SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #1

January 04, 2008

TOP OF THE NEWS

Australia Plans to Require Filtered Feeds from ISPs
Virginia Poised to Establish New Data Protection Laws
Privacy Advocates Appeal New German Data Retention Law

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Teen Draws 90-Day Sentence for Internet Service Disruption
Two Face Charges for Selling Phony Computer Components to US Military
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Passport Card Technology Concerns Privacy Advocates
POLICY & LEGISLATION
MPs Call for Tougher Data Breach Laws
German Justice Minister Denies Music Companies Access to Stored Data for Civil Cases
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
Warner Music to Offer its Catalog DRM-Free on Amazon MP3
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Just Two Security Bulletins for January's Patch Tuesday
US-CERT Warns of RealPlayer Flaw
MISCELLANEOUS
Should Digital Forensic Specialists Have to be Licensed PIs?
Malware Development Outpacing Anti-Virus
SANS READING ROOM PAPER REVIEW BY STEPHEN NORTHCUTT
LIST OF UPCOMING FREE SANS WEBCASTS

---

************************** Sponsored By SANS ****************************

Penetration testing is going through radical changes. People trained as little as two years ago are reporting that the techniques they learned then are completely out of date. At the Penetration Testing and Ethical Hacking Summit you will hear about the newest attacks and how the top penetration testers are changing the way they do business. Las Vegas March 17-18.
http://www.sans.org/info/21628

*************************************************************************

TRAINING UPDATE
Where can you find Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- - San Jose (2/2 - 2/8): http://www.sans.org/siliconvalley08/event.php
- - Phoenix (2/11 - 2/18) http://www.sans.org/phoenix08/event.php
- - Prague (2/18-2/23): http://www.sans.org/prague08
- - and in 100 other cites and on line any-time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Australia Plans to Require Filtered Feeds From ISPs (December 31, 2007)

In an effort to ensure that inappropriate Internet content does not reach minors, the Australian government plans to require Internet service providers (ISPs) to provide "clean" feeds to homes and schools. If users want to opt out of the arrangement, they must contact their ISP individually. The measure is aimed at protecting minors from pornographic and violent material. Civil liberties advocates fear the move is a large step backward in freedom of the Internet. There is also some concern that parents will not monitor their children's Internet use as closely as they should because they will be lulled into a false sense of security. The mandatory filtering will be based in part on a list of blacklisted sites provided by the Australian Communications and Media Authority.
-http://www.australianit.news.com.au/story/0,24897,22989956-15306,00.html
-http://news.bbc.co.uk/2/hi/asia-pacific/7165987.stm
[Editor's Note (Pescatore): In most countries, demand for parental controls has made them available at most ISPs already, so the only real difference here is forcing opt out vs. allowing opt-in. Requiring ISPs to make filtered Internet feeds the default is sort of like making libraries have censored books on the shelves and requiring readers to ask for the uncensored versions. Censorship is always a slippery slope - - who gets to define "inappropriate"? ]

Virginia Poised to Establish New Data Protection Laws (January 3, 2008)

Virginia Governor Timothy M. Kaine has announced proposed legislation to help protect Virginia residents from identity fraud. The proposed laws include required breach notification; state government would be subject to the requirement as well. Entities would be exempt from the notification requirement if they can prove that there is no reasonable risk of harm as a result of the breach. Virginia residents would also have the power to place freezes on their credit reports until issues raised by the data breach are resolved.
-http://www.govtech.com/gt/print_article.php?id=242006
[Editor's Note (Schultz): I have mixed reactions towards this proposed legislation. Allowing state residents to freeze their credit reports until identity theft and related issues are solved is good, but allowing companies to decide whether there is a reasonable risk of harm is once again proverbially putting the fox in charge of the hen house. ]

Privacy Advocates Appeal New German Data Retention Law (January 2, 2008)

Citizens opposed to Germany's new data retention law are appealing it in the country's Federal Constitutional Court. The law, which took effect on January 1, requires telecommunications companies to retain customer telephone and Internet connection data for at least six months. Opponents call the law unconstitutional because it treats everyone like potential criminals. Proponents of the law say it is necessary to help fight terrorism and organized crime.
-http://www.heise.de/english/newsticker/news/101196
-http://www.theregister.co.uk/2008/01/02/german_data_retention_objection/print.ht
ml
[Editor's Note (Shpantzer): For a quick glimpse into the potential data mining capabilities available with this information, see
-http://www.i2inc.com/Solutions/MajorInvestigations/default.asp]

