE NEWS

Ameritrade May Have Been Aware of Breach for a Year
Symantec Report: Malware Moves Toward Commercialism
European Court Upholds Antitrust Ruling Against Microsoft

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Arrest Made in Caterpillar Document Cyber Theft
Judge Dismisses RIAA Copyright Case
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
UK Ministry of Defense Personnel to Have BlackBerrys
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Stoned.Angelina Virus Reappears After More Than a Decade
Facebook Banner Ad Exploits Known MDAC Vulnerability
Microsoft Makes MSN Messenger Upgrade Mandatory
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Conn. Agency Banking Data on Stolen Ohio Tape
STATISTICS, STUDIES & SURVEYS
UK Companies Come Up Short in Data Protection Inquiry Study
AntiVirus Spending Will Consume Half of European Security Budgets
MISCELLANEOUS
MediaDefender Internal Communication Leak
Tor Server Operator Interrogated, Released
LIST OF UPCOMING FREE SANS WEBCASTS


****************** Sponsored By Credant Technologies ********************

Report: Portable Storage Devices a Growing Threat
Survey of 323 IT managers and executives reveals usage rates and potential impacts of portable data storage devices--iPods, MP3 players, USB flash drives, and data-centric phones/SD cards--in the workplace. Although organizations see rapid growth in portable storage device usage, few have a solution to prevent widespread data loss.
http://www.sans.org/info/16346

*************************************************************************

TRAINING UPDATE
Looking at Data Leakage or Encryption, hear lessons learned by the pioneers:
***WhatWorks in Stopping Data Leakage and Insider Threat Summit
http://www.sans.org/leakage07_summit/
***WhatWorks in Mobile Encryption Summit
http://www.sans.org/encryption07_summit/

Where can you find Hacker Exploits and SANS other top-rated courses?
Las Vegas (9/23-9/28): http://www.sans.org/ns2007/event.php
Chicago (11/2-11/7): http://www.sans.org/chicago07/event.php
Tokyo (11/5-11/10): http://www.sans.org/sanstokyo2007_autumn/event.php
London (11/26-12/1): http://www.sans.org/london07/
Washington DC (12/13-12/18): http://www.sans.org/london07/
New Orleans (1/12-1/17): http://www.sans.org/security08/event.php

How good are the courses? Here's what past attendees said:
"An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life)
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"You will never ever find anything more valuable than SANS super knowledge. Worth the price!!" (Carlos Fragoso, CESCA)

*************************************************************************

TOP OF THE NEWS

Ameritrade May Have Been Aware of Breach for a Year (September 14, 15 & 17, 2007)

Online brokerage TD Ameritrade Holding has acknowledged that a data security breach has compromised more than 6.3 million accounts. The database contains customer names, addresses, account numbers, Social Security numbers (SSNs) and birth dates. The attackers gained access to the database through a backdoor program they had installed on the TD Ameritrade network. TD Ameritrade says it has removed the rogue code from its systems. The intrusion was discovered in the course of an investigation into stock-related spam that had been reported by the company's customers. An attorney representing plaintiffs in a planned class action lawsuit against the online broker alleges that the company knew of the data security problem for a year before customers were notified. Furthermore, the suit alleges that the company kept entering customer data into the vulnerable database during an internal investigation.
-http://www.theregister.co.uk/2007/09/15/ameritrade_database_burgled/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9036639&source=rss_topic17
-http://www.amtd.com/newsroom/releasedetail.cfm?ReleaseID=264044
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201807006

Symantec Report: Malware Moves Toward Commercialism (September 17 & 18, 2007)

Cyber attackers aiming to damage computers or inconvenience users are giving way to more financially motivated criminals. According to Symantec's most recent Internet Security Threat Report, cyber criminals are turning to good business practices to ply their trade. Some malware purveyors are offering guarantees about the performance of their products as well as updates to keep the products current. The report also notes that phishers are scouring social networking sites to gather personal information, which they then use to create targeted emails that lure recipients to phony sites where they can harvest valuable data. Stolen bank account details are being sold online for as much as US $400 apiece. In addition, levels of pump-and-dump schemes and image-based spam have decreased.
-http://www.technewsworld.com/story/59374.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9036819&source=NLT_SEC&nlid=38
-http://www.itnews.com.au/News/61398,fraudsters-go-all-out-for-social-networkers.aspx

