SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #81
October 12, 2007
Update on community consensus projects that are making a difference:
The Cyber Defense Initiative program challenges both teams and individuals to make a difference by creating solutions to current, widespread problems. This year's findings will be presented at SANS CDI 2007, December 11-18 in Washington DC. The first of four initiatives, Virtual Patching for Web Applications with ModSecurity, is available for preview. The other initiatives are a Checklist for Web Service Oriented Architecture, PCI Compliance, and IPv6 Transition.
http://www.sans.edu/resources/securitylab/virtual_patching_cdi.php http://www.sans.org/cdi07/
SANS CDI in Washington is a particularly good place to get advanced security training, because the best teachers in the world all come, and the students are very engaged and tuned in.
http://www.sans.org/info/14231
Alan
TOP OF THE NEWS
Overhaul AntiVirus Product Testing Now
Word Flaw Fixed on Tuesday Was Already Being Exploited
Microsoft Acknowledges URI Handling Flaw in Windows With IE 7
Hotmail Restricts Number of Recipients
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
US $25,000 Fine for Pushing Phony Windows Registry Repair Software
Manager Responsible for Stolen Ohio Tape Loses One Week of Vacation
Former Police Officers Get Jail Time for Unauthorized Wiretaps and Computer Access
Computer and Data Thief Draws 21-Month Sentence
POLICY & LEGISLATION
Nevada Law Requires Encryption of Transmitted Personal Data
SPYWARE, SPAM & PHISHING
Storm Spammers Turn to YouTube
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Customer Data Compromised in Attack on Commerce Bank
Marin County Transportation Authority Ignored Warnings of Compromise
LIST OF UPCOMING FREE SANS WEBCASTS
*********** Sponsored By netForensics, Inc. ***********
*NEW* Whitepaper. Technology now exists to keep track of internal user activity amidst massive amounts of data - without compromising performance. Learn how to prevent data breaches, identify user threats and see who is accessing critical data. This whitepaper reveals 10 proven strategies for rapidly responding to and stopping threats, no matter where they originate.
http://www.sans.org/info/17881
*************************************************************************
TRAINING UPDATE:
Where can you find Hacker Exploits and SANS' other top-rated courses?
London (11/26 - 12/1): http://www.sans.org/london07/
Washington DC (12/13-12/18): http://www.sans.org/london07/
New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
Chicago (11/2-11/7): http://www.sans.org/chicago07/event.php
Tokyo (11/5-11/10): http://www.sans.org/sanstokyo2007_autumn/event.php
How good are the courses? Here's what past attendees said:
"An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life)
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"You will never ever find anything more valuable than SANS super knowledge. Worth the price!!" (Carlos Fragoso, CESCA)
*************************************************************************
TOP OF THE NEWS
Overhaul AntiVirus Product Testing Now (October 10, 2007)
Momentum is growing for an overhaul of the way anti-virus products are tested. Presently, tests focus on signature-based malware detection and have changed little over the last 10 years. However, anti-virus technology is changing to meet the demands created by new malware, and the organizations believe that tests need to be reformulated to reflect that change. The tests don't examine the effectiveness of behavioral anomaly malware detection, a technique that is proving valuable in catching malware that spreads quickly. Proposals for new testing methods and procedures will be presented in November at the Association of AntiVirus Asia Researchers 2007 Conference in Seoul, Korea.
-http://www.theregister.co.uk/2007/10/10/av_tests_revamp/print.html
[Editor's Note (Skoudis): Given the change in threat, with new malware introduced every hour, this is a good development. My colleagues and I have been pushing for something like this for about 2 years now. I made a call very much like this at a talk during the Anti-Spyware Coalition meeting in February 2006. My colleague Tom Liston and I released a tool called Spycar a year and a half ago to test the behavior-based claims of anti-malware vendors, and discovered that most were either not doing any behavior-based detection at all or had severely broken behavior-based functionality. Many of the anti-malware vendors publicly scoffed at our testing, while a few said that our results were interesting. Just last month, my colleague Matt Carpenter and I tested a bunch of products again, and found that the behavior-based detection capabilities of all the major vendors were severely lacking. I'm hopeful that this new initiative will help improve the state of behavior-based detection.
(Liston): Saying we were "scoffed at" is Ed's way of being polite. Essentially, they told us that we were amateurs who didn't know what we were talking about, even _after_ we had discovered and disclosed serious flaws in the behavior-based detection offered by several major vendors. With increasing numbers of malware being released and the rise of targeted malcode attacks, behavior-based detection is going to become anti-malware's front line defense. It's nice to finally see this reality being addressed by AV vendors' testing methods, and, of course, it's also nice to be vindicated.
