SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume VIII - Issue #101

December 22, 2006

TOP OF THE NEWS

Sony Settles DRM Lawsuit with California
UK National ID Card Info to be in Three Separate Databases
People Will be Permitted to Opt Out of Electronic Medical Records Sharing
Nearly One-Third of Top UK Companies Do Not Comply with EU Privacy Directive

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Six Arrested in Spain for Phishing Scheme
Music Labels Sue Allofmp3.com
Man Indicted for Planting Logic Bomb on Former Employer's System
Singapore Teen Pleads Guilty to Wireless Piggybacking
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Mozilla Issues Security Updates for Firefox, Thunderbird, and SeaMonkey
Mac OS X Update Fixes QuickTime Flaw
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Russian Bank Customer Data Stolen
MISCELLANEOUS
UK Apacs Declines to Name Banks with Poor Online Security
Discarded Computers' Hard Drives Still Serve Up Data
Opera Adds Anti-Phishing Feature to Browser
Book Review by Stephen Northcutt: The Art of Software Security Assessment

---

*************************************************************************

TRAINING UPDATE: Great security courses in Orlando and San Diego - Orlando: 15 immersion courses, January 13-19
http://www.sans.org/bootcamp07/
San Diego: 30 immersion courses, March 29-April 6
http://www.sans.org/sans2007/

*************************************************************************

---

TOP OF THE NEWS

Sony Settles DRM Lawsuit with California (20 December 2006)

Sony BMG has settled a lawsuit brought by the State of California regarding rootkit software on CDs. Sony had bundled digital rights management (DRM) technology with certain CDs to prevent copyright infringement; the software installed automatically on users computers when they inserted the disks. The software was hidden to prevent users from uninstalling it, but it also made users' machines vulnerable to exploits. Sony will pay a fine of US$750,000 and will reimburse each affected customer up to US$175. According to the terms of the settlement, Sony may not bundle DRM technology on its CDs without disclosing its existence. Sony settled a class action lawsuit regarding the same issue in January of this year.
-http://www.vnunet.com/vnunet/analysis/2171300/sony-settles-lawsuit-rootkit
-http://news.zdnet.co.uk/security/0,1000000189,39285213,00.htm

UK National ID Card Info to be in Three Separate Databases (20 & 19 December 2006)

The UK government has backed away from a plan to create a single database to hold all national ID card data; the information will instead be divided among three systems. Home Secretary John Reid said spreading the information out over three databases is "lower risk." The government has also decided to use only fingerprint and facial biometric identifiers, dropping a plan that included iris scans.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61976558-39000005c
-http://news.bbc.co.uk/1/hi/uk_politics/6192419.stm

People Will be Permitted to Opt Out of Electronic Medical Records Sharing (19 & 18 December 2006)

England's National Health Service (NHS) has said it will allow citizens to opt out of having their medical records shared across the country. Although the process has not yet been decided, it is likely that individuals will be able to access their medical records online to fix errors and to decide whether or not they want their information to be shared. Proponents of the plan say having access to medical records across the country could save lives. Opponents say that once the records have been uploaded to the national system, it will be difficult to make changes or to get them removed, and that individuals will not have control over who is permitted to see the data.
-http://www.theregister.co.uk/2006/12/19/doh_sticks_to_opt_out/print.html
-http://news.bbc.co.uk/2/hi/health/6189745.stm
-http://www.silicon.com/publicsector/0,3800010409,39164718,00.htm?r=1
[Editor's Note (Schultz): Allowing citizens to opt in or opt out is a brilliant decision. People will be allowed to make a decision concerning whether to have their medical records shared based on the risks associated with having their medical information compromised versus the risks related to not having their medical data available during a health-related emergency. ]

Nearly One-Third of Top UK Companies Do Not Comply with EU Privacy Directive (20 December 2006)

According to a survey of 200 top companies in the UK, 31 percent are not in compliance with the EU's Directive on Privacy and Electronic Communications. The directive, which became law in December 2003, requires that companies send unsolicited email to non-customers only if they have opted-in to receiving the email. Businesses that provide only an opt-out choice or that pre-select the opt-in choice are not considered to be in compliance. The survey looked at organizations from a variety of business sectors, including banking, credit card, publishing and travel. A similar study in 2005 found a noncompliance rate of 34 percent.
-http://www.crm2day.com/news/crm/120916.php

---

***************************** Sponsored Links: ************************

1) Rule #1- NOT Patching is NOT an option. To learn more, view this SANS Webcast:
http://www.sans.org/info/2526

2) Do you need more than one Password Policy in your Active Directory?
http://www.sans.org/info/2531

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Six Arrested in Spain for Phishing Scheme (21 December 2006)

