SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #26

April 01, 2008

The last item in this issue is a pointer to Rich Bejtlich's summary of new patterns in cyber defense. Definitely worth a read.

Some great news: SANS' new penetration testing classes are getting the highest ratings of any new courses since the Wireless class was launched. If you do pen testing - either application pen testing or traditional pen testing, these courses help make sure your tools and skills are state of the art.
Application Pen Testing Fundamentals: http://sans.org/training/description.php?mid=692
In Depth: http://sans.org/training/description.php?mid=942
Network Pen Testing: http://www.sans.org/training/description.php?mid=937
And if you hire pen testers, come find out how to find the best ones and make sure they are doing the job right, at the buyers' summits:
Web App Security Summit: http://sans.org/info/24609
Pen Testing and Ethical Hacking Summit: http://sans.org/pentesting08_summit/

Alan

---

TOP OF THE NEWS

Hannaford Attackers Placed Malware on All Store Servers
Computers Used in RCMP Investigation Infected with Malware
Study: Microsoft Manages Patches Better than Apple

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Swatter Draws Three-Year Sentence
POLICY & LEGISLATION
Washington State RFID Data Theft Bill Gets Gov.'s Signature
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Exploit Code for Microsoft Office Flaw Released
Storm Worm Stepping Up Recruitment Efforts
iFrame Attack Continues Spreading
Two Flaws in Safari 3.1 For Windows
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Job Applicant Data Stolen from Irish Employment Site
Antioch University Data Breach Affects 70,000
MISCELLANEOUS
Ten Themes in Digital Defense
LIST OF UPCOMING FREE SANS WEBCASTS

---

************************ Sponsored By Sybase ****************************

Future Proofing Mobile Device Security and Management - Webcast It can cost over $2,500 a year to provision, manage, maintain, update, and take care of a single mobile device. Therefore, anything you do to make mobile device management and security more efficient is a good idea. Learn more now. http://www.sans.org/info/26743

*************************************************************************

TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad bonus sessions and a huge exhibition of security products: http://www.sans.org/sans2008
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Hannaford Attackers Placed Malware on All Store Servers (March 28, 2008)

More details are emerging about the Hannaford Bros. data breach. Hannaford now says that the attackers managed to place malware on servers at each of the Maine-based company's stores in New England, New York and Florida. When the malware was detected, the company replaced all the servers, according to a letter from Hannaford general counsel to Massachusetts officials. The Hannaford breach is unusual because while most data thefts have involved stored data, this breach stole data while they were in transit between systems during the transaction authorization process.
-http://www.computerworld.com/action/article.do?command=printArticleBasic&art
icleId=9073138
-http://www.theregister.co.uk/2008/03/28/massive_credit_card_breach_explained/pri
nt.html
-http://www.boston.com/news/local/articles/2008/03/28/advanced_tactic_targeted_gr
ocer/?page=full
[Editor's Note (Pescatore): This type of incident really isn't all *that* unusual, as compromised servers have long been used to capture what is flowing through them. Many incidents at retailers, universities and businesses have resulted in the discovery of servers that were compromised for long periods of time. ]

Computers Used in RCMP Investigation Infected with Malware (March 29, 2008)

Computers used in a Royal Canadian Mounted Police (RCMP) investigation were infected with malware, according to a letter written by a senior Kamloops (British Columbia) Crown prosecutor. The computers held more than 250,000 pieces of evidence in a multi-million dollar case known as Project Eau. An officer connected the computers to the Internet and used them to view pornography, visit chat sites, and download music and video files. The officer also downloaded a variety of software, including LimeWire and an Internet chat program. The machines were connected to the Internet for more than a year-and-a-half and were disconnected only after the RCMP learned they had been made part of a zombie network and were being used for sending spam.
-http://www.canada.com/vancouversun/news/story.html?id=20ae6f79-876e-4bec-9a1f-e6
b6ca111893
[Editor's Note (Skoudis): There are some incredibly vital lessons in this story for all of us who perform investigations. Make sure you are using trusted machines dedicated to the analysis tasks for your work, and not the system you use for e-mail, web surfing, and practice analysis. ]

Study: Microsoft Manages Patches Better than Apple (March 31, 2008)

A study from researchers at the Computer and Engineering Networks Laboratory at the Swiss Federal Institute of Technology found that Microsoft's lag time in getting patches out is improving, while Apple's is getting worse. Overall, Apple has more vulnerabilities, takes longer to address them with fixes, and has more attacks on unpatched flaws.
-http://www.theregister.co.uk/2008/03/31/apple_security_response_pants/print.html
-http://www.heise.de/english/newsticker/news/105717
-http://www.informationweek.com/software/showArticle.jhtml?articleID=207000806&am
p;subSection=Operating+Systems
[Editor's Note (Schultz and Paller): Microsoft deserves considerable credit for doing increasingly better over the years when it comes to dealing with security issues such as addressing vulnerabilities. No vendor is perfect, but Microsoft in many ways is now setting a very positive example for the rest of the software industry to follow. (Skoudis): In my opinion, Apple operates in this way because it can get away with it, while Microsoft couldn't. That is, malware authors and computer attackers are far more aggressive against Microsoft because of the market share of its products, making it a juicy target for organized crime. As Apple's market share inches upwards, they will likely have to radically improve the way they are handling the release of important security patches. ]

