SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #83

October 19, 2007

TOP OF THE NEWS

Threats to Power System on the Rise; National Energy Reliability Council and DHS Roles Questioned
Proposed Law Would Let ID Theft Victims Seek Restitution
Huawei Role in 3Com Sale Raises National Security Questions

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
NASA Hacker Gets Another Shot at Appealing Extradition to US
Man Allegedly Hacked 911 System, Sent Phony Call
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Verizon Letter Describes Breadth and Depth of Information Sought by Federal Authorities
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Trojan Targets Skype Users
Microsoft Investigating Reports of Unauthorized Automatic Updates
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Fasthosts Data Breach Affects Customer Passwords
Stolen Laptop Holds Home Depot Employee Data
Irish Government Employee Resigns in Wake of Data Leaks
Louisiana Student Data on Lost Storage Device
MISCELLANEOUS
Apple to Release iPhone SDK in February '08
LIST OF UPCOMING FREE SANS WEBCASTS

---

************************* Sponsored By Sunbelt Software *****************

Trap and Kill Image Spam with Ninja Email Security for Exchange

Ninja integrates best-of-breed antispam, antivirus, disclaimers, & attachment filtering on your Exchange server. It has one of the industry's only dedicated image-spam detection engines designed to protect against emerging image spam threats.

Try the 30-day evaluation to see this policy-based email security product in action!
http://www.sans.org/info/18086

*************************************************************************

TRAINING UPDATE:
Where can you find Hacker Exploits and SANS other top-rated courses?
London (11/26 - 12/1): http://www.sans.org/london07/">http://www.sans.org/london07/
Washington DC (12/13-12/18): http://www.sans.org/london07/">http://www.sans.org/london07/
New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
Chicago (11/2-11/7): http://www.sans.org/chicago07/event.php
Tokyo (11/5-11/10): http://www.sans.org/sanstokyo2007_autumn/event.php
How good are the courses? Here's what past attendees said:
"An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life)
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"You will never ever find anything more valuable than SANS super knowledge. Worth the price!!" (Carlos Fragoso, CESCA)

*************************************************************************

---

TOP OF THE NEWS

Threats to Power System on the Rise; National Energy Reliability Council and DHS Roles Questioned (October 17, 2007)

In questioning by the House Homeland Security Subcommittee on Emerging Threats, the witnesses from government and industry painted a detailed picture of increasing cyber threats to the US electric generating system, inconsistent self-policing by industry groups, and ineffective coordination by government.
-http://www.foxnews.com/wires/2007Oct17/0,4670,PowerGridSecurity,00.html
-http://www.eweek.com/print_article2/0,1217,a=217558,00.asp
-http://www.govexec.com/dailyfed/1007/101807j1.htm
[Editor's Note (Paller): NERC (the self-policing body set up by industry to ensure reliability of the US electrical system) has made significant strides in recent months toward ensuring that its standards are more than the paper exercises endemic in federal agencies following NIST guidelines, but more needs to be done. The cause of NERC's slow action appears to be a lack of urgency felt by NERC managers who have been misled about the threat and whether mitigations are fully in place. It would be wasteful for Congress to step in, but many Senators and Congressmen feel FERC's (the Federal Energy Regulatory Commission that oversees NERC) needs additional power and urgency. ]

Proposed Law Would Let ID Theft Victims Seek Restitution (October 16 & 17, 2007)

Proposed legislation in the US Senate would allow victims of identity fraud to seek restitution for costs incurred as a result of the data theft. Under The Identity Theft Enforcement and Restitution Act ( S.2168) the current US $5,000 minimum loss from computer damage would no longer be a prerequisite for prosecution.
-http://www.msnbc.msn.com/id/21336074/
-http://arstechnica.com/news.ars/post/20071017-identity-theft-bill-would-allow-co
nsumers-to-seek-restitution.html
[Editor's Note (Schultz): One would think that this legislation would not be necessary--shouldn't victims of identity fraud be allowed to seek restitution without it? ]

Huawei Role in 3Com Sale Raises National Security Questions (October 12, 15, 16 & 18, 2007)