Police in Spain have arrested six people who allegedly stole financial data from more than 20,000 individuals. The six allegedly created phishing web pages that collected credit card and bank account information they later used to make fraudulent transactions. Authorities seized more than 500 phony credit cards.
-http://www.iht.com/articles/ap/2006/12/21/europe/EU_GEN_Spain_Hackers_Arrested.p
hp
-http://www.eitb24.com/portal/eitb24/noticia/en/life/fraud-in-navarre-six-people-
arrested-for-hacking-over-20-000-comp?itemId=B24_26548&cl=%2Feitb24%2Fsocied
ad&idioma=en

Music Labels Sue Allofmp3.com (21 December 2006)

Several record labels, including Arista, Warner Bros. and Capitol, have filed a lawsuit against Russian music web site Allofmp3.com, which sells entire albums for approximately US$1. The record labels allege Allofmp3.com is profiting from selling copyrighted content without permission; the site maintains it is compliant with Russian copyright law because it pays royalties to an entity called Roms, a Russian licensing group. The music industry groups claim Roms does not have the authority to collect and distribute royalties. The British Phonographic Industry has also filed a lawsuit against Allofmp3.com.
-http://news.com.com/2061-11199_3-6145389.html?part=rss&tag=2547-1_3-0-20&
;subj=news
-http://news.bbc.co.uk/2/hi/technology/6199237.stm
-http://www.theage.com.au/news/Technology/Record-labels-sue-operator-of-Russian-m
usic-Web-site-AllofMP3com/2006/12/15/1165685862359.html

Man Indicted for Planting Logic Bomb on Former Employer's System (20 December 2006)

A federal grand jury has indicted Yung-Hsun Lin, also known as Andy Lin, on charges relating to a logic bomb that was detected on his former employer's computer system. Lin allegedly planted the malicious code on the system because he feared he was going to be laid off from his position at Medco Health Solutions after it spun-off from Merck. The logic bomb was detected before it was activated; if it had deployed as intended, it could have damaged more than 70 servers and destroyed customer prescription data and payroll information. Lin was indicted on two charges of intending to cause fraudulent, unauthorized changes to computer systems. If convicted, Lin could face up to 10 years in prison for each count as well as a fine up to US$250,000.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9006361&source=rss_topic17
-http://www.theregister.co.uk/2006/12/20/bofh_logic_bomb_charges/print.html
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61976560-39000005c
-http://www.usdoj.gov/usao/nj/press/files/pdffiles/linIndictment1219.pdf

Singapore Teen Pleads Guilty to Wireless Piggybacking (20 December 2006)

Singapore teenager Garyl Tan Jia Luo pleaded guilty to piggybacking on a neighbor's wireless network. Although the offense carries a maximum jail term of three years and a fine of as much as 10,000 Singapore dollars (US$6,493), the judge seemed inclined toward a more lenient sentence, asking the youth if he would be willing to enlist in mandatory national service earlier than the norm.
-http://www.smh.com.au/news/Technology/Singapore-teen-pleads-guilty-to-tapping-in
to-neighbors-wirelessInternet-network/2006/12/20/1166290612404.html
[Editor's Note (Schultz): As I said previously, a jail sentence of three years for wireless piggybacking seems excessive. I'm glad that Luo ended up with a much more reasonable sentence for his wrongdoing. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Mozilla Issues Security Updates for Firefox, Thunderbird, and SeaMonkey (21 December 2006)

Mozilla has released updates to address security flaws in Firefox 1.x, Firefox 2.0.x, Thunderbird and SeaMonkey. Users are encouraged to upgrade to Firefox 1.5.0.9 and 2.0.0.1, Thunderbird 1.5.0.9 and SeaMonkey 1.0.7. The updates address a total of nine vulnerabilities that could be exploited to steal data, launch cross-site-scripting attacks and take control of vulnerable systems.
-http://www.theregister.co.uk/2006/12/21/firefox_upgrade/print.html

-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=61976979-39000005c
-http://www.us-cert.gov/cas/techalerts/TA06-354A.html

Mac OS X Update Fixes QuickTime Flaw (21 December 2006)

Apple has released a patch for Mac OS X to address a vulnerability in QuickTime. The flaw could let attackers grab images from users' screens and upload them to a remote site. The flaw lies in QuickTime for Java and is not related to the QuickTime flaw that recently affected MySpace. Mac OS versions prior to 10.4 and Windows are not susceptible to the vulnerability.
-http://www.vnunet.com/vnunet/news/2171378/mac-users-delivered-quicktime

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Russian Bank Customer Data Stolen (19 December 2006)

