SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #79

October 05, 2007

Some good news finally on the application security front. If we are ever going to turn the tide against the attackers, we have to find a way to deploy more secure code. Only programmers who know how to write secure code can make that happen. The good news is that 23 programmers, (out of 42 pioneers who took the first exam) passed the GSSP exams in Secure Coding in Java and Secure Coding in C. Cisco is in the lead among software and hardware companies with three people passing the first exams. Other companies with new GSSP certified programmers include Kaiser Permanente, Siemens, Telus and more. The names and organizations of people who passed are listed in the last story of this issue.

Momentum on the GSSP has begun. One large US company has told all its 6,500 programmers and outsourced coders that they have until next summer to pass the secure coding exam or they will not be allowed to touch the code. And one of the three largest software companies in the world just sent letters to the ten colleges that supply the most programmers telling them that job candidates should consider demonstrating secure coding skills through the GSSP.

Alan

P.S. For a schedule of times and places where programmers can take the exam: http://www.sans.org/gssp/

---

TOP OF THE NEWS

RIAA Wins US $222,000 in Damages in Copyright Case
UK Authorities Can Demand Decryption Keys
Dutch Judge Declares Use of eVoting Machine Illegal

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Microsoft Wins Software Piracy Case in UK
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
GSA Apologizes for California Domain Suspension
DHS Mailing List Problem Causes "Mini-DDoS"
Five Security Related NIST Publications
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
October's Patch Tuesday to Comprise Seven Bulletins
Apple Patches QuickTime Flaw
Vulnerability in Eircomm Customers' Wireless Routers
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Some CISRT Site Visitors Attacked by Malware
MISCELLANEOUS
Twenty-three Programmers Become First GSSP Certified Secure Programmers
LIST OF UPCOMING FREE SANS WEBCASTS

---

**************************** Sponsored By SANS **************************

The Community of Interest in Network Security (COINS) announces two events in the Central Florida area:

10/10/07: NETWORK SECURITY & EXPLORING HACKER TECHNIQUES, Orlando, sponsored by CFITS.org.
http://www.sans.org/info/17341

10/22/07 - 10/27/07: Community SANS Gainesville Security 504: Hacker Techniques, Exploits and Incident Handling
http://www.sans.org/info/15161

*************************************************************************

TRAINING UPDATE
Where can you find Hacker Exploits, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - Washington DC (12/13-12/18): http://www.sans.org/cdi07
- - New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- - London (11/26 - 12/1): http://www.sans.org/london07/
- - Chicago (11/2-11/7): http://www.sans.org/chicago07/event.php
- - Tokyo (11/5-11/10): http://www.sans.org/sanstokyo2007_autumn/event.php

*************************************************************************

---

TOP OF THE NEWS

RIAA Wins US $222,000 in Damages in Copyright Case (October 4, 2007)

In the first music piracy case to go to trial, a Minnesota jury has found Jammie Thomas liable for copyright infringement and said she must pay US $222,000 - US $9,250 for each of 24 songs listed in the lawsuit. Thomas was found liable even though the plaintiff, the Recording Industry Association of America (RIAA), did not have to prove a file-sharing program was installed on her computer when they examined her hard drive, nor did they have to prove that it was actually Thomas at the keyboard. The evidence included the defendants Internet protocol (IP) address and cable modem identifier associated with sharing 1,700 files.
-http://blog.wired.com/27bstroke6/2007/10/riaa-jury-finds.html
-http://blogs.pcworld.com/staffblog/archives/005610.html
-http://www.usatoday.com/money/media/2007-10-04-downloading-music-trial_N.htm
-http://www.news.com/8301-10784_3-9791383-7.html?part=rss&subj=news&tag=2
547-1_3-0-20
-http://www.nytimes.com/aponline/technology/AP-Downloading-Music.html?ex=13492368
00&en=e20df6612f19e706&ei=5088&partner=rssnyt&emc=rss
[Editor's Note (Boeckman): It would be trivial to demonstrate to a jury how simple it would be to compromise a computer and distribute music from a remote location without the user ever knowing what happened. This is an absolutely awful precedent that makes no sense at all. ]