Republican legislators are urging President Bush to prevent a merger between a US company that sells attack prevention hardware to the Pentagon and a Chinese company with known ties to that country's military "and a history of illicit exports and industrial espionage." Bain Capital Partners and China's Huawei Technology plan to buy 3Com. The Committee on Foreign Investment in the United States (CFIUS) will examine the proposed merger and its possible effect on national security. Bain Capital Partners maintains that "Huawei will not have any access to sensitive US-origin technology or US government sales as a result of this transaction."
-http://www.washingtontimes.com/apps/pbcs.dll/article?AID=/20071016/NATION/110160
071/1001
-http://www.cbronline.com/article_news.asp?guid=DB44B253-4D39-46F8-8118-CDDBEB002
07F
-http://www.hawaiireporter.com/story.aspx?a0d2f3e4-e51a-4369-af02-6d66e33c1a6d
-http://www.msnbc.msn.com/id/21258026/
-http://money.cnn.com/2007/10/18/magazines/fortune/dubairedux.fortune/

---

************************* Sponsored Links: ***************************

1) IT Staff Survey Reveals:
iPod, Portable Storage Device usage rates and potential impacts
http://www.sans.org/info/18091

2) SANS announces a new course, "Security 539: Mac OS X Security Fundamentals" in Albuquerque, 11/29-30/07
http://www.sans.org/info/17356

3) Link here to take the SANS Database Compliance Survey and register to win a $250 AMEX Gift card.
http://www.sans.org/info/18096

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

NASA Hacker Gets Another Shot at Appealing Extradition to US (October 16 & 17, 2007)

The House of Lords has granted Gary McKinnon permission to pursue an appeal to the Law Lords to fight his extradition to the US to face hacking charges. McKinnon allegedly gained unauthorized access to US Army, Navy, Pentagon and NASA computer systems; prosecutors estimate the damage caused by the intrusions cost US $700,000. McKinnon's stay of extradition was granted "on the grounds of the coercive nature of plea bargain discussions with the US prosecuting authorities."
-http://www.zdnet.com.au/news/security/soa/UK-NASA-hacker-gets-appeal/0,130061744
,339283009,00.htm
-http://www.itpro.co.uk/news/130556/mckinnon-given-leave-to-appeal-hacking-extrad
ition.html
[Editor's Note (Northcutt): What does it take for the US to realize our superpower bullying, "our way for the highway" days are gone? Repeat after me, US law only applies in the US. And if you are a reader and you are getting mad at me right now, ask yourself this question, what closer friend does the US have than the UK.]

Man Allegedly Hacked 911 System, Sent Phony Call (October 16 & 17, 2007)

Randall Ellis of Washington state will face a number of charges, including computer access and fraud and falsely reporting a crime. Ellis is accused of hacking into an Orange County, California emergency phone system and making a 911 call that appeared to come from a randomly chosen phone number. The call resulted in a SWAT team descending on the home. Ellis may have conducted similar attacks on 911 systems in California, Arizona, Pennsylvania and Washington. He could face up to 18 years in prison if convicted.
-http://www.ocregister.com/news/home-emami-county-1894171-ellis-system
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9043098&intsrc=hm_list

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Verizon Letter Describes Breadth and Depth of Information Sought by Federal Authorities (October 17, 2007)

In a letter to several members of the US House Energy and Commerce Committee, Verizon Communications described the extent to which it has complied with federal authorities' requests for customer telephone records, even in the absence of court orders. The letter also told how the FBI, using administrative subpoenas, also known as National Security letters, sought "two-generation" information - records of all people called by an individual and all the people those people called as well. Verizon does not retain such data. Between January 2005 and September 2007, Verizon gave federal authorities data "on an emergency basis" in 720 instances. During the same period, Verizon provided government agents with information supported by subpoenas or court orders 94,000 times. Lawmakers are considering a bill that would grant telecommunication carriers immunity from being sued by individuals whose information is disclosed without court orders. The telecoms maintain it should not fall to them to determine whether or not the government is using National Security letters in an appropriate fashion.
-http://www.washingtonpost.com/wp-dyn/content/article/2007/10/15/AR2007101501857_
pf.html
[Editor's Note (Northcutt): These numbers are EXTREME. With numbers like this, I am convinced that we have stepped all over the civil liberties of a number of our fellow citizens. And don't be shy, if you wish to engage in a discussion on why we need to monitor 94,000 US citizens suspected to be terrorists, please write me at stephen@sans.edu]


[Editor's Note (Pescatore): We've seen Belgium-based SWIFT act to stop using US-based data centers because of concerns of transaction information being disclosed at government request. Every company outsourcing (not just off-shoring, but certainly including off-shoring) data centers or call centers needs to determine if the outsourcer will allow government access to their data. Soon countries that can provide higher assurance for data privacy in hosted data centers will be able to charge higher rates and lessen the advantage of countries with lower labor costs. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Trojan Targets Skype Users (October 17, 2007)

