SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #88
November 06, 2007
A heads up for subscribers near Toronto. The highest value cyber security job today is Web Application Penetration Tester because the demand is high and the supply is low. SANS will be unveiling a course and certification on Wep App Pen Testing early next year, but Jason Lam, will teach a dry-run of the course in Toronto November 27-29. We have ten slots open. If you want one, go to and register today. http://www.sans.org/softwaresecurity07/details.php?id=8236 [If you don't see the course description there, email me (apaller@sans.org) and I'll send it to you.]
If you work in a large corporation in information security and have not yet heard about e-discovery, you soon will. It is a new legal requirement and companies are already paying millions of dollars in fines because their IT people didn't respond appropriately to the lawyers' e-discovery demands. We have talked the top two people in e-Discovery in the country into doing a two-hour mini-course at the Washington DC CDI conference, Dec. 11-18, 2007. The mini-course is free for all course attendees at CDI. CDI has all our top rated hands-on courses from hacker exploits to wireless to forensics to intrusion detection, to Windows security , to CISSP test prep, to Security Essentials. More information at http://www.sans.org/info/14231
TOP OF THE NEWS
US Critical Infrastructure Needs Tighter Cyber Security PlansEU Proposes to Collect Airline Passenger Data
THE REST OF THE WEEK'S NEWS
LEGAL MATTERSTwo Indicted for Accessing University System to Change Grades
AOL Spammer Sentenced
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Minn. Dept. of Public Safety Lax on Data Security and Inventory Control
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Microsoft Files Lawsuits Against 20 Companies for Alleged Piracy
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple Releases QuickTime Updates
Malware Spreading Through Phony Campaign Sites
Mac OS X Leopard Firewall Presents Security Concerns
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Pension Policy Holders' Data on Lost CD
Co-Location Facility Experiences Fourth Physical Intrusion
MISCELLANEOUS
Dutch Ministry Had Access to News Agency Database
LIST OF UPCOMING FREE SANS WEBCASTS
********************** Sponsored By ArcSight, Inc. **********************
Free Whitepaper: Guide to Selecting a SIM Solution for Insider Threat
An attack from a malicious insider can be just as devastating as a security breach from outsiders. But insider attacks are often more difficult to detect. Learn the top 10 best practices for selecting a software solution with this free whitepaper. Brought to you by ArcSight, the ESM leader that turns data into action.
http://www.sans.org/info/18951
*************************************************************************
TRAINING UPDATE
Where can you find Hacker Exploits, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - Washington DC (12/13-12/18): http://www.sans.org/cdi07
- - New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- - London (11/26 - 12/1): http://www.sans.org/london07/
*************************************************************************
TOP OF THE NEWS
US Critical Infrastructure Needs Tighter Cyber Security Plans (November 1, 2007)
In testimony before two House panels, Government Accountability Office (GAO) director of information technology and communications David Powner said that the nation's critical infrastructure lacks complete planning for protection from cyber attacks. According to Powner, none of the 17 critical infrastructure sectors included all 30 elements necessary for a complete cyber security plan. Eighty-five percent of US critical infrastructure is in the private domain.-http://www.fcw.com/online/news/150679-1.html?type=pf
[Editor's Note (Ullrich): Government agencies still have a hard time getting a handle on cyber security. One of the issues seems to be that they think of cyber attacks as "apocalyptic" events. However, the real threats are every-day intrusions on a smaller scale. These intrusions happen and are sometimes detected and reported. Using these present threats as a guide, a cyber security plan is much easier to "sell" and if implemented it will likely help against a large scale attack as well. ]
EU Proposes to Collect Airline Passenger Data (November 1 & 4, 2007)
