SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #27

April 04, 2008

TOP OF THE NEWS

Software Engineer Indicted for Theft of Trade Secrets
British ISP Says it Won't Adopt BPI's Anti-Piracy Suggestions
TJX Reaches Tentative Settlement with MasterCard

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Davidson Companies Faces Lawsuit Over Data Compromise
New Zealand Teen Pleads Guilty in Botnet Case
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Apple Patches QuickTime for Windows and Mac
Microsoft Will Release Eight Security Bulletins next Week
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Vt. Ski Area Data Breach Resembles Hannaford Breach
MISCELLANEOUS
US Legislator's Data is on Missing NIH Computer
Laptop Hacked in Contest Makes Brief Appearance on eBay
SEOs Meet Hackers: Part One
Bruce Schneier: Seeing the World from the Attacker's Perspective
LIST OF UPCOMING FREE SANS WEBCASTS

---

*********************** Sponsored By PacketMotion ***********************

Are your internal controls and acceptable use policies for consultants, temporary, and high-risk users working? What information assets are in jeopardy? Find the facts, blind spots and new technology regarding real-time visibility and control of network user transactions. Download the FREE whitepaper "TRUST BUT VERIFY: 24/7 Monitoring of High-risk User Activity in the Network" now. http://www.sans.org/info/27048

*************************************************************************

TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad bonus sessions and a huge exhibition of security products: http://www.sans.org/sans2008
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Software Engineer Indicted for Theft of Trade Secrets (April 3, 2008)

Hanjuan Jin, a former software for a Chicago-based telecommunications company, has been indicted for allegedly stealing trade secrets from a telecommunications company and attempting to take the data to China. When her luggage was searched at O'Hare International Airport in Chicago, authorities discovered confidential technical documents and computer memory devices holding documents that belong to an unnamed company. Customs agents retained the documents and equipment. The intellectual property in the case is estimated to be worth US $600 million.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=207001607
-http://www.chicagotribune.com/news/local/chi-trade-secrets-both-03apr03,1,766331
6.story
[Editor's Note (Honan): Kudos to the affected company for having a data classification scheme in place for printed material which alerted the customs officials that something was amiss.]

British ISP Says it Won't Adopt BPI's Anti-Piracy Suggestions (April 4, 2008)

Carphone Warehouse-owned Internet service provider (ISP) TalkTalk has vehemently rejected the British Phonographic Industry's (BPI) suggestion that ISPs monitor customers downloading habits and impose a "three strikes and you're out" policy for repeat offenders. According to Carphone Warehouse chief executive Charles Dunstone, "The music industry has consistently failed to adapt to changes in technology and now seeks to foist their problems on someone else."
-http://www.guardian.co.uk/technology/2008/apr/04/internet.technology
-http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2008/04/04/cncarphone10.x
ml
[Editor's Note (Schultz): What Dunstone has said is very true. The real solution to the problem of music and movie piracy is for these industries to develop technology that thwarts piracy rather than forcing ISPs to monitor for and stop piracy by its customers when it occurs.]

TJX Reaches Tentative Settlement with MasterCard (April 2, 2008)

Under the terms of a settlement reached with MasterCard Inc., TJX Cos. will pay up to US $24 million to financial institutions for losses they incurred as a result of the data breach that exposed payment card information of millions of TJX customers. The settlement will be valid only if 90 percent of the banks that issued the cards involved in fraud claims decide to accept it. TJX reached a settlement with Visa in November of last year under which they will pay up to US $40.9 million.
-http://www.boston.com/business/ticker/2008/04/tjx_settles_wit_1.html
-http://www.informationweek.com/news/security/showArticle.jhtml;jsessionid=BHVOKI
12BIYXYQSNDLPSKH0CJUNN2JVN?articleID=207001404&_requestid=621884

---

************************** Sponsored Links: ***************************

1) SANS-LogLogic Third Annual Log Management Survey What are the challenges in log management? Have perceptions changed since last year? Help us find out! Take the survey at http://www.sans.org/info/27053

2) Free Biometric Security White Paper. Implement strong, compliant security policies and make user's lives easier. http://www.sans.org/info/27058

3) Come to the Application Security Summit and Penetration Testing & Ethical Hacking Summit - Las Vegas June 2-3. http://www.sans.org/info/27063 http://www.sans.org/info/27068

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Davidson Companies Faces Lawsuit Over Data Compromise (April 2, 2008)

A Montana law firm has filed a class-action suit against the Davidson Companies, alleging the company's negligence led to a breach of its computer system that exposed the names and Social Security numbers (SSNs) of 226,000 of the financial services company's clients. The lawsuit alleges that "the Davidson Companies failed to comply with the industry standards designed to protect such confidential and personal information from theft" and failed to provide "adequate safeguards in its storage and handling of its clients' confidential personal and financial information." There have been no reported instances of identity fraud related to the data compromise.
-http://www.greatfallstribune.com/apps/pbcs.dll/article?AID=/20080402/NEWS01/8040
20303