UK Authorities Can Demand Decryption Keys (October 1 & 3, 2007)

Law enforcement authorities in the UK now have the power to compel people to reveal decryption keys. If the request is refused, people could face up to five years in jail. The change comes as Part III of the Regulation of Investigatory Powers Act (RIPA) was activated as of October 1. Critics of the measure say that it is not only a violation of civil liberties - it could be used to force people to incriminate themselves and expose personal information unrelated to the investigation - but decryption keys can easily be forgotten. Additionally, people could pretend to have forgotten the key or have difficulty convincing a court that they have actually forgotten it. People have the option of surrendering their key or making it possible for authorities to view the decrypted material. Under the law, people who receive a notice requesting their decryption keys "can be prevented from telling anyone apart from their lawyer" about it. The reason Part III was not activated when RIPA was passed in 2000 is that encryption was not widely used at that time.
-http://www.theregister.co.uk/2007/10/03/ripa-decryption_keys_power/print.html
-http://www.zdnet.co.uk/misc/print/0,1000000169,39289786-39001093c,00.htm
-http://www.washingtonpost.com/wp-dyn/content/article/2007/10/01/AR2007100100511_
pf.html
[Editor's Note (Shpantzer): Quick survey: How many of us have every PGP email key they've ever generated, available to them still? How about the passphrase? ]

Dutch Judge Declares Use of eVoting Machine Illegal (September 27 & October 1 & 3, 2007)

A judge in Holland has declared use of electronic voting machines illegal. According to the ruling, machines used in Dutch elections in November and March did not have adequate authorization and some were not certified. The most concerning factor for the Dutch government, which last week decided stop using evoting machines, appeared to be the absence of a verifiable paper audit trail. Thousands of e-voting machines are sitting idle in various storage areas; the Dutch government spent 60 million Euros (US $84.8 million) to purchase the machines, and storage is costing 700,000 Euros (US $989,000) annually.
-http://www.independent.ie/national-news/evoting-plans-hit-by-decision-in-dutch-c
ourt-1114882.html
-http://www.theregister.co.uk/2007/10/01/dutch_pull_plug_on_evoting/print.html
-http://www.engadget.com/2007/09/27/dutch-government-abandons-e-voting-for-red-pe
ncil/
[Editor's Note (Schultz): No one likes to see the kind of money that the Dutch government has invested in voting machines go wasted. On the other hand, it is better to waste money than to run a high risk of having invalid vote counts in elections due to exploitation of vulnerabilities in voting machines. ]

---

************************* Sponsored Links: ***************************

1) Find out what Seagate knows about secure storage. It could improve your company's security.
http://www.sans.org/info/17346

2) Learn to select and implement the right tools at the Data Leakage and Insider Threat Summit December 3-4.
http://www.sans.org/info/17351

3) Disaster Recovery special evening event during SANS Security 2008 in New Orleans 11-19 January 2008: lessons learned from those who have lived through it. They'll share the mistakes they made, too. T's in the evening so you can attend a course and this program, as well. https://www.sans.org/security08/

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Microsoft Wins Software Piracy Case in UK (October 2, 2007)

R J Campbell Ltd. must pay Microsoft GBP 35,000 (US $71,392) for selling counterfeit Microsoft software on the Internet. The High Court suggested that the company is likely to be required to make additional payments. The company was also ordered to take out an advertisement to publicize the decision.
-http://www.vnunet.com/vnunet/news/2200184/microsoft-outs-pirate
-http://www.channelregister.co.uk/2007/10/02/microsoft_uk_nabs_grey_market_softwa
re_vendor/print.html

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

DHS Mailing List Problem Causes "Mini-DDoS" (October 3 & 4, 2007)

