SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #12

February 12, 2008

Breaking news: As we go to press on Tuesday afternoon, Google, Microsoft, IBM, Yahoo and Versign report that they have reached an agreement to support the OpenID spec that allows individuals to create one user name, password, and other credentials for logging onto multiple Web sites that support the spec. Could be a nice step forward. More data:
http://www.campustechnology.com/articles/58342
Alan

1. SANS Joins with Infosecurity Europe 2008 - London (22nd-24th April)
Four ways to take advantage of this joint initiative:
SANS leading instructor Arrigo Triulzi will be teaching SEC517:
Cutting-edge Hacking Techniques Hands-on, on Tuesday 22nd, a phenomenal one day experience of most important new exploits discovered in the last 18 months. Please register to avoid disappointment at http://www.sans.org/infosec08_london/ .
2. Alan Paller and Mason Brown will keynote on the topic of "Five Keys to Effective Application Security and Secure Coding" on Tuesday 22nd April. Details are available at
http://www.infosec.co.uk/page.cfm/action=Seminars/SeminarID=209
3. The Infosecurity Europe Hall of Fame on Wednesday 23rd.
and
4. Pick-up your new threat map and say hello at the SANS Booth A132.
http://www.infosec.co.uk/page.cfm/action=Seminars/SeminarID=212.

---

TOP OF THE NEWS

Russian Computers Sending an Increasing Share of Spam
Adobe Reader Flaw Actively Exploited
Families Affected by HMRC Data Loss Seek Compensation

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Spanish Police Arrest 76 for Internet Fraud
Authors of Negative Postings May Remain Anonymous
Police Officer Charged with Computer Crime
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Unencrypted UK Army Laptop Left in Pub
Irish Government Called on to Improve its Data Security
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple Issues Mac OS X Update
AV Site Infected with Malware
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
SQL Injection Attacks Expose MLSgear.com Customer Data
South Bend Hospital Employee Data on Missing Computer
MISCELLANEOUS
Two Sheriff's Office Employees Fired for Accessing Computer System "For Fun"
What's What in a Breach Notification Letter
Roman Aqueducts Redux
LIST OF UPCOMING FREE SANS WEBCASTS

---

*********** Sponsored By Credant Technologies ***********

WAIT 'TIL YOU HEAR WHAT'S NEW IN LAPTOP ENCRYPTION!
Outdated encryption methods, such as Full Disk (FDE), require unwelcome compromises to existing IT operations and support processes, and can't provide the level of data security now needed. A new, better encryption technology is here! Reg. for live webcast and to win $500 gift card.
http://www.sans.org/info/23953

*************************************************************************

TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad bonus sessions and a huge exhibition of security products:
http://www.sans.org/sans2008
- - Washington DC (Tyson's) 3/24-3/31 http://www.sans.org/tysonscorner08
- - Prague (2/18-2/23): http://www.sans.org/prague08
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cites and on line any-time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Russian Computers Sending an Increasing Share of Spam (February 11, 2008)

Experts at SophosLabs scanned all spam messages received in the company's global network of spam traps, and found a dramatic rise in the proportion of the world's spam messages being sent from compromised Russian computers. Russian now accounts for one in twelve junk mails seen in inboxes. Between October-December 2007, the USA relayed far more spam than any other country, because so many US computers have been taken over by remote hackers.
-http://www.sophos.com/pressoffice/news/articles/2008/02/dirtydozfeb08.html

Adobe Reader Flaw Actively Exploited (February 10 & 11, 2008)

Attackers have been actively exploiting a recently patched JavaScript vulnerability in Adobe Reader since January 20. Thousands of computers are believed to have been infected as a result. Adobe released an update last week to address a number of vulnerabilities, but did not provide details about the flaws. The exploit spreads the Zonebac Trojan horse program through a maliciously crafted PDF file traced to a server in the Netherlands. Zonebac reportedly disables antivirus programs and alters search results and banner ads. Users are urged to update their versions of Acrobat Reader.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9061938&source=rss_topic17
-http://www.theregister.co.uk/2008/02/11/adobe_reader_exploit/print.html
-http://www.vnunet.com/vnunet/news/2209318/attacks-target-pdf-flaw
[Editor's Note (Skoudis): Here's more proof that enterprises need patching processes and systems that can quickly test and deploy patches for third-party apps and not just for Microsoft products. While you are deploying this Adobe Reader update, double check your Java Runtime Environment, Quicktime, Flash, and other software patch levels. If you are going to touch all of your machines, get all of this stuff up to date, as exploits were released for all of them in the past several months. Whenever we do a penetration test, we almost always get in with a client-side exploit of such third-party software. ]