(Northcutt): The anti-virus industry has served us well. Without them, computing might well have failed, but they are a tad stuck in their ways and malware grows ever more complex. I hope that projects like Spycar, which hold vendors responsible for something beyond signature detection, continue to prosper. ]
Word Flaw Fixed on Tuesday Was Already Being Exploited (October 10 & 11, 2007)
Four of the six security bulletins Microsoft released on Tuesday, October 8 were given severity ratings of critical. The vulnerabilities addressed in the bulletins include remote code execution flaws in Word and Kodak Image Viewer, as well as issues with malformed Network News Transfer Protocol (NNTP) responses in Outlook Express and Windows Mail and a cumulative IE 7 update. Many consider the vulnerability in Word to merit top patching priority because it has already been exploited in targeted attacks.
-http://www.theregister.co.uk/2007/10/10/october_patch_tuesday/print.html
-http://www.theregister.co.uk/2007/10/11/exploit_wednesday/print.html
-https://www.microsoft.com/technet/security/bulletin/ms07-oct.mspx
-http://isc.sans.org/diary.html?storyid=3480
Microsoft Acknowledges URI Handling Flaw in Windows With IE 7 (October 11, 2007)
Microsoft has issued a security advisory acknowledging a remote code execution flaw in Windows XP and Windows Server 2003 running IE 7 that could be exploited to take control of vulnerable machines. The problem lies in the handling of Uniform Resource Identifiers (URIs). While the advisory does not say explicitly that a patch will be issued to address the flaw, a Microsoft Security Response Center blog entry indicated the company is developing a fix for the problem. The posting also said that Microsoft had decided to address the problem because it had received so much press that attackers are more likely to try to exploit it.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9042199&source=rss_topic17
The MS Security Response link is
-http://blogs.technet.com/msrc/archive/2007/10/10/msrc-blog-additional-details-and-background-on-security-advisory-943521.aspx
Hotmail Restricts Number of Recipients (October 9 & 10, 2007)
In an effort to prevent spam from clogging customers' inboxes, Hotmail has apparently placed drastic restrictions on the number of Hotmail recipients it will allow to receive an email. Users are reporting that the first 10 Hotmail addresses will go through, but any more than that are returned with the message, "522 Too many recipients." Hotmail says that 90 percent of the five billion email messages its users receive daily are spam. The blocking is clearly problematic and in some cases, such as emergency weather alerts, could prove dangerous.
-http://www.theregister.com/2007/10/09/limits_on_hotmail/print.html
-http://www.theregister.co.uk/2007/10/10/hotmail_blocks_emergency_alerts/print.html
[Editor's Note (Kreitner): A signature characteristic of our time--never have so few been able to easily cause pain for so many. I'd love to be able to jump ahead twenty years and look back to see how society dealt with this phenomenon. I can't believe it will be endured over the long run, but hopefully the remedies chosen will stop the bad guys but not take too much away from the majority of people who understand that respecting the interests of others is an essential balance against self-interest in order to enjoy life in a relatively stable and well-ordered society. ]
************************* Sponsored Links: ***************************
1) Security professionals focus on fighting the most common data threats - - Encryption Summit, December 3-4.
http://www.sans.org/info/17886
2) ALERT: "How a Hacker Launches a LDAP Injection Attack Step-by-Step"- White Paper
http://www.sans.org/info/17891
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
US $25,000 Fine for Pushing Phony Windows Registry Repair Software (October 11, 2007)
HoanVinh V. Nguyenphuoc will pay US $25,000 to settle charges he violated Washington state's consumer protection and spyware laws. Nguyenphuoc used the Windows net send feature (command) to send phony messages to Windows users warning them of potential Windows registry problems. The pop-ups looked like internal notices and told users that if left unfixed, the problems could cause data corruption or loss. Users were encouraged to download a free trial of FixWinReg software. The software claimed to detect problems even when none existed, and said that the errors could be fixed if the users purchased a US $30 version of the program. Nguyenphuoc and other defendants were sued by the Washington state Attorney General Rob McKenna in February. Under the terms of the settlement, Nguyenphuoc and FixWinReg are prohibited from using net send in advertisements and from sending advertisements that masquerade as security alerts or provide false information.
