SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #95

December 04, 2007

The first story in this issue provides very strong evidence that many more organizations are direct targets of nation-state cyber attacks aimed at economic espionage: law firms, smaller businesses and more as well as the big banks and industrial companies. The TimesOnline story provides excellent coverage of the letter sent to 300 CEOs by the head of MI5 (the spymaster known as "M" to James Bond fans.)

And a similar wake-up call in the US: All across Washington DC, senior government and contractor officials are reacting with shock to the revelation that their systems have been deeply penetrated and taken over by unauthorized users who are stealing enormous amounts of sensitive data. Most of the penetrations were done through spear phishing emails with infected attachments or with urls that took victims to web sites where their systems were infected.

Now a new attack vector is being used increasingly against federal sites: direct attacks against federal web sites and commercial web sites. Apparently most developers that create web sites and other applications have had no intense training in secure coding, and they do not know what they don't know. If you would like to know whether your developers have good secure coding skill (in C or Java) there's a free assessment they can use next week in Washington, DC . (It will cost $250 after January 1). If you have developers who would like to know where their security knowledge gaps are, write me at apaller@sans.org.

Alan

---

TOP OF THE NEWS

MI5 Warns UK Businesses of China-Sponsored Cyber Attacks
TJX Agrees to Pay Banks for Losses
Spammer Will Pay Fine in FTC Case

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Two Arrested in Identity Fraud Scheme
110-Year Sentence for Online Extortion and Harassment
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
HMRC Establishes New Data Security Policies
US Special Counsel Refuses to Surrender Files
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Attackers Exploiting Unpatched QuickTime Flaw
FreeBSD Issues Security Updates
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Mass. Prescription Program Members Notified of Data Breach
STATISTICS, STUDIES & SURVEYS
McAfee's Virtual Criminology Report
MISCELLANEOUS
Google Gives Israeli Prosecutors Blogger's IP Address
PlayStation3 Used in Cryptology Cracking Demo
LIST OF UPCOMING FREE SANS WEBCASTS

---

*********** Sponsored By ArcSight, Inc. ***********

Free Whitepaper: Selecting a SIM Solution for Compliance Meeting compliance regulations doesn't mean sacrificing your security budget. Discover the best practices - based on actual customer experiences - that should be an integral part of your evaluation process when assessing a SIM. Brought to you by ArcSight, a leading provider of security and compliance management solutions.
http://www.sans.org/info/20346

*************************************************************************

TRAINING UPDATE
Where can you find Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - Washington DC (12/13-12/18): http://www.sans.org/cdi07
- - New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- - London (11/26 - 12/1): http://www.sans.org/london07/
- - and in 100 other cites and on line any-time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

MI5 Warns UK Businesses of China-Sponsored Cyber Attacks (December 2 & 3, 2007)

Reports in the English media say the UK government has accused China of breaking into computer systems at prominent UK businesses. The reports indicate that MI5 chairman Jonathan Evans sent a confidential letter to 300 chief executives and security chiefs at major UK companies, warning them of the attacks. Rolls Royce and Royal Dutch Shell have reportedly been targeted by the cyber attacks, but so have many smaller organizations and law firms representing companies doing business in China. A Chinese embassy official in London denies the allegations.
-http://business.timesonline.co.uk/tol/business/markets/china/article2988228.ece
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9050499&source=rss_topic17
-http://news.bbc.co.uk/2/hi/business/7123970.stm

TJX Agrees to Pay Banks for Losses (December 1 & 3, 2007)

TJX will set aside nearly US $41 million to reimburse banks for costs incurred as a result of the company's massive data security breach that exposed approximately 100 million credit and debit card accounts. In return, the affected banks will agree not to sue TJX or its business partners. TJX made the deal with Visa; issuing banks must approve the deal before it is finally accepted. It is expected that a similar agreement will be reached between TJX and MasterCard, although a spokesperson for MasterCard had no comment.
-http://www.boston.com/business/globe/articles/2007/12/01/tjx_agrees_to_reimburse
_banks?mode=PF
-http://www.channelregister.co.uk/2007/12/03/tjx_settlement_agreement/print.html
-http://www.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&
;newsId=20071130005355&newsLang=en

Spammer Will Pay Fine in FTC Case (November 29, 2007)

