SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #91

November 16, 2007

TOP OF THE NEWS

Yahoo Settles Lawsuit Brought by Jailed Dissidents' Families
Council Enumerates Minimum Security Skills for Java Programmers
UK Info Commissioner Pushes for Harsher Data Mismanagement Penalties

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Dutch Teen Arrested for Alleged Virtual Furniture Theft
Ex-CIA Agent Pleads Guilty to Conspiracy to Defraud Government
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Nevada Steps Up State Payroll Data Security
Visa Applicant Data Exposure Violated UK Data Protection Act
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Baseball and Hockey Sites Serving Malware
Apple Releases Big Security Update for Mac
Australian Bank to Give Out Free Anti-Virus Software
Microsoft Patches DNS Spoofing URI Flaws
STATISTICS, STUDIES & SURVEYS
Data Rights Awareness on the Rise in UK
MISCELLANEOUS
Ulster Bank Gives Card Readers to Online Customers
LIST OF UPCOMING FREE SANS WEBCASTS

---

********************* Sponsored By Sunbelt Software ********************

Email Security for Exchange in HALF the Admin Time! Osterman Research surveyed enterprises that use five of the leading email security tools. Read this white paper to learn what email security tool takes 50% less time to manage and has a lower cost per user.
http://www.sans.org/info/19431

*************************************************************************

TRAINING UPDATE
Where can you find Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - Washington DC (12/13-12/18): http://www.sans.org/cdi07
- - New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- - London (11/26 - 12/1): http://www.sans.org/london07/
- - and in 100 other cites and on line any-time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Yahoo Settles Lawsuit Brought by Jailed Dissidents' Families (November 13 & 14, 2007)

Yahoo has settled a lawsuit brought on behalf of the families of two Chinese dissidents who were identified and sent to prison by Chinese authorities based on information provided by Yahoo. While Yahoo maintains it had to surrender the information to comply with local laws in China, chief executive Jerry Wang said the company agreed to the settlement "to make this right for (the dissidents), for Yahoo and for the future." Details of the out of court settlement have not been released, but Yahoo will pay the legal costs of the suit and establish a fund to help other political dissidents. Last week, Yahoo executives were taken to task by a US House panel for omitting details when questioned about the situation at an earlier date.
-http://news.bbc.co.uk/2/hi/business/7093564.stm
-http://www.washingtonpost.com/wp-dyn/content/article/2007/11/13/AR2007111300885_
pf.html
-http://technology.timesonline.co.uk/tol/news/tech_and_web/article2868689.ece
-http://www.smh.com.au/news/Technology/Yahoo-settles-lawsuit-by-jailed-journalist
s-over-decision-to-giveinfo-to-Chinese-government/2007/11/14/1194766724468.html

Council Enumerates Minimum Security Skills for Java Programmers (November 15, 2007)

The Secure Programming Council, a group of security managers brought together by the SANS Institute, has released a document titled "Essential Skills for Secure Programmers using Java/J2EE," enumerating the most important skills and knowledge for Java developers to have when writing applications. The list includes detailed elements in several categories: input handling, authentication and session management, access control, error and exception handling, and encryption services.
-http://www.computerworld.com/action/article.do?command=printArticleBasic&art
icleId=9047098
-http://www.gcn.com/online/vol1_no1/45421-1.html?topic=security&CMP=OTC-RSS
[Editor's Note (Paller): Online examinations that allow programmers to demonstrate how well they have mastered the Council-defined essential skills and knowledge will be deployed in a pilot project involving approximately 20 large organizations over the next three months. The tests will be used to identify gaps in programmer skills and knowledge and to assess how well the exams can be deployed both in house and for outsourced programmers in India and China and the US. Comprehensive, paper-based examinations will held in London and Washington during early December and in 17 other cities in early 2008. More information at www.sans.org/gssp. ]

UK Info Commissioner Pushes for Harsher Data Mismanagement Penalties (November 15, 2007)