-http://www.theregister.co.uk/2007/10/11/crudware_pusher_settles/print.html
-http://www.consumeraffairs.com/news04/2007/10/wa_spyware.html
Manager Responsible for Stolen Ohio Tape Loses One Week of Vacation (October 10, 2007)
The payroll team leader for the Ohio Department of Administrative Services' Administrative Knowledge System (OAKS) ERP project will lose one week of vacation time for failing to make sure the data on a stolen backup tape were secure. The tape, which was stolen from an Ohio state government intern's car in June, contains personally identifiable information of nearly 84,000 current and former Ohio state employees and more than 47,000 state taxpayers. A department spokesperson says that when similar projects are undertaken in the future, the department will have people whose primary focus is data security.
-http://www.theregister.co.uk/2007/10/10/official_penalized_following_data_breach/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9042001&taxonomyId=17&intsrc=kc_top
[Editor's Note (Honan): According to
-http://www.cantonrep.com/index.php?Category=13&ID=380377&subCategoryID
The manager in question did not follow instructions issued 3 months previous to the incident to store the breached information on a secure drive. The intern in this case who was following the instructions of his manager loses his job, while the manager only gets hit with a one week loss in vacation time. Security initiatives will remain ineffective until management take security seriously and breaches by management are punished in accordance with the responsibility they hold. ]
Former Police Officers Get Jail Time for Unauthorized Wiretaps and Computer Access (October 10, 2007)
Two former UK police officers have received jail sentences for using their police connections to tap phone lines and gain unauthorized access to computers while running a detective agency. Jeremy Young was sentenced to 27 months and Scott Gelsthorpe to 24 months. The agency, called Active Investigation Services (AIS), was started in 1999 and was detected after BT (the primary phone company in the UK) investigators noticed someone tampering with telephone lines. The ensuing investigation revealed the extent of AIS's illegal activities. The man observed tampering with the phone lines received a 14-month jail sentence, and two men who ran a different detective agency that used similar methods received 10-month and three-month sentences.
-http://www.theregister.co.uk/2007/10/10/police_private_detective_hacking/print.html
[Editor's Note (Northcutt): Good story, good bust! Privacy protections have been significantly eroded over the past twenty five years to stop the Russians, fight terrorism or whatever menace they hold in front of us. This story is the tip of the iceberg. ]
Computer and Data Thief Draws 21-Month Sentence (October 9, 2007)
Joseph Nathaniel Harris has been sentenced to 21 months in prison for stealing medical record data. In August and September 2004, Harris was employed as a branch manager at the San Jose (California) Medical Group; he was asked to leave his position following a number of thefts in the office. In May 2007, Harris pleaded guilty to health-care related theft for stealing a computer from the San Jose Medical Group along with a DVD holding patient data such as names, Social Security numbers (SSNs) and medical diagnoses. Approximately 187,000 patients were affected by the breach. Harris was also ordered to pay US $145,154 in restitution.
-http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/10/10/BA6VSN2NJ.DTL
POLICY & LEGISLATION
Nevada Law Requires Encryption of Transmitted Personal Data (October 2, 2007)
A new law in Nevada says Nevada businesses may not transmit "any personal information of a customer through an electronic transmission [with the exception of a fax] unless the business uses encryption to ensure [its] security." Under the law, personal information includes individuals' names in combination with a Social Security number (SSN), employer identification numbers, driver's license or identification card numbers, or financial account numbers, including payment card numbers, accompanied by any code that could allow access to the account. The law takes effect October 1, 2008; penalties for violating the law have not been specified.
-http://mofo.com/news/updates/bulletins/12866.html
[Editors' Note (Schultz, Grefer): This is an example of a bad piece of legislation. What good does a law that does not prescribe any penalties for disobeying it do? ]
SPYWARE, SPAM & PHISHING
Storm Spammers Turn to YouTube (October 10, 2007)
Storm worm spammers have turned to YouTube to reach more potential victims. The spammers take advantage of YouTube's "invite your friends" function and use intelligent character recognition software to fool the Captcha authentication system and create accounts. This particular version of spam preys on Xbox owners, enticing them to click on a link with promises of a copy of the recently released Halo 3 game. The link actually is to a file containing a Storm variant.
-http://www.zdnet.co.uk/misc/print/0,1000000169,39289916-39001093c,00.htm
-http://www.theregister.co.uk/2007/10/05/youtube_spam_relay/print.html
[Editor's Note (Skoudis): When the storm worm started in January 2007, it was a pretty standard piece of malware with a fairly lame attempt at tantalizing e-mail subjects about a big storm in Europe. Since these humble beginnings, the storm worm has grown into a very nasty beast indeed, with all kinds of clever distribution methods, like this one. A lot of innovation is going on with storm, which is already being copied by other malware writers. ]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Customer Data Compromised in Attack on Commerce Bank (October 9, 10 & 11, 2007)
Commerce Bank has acknowledged that cyber intruders gained access to a database containing account information of 3,000 customers; the bank also said that it knows the attackers viewed the information of 20 customers before their activity was detected and thwarted. The FBI is investigating the incident. Commerce Bank has notified those affected by the breach and has offered them two years of credit monitoring. Commerce Bank has branches in Kansas, Illinois, and Missouri.