Online advertiser Adteractive has agreed to pay a US $650,000 fine for violating the US CAN-SPAM Act. The US Federal Trade Commission (FTC) alleged that Adteractive sent unsolicited commercial email that promised recipients free items. In fact, people who tried to redeem the offer had to wade through advertisements, apply for car loans or credit cards, subscribe to a variety of services, and buy other items to get the "free" item. The company violated CAN-SPAM by failing to be up front with recipients about the terms of the offer. The terms of the settlement also require Adteractive to be forthcoming with purchase requirements in future messages. At least one FTC commissioner believes the settlement marks a downturn in penalties from previous cases and would not serve as a deterrent to spammers in the future.
-http://www.vnunet.com/vnunet/news/2204589/ftc-nails-free-gift-spammer

---

************************* Sponsored Links: ***************************

1) ALERT: "How a Hacker Launches a LDAP Injection Attack Step-by-Step"- White Paper http://www.sans.org/info/20351

2) Link here to take the SANS Database Security Compliance Survey and register to win a $250 AMEX Gift card. http://www.sans.org/info/20356

3) Complimentary Aberdeen Webinar December, 11th that addresses the challenges of deploying encryption and key management. http://www.sans.org/info/20361

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Two Arrested in Identity Fraud Scheme (December 3, 2007)

Two people, dubbed the "Bonnie and Clyde of ID Fraud," have been arrested in connection with a scheme in which they allegedly financed a lavish lifestyle by obtaining phony credit cards in their neighbors' names. Edward Anderton and Jocelyn Kirsch have been charged with identity theft, conspiracy, unlawful use of a computer, forgery, and other offenses. Police with a search warrant found numerous pieces of evidence in the couple's apartment, including keys to the mailboxes of all residents of their condominium complex and a third of their neighbors' homes and a machine used to create driver's licenses.
-http://www.transworldnews.com/NewsStory.aspx?id=29585&cat=14
-http://hitsusa.com/blog/364/jocelyn-kirsch/

110-Year Sentence for Online Extortion and Harassment (December 1, 2007)

Ivory Dickerson has been sentenced to 110 years in prison for gaining remote access to an unspecified number of Brevard County, North Carolina teen girls' computers and making threats against them and their families if they did not provide him with compromising pictures of themselves. Dickerson was able to make words appear on the girls' computer screens, making them feel that their every move was being watched. During the investigation, and FBI Task Force discovered a cache of child pornography in Dickerson's possession.
-http://www.orlandosentinel.com/technology/orl-porn0107dec01,0,3850696,print.stor
y
[Editor's Note (Northcutt): Thank heavens for the girls who had the gumption to come forward and get law enforcement involved. This type of story needs to be told (in an appropriate manner) in high schools and junior high schools, because at least one of the girls he threatened sent pictures before finally speaking with her parents. The Missing Kids site used to be a source for stories where the perp got caught, but has not been updated in a while. I have that URL below as well as the DHS guy from last year. Don't allow your teen to compute in their bedroom, but rather in a public part of the house (we still do that at my house even though the kids are grown ) and consider monitoring software like Spector Pro. We all want to trust our kids, but the real question is do we trust Ivory Dickerson?
-http://www.missingkids.com/missingkids/servlet/PageServlet?LanguageCountry=e
n_US&PageId=2952
-http://www.mtv.com/news/articles/1527897/20060405/index.jhtml
-http://www.spector.com/child-monitoring-software.html
(Grefer): Most of the tools used for such activities would be flagged by both a personal firewall and anti-spyware, some of them also by anti-virus software. For home users who may be on a budget, there are still some viable applications around that are free of charge for personal use, including ZoneAlarm firewall:
-http://www.zonealarm.com/store/catalog/products/sku_list_za.jsp
Spybot - Search & Destroy:
-http://www.safer-networking.org/en/mirrors/index.html
AVG Anti-Spyware Free Edition:
-http://free.grisoft.com/doc/downloads-products/us/frt/0?prd=asf
Lavasoft Ad-Aware Free:
-http://www.lavasoftusa.com/products/ad_aware_free.php
AVG Anti-Virus Free Edition:
-http://free.grisoft.com/doc/downloads-products/us/frt/0?prd=aff]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

HMRC Establishes New Data Security Policies (November 30, 2007)

