SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume IX - Issue #92
November 21, 2007
TOP OF THE NEWS
Senate Approves Identity Theft and Restitution Act
Canada May Consider Amending Outdated Copyright Law
Storm Spreads Through GeoCities
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
911 "Swatter" Pleads Guilty
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
HM Revenue and Customs Chair Resigns After Latest Data Loss
NIST Releases Draft Update of Guidelines for Industrial Control Systems
Report Warns of Chinese Espionage and Cyber Attack Capabilities
Former VA Auditor Charged in ID Theft Scheme
Stolen Computer Holds VA Hospital Patient Data
Computers Stolen from Japanese Embassy in Belgium
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Monster.com Victim of IFRAME Attack
STATISTICS, STUDIES & SURVEYS
Database Exposure Survey 2007 Finds Unprotected Databases on the Rise
MISCELLANEOUS
Brain Drain In Technology
UK Law Enforcement Seeks Encryption Passwords Under RIPA
LIST OF UPCOMING FREE SANS WEBCASTS
********************* Sponsored By ArcSight, Inc. ***********************
Free Whitepaper: Solving the NOC/SOC Collaboration Puzzle
Until now, when Network Operations Centers and Security Operations Centers wanted to cooperate, the lack of shared, automated toolsets made the process cumbersome and expensive. Now you can learn how to integrate and manage network operations, security and compliance with this free whitepaper.
Brought to you by ArcSight, the ESM leader that turns data into action. http://www.sans.org/info/19571
*************************************************************************
TRAINING UPDATE
Where can you find Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - Washington DC (12/13-12/18): http://www.sans.org/cdi07
- - New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- - London (11/26 - 12/1): http://www.sans.org/london07/
- - and in 100 other cities and online any time: www.sans.org
*************************************************************************
TOP OF THE NEWS
Senate Approves Identity Theft and Restitution Act (November 16, 2007)
The US Senate has passed the Identity Theft and Restitution Act, which would "expand the definition of cyber extortion" and allow people whose personal information has been stolen to seek restitution for time they spend fixing problems caused by the data theft. Cyber attackers who use spyware or keystroke loggers would face felony charges under the bill if they targeted 10 or more computers. In addition, the US $5,000 threshold necessary for felony prosecution would be removed.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9047578&source=rss_topic17
[Editor's Note (Schultz): This is an encouraging development because it addresses loopholes in previous US identity theft legislation as well as introduces new provisions concerning the use of spyware and keystroke loggers. At the same time, the provision concerning keystroke loggers is strange in that it says that for the use of keystroke loggers to be a felony, there must be damage to 10 or more computers. The threshold of 10 computers seems unreasonably high to me. ]
Canada May Consider Amending Outdated Copyright Law (November 17, 2007)
Canadian lawmakers may soon be considering legislation that would update Canada's Copyright Act. The law, which was enacted in 1921, does not adequately address issues raised by the advent of digital media and filesharing. Some Canadian musical artists have expressed concern that the Canadian Recording Industry Association (CRIA) may take it as a signal to go ahead with the type of copyright violation lawsuits filed by the Recording Industry Association of America (RIAA). CRIA president Graham Henderson denies his organization has any plans to file lawsuits.
-http://today.reuters.co.uk/news/articlenews.aspx?type=internetNews&storyID=2007-11-17T035630Z_01_N16414216_RTRIDST_0_OUKIN-UK-CANADA.XML&archived=False
Storm Spreads Through GeoCities (November 16, 2007)
Storm-controlled bots are now sending spam with links to GeoCities sites. Those sites have been seeded with malicious code to redirect browsers to other URLs that attempt to manipulate users into downloading a codec advertised as being necessary for viewing GeoCities site images; it is actually malware designed to steal sensitive data. This attack is also believed to have connections to RBN (see previous story).
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9047483&source=rss_topic17
[Editor's Note (Skoudis): Storm is one of the biggest malware stories of 2007. Back in January, it didn't seem like a big deal -- yet another mass mailing worm with a subject line ripped from the day's headlines about a big storm in Europe. But, my how it's advanced since then. Storm is now a platform on which bad guys develop new techniques for exploiting systems and refine their business models. ]
************************* Sponsored Links: ***************************
1) ALERT: "How a Hacker Launches an XPath Injection Attack!"- SPI Dynamics White Paper http://www.sans.org/info/19576
2) Link here to complete the SANS Database Security Compliance Survey and register to win a $250 AMEX Gift card. http://www.sans.org/info/19581
3) Security professionals focus on fighting the most common data threats - - Encryption Summit, December 3-4. http://www.sans.org/info/19586
*************************************************************************
THE REST OF THE WEEK'S NEWS
LEGAL MATTERS
911 "Swatter" Pleads Guilty (November 15, 19 & 20, 2007)
An Ohio man faces up to five years in prison and a US $250,000 fine after pleading guilty to a federal conspiracy charge for abusing the 911 emergency system to get SWAT teams sent out on false calls. Stuart Rosoff is believed to be the leader of the gang of people conducting these attacks; two others have already entered guilty pleas and two more face trial. The group allegedly conducted approximately 60 attacks. This type of attack appears to be growing, as a teenager last week pleaded guilty to charges that he placed a phony 911 call resulting in a SWAT team being sent to an Orange County, California home. The incident cost local law enforcement an estimated US $20,000. The teenager is not believed to be part of Rosoff's gang's activity.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9048039&source=rss_topic17
-http://blog.wired.com/27bstroke6/2007/11/guilty-plea-pho.html
-http://www.theregister.co.uk/2007/11/19/911_phone_phreakers/print.html
[Editor's Note (Pescatore): At the heart of this attack is caller ID spoofing, which should be illegal but isn't. The "Truth in Caller ID Act" (S.704) was introduced in early 2007 and tweaked in June 2007 but has yet to be passed - the direct marketers have lobbied against the scope of prohibiting all such spoofing, given that marketers often outsource outcalling. It is important to get a legal beachhead on Caller ID (which has been available for almost 20 years now and in widespread use for more than 10 years) so that we can then move forward on IP address and email address spoofing.]
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
HM Revenue and Customs Chair Resigns After Latest Data Loss (November 20, 2007)
The chairman of Britain's HM Revenue and Customs (HMRC), Paul Gray, has resigned following the loss of data storage disks containing information about 7.5 million families (25 million people) that claim child benefits. The data include names, bank information and National Insurance numbers. Paul Gray said he was "standing down ... as a result of a substantial operational failure in the department." In the last several months, HMRC acknowledged two other data security breaches - a stolen laptop computer and a missing disk. In this most recent incident, the disks disappeared while in transit via courier.
-http://www.guardian.co.uk/uklatest/story/0,,-7091592,00.html
-http://www.itpro.co.uk/internet/news/140448/revenue-head-quits-after-massive-data-breach.html
-http://www.thisislondon.co.uk/news/article-23422087-details/Tax+chief+quits+after+details+of+15+million+child+benefits+claimants+go+missing+in+security+breach/article.do
-http://news.bbc.co.uk/2/hi/uk_news/politics/7103566.stm
[Editor's Note (Honan): I particularly liked the quote in the Guardian's story: that the official who mislaid the discs "'hoped that it would turn up' and so stayed quiet". Ah yes, I must remember to put that in my incident response plans, hope the problem goes away!! The personal data on 25 million individuals and 7.25 families is missing. This effectively includes every family in the UK with a child under 16. The fact that technical controls were not in place to prevent this amount of sensitive data being downloaded by junior officials and then sent by courier is frightening. It also demonstrates a cavalier attitude to information security by staff who appear to have little or no training with regards to information security or on their obligations on handling sensitive data in accordance with the UK's Data Protection Act. Policies are not effective if proper controls and training are not given to ensure compliance with same. ]
NIST Releases Draft Update of Guidelines for Industrial Control Systems (November 19, 2007)
The National Institute of Standards and Technology (NIST) has released an out-of-cycle draft update to Special Publication 800-53, "Recommended Security Controls for Federal Information Systems." The only change from the last draft is the replacement of Appendix I, which provides guidelines for government IT systems used in industrial control processes. Comments on the review of the draft appendix will be accepted through December 14, 2007.
-http://www.gcn.com/online/vol1_no1/45455-1.html?topic=security&CMP=OTC-RSS
-http://csrc.nist.gov/publications/drafts/sp800-53-rev2/Draft_800-53-rev2-AppendixI_fpd-clean.pdf
Report Warns of Chinese Espionage and Cyber Attack Capabilities (November 16, 2007)
The US-China Economic and Security Review Commission's annual report to Congress says "Chinese espionage activities in the US are so extensive that they comprise the single greatest risk to the security of American technologies." The report recommends investigating whether China's own military technology is benefiting from US research conducted in China. The report also says that the Chinese military is developing the capability for launching cyber attacks that could have the "magnitude of a weapon of mass destruction."
-http://www.zdnet.co.uk/misc/print/0,1000000169,39290843-39001093c,00.htm
-http://www.theregister.co.uk/2007/11/16/china_cyber_wmd_space_plague_horror/print.html
-http://www.uscc.gov/annual_report/2007/annual_report_full_07.pdf
[Editor's Note (Northcutt): The report is important although it is a bit vague. According to the report, China's emphasis is on acquiring sophisticated ballistic and cruise missiles, submarines, mines, and information and electronic warfare capabilities. (Skoudis): Our threatscape is shifting. If your enterprise is part of the critical infrastructure of our world (and we're not just talking about electricity providers, phone companies, and ISPs here... this list also includes banks, transportation companies, manufacturers, government institutions, and so on) you really must add to your security planning the issue of state-sponsored cyber attack. Make sure you have good contacts with law enforcement, and consider participating in an Information Sharing and Analysis Center (ISAC) associated with your industry. There are ISACs now for communications, electricity, emergency management & response, financial services, highway, IT, state governments, public transit, surface transportation, supply chain, and water. Join one. ]
Former VA Auditor Charged in ID Theft Scheme (November 16, 2007)
A man who was formerly employed as an auditor for the US Department of Veteran Affairs was arrested in connection with the theft of 1.8 million Social Security numbers from the VA; Tae Kim also allegedly used phony credit cards to purchase more than US $5,000 worth of jewelry at a California store. The VA maintains that the number of records at risk of misuse is closer to 185,000 because many of the records found on Kim's computer contained duplicate information. Kim did not have the authority to access the information allegedly found on his home computer.
-http://www.ocregister.com/news/kim-numbers-affairs-1924451-security-social
[Editor's Note (Pescatore): That last sentence points out how many things have to be done right to prevent this kind of insider abuse but it also points out that just watching patterns of sensitive information retrieval will quickly indicate that something has gone wrong - if anyone is actually watching.
(Northcutt): Apparently he had auditor level access while he was a college student at USC. And whether a million credit card numbers or 185,000, these are truly at risk: Tae Kim is allegedly a member of the Koreatown gang, and they do all the bad things you expect from an LA area gang. In fact, Hong, Kim's accomplice in purchasing the jewelry, is in jail for a suspected gangland style murder. ]
Stolen Computer Holds VA Hospital Patient Data (November 16, 2007)
Approximately 12,000 veterans treated at a VA hospital in Indianapolis are at risk of identity fraud following the theft of computer equipment from the facility. The names, birth dates and Social Security numbers (SSNs) of the affected individuals were inadvertently stored on the computer. VA data security policy requires that sensitive information be stored on servers, not on PCs. The VA inspector general and federal, state and local law enforcement agencies are investigating the incident.
-http://www.armytimes.com/news/2007/11/military_datatheft_varesponds_071115w/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=13&articleId=9047482
Computers Stolen from Japanese Embassy in Belgium (November 15, 2007)
Personally identifiable information of more than 12,500 Japanese citizens living in Belgium could be at risk following the theft of 11 laptop computers. The machines were stolen from the Japanese Embassy in Brussels, and contain names, birthdates, passport numbers, and family information. The theft is believed to have occurred on November 3.
-http://www.yomiuri.co.jp/dy/world/20071115TDY02303.htm
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Monster.com Victim of IFRAME Attack (November 20, 2007)
On Monday, November 19, an IFRAME attack forced Monster.com to take down the section of its site that allows job hunters to search by company. The IFRAME attack surreptitiously redirects users' browsers to a different site that hosts Neosploit, a malicious toolkit much like Mpack. The exploit site's IP address and the ISP to which the exploit site's domain is registered have both been linked to the Russian Business Network (RBN), the nomadic malware-hosting network. Monster.com experienced another security issue earlier this year when it revealed that attackers had managed to gain access to its database and used the information to send phishing emails.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9048019&source=rss_topic17
[Editor's Note (Pescatore): If you are storing sensitive personal information with a web interface, you are going to be attacked. Having a secure web site should be job one. Businesses who pay for recruiting services should make security a top criterion for using online services, that's what drives security improvements. ]
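The attack described above works by planting an IFRAME the visitor never sees, which silently pulls content from the exploit host. As an added illustration that is not part of the newsletter or of any Monster.com incident report, the following Python check is the kind of audit a site operator can run over its own served pages to catch such an injection: it flags frames sized 0 or 1 pixel, frames hidden via CSS, and frames whose source is not a first-party host. The page markup, the host names (example-jobs.test, exploit-host.invalid) and the first-party allowlist are constructed placeholders; only the standard library is used.

```python
"""Audit served HTML for hidden or third-party IFRAMEs (defensive check, added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeAuditor(HTMLParser):
    """Collect every <iframe> start tag and record why it looks suspicious, if it does."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        # A 0x0 or 1x1 frame is invisible to the user but still loads the remote page.
        for dim in ("width", "height"):
            if a.get(dim, "").strip().rstrip("px") in ("0", "1"):
                reasons.append(f"{dim}={a[dim]!r}")
        # CSS hiding achieves the same invisibility without touching the dimensions.
        style = a.get("style", "").lower().replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        # Any frame pulling from a host we do not own deserves a look, hidden or not.
        src = a.get("src", "")
        host = urlparse(src).hostname
        if host and host.lower() not in self.own_hosts:
            reasons.append(f"third-party src {host}")
        if reasons:
            self.findings.append((src, reasons))


def audit_html(html, own_hosts):
    """Return [(src, reasons), ...] for every suspicious <iframe> in the page."""
    parser = IframeAuditor(own_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate first-party frame, one injected hidden frame.
SAMPLE_PAGE = """<html><body>
<h1>Search by company</h1>
<iframe src="https://www.example-jobs.test/widgets/map" width="600" height="400"></iframe>
<!-- constructed injection resembling a hidden redirect frame -->
<iframe src="http://exploit-host.invalid/in.cgi?3" width="0" height="0" style="display: none"></iframe>
</body></html>"""

FIRST_PARTY_HOSTS = ["www.example-jobs.test"]  # assumption: the site's own host names

if __name__ == "__main__":
    for src, reasons in audit_html(SAMPLE_PAGE, FIRST_PARTY_HOSTS):
        print(f"SUSPICIOUS IFRAME {src}: {', '.join(reasons)}")
```

Run it against the HTML actually returned to browsers (not the templates), since injections of this kind typically land in the rendered output; a frame that trips more than one reason is a strong signal.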
STATISTICS, STUDIES & SURVEYS
Database Exposure Survey 2007 Finds Unprotected Databases on the Rise (November 14, 2007)
According to David Litchfield's Database Exposure Survey 2007, thousands of Microsoft SQL Server and Oracle database servers are not adequately protected from attacks. Approximately 368,000 Microsoft SQL Servers and 124,000 Oracle database servers were connected to the Internet without any sort of firewall. Two-thirds of the Oracle database servers were running versions with known critical vulnerabilities; 82 percent of SQL Servers were running SQL Server 2000 with less than half running Service Pack 4. The estimated number of insecure SQL Server databases has increased approximately 75 percent since the 2005 survey. Thirteen percent of the Oracle servers were running versions of products for which the company no longer issues patches. The number of unprotected Oracle databases has fallen about 12 percent since the 2005 study.
-http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1281896,00.html
-http://www.eweek.com/article2/0,1895,2217123,00.asp
[Editor's Note (Skoudis): These stats are really quite sad. In the last year, we've focused a lot on client-side exploitation (rightfully so). But let's not forget that our server side is still a problem, especially databases and web apps.
(Northcutt): To paraphrase Mr. Litchfield from an email message on this subject, the survey size may not be large enough to be statistically significant *grin*. Seriously, these are really scary numbers and this just should not be happening. Repeat after me folks, I will never place a database so that it is directly reachable by the Internet. ]
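The survey's headline finding is database listeners reachable from the Internet with nothing in front of them. As an added example that comes from neither the survey nor the newsletter, this Python audit walks a simplified, constructed firewall rule list and flags every allow rule that lets a non-internal source reach the vendors' default database ports (SQL Server TCP 1433 and its UDP 1434 browser service, Oracle TNS listener TCP 1521). The rule dictionary format and the sample rules are assumptions made for the example; rules are judged one at a time, whereas real firewalls evaluate them in order, so treat a hit as a lead to verify rather than a verdict.

```python
"""Flag firewall allow rules that expose database ports to the Internet (added example)."""
import ipaddress

# Vendor default listener ports; a non-default port would need to be added here.
DB_PORTS = {
    ("tcp", 1433): "Microsoft SQL Server",
    ("udp", 1434): "SQL Server Browser service",
    ("tcp", 1521): "Oracle TNS listener",
}

# RFC 1918 space plus loopback; anything not wholly inside these counts as Internet-facing.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def source_is_internal(cidr):
    """True if the whole source range lies inside one internal network (IPv4 only)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def port_range(spec):
    """Accept a single port or a (low, high) tuple and return (low, high)."""
    return spec if isinstance(spec, tuple) else (spec, spec)


def rule_exposes(rule):
    """Return the database service this rule exposes to the Internet, or None."""
    if rule["action"] != "allow" or source_is_internal(rule["src"]):
        return None
    low, high = port_range(rule["ports"])
    for (proto, port), service in DB_PORTS.items():
        if rule["proto"] in (proto, "any") and low <= port <= high:
            return service
    return None


def audit_rules(rules):
    """Return [(rule, service), ...] for every rule that exposes a database port."""
    findings = []
    for rule in rules:
        service = rule_exposes(rule)
        if service:
            findings.append((rule, service))
    return findings


# Constructed sample rule set; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_RULES = [
    {"action": "allow", "proto": "tcp", "ports": 1433, "src": "0.0.0.0/0"},        # exposed
    {"action": "allow", "proto": "tcp", "ports": 1521, "src": "10.0.0.0/8"},       # internal only
    {"action": "allow", "proto": "udp", "ports": 1434, "src": "0.0.0.0/0"},        # exposed
    {"action": "allow", "proto": "tcp", "ports": (1, 65535), "src": "203.0.113.0/24"},  # blanket allow
    {"action": "deny", "proto": "tcp", "ports": 1521, "src": "0.0.0.0/0"},         # a deny, fine
    {"action": "allow", "proto": "tcp", "ports": 1521, "src": "198.51.100.7/32"},  # single external host
]

if __name__ == "__main__":
    for rule, service in audit_rules(SAMPLE_RULES):
        print(f"EXPOSED {service}: {rule}")
```

Pair the rule audit with a check from outside the perimeter, because a rule list only tells you what the firewall intends; the survey's figures are what was actually reachable.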
MISCELLANEOUS
Brain Drain In Technology
Both government and private industry face a brain drain. The US Government is looking at 4 retirements out of every 10 workers over the next 5 years. Private industry is in better shape: 2 out of 10 workers are expected to retire over the next 10 years. Neither government nor industry seems to be treating this issue as urgent. All of this is poised to happen at a time when, even though organizations have knowledge management software, documentation is at an all-time low.
-http://www.informationweek.com/news/showArticle.jhtml?articleID=202805954
-http://www.informationweek.com/showArticle.jhtml?articleID=202101526
[Editor's Comment (Northcutt): Actually with the declining dollar, we should keep our ears to the ground for something called a "reverse brain drain", bright educated people that came to the US for opportunity may start to return home:
-http://www.usatoday.com/news/opinion/editorials/2004-02-23-economy-edit_x.htm ]
UK Law Enforcement Seeks Encryption Passwords Under RIPA (November 20, 2007)
Animal rights activists in the UK are believed to be the first group of people asked to surrender passwords for encrypted files under a recently activated section of the Regulation of Investigatory Powers Act (RIPA). The computers were seized in May during raids on people's homes. As of October 1, 2007, police have the authority to demand that people provide the keys so they will have access to encrypted files. People refusing to comply with a request could face up to two years in jail.
-http://news.bbc.co.uk/2/hi/technology/7102180.stm
LIST OF UPCOMING FREE SANS WEBCASTS
SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Jerry Shenk
-http://www.sans.org/info/19131
Sponsored By: NIKSUN
How deep can traffic inspection reach without hindering data flow, and how much data should it store for post-mortem analysis? Join this Webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDetector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.
Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007
FEATURED SPEAKER: Johannes Ullrich
-https://www.sans.org/webcasts/show.php?webcastid=90831
This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.
WhatWorks Webcast: Pinpointing and Proving Web Application Vulnerabilities
WHEN: Tuesday, December 18, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Eric Cole
-http://www.sans.org/info/19176
Sponsored By: Core Security
Please join Dr. Eric Cole, SANS fellow and senior scientist with Lockheed Martin Information Technology, for a free webcast: "Pinpointing and Proving Web Application Vulnerabilities"
Dr. Cole will present new penetration testing technology that lets you see your web applications from an attacker's perspective.
=========================================================================
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/