Families Affected by HMRC Data Loss Seek Compensation (February 10, 2008)

Thousands of families whose personal information was on the HM Revenue and Customs disks that were lost in the mail have signed up to file claims against the UK government. The families have registered with a company that maintains the government has breached the Data Protection Act (DPA) and that those affected are entitled to compensation of between GBP 50 and GBP 300 (US $98 and US $585). For the claims to move forward, however, HMRC would have to be found guilty of having breached the DPA. The results of an official inquiry into the data loss are expected in June.
-http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=5133
44&in_page_id=1770

---

************************** Sponsored Links: ***************************

1) SANS Third Annual Log Management Survey
What are the challenges in log management? Have perceptions changed since last year? Help us find out! Take the survey at http://www.sans.org/info/23958

2) By converging networking and security, StillSecure provides intelligent networks that are easy to manage and protect.
http://www.sans.org/info/23963
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Spanish Police Arrest 76 for Internet Fraud (February 11, 2008)

Seventy-six people arrested by Spanish police are believed to have stolen more than 3 million Euros in a variety of Internet fraud schemes. Some of the suspects allegedly sold expensive merchandise on auctions sites but never sent the items. Other suspects allegedly used stolen bank account information, probably stolen in a phishing scam, to siphon money into their own accounts.
-http://www.theregister.co.uk/2008/02/11/spanish_police_fraud_crackdown/print.htm
l
[Guest Editor's Note (Raul Siles): The police operation has been called Ulises and it involved actions in 14 different provinces plus Ceuta. The stolen bank credentials were obtained from phishing scams, impersonating banks and the national tax administration (equivalent to the IRS in the US), and they also used fake auction sites. The amounts stolen range from 400 to 10000 _ per victim, for a total of more than 3 million euros. The suspects are from Spain and other 16 different nationalities, and the victims are from all over the world. The attacks and frauds are not new, but it is good to see effective police operations and the criminals being arrested. ]

Authors of Negative Postings May Remain Anonymous (February 11, 2008)

Ten people who posted "unquestionably offensive and demeaning" comments on a Yahoo! message board about a company that conducts clinical trials of drugs will not have to be identified, according to a California Appeals court ruling. The plaintiff was initially granted the right to have those posting the negative comments identified, but the new ruling says the comments are protected under free speech laws.
-http://www.vnunet.com/vnunet/news/2209305/court-rules-internet-trolls
-http://blogs.wsj.com/biztech/2008/02/08/web-rage-protected-by-the-first-amendmen
t/?mod=googlenews_wsj

Police Officer Charged with Computer Crime (February 6 & 7, 2008)

A 17-year veteran of the Hartford, Connecticut police force has been arrested and charged with committing a computer crime in the third degree, which is a Class D (violent) felony. Sgt. Reginald Allen allegedly obtained information from the National Crime Information Center and provided it to a friend, who used the information to harass an ex-boyfriend's current girlfriend. The girlfriend alerted authorities.
-http://www.scmagazineus.com/Conn-police-sergeant-charged-with-computer-crime/Pri
ntArticle/105085/
-http://www.courant.com/news/local/hc-ctallenarrest0206.artfeb06,0,1692714.story
Editor's Comment (Northcutt): How long have we been preaching that if we create databases with information on citizens that access would be abused? There are two similar stories in this NewsBites and the words ringing in my head are that they did it, "for fun". Take a few minutes to read this analysis from the Cato Institute:
-http://www.cato.org/pubs/pas/pa-295.html
Totally off topic, but I was looking at PaulDotCom's youtube ad video for his SANS course on hardware hacking, and it hit me; if you can reprogram a wireless router, you can make it do just about anything (duh). Obvious threats are eavesdropping and masquerading as a trustworthy access point. However, you can do that without first modifying an access point. If you think of some really nefarious cyber ninja tricks that you could accomplish only by reprogramming a network device to do your bidding, please drop me a note, stephen@sans.edu, I am considering adding this to the threat section in my course.
-http://www.youtube.com/watch?v=uYBUixjnpgo

-http://www.sans.edu/resources/securitylab/81/
-http://www.sans.org/training/description.php?mid=62]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Unencrypted UK Army Laptop Left in Pub (February 12, 2008)

