SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #23

March 21, 2008

TOP OF THE NEWS

Application Flaw Exploits on the Rise
UK National Security Strategy Falls Short on Cyber Security
German High Court Says Part of Data Retention Law is Unconstitutional
Threat of Legal Action Halts Voting Machine Audit

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Hannaford Faces Lawsuits Following Breach Disclosure
Second Guilty Plea from Operation Bot Roast Arrests
Man Admits to Writing and Spreading Trojan
51-Month Sentence for Stealing Data Through Limewire
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
US Department of Energy (DOE) Inspector General's Report Finds Security Still an Issue
PA Voter Registration Web Page Shut Down Due to Data Leak
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple OS Security Update Addresses 80+ Flaws
MISCELLANEOUS
Faculty from Multiple Universities Share Tools and Tests for Teaching Secure Coding
LIST OF UPCOMING FREE SANS WEBCASTS

---

********************** Sponsored By PacketMotion ************************

How do you safeguard intellectual property, sensitive information and compliance-relevant data without hampering employee and contractor productivity? Find the facts, blind spots and new technology regarding real-time visibility and control of network user transactions and information assets. Download the FREE, must-read whitepaper "TRUST BUT VERIFY: 24/7 User Activity Monitoring to Protect Business Critical Information" now.
http://www.sans.org/info/26183

*************************************************************************

TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses? - - SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad bonus sessions and a huge exhibition of security products: http://www.sans.org/sans2008
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Application Flaw Exploits on the Rise (March 18, 2008)

The number of security holes detected in widely used software applications is growing, as are attacks that exploit these holes. Users need to be wary of attachments; maliciously crafted ones can worm their way into systems and steal data. The applications can be exploited so that the recipients of the attachments are not aware that something malicious is going on behind the scenes of the seemingly innocent file.
-http://www.usatoday.com/tech/news/computersecurity/2008-03-18-hacker-attacks_N.h
tm
[Editor's Note (Schultz): The message in this news item is not really news, yet it is very much worth repeating. The focus of attacks has shifted dramatically over the last five or six (or maybe even more) years, with applications clearly becoming the target.
(Grefer): One helpful tool for end users (as well as companies) to keep an eye on which of the installed software may be insecure or end-of-life, is the Secunia Personal Software Inspector available free of charge at
-http://psi.secunia.com]

UK National Security Strategy Falls Short on Cyber Security (March 20, 2008)

Security companies are voicing their disappointment with British Prime Minister Gordon Brown's National Security Strategy for failing to adequately address the risk of cyber attacks. Despite the fact that the plan notes that cyber attacks, from both foreign states and terrorists, are on the rise, the plan offers no concrete strategy to mitigate the risks. Some have pointed out that the absorption of the National Hi-Tech Crime Unit (NHTCU) into the Serious Organized Crime Agency (SOCA) leaves inadequate resources to address cyber crime. Many would like to see the creation of an agency to address cyber crime as well as laws mandating data breach disclosure.
-http://technology.timesonline.co.uk/tol/news/tech_and_web/article3590336.ece
-http://www.vnunet.com/computing/news/2212365/national-security-strategy
-http://www.zdnetasia.com/news/security/0,39044215,62039143,00.htm
-http://interactive.cabinetoffice.gov.uk/documents/security/national_security_str
ategy.pdf

German High Court Says Part of Data Retention Law is Unconstitutional (March 19 & 20, 2008)

Germany's Federal Constitutional Court has placed new limits on a law that requires telecommunications companies to store phone call and Internet data for six months. This week, the court issued an injunction that declares parts of the law unconstitutional. The law, which was passed to fulfill a European Union directive, has faced a great deal of opposition in Germany from civil liberties proponents. It requires the telecommunications companies to retain phone numbers dialed and the duration and location of the calls. The court says the information may be retained, but it may only be given to law enforcement authorities when they are investigating serious crimes and have obtained a warrant.
-http://www.msnbc.msn.com/id/23725318/
-http://www.spiegel.de/international/germany/0,1518,542398,00.html
-http://www.dw-world.de/dw/article/0,2144,3203058,00.html
[Editor's Note (Honan): This is an interesting development as this decision could influence similar legal actions taken by civil liberty groups in other countries such as Ireland.]