Customer data stolen from a number of Russian banks is being sold on the Internet for between 2,000 and 4,000 Rubles (US$76 - $152). Oddly enough, the names in this particular database are those of people who have defaulted on loans. Presumably whoever buys the data will use it to pretend they are collecting debts.
-http://www.zone-h.org/content/view/14448/31/

MISCELLANEOUS

UK Apacs Declines to Name Banks with Poor Online Security (21 December 2006)

The UK's payments association Apacs says it will not release information about banks' relative online security as members of the House of Lords Science and Technology Committee have requested. The committee is looking into Internet security and was told last week that phishing incidents had risen 8,000 percent over the last two years.
-http://www.vnunet.com/computing/news/2171369/banks-reject-lords-call

[Editor's Note (Grefer): While using the number of successful phishing attacks as a metric would be counterproductive, providing hard numbers regarding successful real attacks/intrusions may provide some valuable insight to and for customers. The same holds true for potentially successful social engineering attempts.
(Weatherford): When any kind of crime rises by 8000% in less than two years and costs an industry over $45M per year, regulation is sure to follow because the consumer ends up paying for it and they vote!" ]

Discarded Computers' Hard Drives Still Serve Up Data (21 December 2006)

Second hand computers being sold in Nigeria have been found to hold personally identifiable information about K-12 students and teachers from schools across the US. Some used computer brokers who advertise themselves as recyclers actually send the computers abroad. People and organizations getting rid of outdated computers are advised to use software specially designed to wipe drives clean or to have the drives physically destroyed.
-http://www.bradenton.com/mld/bradenton/news/world/16289389.htm

[Editor's Note (Weatherford): Nature abhors a vacuum. Even Nigerian swap meet dealers have discovered that the data is more valuable than the hardware. Who would have thought that our old junk would end up in Nigeria where, quote, "The e-waste you are exporting is coming back to you in the form of cyber-crime"? 500 shipping containers loaded with thousands of old monitors and computers each month...it's an unending supply of treasure! The sad fact is that most people don't have the slightest clue that they should do anything more than hit the delete key to remove data.
(Grefer): Various utilities help increase the effort required to access data that previously resided on the disks. Darik's Boot and Nuke (DBAN), a SourceForge project, may help our readers to bypass physical destruction if their drives' contents are not of a highly sensitive nature.
-http://www.sans.org/newsletters/newsbites/newsbites.php?vol=7&issue=17#sID32
0
-http://dban.sourceforge.net/]

Opera Adds Anti-Phishing Feature to Browser (21 December 2006)

The newest version of the Opera web browser, Opera 9.1, has added a phishing filter. Opera joins Microsoft and Mozilla, who in October released Internet Explorer 7 (IE 7) and Firefox 2.0, respectively, both of which have anti-phishing features.
-http://www.securityfocus.com/brief/389
-http://www.wilmingtonstar.com/apps/pbcs.dll/article?AID=/20061218/APF/612181265

Book Review by Stephen Northcutt

The Art of Software Security Assessment
Dowd, McDonald, Schuh, Addison Wesley Press

As I leafed through this book, once, twice, and then a third time, I started to realize this is one of those rare security books that has a chance to revolutionize the industry like Applied Cryptography, Snort 2.0, or Hacking Exposed. The longer you wait to read this book, the further you will fall behind.

Every week that goes by we see an increasing understanding in the community about the importance of secure software and the need for appropriate development processes to create that secure software. This book is hitting the marketplace at the perfect time. I hope people will be encouraged by its demonstration that secure software development is possible. It takes management support in terms of resources, training and good process, but it can certainly be done.

At 1128 pages, much of the material will be things that you have picked up from other books or courses you have taken. Much of it will be things you once knew and forgot. But this is the most complete book on software security out there covering Windows, Unix, Network Protocols, Web and other Applications.

What I particularly like is how approachable the majority of the information is. Please do not get me wrong; if you have never written a line of code you are going to be lost during the code examples. The only signpost you get is the occasional bolded line, but you will still be able to follow the discussion preceding and following the code examples.

The first section of the book, Introduction to Software Security Assessment, contains foundational material. If you are responsible for software development as a manager, I recommend you read at least this one section.

The next section, Software Vulnerabilities, starts with a buffer overflow chapter. This is a test of any good security book. This book builds the case, providing both code fragments and clear diagrams with plenty of explanations.

The final section is titled Software Vulnerabilities in Practice, though I am not convinced this is an accurate name. Network or Web should probably be included in the title. Chapters include Network Protocols, Firewalls (probably the weakest chapter in the book), Network Application Protocols, Web Applications and Web Technologies. Any book this big and technical is going to have errors pop up, but in the back of the book you have an opportunity to register your book to receive updates; that might be a good idea.

I hope the authors and publishing team have a runaway success with this book; they deserve it.

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/