A proposal from the European Commission would require airline carriers flying to Europe to provide airline traveler information to security agencies of all European Union (EU) states. The EU member states would use the data, which include names, credit card numbers and travel itineraries, to assess counterterrorism risks presented by the passengers. The data could be kept for 13 years, or even longer if they are needed for criminal investigations and intelligence operations. The US already collects airline passenger information from incoming flights. The proposal is being met with some resistance on both sides of the Atlantic. Privacy advocates in the US are concerned about the potential analysis of passenger information to assess terrorism risks; in the US, there is "a ban on testing algorithms assigning risk to passengers not on a government watch list." In the EU, those who have opposed a similar agreement between the EU and the US regarding passenger data believe that creating such a program in the EU undermines criticism of that agreement. Another proposal in the works would make it a crime to incite, recruit for, or train for terrorism on the Internet.-http://www.washingtonpost.com/wp-dyn/content/article/2007/11/03/AR2007110300956_
pf.html
-http://www.heise.de/english/newsticker/news/98335
[Editor's Note (Schultz): One of the things that make me nervous about proposals such as this one is that they generally call for data retention and archiving without specifying requirements to store data securly. Governments, particularly the US Government, have not exactly had a good track record when it comes to data security; without such requirements, they are unlikely to improve. ]
************************* Sponsored Links: ***************************
1) ALERT: "How a Hacker Launches an XPath Injection Attack!"- SPI Dynamics White Paper
http://www.sans.org/info/18956
2) Link here to complete the SANS Database Security Compliance Survey and register to win a $250 AMEX Gift card.
http://www.sans.org/info/18961
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
Two Indicted for Accessing University System to Change Grades (November 5, 2007)
Two men have been indicted on charges of unauthorized computer access, identity theft, conspiracy, and wire fraud for allegedly breaking into a California state university computer system and changing their grades. John Escalera and Gustavo Razo allegedly took advantage of Escalera's job at a university help desk to access the system. If they are convicted on all charges against them, they could face up to 20 years in prison and fines of up to US $250,000.-http://www.linuxworld.com.au/index.php/id;706691158;fp;4;fpid;1
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9045585&source=rss_topic17
[Editor's Note (Cole): Too many organizations still focus most of their efforts on blocking external attacks, but this story shows the damage insider are causing. It is critical that organizations institute least privilege, giving each user the minimal access they need to do their jobs. Data classification and role based access control (RBAC) are tools organizations can deploy to help with this problem. ]
AOL Spammer Sentenced (November 2, 2007)
Todd Moeller was sentenced to 27 months in prison for sending spam to AOL members. Moeller was also fined US $180,000. Moeller's accomplice, Adam Vitale, will be sentenced on November 13. Both entered guilty pleas earlier this year to charges of having violated anti-spam laws. Moeller and Vitale were caught in a sting operation during which they bragged that they could send spam in a way that the source would be untraceable.-http://www.washingtonpost.com/wp-dyn/content/article/2007/11/02/AR2007110201739_
pf.html
-http://blogs.techrepublic.com.com/networking/?p=379
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Minn. Dept. of Public Safety Lax on Data Security and Inventory Control (November 1, 2007)
According to a report from Minnesota's Legislative Auditor, Minnesota's Department of Public Safety did not take adequate security precautions with private data stored on its systems, nor did it maintain an accurate inventory of its laptops, cell phones and other property. The report says that as of May 2007, nearly 950 department laptops were not encrypted and approximately 300 desktops did not have cable locks or other physical security. The department also provided inadequate review of "employee security profiles for excessive or unnecessary use of the department's computer system." Five people who were no longer employed by the department still had access to the computer system.-http://www.infosecnews.org/hypermail/0711/13945.html