-http://www.theregister.co.uk/2007/10/11/commerce_bank_hack/print.html
-http://www.bizjournals.com/wichita/stories/2007/10/08/daily10.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9041879&taxonomyId=17&intsrc=kc_top
Marin County Transportation Authority Ignored Warnings of Compromise (October 5 & 11, 2007)
The Marin County (California) transportation authority was reportedly warned several times in the last month that its website was hosting pornography and spyware, but apparently took no steps to fix the situation. The staff apparently believed the warnings to be a hoax and an attempt to gain access to the site, so they were not taken seriously. When the problem was noticed by the US General Services Administration (GSA) in the first week of October, it pulled the ca.gov sub-domain from the root directory, which caused some state government websites and email systems to shut down. The service was eventually restored later that same day. The Marin County site at the center of the incident was offline once again earlier this week after it found links to pornography still on the site.
-http://www.internetnews.com/security/article.php/3703791
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9042118&source=rss_topic17
[Editor's Note (Liston): I can't tell you the number of times I've called a company to inform them that they've been hacked only to be ignored, laughed at, or accused of doing the hacking myself. I once got an incredibly nasty phone call from a lawyer at a government agency in response to an email informing them that their website was hosting links to porn. My advice: be professional, be polite, and keep doing the right thing.
(Grefer): Whether or not a third party tasked with hosting and maintenance is vigilant enough in applying patches and updates and taking care of security depends to a large extent on the contractual arrangements between the parties involved, as well as on the oversight exercised by and enforcement executed by the outsourcing party. All this can easily be defined in an SLA (Service Level Agreement). ]
LIST OF UPCOMING FREE SANS WEBCASTS
Ask the Expert: Late-Breaking Computer Attack Vectors by Mike Poor
WHEN: Tuesday, October 16, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Mike Poor
-http://www.sans.org/info/16856
Sponsored By: Core Security
This lively session will discuss recent and anticipated computer and network attack vectors, showing the most powerful tools in the bad guys' arsenal today and predicting where they are headed in the future. Specific topics to be discussed include client-side exploitation and the rise of privilege escalation attacks against Windows Vista and other operating systems.
Ask the Expert: The Evolution of Access Management
WHEN: Wednesday, October 17, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Howard Ting
-http://www.sans.org/info/16861
Sponsored By: Securent
In this webcast, learn how access control technologies have evolved over the years, the types of access management solutions organizations are evaluating today, and the challenges they face in design and implementation.
SANS Special Webcast: Building Brick Houses
WHEN: Wednesday, October 24, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Gary W. Longsine and Jonathan Ham
-http://www.sans.org/info/16851
Sponsored By: Watchfire
With the advent of Web 2.0 interactive applications and demand for financial, shopping and other applications for hand held devices, never has secure lifecycle of Web applications been more critical. Leveraging the same agile application methodologies in use today, Gary W. Longsine and Jonathan Ham unveil a flexible framework called Scalable and Agile Lifecycle Security for Applications - or SALSA for short.
Ask the Expert: Log Heaven: How to Simplify Log Management for Compliant, Secure Operations
WHEN: Thursday, October 25, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Dave Steidle
-http://www.sans.org/info/16866
Sponsored By: netForensics
Join this webcast to learn:
- What to consider when evaluating log management solutions
- How to use log management to address compliance audits
- How to get better security intelligence from existing data
- Tips for streamlining log management operations
Tool Talk Webcast: Eenie-Meenie-Minie-Mo: No Way to Choose a Log Management Solution
WHEN: Tuesday, October 30, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Ansh Patnaik
-http://www.sans.org/info/16871
Sponsored By: ArcSight
Join this Webcast to learn:
- How to evaluate and select the right log management solution for your environment
- What big log management mistakes can be avoided, and how to avoid them
- Why the compliance, security, IT operations, forensics, and helpdesk teams will all applaud you for making the right choice
Tool Talk Webcast: Guidelines for Implementing Role-Based Security Policies in Unix/Linux Environments
WHEN: Wednesday, October 31, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Alan Dobbs
-http://www.sans.org/info/16876
Sponsored By: FoxT
In this webinar, you will discover how FoxT's IT Controls solution suite is helping organizations, including five of the top ten banks, resolve access control challenges and achieve unprecedented speed in adopting
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/