New Zealand Teen Pleads Guilty in Botnet Case (April 1, 2008)

New Zealand teen Owen Thor Walker has pleaded guilty to a variety of charges, including accessing a computer for dishonest purposes, interfering with computer systems, possessing software for committing crime, and accessing computer systems without authorization. Walker is believed to be the ringleader of a group that surreptitiously recruited more than a million computers into a botnet. Walker could face a prison sentence of up to five years, but the judge in the case indicated he was considering a sentence that does not involve custody.
-http://news.bbc.co.uk/2/hi/asia-pacific/7323733.stm
-http://www.breitbart.com/article.php?id=080401110723.35qiroer&show_article=1
[Editor's Note (Honan): Walker's Botnet skimmed at least _20 million (US $31 million), anything less than a custodial sentence will send the wrong message to online criminals. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Apple Patches QuickTime for Windows and Mac (April 3, 2008)

Apple has released a fix for QuickTime for both Mac OS X and Windows. The fix addresses 11 vulnerabilities in the multimedia player. The flaws include a privilege escalation vulnerability in the way QuickTime handles Java and arbitrary code execution and information disclosure vulnerabilities that can be exploited through maliciously crafted QuickTime movies. The patch updates QuickTime to version 7.4.5.
-http://www.securityfocus.com/brief/715
-http://www.heise-online.co.uk/security/Apple-closes-11-security-holes-in-QuickTi
me--/news/110463
-http://www.us-cert.gov/cas/techalerts/TA08-094A.html
-http://support.apple.com/kb/HT1241

Microsoft Will Release Eight Security Bulletins next Week (April 3, 2008)

On Tuesday, April 8, Microsoft plans to release eight security bulletins to address vulnerabilities in Windows Vista, XP, 2000, Server 2003, and Server 2008 as well as Explorer. Five of the bulletins have severity ratings of critical; all five address remote code execution flaws. The remaining three bulletins, all of which have severity ratings of important include a remote code execution flaw, an elevation of privilege flaw, and a flaw that can allow spoofing. The updates will all require restarts.
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml;j
sessionid=BHVOKI12BIYXYQSNDLPSKH0CJUNN2JVN?articleID=207001596&_requestid=61
9656
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9074740&intsrc=hm_list
-http://www.microsoft.com/technet/security/bulletin/ms08-apr.mspx

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Vt. Ski Area Data Breach Resembles Hannaford Breach (March 31 & April 2, 2008)

The Okemo Mountain Resort Ski Area in Vermont has issued an advisory saying that an intrusion may have resulted in more than 46,000 payment card transactions being compromised over several weeks in February. Some Okemo data appear to have been stolen during the transaction authorization process, as were the data in the Hannaford Bros. breach. The intrusion may also have compromised information on more than 18,000 credit cards used in transactions during the first several months of 2006. A forensic review concluded that systems at two other resorts owned by the same company did not experience intrusions.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9074339&source=rss_topic17
-http://www.okemo.com/okemowinter/security_update.asps
[Editor's Note (Pescatore): These types of incidents, and the MSNBC/USA Today/Miami > Dolphins compromised web server incidents, are showing that there are a lot of compromised servers that are starting to be put to active cyber crime use. Good time to do some spring cleaning (I guess "fall pruning" if you are in the southern hemisphere) to make sure critical systems don't have rootkit or bot client issues: Compare the installed images against known good baselines, make sure all custom apps have been tested for the web vulnerabilities that are commonly exploited, etc. ]

MISCELLANEOUS

US Legislator's Data is on Missing NIH Computer (April 3, 2008)

A US legislator whose personal information is on a laptop computer stolen from a National Institute of Health (NIH) researcher's car wants the inspector general at the Department of Health and Human Services to conduct an investigation. Among the questions Representative Joe Barton (R-Tex.) wants answered is whether or not NIH has an effective means of contacting individuals affected by such a breach; at least one person did not learn his information was on the computer until he contacted NIH himself. It is also unclear whether or not the laptop was encrypted and why the initial estimate of affected individuals fell short by 500.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/04/02/AR2008040203371_
pf.html

Laptop Hacked in Contest Makes Brief Appearance on eBay (April 1, 2008)