[Editor's Note (Northcutt): Yup, you can even buy support contracts and upgrade to premium versions. (Schultz): Symantec's report appears to try to make financially motivated attacks look like some kind of new trend. In reality, however, financially motivated attacks have been commonplace for several years now. ]

European Court Upholds Antitrust Ruling Against Microsoft (September 17, 2007)

Microsoft has lost its appeal of a European Union antitrust ruling that found the company guilty of monopoly abuse. The European Court of First Instance upheld most parts of the ruling, meaning Microsoft will have to share its code with competitors to improve interoperability and must offer for sale a version of Windows without Media Player. The court did overturn a portion of the ruling that would have made Microsoft hire and pay for a monitoring trustee to oversee the company's compliance with the ruling, which includes a US $613 million fine. Microsoft general counsel Brad Smith says the company has not decided whether it will appeal the decision.
-http://www.usatoday.com/money/industries/technology/2007-09-17-eu-microsoft_N.htm?csp=34
-http://news.bbc.co.uk/2/hi/business/6998272.stm
-http://www.eweek.com/article2/0,1895,2183898,00.asp
-http://www.eweek.com/article2/0,1759,2184008,00.asp?kc=EWRSS03119TX1K0000594


************************* Sponsored Links: ***************************

1) ALERT: "How A Hacker Launches A Cross-Site Scripting Attack" - White Paper
http://www.sans.org/info/16356

2) **FREE** Log Management Trial. Gain visibility into your logs and simplify compliance requirements -- Download now!
http://www.sans.org/info/16361

*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Arrest Made in Caterpillar Document Cyber Theft (September 17, 2007)

A man in India has been arrested and charged under that country's Information Technology Act for allegedly accessing a Caterpillar Inc. server without authorization and downloading approximately 4,000 confidential documents. The system from which the documents were taken is known as the Research and Engineering Documents Inquiry, or REDI system. The suspect allegedly used another Caterpillar employee's username and password to access the server. Evidence against the suspect includes footage from closed circuit camera systems and system logs. He was working for a different company at the time of his arrest.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=302867&source=rss_topic17

[Editor's Note (Shpantzer): Not too long ago these laws were nonexistent in many countries. The IT Act applied here only became law in late 2000 in India. ]

Judge Dismisses RIAA Copyright Case (September 14, 2007)

A US district court judge in Southern California has dismissed a copyright infringement lawsuit brought by the Recording Industry Association of America (RIAA), calling the allegation nothing "more than speculation." The judge went on to say that "the complaint is simply a boilerplate listing of copyright infringement without any facts pertaining specifically to the ... Defendant."
-http://www.vnunet.com/vnunet/news/2198739/p2p-case-dismissed-speculation
-http://www.dailytech.com/RIAA+Loses+in+Precedentsetting+Case/article8884.htm
-http://www.theinquirer.net/?article=42346

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

UK Ministry of Defense Personnel to Have BlackBerrys (September 14, 2007)

The UK's Ministry of Defense (MoD) is providing staff members with BlackBerrys in an effort to enhance productivity and flexibility. A BlackBerry Enterprise Server will allow staff to check email remotely as well as to shut down and wipe data from devices that are lost or stolen.
-http://www.zdnetasia.com/news/communications/printfriendly.htm?AT=62032210-39000002c

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Stoned.Angelina Virus Reappears After More Than a Decade (September 17, 2007)