---

************************* Sponsored Links: ***************************

1) Rediscover New Orleans and hear about Process Control Security issues. - Process Control & SCADA Summit January 16-17.
http://www.sans.org/info/21633

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Teen Draws 90-Day Sentence for Internet Service Disruption (January 3, 2008)

A Wisconsin teenager was sentenced to 90 days in jail for breaking into a computer network and cutting off Internet access to residents of the Marshfield, Wisconsin area for 18 hours last April. Shaun Lancaster was granted work-release status for his term. He was also ordered to serve three years probation and to pay restitution of approximately US $6,000.
-http://www.thenorthwestern.com/apps/pbcs.dll/article?AID=/20080103/OSH/80103040/
1987

Two Face Charges for Selling Phony Computer Components to US Military (December 24, 2007)

Two men have been charged with felony crimes for allegedly selling phony computer products to branches of the US military and US government agencies. Brothers Michael and Robert Edman allegedly imported imitation computer components as well as counterfeit Cisco Systems stickers to make the components appear legitimate. The brothers also allegedly sold phony components to federal prisons, a cable television company and local law enforcement agencies on the west coast.
-http://www.click2houston.com/news/14920413/detail.html

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Passport Card Technology Concerns Privacy Advocates (December 31, 2007)

The US State Department has approved technology that will allow US citizens traveling to Canada, Mexico, Bermuda and the Caribbean to use passport cards that can be machine read from a distance of 20 feet. The card can be used in place of a passport. Critics of the plan believe more should be done to protect the information contained on the card. The card will not contain biographical data, according to Ann Barrett, deputy assistant secretary for passport services at the State Department.
-http://www.msnbc.msn.com/id/22454148/
[Editor's Note (Pescatore): There are some security features with the card (a protective sleeve, minimal data on the chip) since it is really just an RFID chip. However, there are issues around cloning or spoofing that arise because of the simplicity. By far the biggest issue, though: why hasn't there been an open security review during the design phase? ]

POLICY & LEGISLATION

MPs Call for Tougher Data Breach Laws (January 3, 2008)

A report from a committee of UK members of Parliament (MPs) says government officials should face criminal charges if they handle personal information in a reckless manner that puts it at risk of misuse. The Commons Justice Committee's report was prompted by the recent disclosure that 25 million individuals' personally identifiable information was lost by HM Revenue and Customs (HMRC). The committee was surprised to learn that the changes made by HMRC after the breach had not been in place long ago. Furthermore, it appears that other ministers may soon be coming forward with admissions of data loss. The committee's report calls for entities that lose data to be legally obligated to notify both those affected and the information Commissioner. The report also called for giving Information Commissioner Richard Thomas the authority to conduct unannounced spot checks on data security procedures in both in the government and in private industry.
-http://news.bbc.co.uk/2/hi/uk_news/politics/7168588.stm
-http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2008/01/03/ndata203.xml

German Justice Minister Denies Music Companies Access to Stored Data for Civil Cases (January 2, 2008)

German Justice Minister Brigitte Zypries says that the music industry does not have the right to demand stored Internet data to pursue its copyright violation allegations in civil cases. Only police and the public prosecutor's office may use the stored data.
-http://www.heise.de/english/newsticker/news/101210

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

Warner Music to Offer its Catalog DRM-Free on Amazon MP3 (December 27, 2007 & January 2, 2008)

The Warner Music Group has reached a deal with Amazon to sell music from its catalog over the Internet without digital rights management (DRM) protection. The music will be available on Amazon MP3 and will play on any personal music device. The agreement between Warner and Amazon leaves BMG as the only major recording label that has not signed on with Amazon MP3.
-http://www.siliconrepublic.com/news/news.nv?storyid=single9933
-http://news.bbc.co.uk/2/hi/business/7162280.stm
[Editor's Note (Shpantzer): I tried this service out last week and it worked fine for me. Between iTunes Plus and Amazon MP3, we're beginning to see great DRM-free download services that are user friendly, cheap and include the most popular music available. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Just Two Security Bulletins for January's Patch Tuesday (January 3, 2008)

Microsoft's first security release of 2008 will include just two updates, according to Microsoft's Advance Notification. Both updates will address vulnerabilities in Windows. One of the two bulletins has a maximum severity rating of critical, while the other's highest rating is important. Many expect that the bulletin with the critical rating will address a remote code execution flaw in all supported versions of Windows. The second bulletin addresses a local elevation of privileges flaw in all versions of Windows except for Vista. The bulletins will be released on Tuesday, January 8.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9055182&source=rss_topic17
-http://www.microsoft.com/technet/security/bulletin/ms08-jan.mspx