A UK Army captain left a laptop computer containing sensitive information in a pub. The unencrypted data include personal information pertaining to more than 200 soldiers, military exercises information and weapons store locations. Cabinet Secretary Sir Gus O'Donnell recently ordered that laptops containing unencrypted data not be removed from government offices. The laptop was handed in by the person who found it in the pub.
-http://www.thesun.co.uk/sol/homepage/news/article791210.ece
-http://ukpress.google.com/article/ALeqM5jDHYTZhBTz0zO3rv0NuPIlkpol5A

Irish Government Called on to Improve its Data Security (February 8, 2008)

Ireland's Fine Gael party wants the country's government to implement stronger security controls on its data management. In the last five years, 80 government laptops, 19 Blackberrys and 10 USB memory devices have been lost or stolen. In addition, four government websites have recently been attacked. Officials maintain that no sensitive data were compromised as a result of the missing devices. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3958

-http://www.independent.ie/national-news/fears-for-our-personal-data-as-80-govern
ment-laptops-missing-1284944.html?service=Print
[Editor's Note (Honan): Maybe Irish Government employees should be directed to the recently launched and government sponsored security awareness website, in particular the section on encryption -
-http://www.makeitsecure.org/en/otherRisks_encryption.html.
The fact that these losses only came to light as a result of a parliamentary question highlights the need for effective breach disclosure laws in Ireland. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Apple Issues Mac OS X Update (February 11, 2008)

Apple has released Security Update 2008-001 for Mac OS X to address 10 vulnerabilities in the operating system. The update covers both Tiger and Leopard users; the flaws place unprotected systems at risk of code execution, denial-of-service, and information disclosure. One of the flaws fixed in the update is a stack buffer overflow that was disclosed about a year ago during the Month of Apple Bugs project. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3974

-http://www.eweek.com/c/a/Security/Apple-Patch-Day-10-Holes-Covered-in-Tiger-Leop
ard/
-http://www.news.com/8301-10789_3-9869589-57.html?part=rss&subj=news&tag=
2547-1_3-0-20
-http://docs.info.apple.com/article.html?artnum=307430
[Editor's Note (Skoudis): These are big downloads -- 180 Megs or 340 Megs depending on the kind of Mac you have. With that magnitude, Apple's patches really do feel like you are downloading a whole new operating system. ]

AV Site Infected with Malware (February 10, 2008)

A web page on the website of Indian antivirus company AVSoft Technologies was "seeded" with malware that exploits the iFrame vulnerability to infect visitors' computers with the Virut virus. And iFrame vulnerability is caused by an unchecked buffer in Internet Explorer processing of certain HTML elements such as FRAME and IFRAME elements. That malware creates a backdoor on the machines it infects, allowing attackers to download more malware onto the computers.
-http://www.theregister.co.uk/2008/02/08/indian_av_site_compromise/print.html
[Editor's Note (Northcutt): What a bad day for them and to make things worse, if you tried to get to their site 24 hours after the incident from Google, you got the StopBadware.org intercept page from Google. That can't be good for business.
-http://isc.sans.org/diary.html?date=2004-11-20]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

SQL Injection Attacks Expose MLSgear.com Customer Data (February 8, 2008)

The names, addresses, credit card and debit card information of people who made purchases through Major League Soccer's MLSgear.com website were compromised last year. The data were exposed through SQL injection attacks during the first eight months of 2007 on third party servers hosting the customer data. MLS has terminated its relationship with that provider. A breach notification letter mentions that MLS has taken steps to improve security, but did not clarify what those steps were.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=internet_business&articleId=9061858&taxonomyId=71&intsrc=kc
_top
[Editor's Note (Honan): When you outsource services to a third party you should ensure that you retain the right to audit and test the security of the systems for the outsourced party. ]

South Bend Hospital Employee Data on Missing Computer (February 7, 2008)

A laptop computer holding personally identifiable information of approximately 4,300 current and former employees of Memorial Hospital in South Bend, Indiana was lost last November. The data were on an employee's computer that was lost while she was traveling; the computer was not encrypted.
-http://www.wsbt.com/news/local/15408791.html

MISCELLANEOUS

Two Sheriff's Office Employees Fired for Accessing Computer System "For Fun" (February 7, 2008)