A snafu originating with a Department of Homeland Security (DHS) mailing list resulted in a deluge of messages being sent to all of the list's subscribers. The problem started when one subscriber responded to the list address. The message was somehow sent to everyone, as were messages sent in response. In all, more than 2.2 million extraneous messages flooded subscribers' inboxes.
-http://www.eweek.com/article2/0,1759,2192161,00.asp?kc=EWRSS03119TX1K0000594
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202201282
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9040878&source=rss_topic17
-http://isc.sans.org/diary.html?storyid=3450

Five Security Related NIST Publications

The National Institute of Standards and Technology (NIST) has released five new and revised publications related to information security. SP 800-44 version 2, "Guidelines on Securing Public Web Servers;" Draft SP 800-55 Revision 1, "Performance Measurement Guide for Information Security;" Draft SP 800-61 Revision 1, "Computer Security Incident Handling Guide;" SP 800-82, "Guide to Industrial Control Systems Security;" and Draft SP 800-110, Information System Security Reference Model."
-http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf
-http://csrc.nist.gov/publications/drafts/800-55-rev1/Draft-SP800-55r1.pdf
-http://csrc.nist.gov/publications/drafts/sp800-61-rev1/Draft-SP800-61rev1.pdf

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

October's Patch Tuesday to Comprise Seven Bulletins (October 4, 2007)

According to Microsoft's Advance Notification website, the company will issue seven security bulletins on Tuesday, October 9. Four have been given maximum severity ratings of critical; the other three have been given maximum severity ratings of important. Software affected by the updates includes Windows 2000, XP and Vista, Internet Explorer, Outlook Express, Windows Mail, Microsoft Office and Microsoft Office 2004 for Mac.
-http://www.news.com/8301-10784_3-9791304-7.html?part=rss&subj=news&tag=2
547-1_3-0-20
-http://www.microsoft.com/technet/security/bulletin/ms07-oct.mspx

Apple Patches QuickTime Flaw (October 4, 2007)

Apple has released an update for QuickTime for Windows to address a "command injection" flaw that could be exploited to break into Firefox. The vulnerability was disclosed a year ago along with another QuickTime flaw, but only one of the pair was fixed. The vulnerability affects QuickTime on Windows XP and Vista, but not on Mac OS X.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202201130

Vulnerability in Eircomm Customers' Wireless Routers (October 2, 2007)

Certain broadband wireless routers used by as many as 250,000 Eircomm customers are vulnerable to piggybacking, meaning others can use those customers' wireless connections without their knowledge. Under certain conditions, the piggybackers could also gain access to the customers' files or shared network data. The problem lies in the fact that eight digits of the 16-digit Wired Equivalent Privacy (WEP) network access key are derived from the routers' serial numbers, which are visible to people with wireless-enabled computers close by. Eircomm is informing customers about how to change their default WEP keys.
-http://www.theregister.co.uk/2007/10/02/eircom_wireless_security_flaw/print.html
-http://home.eircom.net/content/irelandcom/topstories/11215681?view=Eircomnet&
;cat=Top%20Stories
-http://www.siliconrepublic.com/news/news.nv?storyid=single9323
-http://www.ireland.com/newspaper/breaking/2007/1002/breaking72.htm
[Editor's Note (Liston): As if WEP was buying them that much protection to begin with... WEP is a seriously and deeply flawed protocol and as a practical matter WEP keys can be easily cracked within minutes. Eircomm's mistake only makes it that much easier. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Some CISRT Site Visitors Attacked by Malware (October 2 & 4, 2007)

The Chinese Internet Security Response Team (CISRT) has apologized for a situation on its websites that causes some visitors to be subjected to an attack that exploits buffer overflow flaws in BaoFeng Storm, a browser-based media player. Apparently random site visitors will find their browsers redirected to sites hosting malware. CISRT believes its website is the victim of ARP spoofing.
-http://www.theregister.co.uk/2007/10/02/chinese_internet_security_response_team_
attacked/
-http://www.zdnet.com.au/news/security/soa/Chinese-security-team-becomes-malware-
victim/0,130061744,339282584,00.htm
[Editor's Note (Liston): If the available information on this attack is true, it is interesting in that the attack against CISRT appears to be targeted at the intermediate connection between the visitors and the CISRT site. If this was indeed an ARP-based attack, the bad-guys have upped their game, and tracking this down will be very, very difficult. ]

MISCELLANEOUS

Twenty-three Programmers Become First GSSP Certified Secure Programmers (5 October 2007)

The vanguard of the new wave of programmers with security expertise was named today by the SANS Institute.