Threat of Legal Action Halts Voting Machine Audit (March 20, 2008)

After noting discrepancies between the paper audit trail and the memory cartridges of Sequoia electronic voting machines used in the February presidential primary, election officials in Union County, New Jersey asked Princeton University computer science professor Ed Felten to examine the machines. Before the inspection took place, Sequoia threatened legal action against both Felten and Union County, saying that the inspection would violate its licensing agreement. Sequoia attributes the discrepancies to poll worker error. Felten has published a response, saying that an investigation is necessary and should be conducted by "someone not chosen by, ... paid by, ...
[or ]
reporting to Sequoia." Sequoia has announced that the machines in question are undergoing external analyses by two separate firms.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9069999
-http://www.theregister.co.uk/2008/03/20/sequoia_kills_evoting_review/print.html
[Editor's Note (Schultz): Here is another example of a voting machine vendor doing everything it can to prevent the truth about potential defects in its product from being found. I predict that Sequoia's intimidation tactics will work only for a little while. (Northcutt): Just say no to voting machines that do not leave a physical audit trail. The good news in this story is that there was a paper trail, so the machine could be audited. Remember, last year California did an inspection of the Sequoia machines and failed them (and a bunch of the competition, as well). The principal investigator on that study, Matt Bishop, said, "Although, we did not have enough time to perform a complete evaluation of the Sequoia voting system, we exposed a number of serious security issues. These vulnerabilities could be exploited by a determined attacker to modify (or invalidate) the results of an election.":
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9028262

-http://www.sos.ca.gov/elections/elections_vsr.htm]

---

************************** Sponsored Links: ***************************

1) SANS Third Annual Log Management Survey What are the challenges in log management? Have perceptions changed since last year? Help us find out! Take the survey at http://www.sans.org/info/26188

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Hannaford Faces Lawsuits Following Breach Disclosure (March 19 & 20, 2008)

Hannaford Brothers Co. is facing lawsuits over its recently disclosed data breach. Philadelphia law firm Berger & Montague PC filed a class-action lawsuit in US District Court in Portland, ME on behalf of all people whose credit and debit card information were stolen from the Hannaford computer network. An attorney based in Bangor, ME has filed the second suit. The breach affects customers of 165 stores in New England and New York, 106 stores in Florida, and 23 independent stores that sell Hannaford products. Approximately 4.2 million payment card accounts are believed to have been compromised, and there have been 1,800 cases of fraud associated with the breach. The data were stolen between December 7, 2007 and March 10, 2008.
-http://sev.prnewswire.com/supermarkets/20080319/DC1720519032008-1.html
-http://www.boston.com/news/local/maine/articles/2008/03/19/hannaford_hit_with_cl
ass_action_suit_in_data_breach_1205971643/
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9070281&source=rss_topic17
[Editor's Note (Cole): This is a good story to show your executives if you are having trouble justifying your security budget. The growing trend is toward trial lawyers bringing suit when data are lost. ]

Second Guilty Plea from Operation Bot Roast Arrests (March 6, 19 & 20)

Robert Matthew Bentley has pleaded guilty to charges of conspiracy to commit computer fraud. Bentley was indicted last November for his involvement in a scheme that surreptitiously installed adware on PCs in Europe. He was arrested as part of an investigation dubbed "Operation Bot Roast II." Bentley used computers in Florida to place the malware on the computers. He is scheduled to be sentenced on May 28. Seven others have also been arrested as part of the investigation; one of those, Robert Soloway, has already pleaded guilty to a number of charges.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/03/20/AR2008032001412_
pf.html
-http://www.darkreading.com/document.asp?doc_id=148801&print=true
-http://www.usdoj.gov/usao/fln/press%20releases/2008/mar/bentley.html

Man Admits to Writing and Spreading Trojan (March 19, 2008)