Two Collier County (Florida) Sheriff's Office employees have been fired for accessing the office's computer system and looking up information about other deputies, an FBI agent, and family members. One of the fired individuals said they did the searches "for fun." Both fired employees worked in the Fingerprinting Department. The unauthorized activity was discovered when one of the people whose information was searched alerted the authorities. To prevent future privacy breaches, the Sheriff's Office will conduct random checks of the computer system and audit for unusual activity.
-http://www.winknews.com/news/local/15408931.html

What's What in a Breach Notification Letter (February 2008)

Breach notification letters often involve an intricate dance of language. A pair of public relations professionals dissects actual breach notification letters from Monster.com and USAJOBS. They analyze the merits of differing approaches to notification: the choice of salutation; the pros and cons of apologizing; the level of detail offered. Most of the time, it appears that breach notification letters will raise as many if not more questions than they answer. This article is a good resource for those who find themselves burdened with the unfortunate task of drafting such a letter.
-http://www2.csoonline.com/exclusives/column.html?CID=33523
[Editor's Note (Northcutt): Just when you think there is nothing left to say about data breaches, someone amazes you. Nice job CSO Magazine! ]

Roman Aqueducts Redux

A concise version of the paper on lessons the Roman Aqueducts provide for securing power grids appears in CSO Online. (The original version ran on January 15, NewsBites Volume 10, Number 4.)
-http://www2.csoonline.com/exclusives/column.html?CID=33519
[Editor's Note (Ranum): The article sounds plausible, but the differences between Rome and its aqueducts and the US and its power grids are simply so vast that all we're left with is an article that amounts to argument by analogy. ]

LIST OF UPCOMING FREE SANS WEBCASTS

Ask the Expert: You've Collected the Logs, Now What? Reducing Risk through Integrated Log Management, Database Monitoring and Real-time Event Management
WHEN: Thursday, February 14, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Dave Shackleford
-http://www.sans.org/info/23528
Sponsored By: netForensics

So you've collected event logs from security devices and other critical systems and stored them away - great. Check the compliance box. Now what?

Logs are important... but only if you are doing something with them.

They provide valuable, credible, accurate information about what is going on in your inter-connected environment. But if your logs are not being analyzed regularly and in real-time, how can you tell if data isn't seeping out of your databases and other critical applications? Manually glancing through logs may be enough to "check the box" for compliance purposes, but it is definitely not enough to detect data theft or other malicious activity.

SANS Special Webcast: Beyond Security Basics: Emerging Defensive Strategies You Shouldn't Miss
WHEN: Tuesday, February 19, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: John Strand
-https://www.sans.org/webcasts/show.php?webcastid=91778

Sponsored By: Core Security

Still think that locking down root access to operating systems is the cornerstone of security, or that your perimeter can't be tunneled under? Please join John Strand, certified SANS instructor and security consultant with Argotek, for this free webcast.

Ask the Expert: Security Needs a Paradigm
WHEN: Thursday, February 21, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and A.N. Ananth
-http://www.sans.org/info/22959
Sponsored By: Prism MicroSystems

In this webcast, we'll discuss the reasoning behind a "whitelist" approach, how change monitoring can complement logging and event monitoring in your security program, and common system changes that may indicate malicious activity.

Tool Talk Webcast: A Practical Approach to Cyber Security within Control System Environments
WHEN: Tuesday, February 26, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Brian Contos
-http://www.sans.org/info/22964
Sponsored By: ArcSight

Recently there has been substantial media hype surrounding cyber attacks against critical infrastructure: oil and gas, power and energy, chemical, etc. Few disagree that systems controlling critical infrastructure make valuable targets for a wide range of attackers and pursuits; but the FUD sometimes shadows the facts. So rather than debate the threat level, this webcast will focus on empirical findings derived from multiple, federally funded research projects. These collaborative projects have brought together federal agencies, academia, control system vendors, IT security vendors like ArcSight, and industry representatives to research and test practical cyber incident prevention, detection and response.

SANS Special Webcast: How to Win Friends and Influence People (for Penetration Testers)
WHEN: Tuesday, March 4, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Lenny Zeltser
-http://www.sans.org/info/22984
Sponsored By: Core Security

The success of a security test is often determined in the planning stage, when the "human element" plays a critical role. This is especially true for penetration testing projects, which sometimes encounter political hurdles before they even begin.

Please join us to learn how, with a little transparency and tact, you can not only get approval for pen testing projects but also help colleagues use the results to improve your overall security.

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/