GIAC Certified Secure Programmers in JAVA
Vinay Bansal, Cisco Systems; Jim Horner, Arinbe Technologies, Inc.; Frank Kim, Kaiser Permanente; Pramod Nair, Unisys; Ricardo Patino, Telus Security Solutions; Darian Anthony Patrick, Criticode LLC; Craig D. Williams, Cisco Systems; Richard Wolf, Cisco Systems

GIAC Certified Secure Programmers in C
David Ireland, DI Management Pty Ltd; Aryeh Katz, Arinc; Alex Muratov, TELUS Security Solutions; Jonathan D. Pittman, The Mississippi State University Center for Computer Security Research (CCSR); Alan Saqui, CGI Federal; Jonathan Sharp, Siemens Corporate Research, Inc.; Bill Hannold

The other eight GSSPs have not yet given permission for their names to be disclosed. More than 70 enterprise partners have committed to using the GSSP for employee skills development and for ensuring outsourcers and suppliers have the necessary skills to create secure code. University partners will be teaching secure coding as part of their core curriculum.
-http://www.sans-ssi.org/ssi_press2.pdf
-http://www.sans.org/gssp/

LIST OF UPCOMING FREE SANS WEBCASTS

Ask the Expert: Late-Breaking Computer Attack Vectors by Mike Poor
WHEN: Tuesday, October 16, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Mike Poor
-http://www.sans.org/info/16856
Sponsored By: Core Security

This lively session will discuss recent and anticipated computer and network attack vectors, showing the most powerful tools in the bad guys' arsenal today and predicting where they are headed in the future. Specific topics to be discussed include client-side exploitation and the rise of privilege escalation attacks against Windows Vista and other operating systems.

Ask the Expert: The Evolution of Access Management
WHEN: Wednesday, October 17, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Howard Ting
-http://www.sans.org/info/16861
Sponsored By: Securent

In this webcast, learn how access control technologies have evolved over the years, the types of access management solutions organizations are evaluating today, and the challenges they face in design and implementation.

SANS Special Webcast: Building Brick Houses
WHEN: Wednesday, October 24, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Gary W. Longsine and Jonathan Ham
-http://www.sans.org/info/16851
Sponsored By: Watchfire

With the advent of Web 2.0 interactive applications and demand for financial, shopping and other applications for hand held devices, never has secure lifecycle of Web applications been more critical. Leveraging the same agile application methodologies in use today, Gary W. Longsine and Jonathan Ham unveil a flexible framework called Scalable and Agile Lifecycle Security for Applications - or SALSA for short.

Ask the Expert: Log Heaven: How to Simplify Log Management for Compliant, Secure Operations
WHEN: Thursday, October 25, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Dave Steidle
-http://www.sans.org/info/16866
Sponsored By: netForensics

Join this webcast to learn:
- - - What to consider when evaluating log management solutions
- - - How to use log management to address compliance audits
- - - How to get better security intelligence from existing data
- - - Tips for streamlining log management operations

Tool Talk Webcast: Guidelines for Implementing Role-Based Security Policies in Unix/Linux Environments
WHEN: Wednesday, October 31, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Alan Dobbs
-http://www.sans.org/info/16876
Sponsored By: FoxT

In this webinar, you will discover how FoxT's IT Controls solution suite is helping organizations, including five of the top ten banks, resolve access control challenges and achieve unprecedented speed in adopting role-based security policies across multi-vendor Unix/Linux infrastructures.

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/