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Microsoft Files Lawsuits Against 20 Companies for Alleged Piracy (November 1, 2007)
Microsoft has filed lawsuits against 20 companies it says are violating copyright law by selling "counterfeit or infringing" software. Seventeen of the cases came about as the result of tips to Microsoft's anti-piracy hotline. When Microsoft receives a tip through the hotline, Microsoft employees act as "secret shoppers" who purchase software from the suspected companies to use as evidence. Microsoft says it had sent warning or cease-and-desist letters in each case prior to filing the lawsuit.-http://mcpmag.com/news/print.asp?EditorialsID=1396
[Editor's Note (Cole): Most people would not walk into a store and steal a candy bar, but they do not have a problem with using software in which they did not pay. Employers need to carefully audit all software users are running to make sure they have valid licenses. Desktop lockdown is an effective way to ensure only authorized software is in use and to improve security at the same time. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple Releases QuickTime Updates (November 5, 2007)
Apple has released updated versions of its QuickTime media player for Mac OS X and for Windows. The updates, version 7.3 in both cases, address seven security flaws. All seven flaws could be exploited to execute arbitrary code; one could be exploited to gain elevated privileges.-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9045599&source=rss_topic17
-http://blogs.zdnet.com/security/?p=632
-http://docs.info.apple.com/article.html?artnum=306896
Malware Spreading Through Phony Campaign Sites (November 2, 2007)
As political races heat up, malware purveyors are exploiting the increased traffic on candidates' websites to create spoofed political sites that try to trick users into downloading malicious programs. Users land on the spoofed sites by selecting them from a list of search results or by mistyping the legitimate web sites' addresses. The technique is being used to download the Zlob Trojan horse program; once computers are infected with Zlob, they are recruited into a network of other compromised machines.-http://www.theregister.co.uk/2007/11/02/fake_presidential_site_spyware/print.htm
l
[Editor's Note (Pescatore): The IT industry (and mostly the members of the Certification Authority/Browser Forum) really need to invest in the outreach required to make sure that Extended Validation SSL certificates and the "green" URL browser bar become understood and looked for to raise the bar for this type of spoofing. A good opportunity to do this will be when Firefox 3 ships with EV cert support. ]
Mac OS X Leopard Firewall Presents Security Concerns (October 29, November 1 & 2, 2007)
A test of Apple's new Mac OS X Leopard operating system has revealed that it could put users' computers at increased security risk. Leopard's firewall is set to "allow all incoming connections" by default. If users upgrade from earlier operating systems to Leopard, any firewall settings they had set on the old OS would be overwritten by the Leopard default settings. Furthermore, "the Leopard firewall settings fail to distinguish between trusted networks ... and potentially dangerous wireless networks." Leopard was released on October 26.-http://technology.timesonline.co.uk/tol/news/tech_and_web/article2786157.ece
-http://news.bbc.co.uk/2/hi/technology/7071017.stm
-http://www.theregister.co.uk/2007/11/02/leopard_security_analysis/print.html
-http://www.heise-security.co.uk/articles/98120
[Editor's Note (Ullrich): It is not only (very) bad that this problem made it past all the testing. Worse... I still can't find any official note about it on the Apple website. Apple did slip a few nice security enhancements into Leopard, but the biggest enhancement still missing is a corporate capability to respond to security issues and distribute timely and authoritative information about vulnerabilities.
(Pescatore): A lot of this is Apple showing it is a consumer-oriented company at heart, where in the name of application compatibility the default for security is to let everything through unless explicitly denied.
(Honan): It seems there are other issues with the MAC OS X Leopard Firewall causing applications, such as Skype, not to run properly.