---

*************************** Sponsored Link: ***************************

1) SANS Third Annual Log Management Survey
What are the challenges in log management? Have perceptions changed since last year? Help us find out! Take the survey at http://www.sans.org/info/26748

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Swatter Draws Three-Year Sentence (March 28, 2008)

A Washington state man has been sentenced to three years in prison for swatting. Randal T. Ellis pleaded guilty to five felony counts including computer access and fraud. Swatting involves calling emergency services with a spoofed phone number and reporting an incident serious enough to cause authorities send out a SWAT team to manage the situation. Ellis was also ordered to pay nearly US $15,000 in restitution, most of which will go to the Orange County (California) Sheriff Department where the incident took place.
-http://www.smh.com.au/news/security/hacker-jailed-for-swat-team-prank/2008/03/28
/1206207349894.html
-http://www.ocregister.com/articles/ellis-call-caller-2006151-calls-team

POLICY & LEGISLATION

Washington State RFID Data Theft Bill Gets Gov.'s Signature (March 27, 28 & 31, 2008)

Washington state governor Chris Gregoire has signed into law a bill that makes data theft with the use of RFID technology punishable by a prison sentence of up to 10 years. The legislation was prompted by the increased use of RFID tags in driver's licenses and other identification cards. The bill will take effect on July 1, 2008.
-http://www.theregister.co.uk/2008/03/28/us_rfid_bill/print.html
-http://seattletimes.nwsource.com/html/businesstechnology/2004316711_rfidside31.h
tml

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Exploit Code for Microsoft Office Flaw Released (March 31, 2008)

Exploit code for a known vulnerability in Microsoft Office has been made public. The attack targets one flaw that was patched on March 11 in Microsoft's security bulletin MS08-016. The attack uses a PowerPoint file to exploit the Microsoft Office File Memory Corruption Vulnerability, which was given a severity rating of critical for users running Office 2000. Other versions of Microsoft Office may also be affected.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9073399&source=rss_topic17

Storm Worm Stepping Up Recruitment Efforts (March 31, 2008)

The Storm worm appears to be using April Fool's Day to attempt to round up more computers. The email contains a brief message followed by a link to a numeric Internet address. Clicking on the link can infect vulnerable machines with malware that will make them part of the Storm worm botnet. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=4222
-http://www.news.com/8301-10789_3-9906880-57.html?part=rss&subj=news&tag=
2547-1_3-0-20
-http://www.net-security.org/malware_news.php?id=929
[Editor's Note (Skoudis): I received a ton of these e-mail messages yesterday and today, and you probably did too. From a malware research perspective, it's never been easier to get samples for analysis. Just check your e-mail filters. ]

iFrame Attack Continues Spreading (March 28 & 31, 2008)

The iFrame attacks that have made news in recent weeks are spreading to more prominent websites. Among the sites infected are USA Today, Target, and Wal-Mart. The most recent attack targets search engine results; the results are manipulated so that users are likely to visit sites that have been infected with malware.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9073098&source=rss_topic17
-http://www.vnunet.com/vnunet/news/2213090/search-engine-attack-lingers
-http://www.news.com/8301-10784_3-9905951-7.html?part=rss&subj=news&tag=2
547-1_3-0-20
-http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html
[Editor's Note (Northcutt): (Northcutt): Reading at least one of the stories and Danchev's blog is recommended. I have not validated Danchev's work, but it certainly appears that you can make the world a better place by blocking four IP addresses,: * 72.232.39.252 * 195.225.178.21 * 89.149.243.201 * 89.149.220.85]

Two Flaws in Safari 3.1 For Windows (March 27 & 31, 2008)

After meeting with criticism for the way it was launched, Apple's Safari 3.1 for Windows is facing reports of two highly critical vulnerabilities. One is a remote code execution flaw and the other allows attackers to display their own content in browser pages without changing what's in the address bar. Last week, Apple included Safari 3.1 as part of an update to iTunes and QuickTime, prompting some to call its release a stealth update that makes it possible for users to download the browser even when "they didn't ask for
[it ]
."
-http://www.informationweek.com/news/showArticle.jhtml?articleID=207000123
-http://www.scmagazineus.com/Two-vulnerabilities-found-in-Safari-browser-for-Wind
ows/article/108450/
[Editor's Note (Grefer): Apparently Steve Jobs mentioned his intention to push a browser down users' throats at last year's World Wide Developers Conference:
-http://tech-buzz.net/2008/03/21/apple-duped-itunes-users-to-install-safari/]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Job Applicant Data Stolen from Irish Employment Site (March 31, 2008)