US-CERT Warns of RealPlayer Flaw (January 3, 2008)

The United States Computer Emergency Readiness Team (US-CERT) has issued a warning about a critical flaw in RealPlayer software. The stack overflow vulnerability exists in RealPlayer version 11 on Windows XP with Service Pack 2. Although the group that discovered the flaw has not released technical details, it has released proof-of-concept exploit code.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9055038&source=rss_topic17
-http://www.theregister.co.uk/2008/01/03/realplayer_vuln/print.html
-http://www.scmagazine.com/uk/news/article/774594/us-cert-warns-realplayer-exploi
t

MISCELLANEOUS

Should Digital Forensic Specialists Have to be Licensed PIs? (January 2, 2008)

Proposed legislation in South Carolina would require that all digital forensic evidence be gathered by a licensed private investigator (PI) or through a PI licensed agency. Not only would evidence gathered by unlicensed individuals not be admissible in court, but the people who gathered the evidence could face criminal prosecution. At least seven states have pursued legal action against digital forensic specialists who work without a PI license. A proponent of the pending legislation says its aim is to protect the integrity of digital evidence and the quality of digital forensics. The claims have some basis in experience; evidence has been thrown out because investigators did not procure the digital evidence with enough caution, and others have used digital evidence that should not be admissible but the defendants are not knowledgeable enough to challenge its validity.
-http://www.baselinemag.com/print_article2/0,1217,a=222483,00.asp
[Guest Editor's Note (Rob Lee): While several years old, the debate over whether InfoSec consultants need to be licensed Private Investigators (PIs) to handle digital evidence seems to be gathering steam and lobbied for by existing PIs. Legislators should be extremely careful in passing such licensing requirements. A nurse can collect evidence of sexual assault or an accounting firm's CPAs could discover evidence of fraud. Given the technical nature of digital evidence, courts should be quick to recognize that special skills are required in the same vein as nursing, accounting, and other special skills certifications. Digital forensic and InfoSec training, experience, and certification are the right answer, not licensing without technical qualifications.
(Northcutt): Ex-cops that get their PI license and can barely push Encase around are not able to deal with anti-forensics tools. If you hear about PIs lobbying for this in your state or country, please drop me a note, stephen@sans.edu, we need to quit settling for the lowest common denominator. ]

Malware Development Outpacing Anti-Virus (January 1, 2008)

Protecting computers from malware infections requires a combination of anti-virus products, firewalls, tools that detect behavioral anomalies, and good old-fashioned human caution. Anti-virus alone cannot do the job because malware purveyors are growing skilled at releasing new variants that won't immediately be detected by signature-based anti-virus products. There are tools available on the Internet that allow users to test whether pieces of code are detectable by different anti-virus systems. Some malware creators have reportedly even set up their own laboratories to ensure that their latest releases will have time to infect computers before anti-virus companies learn of the new malware's existence.
-http://www.computerworld.com/action/article.do?command=printArticleBasic&art
icleId=9054758

SANS READING ROOM PAPER REVIEW BY STEPHEN NORTHCUTT

VoIP Security Vulnerabilities
By David Persky with Joey Niem as the paper advisor.

This GIAC Gold gets off to a slow start, but hang in there. If you keep hitting page down, I promise you will be rewarded by some serious nuggets. Overall, great material, the author clearly knows what he is talking about. Page 11 introduces the problem VoIP causes with perimeters. According to a reference in the paper, 75% of the polled organizations plan to replace their security appliance after implementing VoIP. On page 14, the author introduces VoIP penetration testing and provides a reference to a company that does this. The author then discusses general threats and architecture issues. On page 24, things start to get really interesting. We see a GUI interface for a Cisco VoIP phone and the Google search Persky used to find it. I typed the search into Google and sure enough, Cisco phones started appearing in my browser. We then learn how to do the same thing with the Uniden UIP1868P VoIP phone. Next, we learn how to take advantage of undocumented features in a Hitachi IP5000 VOIP WIFI Phone 1.5.6. On page 37, Persky begins a list of tools that can be used to test the security of a VoIP system. There are a number of pages that are required reading if you run the popular Asterisk VoIP PBX. On page 85, we reach my favorite section of the paper, a discussion on Skype. The author talks about vulnerabilities, but there is also a great discussion on how to detect Skype and how that is getting harder and harder to do. The final technical section is an in-depth discussion on the Cisco IP phone. If you are running VoIP or plan to run VoIP, or even believe you are NOT running VoIP, this is a valuable paper to read. I give it two thumbs up!
-http://www.sans.org/reading_room/whitepapers/voip/2036.php