HM Revenue & Customs (HMRC) has established new procedures regarding data encryption and transfers following the loss of data storage disks that compromised 25 million personal records. There is now a team at HMRC whose job it is to ensure encryption is effectively and properly used to protect data. In addition, staff members are no longer permitted to use removable storage media. "HMRC is also investigating the electronic transmission of data."
-http://www.computing.co.uk/computing/news/2204790/procedures-hmrc

US Special Counsel Refuses to Surrender Files (November 28 & 30 & December 1, 2007)

Scott Bloch, who runs the Office of Special Counsel, is in the hot seat after evidence has emerged that he hired an outside contractor to wipe the computer hard drive of his office PC. Bloch maintains he made the decision to have the drive erased after the computer became infected with a virus, but the receipt for work done makes no mention of such malware. Bloch also had the company erase the drives of two laptop computers that his deputies had used. A spokesperson said last week that Bloch would not provide federal investigators with copies of the deleted files, which he has saved to other storage devices. The Office of Special Counsel is supposed to protect whistleblowers from retaliation and investigate occurrences of using federal resources to promote political candidates. Bloch was being investigated by the Office of Personnel Management for allegations that he retaliated against whistleblowers in his own office and dismissed cases that had been brought to the Office of Special Counsel. The Office of Special Counsel was investigating whether former White House aide Karl Rove and other White House officials used government agency resources to help other Republicans get re-elected in 2006.
-http://online.wsj.com/public/article/SB119621772122306160-BnQpG8biokxRSJRwL5QXkr
YGhHE_20081127.html
-http://www.washingtonpost.com/wp-dyn/content/article/2007/11/29/AR2007112902401_
pf.html
-http://www.theregister.co.uk/2007/12/01/official_purges_agency_computers/print.h
tml

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Attackers Exploiting Unpatched QuickTime Flaw (December 3, 2007)

Attackers are actively attempting to exploit an unpatched hole in Apple QuickTime. The flaw could allow attackers to execute code on vulnerable computers. The attacks appear to target Windows users, but Mac OS X users could be affected as well; the flaw exists in versions of the software for both operating systems. The vulnerability was disclosed on November 23. Two different attacks, both involving redirection from certain websites, have been detected so far. IT managers could block access to the sites known to be compromised as well as outgoing TCP access to port 554. An even safer alternative would be to uninstall QuickTime until fixes are available.
-http://www.cio.com/article/161450/Attackers_target_unpatched_QuickTime_flaw
-http://www.heise-security.co.uk/news/99918
[Editor's Note (Cole): Patching is important, but attacks in which no patch is available will continue to be the norm. Therefore it is important to run a piece of software only if it is needed to accomplish a specific task. If it is needed, see if there is a more secure alternative (which would work in this case). Make sure you uninstall any unneeded components. Finally make sure you have defense in depth with firewalls and other security devices.]

FreeBSD Issues Security Updates (November 30, 2007)

The FreeBSD Project has issued updates to address security flaws that could allow attackers to overwrite files or gain access to the internal state tracking used in the pseudo-random number generators (PRNGs) that are bundled with FreeBSD. The first flaw is in the GNU tar (gtar) utility and can be exploited by manipulating users into extracting specially crafted archives. The second flaw could "be exploited to allow replaying of data distributed during subsequent reads," allowing attackers "to determine fragments of random values previously read, allowing them to defeat certain security mechanisms." To exploit the second flaw, attackers would need local access to the targeted system.
-http://www.theregister.co.uk/2007/11/30/freebsd_bug/print.html
-http://security.freebsd.org/advisories/FreeBSD-SA-07:10.gtar.asc
-http://security.freebsd.org/advisories/FreeBSD-SA-07:09.random.asc

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Mass. Prescription Program Members Notified of Data Breach (November 30 & December 3, 2007)

Members of Massachusetts's state-run Prescription Advantage Insurance program are being notified that their personal information may have been compromised. The company plans to contact 150,000 individuals. Several members of the program have been victims of attempted identity fraud. A spokesperson for the Executive Office of Health and Human Services did not say what types of data had been compromised or if a suspect arrested in August was a Prescription Advantage employee. Police are investigating the matter.
-http://www.upi.com/NewsTrack/Top_News/2007/12/03/identity_thief_snatches_insuran
ce_data/9430/
-http://www.southcoasttoday.com/apps/pbcs.dll/article?AID=/20071130/NEWS/71130010
/-1/NEWS01
[Editor's Note (Cole): Organizations need to realize that if they have databases of PII (personal identifiable information) or credit card data, they will be targets for cyber criminals. Implementing access control and isolating those system on separate virtual LANs are critical preventive steps. However you should also run detective measures to make sure your information is not leaving the organization in an unauthorized manner.]