-http://www.heise-security.co.uk/news/98492]
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Pension Policy Holders' Data on Lost CD (November 3 & 5, 2007)
Personally identifiable information of approximately 15,000 Standard Life pension policy holders could be at risk of exposure following the loss of a CD. The disk was sent by courier from the UK's HM Revenue & Customs (HMRC) to Standard Life's Edinburgh headquarters. The data on the disk include names, national insurance numbers, dates of birth and addresses. The CD should have arrived at the office more than a month ago; news of the missing disk was made public just this past weekend. HMRC has not said if the data were encrypted.-http://www.theregister.co.uk/2007/11/05/standard_life_lost_cd_security_flap/prin
t.html
-http://www.channel4.com/news/articles/business_money/standard+life+pension+data+
stolen/997947
Co-Location Facility Experiences Fourth Physical Intrusion (November 2, 2007)
Chicago-based co-location facility C I Host has experienced its fourth physical intrusion in the last two years. On October 2, thieves stole US $15,000 worth of servers from the data center. The intruders apparently cut through a reinforced wall with a power saw to gain access to the servers. The night manager was tasered and beaten. At least one customer reportedly plans to pull its equipment from other C I Host facilities.-http://www.theregister.co.uk/2007/11/02/chicaco_datacenter_breaches/print.html
[Editor's Note (Pescatore): This may sound like just an oddball story, but do you really know what the physical security level is for the hosting firm *your* company is using? Even riskier: do you know what the physical security practices are at the software-as-a-service provider your company is using? I remember in the early days of the PKI industry being shocked at the complete lack of physical security at some of the startup Certification Authorities with root keys in all the popular browsers. Most of the established SaaS providers are actually doing a pretty good job on security these days but as the competition starts to focus on price, stuff happens. ]
MISCELLANEOUS
Dutch Ministry Had Access to News Agency Database (November 3 - 6, 2007)
Two former employees (partners) of the GPD news agency accessed the story database after leaving the news agency for jobs at the Dutch Ministry of Social Affairs. One left the GPD first and used the login of the other and when the second one left the GPD that access was revoked, after a month they started using the account of a third person still working at the GPD. The situation came to light when someone at the Ministry complained about a story that had not been published. An audit of the logs showed 366 unauthorized accesses to the story database in a period of over a year. The ministry has apologized for the activity. The GPD has reported the activity to the police. The GPD will tighten security on the database by tracking use from unknown locations.[With thanks to Koos van den Hout for correcting the original NewsBites description. ]
LIST OF UPCOMING FREE SANS WEBCASTS
Ask the Expert Webcast: Don't Bring A Knife To a Gunfight! - How threats are easily infiltrating most security deploymentsWHEN: Wednesday, November 7, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford, Paul Henry, and Andrew Stevens
-http://www.sans.org/info/18567
Sponsored By: Secure Computing
In this webcast, learn about some of the newest threats spotted in the wild, and why most of today's network firewalls won't be effective at preventing newer attacks.
WhatWorks Webcast: WhatWorks in Event and Log Management: Simplifying Global Log Management at Rockwell Automation
WHEN: Thursday, November 8, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alan Paller and Scott Petinga
-http://www.sans.org/info/18517
Sponsored By: LogLogic
A hasty selection of a log management tool to meet SOX requirements prompted Rockwell Automation to seek an alterative solution. Their requirements? Something that was scalable, easy to deploy and lowered their overall log management and support time. Rockwell found a lower cost tool that all of IT could easily use.
Tool Talk Webcast: Be a Perfect 10: Nail the PCI Requirement
WHEN: Tuesday, November 13, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dave Anderson
-http://www.sans.org/info/18577
Sponsored By: ArcSight
Track and monitor all access to network resources and cardholder data. It seems simple enough, but PCI requirement 10 can often get organizations into audit trouble. Your customers' card data gets stored, processed and transmitted at many other points besides devices on your corporate network. Log data from all these points needs to be collected and managed to build a strong foundation for your PCI compliance program. Do you even know where this data resides?
Internet Storm Center: Threat Update
WHEN: Wednesday, November 14, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich and Mike Yaffe
-http://www.sans.org/info/18582
Sponsored By: Core Security Technologies
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
Ask the Expert Webcast: Preventing Data Breaches: Protecting Critical Data through Database Compliance Monitoring
WHEN: Thursday, November 15, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Dave Steidle
-http://www.sans.org/info/18587
Sponsored By: netForensics
Traditional defenses have proven to be less than effective at protecting your data where it lives - your valuable databases and applications. Although network and host-based security technologies can detect and prevent many common attacks, they often miss more sophisticated penetration attempts such as electronic fraud, insider theft and sabotage, and unauthorized access.
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