A cyber thief has stolen personal information submitted to Irish online recruitment firm Jobs.ie. A web address outside of Ireland was used to download client information. The attacker used login credentials supplied to employers registered with the agency; the credentials were illegally obtained. Jobs.ie has notified the individuals affected by the data theft.
-http://www.siliconrepublic.com/news/news.nv?storyid=single10628
-http://www.ireland.com/newspaper/frontpage/2008/0331/1206752249000.html
[Editor's Note (Honan): In the absence of mandatory breach disclosure laws in Ireland Jobs.ie should be commended for notifying affected clients within 24 hours of detecting the breach. ]

Antioch University Data Breach Affects 70,000 (March 28, 2008)

Antioch University has acknowledged that the personal information of approximately 70,000 individuals was accessed on their computer system three separate times in 2007. The breaches affect current and former students, applicants to the school and employees dating back to 1996. When the university learned of the problem, it took the affected server offline.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/03/28/AR2008032802398_
pf.html

MISCELLANEOUS

Ten Themes in Digital Defense (March 19, 2008)

Richard Bejtlich has compiled a list of "ten themes to describe the state of affairs and some general strategies for digital defense" he observed while attending a variety of conferences. The items include "we cannot stop intruders, only raise their costs;" "less vulnerability management, more system integrity analysis;" and "less blacklisting, more whitelisting."
-http://taosecurity.blogspot.com/2008/03/ten-themes-from-recent-conferences.html
[Editor's Note (Skoudis): This is an awesome list, and kudos to Richard Bejtlich for releasing it. Some of its conclusions are debatable, but every one of them is thought-provoking and worthwhile in pondering how to apply its wisdom to your own organization's defenses. Very nice. ]

LIST OF UPCOMING FREE SANS WEBCASTS

SANS Special Webcast: Eric Cole - Proving Web Vulnerabilities redux with Knowledge Compression (TM).
WHEN: Available NOW on YouTube.com
Featuring: Dr. Eric Cole
If you don't find it on YouTube - it is here
-http://www.sans.org/info/26743
Sponsored By: Core Security

An eight minute, information-packed remix of an earlier webcast. Grab the slides, click on the YouTube link and you are good to go. The goal is to get you the information you need as quickly as possible. Learn the core reasons for web vulnerabilities and how you can test for them. We would love to hear your thoughts about this YouTube experiment; drop us a note with your comments, stephen@sans.edu

***
SANS Special Webcast: Stephen Northcutt Presents: Managing Vulnerability Situational Awareness
WHEN: Wednesday, April 2, 2008 at 2:00 PM EDT (1800 UTC/GMT)
FEATURING: Stephen Northcutt
-http://www.sans.org/info/24668
Sponsored By: Core Security Technologies
Stephen Northcutt challenges leaders to move past "Security Theater", practices like confiscating nail files in airport security or running vulnerability scans and taking no action or pretending a SIEM "partial implementation" actually helps create effective security. If we want to get better and actually implement security well one of the atomic keys is to configure the system correctly and maintain that configuration. Stephen will discuss the three views, the inside view, outside view and user view that give us the information we need to assess the configuration of our system. We can use tools like the Center for Internet Security toolsets to create the inside view, vulnerability scanners and exploitation tools like CORE for the outside view and to get the user view we need to run a number of tests to determine the level of awareness and practice. The data from all three views gives us the ability to accurately assess our exposure to threat.

***
SANS Special Webcast: Data Leakage Landscape
WHEN: Thursday, April 3, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURED SPEAKERS: Barb Filkins, Robert Hemeryck and Malte Pollmann
-http://www.sans.org/info/24673
Sponsored By: TrendMicro and Utimaco Software

Data leakage occurs everywhere computing is conducted - whether it be hand-helds, USB tokens or even protected internal computers where cut, copy and paste functions are difficult to control. Organizations need a map of these leakage points so they can plug them and protect themselves against regulatory violations. This Webcast discusses where and how data leaks, what types of privacy violations these leakage points present, and what to do about them.

***
Internet Storm Center: Threat Update Webcast
WHEN: Wednesday, April 9, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
-http://www.sans.org/info/25514


This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

***
WhatWorks in Event Log Management: Solving FISMA Compliance Demands
WHEN: Thursday, April 10, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Elvis Shields-Moreland and Alan Paller
-http://www.sans.org/info/24659
Sponsored By: LogLogic

A need to meet the vague requirements of FISMA compliance prompted Lockheed to look for a new log management product to replace a recently acquired tool with one more suited to its manpower and skill level requirements. The company found a solution that had lower total cost of ownership, could process all logs and had correlation capabilities to show attack indicators.

***
Tool Talk Webcast: A Blueprint for Successful NAC Deployments
WHEN: Wednesday, April 16, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURING: John Curry
-http://www.sans.org/info/24618
Sponsored By: StillSecure

This webinar will discuss the challenges associated with NAC deployments and provide organizations with a blueprint on how to cost-effectively take advantage of this critical technology. Learn first hand how your organization can benefit from this ground-breaking technology.

*******************************************************************

Be sure to check out the following FREE SANS archived webcasts:

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
-http://www.sans.org/info/22979
Sponsored By: Q1 Labs

SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
-https://www.sans.org/webcasts/show.php?webcastid=91884


********************************************************************

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/