The man who won a laptop computer he hacked in a contest at the CanSecWest conference last week made a short-lived attempt to sell the machine on eBay. Shane Macaulay had offered the Fujitsu U810 Windows Vista-equipped laptop, saying that it was possible his exploit code could be derived from the machine. eBay removed the listing because they do not allow the sale of "anything that would do harm." Macaulay also received a US $5,000 cash prize for his successful hack of the computer. Macaualy's attack exploited a flaw in Adobe Flash Player. Adobe researchers say they knew of the flaw before Macaulay's attack and that they plan to patch it later this month.
-http://www.nytimes.com/idg/IDG_002570DE00740E180025741E005FFB74.html?ref=technol
ogy&pagewanted=print
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9074719&source=rss_topic17

SEOs Meet Hackers: Part One (March 31, 2008)

In the first article of a two-part series, Scott Berinato provides an overview of search engine optimizer (SEO) practices. While black hat hackers clearly inhabit shady territory, black hat (or gray hat, as they are sometimes called) SEOs often violate search engine terms of service agreements, but not laws. Initially, SEOs were employed by companies to help them get top rankings in search engine results. As the arena became more competitive, SEO's skills were being noticed by people hired to carry out more nefarious schemes.
-http://www.csoonline.com/article/print/221689

Bruce Schneier: Seeing the World from the Attacker's Perspective (March 20, 2008)

"Security professionals - at least the good ones -- see the world differently," says Bruce Schneier. "The security mindset involves thinking about how things can be made to fail." Schneier notes that the world would be a safer place if more people were trained in the art of the security mindset. Professor Tadayoshi Kohno is teaching a class at the University of Washington to try and instill the security mindset in his students. According to Schneier, "the security mindset is a valuable skill that everyone can benefit from, regardless of career path."
-http://www.wired.com/politics/security/commentary/securitymatters/2008/03/securi
tymatters_0320
[Editor's Note (Grefer): (Grefer): While this approach helps, from personal experience I can say that all the best suggestions, warnings and cautions are not of much use if the decision makers don't buy into them. It would not hurt to get them sensitized to the issues by suggesting they attend "SANS Security Leadership Essentials for Managers"
-http://www.sans.org/training/description.php?mid=62
and preferably also "Hacking for Managers"
-http://www.sans.org/training/description.php?mid=159]

LIST OF UPCOMING FREE SANS WEBCASTS

SANS Special Webcast: Eric Cole - Proving Web Vulnerabilities Redux with Knowledge Compression (TM) WHEN: Available NOW on YouTube
FEATURING: Dr. Eric Cole
To find it on YouTube click here:
-https://www.sans.org/webcasts/special.php
Sponsored By: Core Security
-http://www.coresecurity.com/
">
-http://www.coresecurity.com/



This webcast is an eight minute information packed remix of an earlier webcast. Grab the slides, click on the YouTube link and you are good to go. The goal is to get you the information you need as quickly as possible. Learn the core reasons for web vulnerabilities and how you can test for them. We would love to hear your thoughts about this experiment, drop us a note with your comments, stephen@sans.edu The video of the webcast redux is live on youtube.com

***
Internet Storm Center: Threat Update Webcast
WHEN: Wednesday, April 9, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
-http://www.sans.org/info/25514


This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

***
WhatWorks in Event Log Management: Solving FISMA Compliance Demands
WHEN: Thursday, April 10, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Elvis Shields-Moreland and Alan Paller
-http://www.sans.org/info/24659
Sponsored By: LogLogic

A need to meet the vague requirements of FISMA compliance prompted Lockheed to look for a new log management product to replace a recently acquired tool with one more suited to its manpower and skill level requirements. The company found a solution that had lower total cost of ownership, could process all logs and had correlation capabilities to show attack indicators.

***
SANS Special Webcast: Eric Cole's "Find and Fix Security Exposures before You're in a Heap of Trouble"
WHEN: Tuesday, April 15, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole
-http://www.sans.org/info/25519
Sponsored By: Core Security
-http://www.coresecurity.com/
">
-http://www.coresecurity.com/



Please join Eric Cole for a discussion of how to keep your information systems in check as the vulnerability landscape rolls out around you with this free webcast: "Find and Fix Security Exposures before You're in a Heap of Trouble"

During the webcast, Eric will examine the technologies available for assessing both the security of your network systems and the effectiveness of the defenses meant to protect them.

***
Tool Talk Webcast: A Blueprint for Successful NAC Deployments
WHEN: Wednesday, April 16, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURING: John Curry
-http://www.sans.org/info/24618
Sponsored By: StillSecure

This webinar will discuss the challenges associated with NAC deployments and provide organizations with a blueprint on how to cost-effectively take advantage of this critical technology. Learn first hand how your organization can benefit from this ground-breaking technology.

*******************************************************************
Be sure to check out the following FREE SANS archived webcasts:

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
-http://www.sans.org/info/22979
Sponsored By: Q1 Labs

SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
-https://www.sans.org/webcasts/show.php?webcastid=91884

********************************************************************

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/