UK Information Commissioner Richard Thomas wants people to be criminally liable for losing data storage devices that contain personal information of others. Thomas is pushing for fines of up to GBP 5,000 (US$10,221) in a magistrates' court, with an unlimited cap if a case goes to the crown court for people convicted of breaching the Data Protection Act. Thomas would also like the power to conduct unannounced "spot checks on companies to ensure their compliance with data protection legislation."
-http://www.pcpro.co.uk/news/139302/doctors-may-be-liable-for-stolen-laptops.html
-http://www.computerweekly.com/Articles/2007/11/15/228104/information-commissione
rs-office-asks-uk-to-criminalise-severe-data.htm

---

************************* Sponsored Links: ***************************

1) Complimentary Aberdeen research report that addresses the challenges of deploying encryption and key management.
http://www.sans.org/info/19436

2) Link here to complete the SANS Database Security Compliance Survey and register to win a $250 AMEX Gift card.
http://www.sans.org/info/19441

3) Over 450 security professional participated in the 2007 Web Security Leadership Survey. Get the results at http://www.sans.org/info/19446

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Dutch Teen Arrested for Alleged Virtual Furniture Theft (November 14, 2007)

Police have arrested a teenager in Holland for allegedly stealing 4,000 Euros (US $5,847) worth of virtual furniture from the Habbo Hotel, a popular social networking website. Users paid real money for credits to purchase the virtual goods; the teen allegedly tricked other users into revealing their account login credentials, and then used them to access their accounts and move the furniture into his own virtual room in Habbo Hotel. Five other juveniles have also been questioned in connection with the case.
-http://news.bbc.co.uk/2/hi/technology/7094764.stm
[Editor's Note (Pesactore): Calling this "virtual furniture theft" makes for a good headline, but it is really just another example of a targeted phishing attack. These are happening all the time, as salesforce.com and its customers recently experienced.
(Northcutt): This gets my vote for funniest story of the year. Not that a juvenile stealing is in any way funny, but the thought of $5,847 worth of virtual furniture is cracking me up. You can get the air spa massaging LaZBoy with power recliner for less than that! You can keep your virtual furniture, just do me a favor and get me a beer and put on a movie!]

Ex-CIA Agent Pleads Guilty to Conspiracy to Defraud Government (November 13, 2007)

Nada Nadim Prouty this week pleaded guilty in US District Court to conspiracy to defraud the US government. Prouty obtained US citizenship fraudulently and accessed a US government computer system without authorization. Prouty is originally from Lebanon. After her one-year, non-immigrant student visa expired in 1990, Prouty offered to pay an unemployed American citizen to marry her; the marriage was in name only as the two never lived together. Prouty was hired as an FBI special agent in 1999; she used that position to access the FBI's Automated Case System without authorization and search for information about herself and family members as well as information about a national security investigation into Hezbollah. Prouty joined the CIA in 2003 and was assigned to a post on Baghdad. The charges against her carry maximum prison sentences of between one and 10 years, as well as fines of between US $100,000 and US $250,000.
-http://www.computerworld.com/action/article.do?command=printArticleBasic&art
icleId=9046802
-http://www.msnbc.msn.com/id/21796035/
(Please note this site requires free registration)
-http://www.nytimes.com/2007/11/14/washington/14spy.html?_r=1&oref=slogin&
;pagewanted=print

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Nevada Steps Up State Payroll Data Security (November 10 & 14, 2007)