LIST OF UPCOMING FREE SANS WEBCASTS

Internet Storm Center: Threat Update
WHEN: Wednesday, January 9, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich
-http://www.sans.org/info/20187
Sponsored By: Core Security

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

SANS Tool Talk Webcast: NAC - After the Honeymoon
WHEN: Tuesday, January 15, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Alok Agrawal, Jimmy Ray Purser, and Robb Boyd
-https://www.sans.org/webcasts/show.php?webcastid=91714
Sponsored By: Cisco Systems

It's fair to say that NAC, or Network Admission Control, has certainly enjoyed its day in the sun. Despite being a very real technology solving very real problems, NAC has now moved out of the spotlight of center stage and is firmly entrenched as a set of technologies that every enterprise has some kind of an opinion on. Whether you have deployed some type of NAC solution today, have plans for it in the future or perhaps are truly wondering what the heck we are talking about.this conversation is for you. The problems can be pretty easy to understand but the devil is in the details - we promise to sort through the details in this interactive conversation. Please join Robb Boyd from Cisco's TechWiseTV as he welcomes his panel of experts, Jimmy Ray Purser, Chief Geek for Cisco's TechWiseTV and Alok Agrawal, Manager of Technical Marketing from Cisco's NAC Business Unit.

SANS Ask the Expert Webcast: Going beyond log management to solve security, risk and audit challenges
WHEN: Wednesday, January 23, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Vijay Basani
-http://www.sans.org/info/20202
Sponsored By: eIQnetworks

In this webcast, learn the benefits of going beyond log management to perform end-to-end correlation and analysis, how compliance can tie into the use of security technologies, and why the future of security information management (SIM) systems is shaping up to integrate security, risk and audit management onto one platform.

SANS Special Webcast: Things That Go Bump in the Network: Embedded Device Security
WHEN: Thursday, January 24, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Paul Asadoorian
-http://www.sans.org/info/20207
Sponsored By: Core Security

Embedded devices come into your network and appear in many different forms, including printers, iPhones, wireless routers and network-based cameras. What you might not realize is that these devices offer unique opportunities for attackers to do damage and gain access to your network - - and to the information it contains. This webcast will review known embedded device vulnerabilities and cover how these vulnerabilities can be used to gain control of devices, networks, and data - and, more importantly, what can be done about it.

SANS Special Webcast: The SANS Database and Compliance Survey
WHEN: Tuesday, February 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Barb Filkins
-https://www.sans.org/webcasts/show.php?webcastid=91486
Sponsored By: Lumigent Technologies

On Feb. 5, SANS analyst Barbara Filkins uncovers the findings in the SANS Database Auditing and Compliance Survey. Conducted over three months, 348 respondents answered a variety of questions ranging from their perceptions of compliance issues to security frameworks and roles and responsibilities for data privacy protection inside their organizations. We will also be announcing the $250 American Express card winner from among nearly 200 respondents who signed up for our drawing.

********************************************************************

Be sure to check out the following FREE SANS archived webcasts:

Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich and John Weinschenk
-http://www.sans.org/info/20062
Sponsored By: Cezic
-http://www.cenzic.com/

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

SANS Special Webcast: Pinpointing and Proving Web Application Vulnerabilities with Eric Cole WHEN: Monday, December 10, 2007 at 1:00 PM EST (1800 UTC/GMT) FEATURED SPEAKER: Dr. Eric Cole
-http://www.sans.org/info/20057
Sponsored By: Core Security

The September "Internet Security Threat Report" from Symantec reported that 61% of all vulnerabilities disclosed in the first half of 2007 were web application vulnerabilities. It's no wonder, since web apps are often highly customized and can be rife with potential security holes. Fortunately, recent advances in penetration testing products can help you to pinpoint and prove web application security weaknesses - even in customized apps.

SANS Special Webcast: Analyzing a Traffic Analyzer: NIKSUN NetDetector/NetVCR 2005
WHEN: Wednesday, December 5, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Jerry Shenk
-http://www.sans.org/info/20052
Sponsored By: NIKSUN

How deep can traffic inspection reach without hindering data flow and how much data should it store for post-mortem analysis? Join this Webcast to hear senior SANS Analyst Jerry Shenk go over his test results on the NetDectector/NetVCR 2005 and features such as full packet inspection and the ability to call up and review raw data in its native format.

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/