A Trojan horse program that targets Skype users has been spreading in the guise of a security plug-in. The Trojan spreads through social engineering; users must be tricked into downloading the file. When users' devices are infected, what appears to be the Skype login screen appears, asking users to log in to their accounts. Once the data are entered, a message tells the user that the credentials are not recognized. The harvested information is sent to a website. Those behind the attack could access Skype accounts with the information and possibly gain access to SkypeOut credits and PayPal accounts.
-http://www.theregister.co.uk/2007/10/17/skype_trojan/print.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9043015&source=rss_topic17

Microsoft Investigating Reports of Unauthorized Automatic Updates (October 17, 2007)

Microsoft is looking into reports that some users' machines automatically downloaded last week's set of security updates and rebooted themselves. Customers have been reporting that their machines installed the updates even though they had chosen the option to decide themselves whether or not to install them. Initial examination of some customer logs indicates the changes to automatic update (AU) settings were not caused by changes made to the AU client or by any updates installed through AU. Microsoft is investigating reasons for the unexpected behavior, including the possibility that another application is the source of the problem.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62033411-39000005c
-http://www.aeroxp.org/index.php?categoryid=23&p2_articleid=133
-http://blogs.technet.com/mu/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Fasthosts Data Breach Affects Customer Passwords (October 18, 2007)

Customers of the UK-based web-hosting firm Fasthosts are being urged to change all their passwords following an attack on a company server. After the attack, "Fasthosts ... reviewed and updated its security and worked with external security experts to ensure that all data held by
[the company ]
is secure." Fasthosts said that all passwords that can be changed through the customer control panel were compromised. The company says it has now started encrypting passwords and is working with law enforcement authorities on the investigation.
-http://www.theregister.co.uk/2007/10/18/fasthost_police_hack_investigation/print
.html
[Editor's Note (Honan): According to the article Fasthosts did not encrypt the passwords because "Historically, Internet companies have rarely encrypted passwords to aid customer service." If true, this is a worrying practise and one that Internet companies should redress immediately to better protect their customers' system both from internal and the external threats. ]

Stolen Laptop Holds Home Depot Employee Data (October 16 & 17, 2007)

A laptop computer stolen from a car contains personally identifiable information of approximately 10,000 Home Depot employees from across the country. No customer information was affected. The laptop was stolen from a manager's car while it was parked outside his home. Police are investigating the theft. The compromised data include names, addresses and Social Security numbers (SSNs). Affected employees have been notified of the data breach by letter. The manager violated company policy by leaving the computer in his car. The data were protected by a password, but it is not known if they were encrypted.
-http://www.nytimes.com/aponline/technology/AP-Home-Depot-Stolen-Laptop.html?_r=1
&ei=5088&en=b1e8c9da4440f08a&ex=1350360000&oref=slogin&partn
er=rssnyt&emc=rss&pagewanted=print
-http://www.thebostonchannel.com/news/14353117/detail.html

Irish Government Employee Resigns in Wake of Data Leaks (October 16, 2007)

A woman who worked at Ireland's Department of Social and Family Affairs has resigned amid evidence she accessed personal records without authorization and shared them with a newspaper. The breach was discovered after a woman whose details were published in the newspaper had her solicitor send a letter to the Department. An investigation revealed that within days after the woman had accessed personal records, sometimes of high-profile individuals, articles containing information from those records appeared in the newspaper.
-http://www.independent.ie/national-news/official-gave-private-details-to-media-i
n-new-leak-shock-1197811.html
[Editor's Note (Honan): This is one of a number of recent stories highlighting abuse of access by Irish civil servants to personal data in the care of the government. In another case (
-http://www.breakingnews.ie/ireland/mhmhcwauidmh/)
a civil servant leaked personal information to his criminal brother who then used that information to rob and extort money from the affected individuals. These activities are clearly in breach of Ireland's data protection laws, but as there are no data breach disclosure laws in Ireland these stories only came to light as a result of journalists submitting Freedom of Information Requests. These cases will hopefully reinforce calls I recently made to the Irish Government to introduce breach disclosure laws
-http://www.tmcnet.com/usubmit/2007/08/31/2901198.htm]

Louisiana Student Data on Lost Storage Device (October 15, 2007)

Storage media lost by data storage firm Iron Mountain include personally identifiable information gathered by the Louisiana Office of Student Financial Assistance (LOSFA). The incident is under investigation by state and local police. The breach affects individuals who applied for and/or participated in LOSFA administered programs. Accessing the data on the storage device would "require special software specific computer equipment and sophisticated computer skills." LOSFA is working to notify all affected individuals.
-http://www.katc.com/Global/story.asp?S=7217462

MISCELLANEOUS

Apple to Release iPhone SDK in February '08 (October 17 & 18, 2007)