Masato Nakatsuji has admitted to writing malware and using copyrighted anime footage to help it spread. The Trojan horse program spread through the Winny filesharing program and attempted to remove music and movie files from infected computers. Nakatsuji is being charged with copyright law violation for using the animated content; there is currently no Japanese law that prohibits the creation of malware.
-http://www.yomiuri.co.jp/dy/national/20080319TDY02306.htm
-http://www.vnunet.com/vnunet/news/2212354/japanese-man-admits-unleashing
-http://www.theregister.co.uk/2008/03/19/winny_trojan_vxer_trial/print.html

51-Month Sentence for Stealing Data Through Limewire (March 18, 2008)

Gregory Kopiloff has been sentenced to 51 months in prison for stealing personally identifiable information of 50 people through P2P (peer-to-peer) filesharing programs. Kopiloff pleaded guilty to mail fraud, computer hacking, and aggravated identity theft. Kopiloff accessed tax returns, credit reports, bank statements and other financial documents through the Limewire filesharing program. He then obtained credit cards with the information and ran up US $76,000 in fraudulent charges. Kopiloff will be on probation for three years following his release and was also ordered to pay compensation.
-http://www.theregister.co.uk/2008/03/18/p2p_highwayman_jailed/print.html
[Editor's Note (Northcutt): Tain't the first or last time we will see this. Here is a case from over a year ago:
-http://www.zeropaid.com/news/8065/Meth+Ring+Used+Limewire+to+Steal+Cash+and+IDs]

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

US Department of Energy (DOE) Inspector General's Report Finds Security Still an Issue (March 19, 2008)

According to a report from the US Energy Department's Office of the Inspector General, DOE has experienced 60 security incidents on its public servers over the last three years. The national laboratories, managed by DOE, that handle nuclear weapons and nuclear waste are subject to the same rules as the the government department faces. One of the attacks redirected people visiting the Brookhaven National Laboratory web site's home page to pornographic web pages instead. In eight instances, personally identifiable information was compromised. Some sites do not comply with web server security standards from the National Institute of Standards and Technology (NIST).
-http://www.fcw.com/online/news/151957-1.html?type=pf
[Editor's Note (Cole): Security will always be a challenge since threats and vulnerabilities are always changing. The key task for security managers is to make sure that, based on your limited budget, are focusing in on the correct items. In spending any money on security you should always ask three questions: 1) what is the risk I am reducing; 2) is it the highest priority risk; and 3) is it the most cost effective way to reduce the risk? ]

PA Voter Registration Web Page Shut Down Due to Data Leak (March 19 & 20, 2008)

Pennsylvania's Department of State has disabled a page of its voter registration website after learning that a vulnerability exposed information entered by previous visitors. The compromised data include names, driver's license numbers, and in some instances, the last four digits of people's Social Security numbers (SSNs). The page allowed people to enter the information necessary for voter registration and then print out a form that could be mailed to election officials.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9069578&source=rss_topic17
-http://www.informationweek.com/security/showArticle.jhtml?articleID=206905007&am
p;cid=RSSfeed_TechWeb

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Apple OS Security Update Addresses 80+ Flaws (March 19, 2008)

Apple issued security updates earlier this week that address more than 80 vulnerabilities in the Tiger and Leopard operating systems. The flaws could be exploited to allow cross-site scripting, spoofing, privilege escalation, and denial of service; several could be exploited to allow remote code execution. Apple also released a new version of the Safari browser to fix 13 security flaws.
-http://www.theregister.co.uk/2008/03/19/monster_apple_patch_batch/print.html
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206904729

MISCELLANEOUS

Faculty From Multiple Universities Share Tools and Tests For Teaching Secure Coding (March 18, 2008)

Matt Bishop, Bill Chu, Pascal Meunier, Alec Yasinac, Sean Taylor, Giovanni Vigna are coming together with other computer science faculty to evaluate the secure coding exercises, teaching tools, and tests each has developed in an effort to build a shared body of tools and knowledge for teaching security as part of the core curriculum of computer science, computer engineering, and information technology degree programs. The goal of SANS (and three federal agencies) sponsoring this workshop is to make it easy for faculty unfamiliar with secure coding issues, to integrate key elements into their existing courses. Participant travel is covered by SANS. The meeting is open only to those who have developed tools and techniques that they are using in core CS, CE, and IT courses. For a copy of the call for participation, email ccalhoun@sans.org. If you are a vendor or other organization that wishes to get involved in the project, please email mbrown@sans.org.