After learning that more than 470 CDs holding Nevada state payroll data have been lost over a three-year period, the state is instituting new procedures to guard against more data being lost. The Nevada personnel department sent CDs to 80 state agencies every two weeks for the past three years. There was no system in place to track the disks. Now, "disks must be signed for and returned to the personnel department after each pay period," the data on the CDs will be password-protected and state employees will no longer be identified by their Social Security numbers (SSNs). The problem came to light when former Nevada Department of Information Technology security manager Jim Elste tried to get the state to tell employees about the breach. He lost his job as a result of his efforts. Elste maintains he is protected under whistleblower statutes and is appealing his dismissal.
-http://www.gcn.com/online/vol1_no1/45412-1.html?topic=security&CMP=OTC-RSS
-http://www.nevadaappeal.com/article/20071110/NEWS/111100113/-1/NEWS
[Editor's Note (Northcutt): Nevada may have just picked a fight with the wrong guy. Elste was listed as a mover and shaker with CSO Magazine, has a degree from Norwich, holds a CISA and a CISM, he may just go down swinging:
-http://www.csoonline.com/movers/101606_4298.html
-http://www.linkedin.com/pub/1/a0b/159
(Honan): Effective security programmes include training staff to alert appropriate management when they see something that could result in a potential breach. Shooting the messenger by firing staff members who report issues does not address the security problem and only undermines the effectiveness of the overall security programme. ]

Visa Applicant Data Exposure Violated UK Data Protection Act (November 13, 2007)

A UK Information Commissioner's Office investigation revealed that people visiting the UK's visa website could view personal details of people applying online for visas for entry into the UK. As a result, the Foreign and Commonwealth Office was found to be in violation of the Data Protection Act. The Foreign Office says it will close the website and create another, presumably more secure website. The Foreign and Commonwealth Office has signed a document saying it will comply with the Data Protection Act.
-http://www.theregister.co.uk/2007/11/13/foreign_office_data_security/print.html
-http://www.zdnet.co.uk/misc/print/0,1000000169,39290807-39001093c,00.htm
-http://www.computerweekly.com/Articles/2007/11/13/228058/fco-breached-data-priva
cy-of-50000-visa-applicants.htm
[Editor's Note (Honan): The breach was first reported in May of this year
-http://news.scotsman.com/uk.cfm?id=772752007
The management and running of the actual site in question was outsourced by the UK Home Office to a company called VFS Global, a company that also provides visa processing services for the United States, Australia, Italy, France, Canada, Germany, Belgium, The Netherlands, Sweden, Thailand and Ireland. Under European Data Protection Legislation organisations are obliged to ensure the security personal data even when processing is outsourced to a third party. With this in mind you should include in your outsourcing contract clauses to allow you verify the security of the outsourced data. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Baseball and Hockey Sites Serving Malware (November 15, 2007)

The Major League Baseball and National Hockey League websites are the latest high-profile sites to fall prey to malware purveyors. Both websites have been infected with a program that tries to get visitors to download malware onto their own machines. The lure appears as a pop-up advertisement that urges them to scan their computers for viruses. The exploit does not occur every time someone visits a website, making the attack more difficult to detect and identify.
-http://www.pcworld.com/article/id,139669-c,browsersecurity/article.html

Apple Releases Big Security Update for Mac (November 14 & 15, 2007)

On Wednesday, November 14, Apple Computer released a security update to fix 41 vulnerabilities in Mac OS X, as well as flaws in other applications. Fifteen of the 41 fixes to OS X could allow arbitrary code execution. The other flaws could be exploited to crash the system and applications, poison the DNS cache, let websites download malware surreptitiously or allow attackers access to data on computer hard drives.
-http://www.computerworld.com/action/article.do?command=printArticleBasic&art
icleId=9047018
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62034417-39000005c
[Editor's Note (Pescatore): On Nov 15th, Apple issued a number of patches to Leopard just 3 weeks after it was released. Whenever you see serious flaws patched that soon after release it is an indicator that marketing, not QA or engineering, drove the release date of a software product - not the way to go. ]

Australian Bank to Give Out Free Anti-Virus Software (November 14, 2007)