STATISTICS, STUDIES & SURVEYS

McAfee's Virtual Criminology Report (November 29 & 30, 2007)

According to McAfee's annual Virtual Criminology Report, the world faces a cyber cold war over the next decade; 120 countries around the world are conducting cyber espionage operations. The operations target the military, political, economic, and technical arenas. The report also says that China is leading the way in cyber espionage. The Chinese government denies the allegations that it is at the forefront of the impending cyber cold war. The report was compiled with input from the UK's Serious Organised Crime Agency (SOCA), NATO, and the FBI.
-http://www.scmagazine.com/uk/news/article/769321/mcafee-report-issues-stark-cybe
rwarfare-warning/
-http://business.timesonline.co.uk/tol/business/industry_sectors/technology/artic
le2962570.ece
-http://www.zdnet.co.uk/misc/print/0,1000000169,39291156-39001093c,00.htm
-http://www.smh.com.au/news/Technology/Chine-disputes-McAfee-report-labeling-it-a
-key-cyber-warfareinstigator/2007/11/30/1196037112426.html

MISCELLANEOUS

Google Gives Israeli Prosecutors Blogger's IP Address (November 28, 2007)

Google revealed the IP address of an individual using its blogger software after an Israeli judge ruled that the blogger's allegations about some Israeli politicians constituted criminal defamation. Google had refused the initial request. After the ruling, Google reached an agreement that allowed them to email the blogger to let the author know about the trial and telling that person to appear. When the request went unheeded, Google surrendered the IP address, which prosecutors then submitted to the ISP to uncover the blogger's identity.
-http://www.vnunet.com/vnunet/news/2204540/google-hands-israeli-ip

PlayStation3 Use d in Cryptology Cracking Demo (November 28, 2007)

At a conference in New Zealand, a security specialist demonstrated a password cracking technique that takes advantage of PlayStation3's multi-core processor. The specialist demonstrating the technique claims to have cracked a strong 8-character password in just hours instead of the usual days.
-http://news.bbc.co.uk/2/hi/technology/7118997.stm
-http://www.pcworld.com/printable/article/id,140064/printable.html
-http://www.heise-security.co.uk/news/99674
[Editor's Note (Northcutt) Nifty, but not that new, I have a link below showing using the Cell to accelerate SSL. This is just the beginning of PlayStation crypto I expect:
-http://eprint.iacr.org/2007/061.pdf]

LIST OF UPCOMING FREE SANS WEBCASTS

SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN
NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Jerry Shenk
-http://www.sans.org/info/20052
Sponsored By: NIKSUN

How deep can traffic inspection reach without hindering data flow and how much data should it store for post-mortem analysis? Join this Webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDectector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.

SANS Special Webcast: Pinpointing and Proving Web Application Vulnerabilities with Eric Cole
WHEN: Monday, December 10, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dr. Eric Cole
-http://www.sans.org/info/20057
Sponsored By Core Security

The September "Internet Security Threat Report" from Symantec reported that 61% of all vulnerabilities disclosed in the first half of 2007 were web application vulnerabilities. It's no wonder, since web apps are often highly customized and can be rife with potential security holes. Fortunately, recent advances in penetration testing products can help you to pinpoint and prove web application security weaknesses - even in customized apps.

Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich
-http://www.sans.org/info/20062

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

Internet Storm Center: Threat Update
WHEN: Wednesday, January 9, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich
-http://www.sans.org/info/20067
Sponsored By: Core Security

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

SANS Special Webcast: Things That Go Bump in the Network: Embedded Device Security
WHEN: Thursday, January 24, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Paul Asadoorian
-http://www.sans.org/info/20087
Sponsored By: Core Security

Embedded devices come into your network and appear in many different forms, including printers, iPhones, wireless routers and network-based cameras. What you might not realize is that these devices offer unique opportunities for attackers to do damage and gain access to your network - - and to the information it contains. This webcast will review known embedded device vulnerabilities and cover how these vulnerabilities can be used to gain control of devices, networks, and data - and, more importantly, what can be done about it.

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/