A 13-year-old virus has been detected on as many as 100,000 Medion laptops that were to be sold in Denmark and Germany. The "Stoned.Angelina" virus resides in the computers' hard disk boot sectors. The virus has no payload and would require a floppy disk to spread to another machine. The machines had been preinstalled with Microsoft's Windows Vista and Bullguard antivirus software. Bullguard says its software detected the virus but no longer had the tools to remove it. Bullguard has supplied a "tailor-made" fix for the problem.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9036998
-http://www.theregister.co.uk/2007/09/17/vista_hit_by_stoned_angelina/print.html

Facebook Banner Ad Exploits Known MDAC Vulnerability (September 2007)

A banner ad on the Facebook social networking website is apparently serving up adware. Unpatched versions of Internet Explorer could be exploited through a flaw in Microsoft Data Access Components (MDAC) to download malicious software. The attack exploits a vulnerability addressed a year ago in security bulletin MS06-014. Systems on which the patch has been installed should not be vulnerable to the attack.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62032270-39000005c

Microsoft Makes MSN Messenger Upgrade Mandatory (September 13 & 14, 2007)

In an attempt to protect users from a vulnerability addressed in a recent security update, Microsoft will require users of MSN Messenger to upgrade to Windows Live Messenger 8.1. Users attempting to log in will receive a message telling them they must upgrade and asking them if they would like to do it at that time. Windows Live Messenger 8.1 has been available since February 2007. The flaw that prompted the mandatory upgrade decision lies in Messenger's webcam and video chat features and is addressed in security bulletin MS07-054. The vulnerability does not affect Office Communicator, the enterprise-grade version of Messenger. Microsoft will provide an updated version of MSN Messenger 7.0 because Windows Live Messenger does not run on Windows 98 or 2000. The updated version will be MSN Messenger 7.0.0820.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9036718&source=rss_topic17

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Conn. Agency Banking Data on Stolen Ohio Tape (September 14 & 17, 2007)

The computer tape stolen from the car of an Ohio state intern in June contained Connecticut state agency banking information in addition to the personal data of millions of Ohioans. The Connecticut data include bank names and account numbers for nearly every state agency account as well as information about state agency purchasing cards. The Connecticut data were on the Ohio tape because a consultant for a company that was doing work for both states accidentally transferred them. This comes close on the heels of the theft of a Connecticut Department of Revenue laptop from a car; that computer held names and SSNs of more than 100,000 state taxpayers. A breakdown in communications between the office of the Connecticut State Comptroller and the governor initially led to the misconception that the only Connecticut-related data on the tape were the names and Social Security numbers (SSNs) of 57 Connecticut residents.
-http://money.cnn.com/news/newsfeeds/articles/newstex/AFX-0013-19622066.htm
-http://www.newsday.com/news/local/wire/connecticut/ny-bc-ct--datatheft0914sep14,0,5343159.story
-http://abclocal.go.com/wabc/story?section=local&id=5661564

STATISTICS, STUDIES & SURVEYS

UK Companies Come Up Short in Data Protection Inquiry Study (September 17, 2007)

A study from Marketing Improvement found that many companies in the UK "fall short of simple competence" when faced with an inquiry about data protection. Companies in the UK are required to comply with data protection and privacy laws. Data protection laws allow people to view and correct any inaccuracies in data organizations hold about them. Most of the 50 companies in the study were unable to direct the caller to an appropriate individual to address the request. Organizations that retain personal data are also required to notify the Information Commissioner to specify why they have the data and what they will do with them. The majority of the companies had complied with this requirement.
-http://www.theregister.co.uk/2007/09/17/ftse_100_data_protection_survey/
-http://www.marketingimprovement.com/Data Protection Study 2007.pdf
[Editor's Note (Northcutt): You could get cynical in this business if you allowed yourself to. I think three basic things are true:
- Industry isn't going to do security well until the class action suits cause the Ameritrades and TJ Maxxs of the world to be hurt financially
- Industry isn't going to do security well until the CEO and the CIO themselves grasp the basic issues and are fluent with security
- Industry isn't going to do security well until people with real hands-on skill and pragmatic knowledge are put in the decision-making positions
We would wring our hands and say that will never happen, but I think it just might. There are good reasons a class action suit against Ameritrade might have significant merit if in fact they knew their customers' data was exposed for a year, or even longer.]