Australia's Commonwealth Bank is giving its some of its customers security software, but denies suggestions that the move indicates a change in policy to resemble New Zealand's proposed rules that would place online banking security liability in the hands of the customers. The bank is targeting the software giveaway at the 20 percent of two million "regularly active" customers who do not have anti-virus software on their computers. The first 25,000 copies of the security software will be given away at no charge; after that, customers can obtain it from the bank for half price. In a separate story, a password-stealing Trojan horse program has been detected that targets Commonwealth Bank customers; ironically, the software the bank is providing did not detect the malware. The Trojan was traced to a server in Hong Kong, which has been taken down. The Trojan also targeted banks in Spain, Germany, Portugal, Greece, and Italy.
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339283812-1300
61744t-110000005c
-http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339283820-1300
61744t-110000005c
[Editor's Note (Pescatore): As this item points out, desktop AV software mostly only works as a removal tool - the malware gets on because there are no signatures for most targeted attacks and *may* get removed sometime later if a signature does come out. That's why most of the full endpoint protection products now include more than just signature-based defenses, but those aren't the versions being given out for free.
(Schultz): The problem of security software, anti-virus software in particular, not being able to detect Trojan programs is growing to the point that it is now a major concern. The best way to detect Trojan programs remains running integrity checking programs such as tripwire.
(Paller): Managing a tripwire implementation is beyond the capability of most users. Until file integrity is transparently built into operating systems, user acceptance of this technology will be miniscule. ]

Microsoft Patches DNS Spoofing URI Flaws (November 14, 2007)

Microsoft's patch Tuesday security release for November comprises a critical security bulletin to address a URI handling vulnerability in Windows and an important bulletin to address a flaw in Windows that could allow Domain Name System (DNS) spoofing. Some were expecting that the release would include a fix for a vulnerability in Macrovision SafeDisk copy protection software that comes bundled with Windows XP and 2003. Macrovision has released its own update for the problem.
-http://www.theregister.co.uk/2007/11/14/windows_novemeber_patch_update/print.htm
l
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62034383-39000005c
-https://www.microsoft.com/technet/security/bulletin/ms07-nov.mspx
-http://isc.sans.org/diary.html?storyid=3642

STATISTICS, STUDIES & SURVEYS

Data Rights Awareness on the Rise in UK (November 15, 2007)

Research from the UK's Information Commissioner's office shows that people are significantly more aware of their rights under the Data Protection Act (DPA) than they were three years ago. Ninety percent of people know they have the right to view information an organization keeps about them, and 87 percent are aware they have the right to correct information about them that is inaccurate. Three years ago, 74 percent of people knew they had the right to view their information and roughly 79 percent were aware they had the right to amend inaccurate data.
-http://www.kablenet.com/kd.nsf/FrontpageRSS/AABB89D0485AE02A80257393006012BA!Ope
nDocument

MISCELLANEOUS

Ulster Bank Gives Card Readers to Online Customers (November 14, 2007)

Ulster Bank has started providing card readers to its online customers at no charge to enhance the security of their banking transactions. In what amounts to three-factor authentication, thieves would need to have the card reader and the ATM or debit card, and would also have to know its PIN. The system works by having a user put the card through the reader and enter the PIN; a challenge code appears on the computer screen. When this code is typed into the card reader, it generates a response code that is ultimately used to authenticate the online transaction.
-http://www.siliconrepublic.com/news/news.nv?storyid=single9630

LIST OF UPCOMING FREE SANS WEBCASTS

SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Jerry Shenk
-http://www.sans.org/info/19131
Sponsored By: NIKSUN

How deep can traffic inspection reach without hindering data flow and how much data should it store for post-mortem analysis? Join this Webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDectector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.

Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007
FEATURED SPEAKER: Johannes Ullrich
-https://www.sans.org/webcasts/show.php?webcastid=90831

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

WhatWorks Webcast: Pinpointing and Proving Web Application Vulnerabilities
WHEN: Tuesday, December 18, 2007 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKER: Eric Cole
-http://www.sans.org/info/19176
Sponsored By: Core Security

Please join Dr. Eric Cole, SANS fellow and senior scientist with Lockheed Martin Information Technology, for a free webcast: "Pinpointing and Proving Web Application Vulnerabilities"

Dr. Cole will present new penetration testing technology that lets you to see your web applications from an attacker's perspective.

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/