Apple Computer plans to release an iPhone software development kit (SDK) in February 2008 to allow independent software developers to create applications for the device. Steve Jobs said that security concerns fueled the company's reluctance to allow third party developers to create applications for the iPhone. A recent iPhone update deleted unauthorized applica tions installed on the devices and caused some altered phones to become inoperable. Apple will not budge on its policy that will allow only AT&T as its carrier.
-http://www.nytimes.com/2007/10/18/technology/18apple.html?ei=5088&en=cd6f36d
a93451c6e&ex=1350446400&partner=rssnyt&emc=rss&pagewanted=print
-http://www.zdnetasia.com/news/communications/printfriendly.htm?AT=62033490-39000
002c
[Editor's Note (Pescatore): Apple needs to do a lot more than just application signing to make the iPhone an enterprise platform. The types of security policy support that RIM provides on the Blackberry and the type of patching support Microsoft provides are two minimum requirements. ]

LIST OF UPCOMING FREE SANS WEBCASTS

SANS Special Webcast: Building Brick Houses
WHEN: Wednesday, October 24, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Gary W. Longsine and Jonathan Ham
-http://www.sans.org/info/16851
Sponsored By: Watchfire

With the advent of Web 2.0 interactive applications and demand for financial, shopping and other applications for hand held devices, never has secure lifecycle of Web applications been more critical. Leveraging the same agile application methodologies in use today, Gary W. Longsine and Jonathan Ham unveil a flexible framework called Scalable and Agile Lifecycle Security for Applications - or SALSA for short.

Ask the Expert: Log Heaven: How to Simplify Log Management for Compliant, Secure Operations
WHEN: Thursday, October 25, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Dave Steidle
-http://www.sans.org/info/16866
Sponsored By: netForensics

Join this webcast to learn:
- What to consider when evaluating log management solutions
- How to use log management to address compliance audits
- How to get better security intelligence from existing data
- Tips for streamlining log management operations

Tool Talk Webcast: Eenie-Meenie-Minie-Mo: No Way to Choose a Log Management Solution
WHEN: Tuesday, October 30, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Ansh Patnaik
-http://www.sans.org/info/16871
Sponsored By: ArcSight

Join this Webcast to learn:
- How to evaluate and select the right log management solution for your environment
- What big log management mistakes can be avoided and how to avoid them
- Why the compliance, security, IT operations, forensics, and helpdesk teams will all applaud you for making the right choice

Tool Talk Webcast: Guidelines for Implementing Role-Based Security Policies in Unix/Linux Environments
WHEN: Wednesday, October 31, 2007 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Alan Dobbs
-http://www.sans.org/info/16876
Sponsored By: FoxT

In this webinar, you will discover how FoxT's IT Controls solution suite is helping organizations, including five of the top ten banks, resolve access control challenges and achieve unprecedented speed in adopting role-based security policies across multi-vendor Unix/Linux infrastructures.

Tool Talk Webcast: NEW - Web Application Pen Testing with CORE IMPACT
WHEN: Tuesday, November 6, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Anthony Alves
-https://www.sans.org/webcasts/show.php?webcastid=91461
Sponsored By: Core Security Technologies

Core Security Technologies introduces new capabilities for web application penetration testing with CORE IMPACT v7.5. The new release allows security professionals to leverage the product's automated Rapid Penetration Test methodology to identify exposed web applications and interact with backend data - just as an attacker could.

Ask the Expert Webcast: Don't Bring A Knife To a Gunfight! - How threats are easily infiltrating most security deployments
WHEN: Wednesday, November 7, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford, Paul Henry, and Andrew Stevens
-https://www.sans.org/webcasts/show.php?webcastid=91186
Sponsored By: Secure Computing

In this webcast, learn about some of the newest threats spotted in the wild, and why most of today's network firewalls won't be effective at preventing newer attacks.

Internet Storm Center: Threat Update
WHEN: Wednesday, November 14, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich
-https://www.sans.org/webcasts/show.php?webcastid=90826
Sponsored By: Core Security Technologies

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

Ask the Expert Webcast: Preventing Data Breaches: Protecting Critical Data through Database Compliance Monitoring
WHEN: Thursday, November 15, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Dave Steidle
-https://www.sans.org/webcasts/show.php?webcastid=91341
Sponsored By: netForensics

Join this webcast to discover how database compliance monitoring can:
- Safeguard vulnerable and compliance related data by preventing malicious and unauthorized access
- Effectively mitigate both well-known application-layer attacks, as well as more subtle behavioral attacks

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/