LIST OF UPCOMING FREE SANS WEBCASTS

Tool Talk Webcast: Are You Naked? Why virtualization and service processors are leaving traditional log management customers naked.
WHEN: Tuesday, March 25, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKER: Bill Johnson
-https://www.sans.org/webcasts/show.php?webcastid=91798
Sponsored By: Tdi

Virtualization and on board service processors are making log management systems obsolete and opening their customers to huge compliance issues. All existing log management systems are based on an 'inside out' agent based, SYSLOG and SNMP architecture. This model is obsolete in today's datacenter. Traditional log management systems do not log all events or watch the data center all the time, opening the door to Sarbanes Oxley, HIPAA and other compliance risks.

***
Tool Talk Webcast: Analyzing Pen Testing Tools: Shootout at the Blackbox Corral
WHEN: Wednesday, March 26, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Larry Suto
-http://www.sans.org/info/24653
Sponsored By: Fortify Software

All black box testing tools are not created equal. In the Fall of 2007, security consultant Larry Suto published a report that evaluates the coverage and balance between false positives and false negatives of three popular penetration testing tools. His findings, which some found surprising, prompted official responses from a number of tool vendors that called into question areas of the experiment that could have led to shaky results.

***
SANS Special Webcast: Stephen Northcutt Presents: Managing Vulnerability Situational Awareness
WHEN: Wednesday, April 2, 2008 at 2:00 PM EDT (1800 UTC/GMT)
FEATURING: Stephen Northcutt
-http://www.sans.org/info/24668
Sponsored By: Core Security Technologies

Stephen Northcutt challenges leaders to move past "Security Theater", practices like confiscating nail files in airport security or running vulnerability scans and taking no action or pretending a SIEM "partial implementation" actually helps create effective security. If we want to get better and actually implement security well one of the atomic keys is to configure the system correctly and maintain that configuration. Stephen will discuss the three views, the inside view, outside view and user view that give us the information we need to assess the configuration of our system. We can use tools like the Center for Internet Security toolsets to create the inside view, vulnerability scanners and exploitation tools like CORE for the outside view and to get the user view we need to run a number of tests to determine the level of awareness and practice. The data from all three views gives us the ability to accurately assess our exposure to threat.

***
SANS Special Webcast: Data Leakage Landscape
WHEN: Thursday, April 3, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURED SPEAKERS: Barb Filkins, Robert Hemeryck and Malte Pollmann
-http://www.sans.org/info/24673
Sponsored By: TrendMicro and Utimaco Software

Data leakage occurs everywhere computing is conducted - whether it be hand-helds, USB tokens or even protected internal computers where cut, copy and paste functions are difficult to control. Organizations need a map of these leakage points so they can plug them and protect themselves against regulatory violations. This Webcast discusses where and how data leaks, what types of privacy violations these leakage points present, and what to do about them.

***
Tool Talk Webcast: A Blueprint for Successful NAC Deployments
WHEN: Wednesday, April 16, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURING: John Curry
-http://www.sans.org/info/24618
Sponsored By: StillSecure

This webinar will discuss the challenges associated with NAC deployments and provide organizations with a blueprint on how to cost-effectively take advantage of this critical technology. Learn first hand how your organization can benefit from this ground-breaking technology.

*******************************************************************
Be sure to check out the following FREE SANS archived webcasts:

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
-http://www.sans.org/info/22979
Sponsored By: Q1 Labs

SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
-https://www.sans.org/webcasts/show.php?webcastid=91884

********************************************************************

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/