AntiVirus Spending Will Consume Half of European Security Budgets (September 13, 2007)

According to Gartner, antivirus will account for more than half of security spending in Europe in 2007. All told, security spending in Europe is expected to exceed 2.4 billion Euros (US $3.33 billion). Customers are becoming savvier, choosing to work with fewer vendors that work well together instead of choosing products independently of each other.
-http://software.silicon.com/security/0,39024655,39168441,00.htm
[Editor's Note (Northcutt): I think there is a problem with Gartner's numbers. They might be correct for home users, but I cannot believe they are right for organizations. I did track a press release that indicates this has been some time in coming and a second source that agrees with Analyst Contu's findings:
-http://www.gartner.com/press_releases/asset_154006_11.html
-http://www.networkmagazineindia.com/200206/cover8.shtml
Also, if AV is 50% of your budget, try free AV and put in a firewall or something with the savings:
-http://free.grisoft.com/
-http://www.clamwin.com/
(Grefer): AntiVirus spending in and by itself is one of the lower priced expenses; as such, the thought that only half of the security budget in Europe is assigned for dealing with all other issues, is a discomforting one. ]

MISCELLANEOUS

MediaDefender Internal Communication Leak (September 17, 2007)

Hackers have posted what they say are internal MediaDefender email messages. MediaDefender works for music and movie industries to protect their copyrighted content from media pirates. The company has been known to place decoy files on the Internet to thwart downloaders. Some of the messages suggest that MediaDefender was considering creating a website, MiiVii, that would appear to allow people to upload and download digital media but which would, in fact, track users' online behavior, and send the information back to MediaDefender. At least one of the internal messages implied that it is nearly impossible to reduce filesharing at colleges and universities. Other messages were from clients who were frustrated that their content was still available on the Internet despite supposed action from MediaDefender. For its part, MediaDefender is investigating the source of the information leak.
-http://online.wsj.com/article_email/SB118998414197229169-lMyQjAxMDE3ODE5NjkxODY0Wj.html

Tor Server Operator Interrogated, Released (September 16, 2007)

A German man who operated a Tor server was held and interrogated by police in connection with a bomb threat that was traced to traffic through his server. Alexander Janssen was ultimately released, but says he will no longer run a Tor server. The Tor project anonymizes Internet traffic by sending it over a random route through independently operated servers. The police acknowledged that they made a mistake.
-http://www.theregister.co.uk/2007/09/16/bomb_threat_leads_police_to_raid_tor_operator/print.html

LIST OF UPCOMING FREE SANS WEBCASTS

Ask the Expert: Encryption Face-Off: Software Encryption vs. DriveTrust Technology
WHEN: Thursday, September 20, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Jim Hietala and Joni Clark
-http://www.sans.org/info/16171
Sponsored By: Seagate Technology

The stakes have never been higher for organizations that process and store sensitive information on customers and employees. This webcast will explore the business drivers for encryption of system disks and provide the results of a hands-on evaluation comparing Seagate(R) DriveTrust(TM) against a software-based approach.

Ask the Expert: Separated at Birth - Identity and Access Reunited!
WHEN: Tuesday, September 25, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Andrew Hay and Stuart Rauch
-http://www.sans.org/info/16176
Sponsored By: Secure Computing

This webcast will focus on the trend toward reuniting Access and Identity and why it is important to consider strong authentication right from the planning phase of a remote access project. We will also review key criteria associated with choosing and deploying two-factor authentication in an enterprise environment.

Ask the Expert: Curing The Common Cold With Log Management
WHEN: Wednesday, September 26, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and A.N. Ananth
-http://www.sans.org/info/16181
Sponsored By: Prism MicroSystems EventTracker

Well, perhaps that is a stretch, but Log Management is incredibly valuable to help solve a host of other real problems in IT beyond simple compliance. Compliance drives most log management purchases but IT Managers are constantly challenged to maximize investments in technology.



=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/