SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #28

April 08, 2008

It's very rare that we highlight a blog in NewsBites, but one posted last night, by Mary Ann Davidson of Oracle, tells of the first important development in the long quest to persuade college faculty to teach secure coding in their core curriculum. No other software company has done anything nearly as important in this arena as what Oracle has done. Her blog is at http://blogs.oracle.com/maryanndavidson/ (April 8) See the first story in this issue for more.

Alan

---

TOP OF THE NEWS

Oracle Takes The Lead In Encouraging Secure Coding Training In US Colleges
ISPs Conducting Deep-Packet Inspection
TIGTA Reports Finds Security Problems at IRS
Phorm Targeted Advertising Plan Comes Under More Fire

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Univ. Student Charged with Hacking eMail and Facebook Accounts
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
NIH Workers May Not Store Sensitive Data on MacBooks
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Kraken Botnet Twice as Large as Storm
Floppy USB Keys for HP Proliant Servers Infected with Malware
ActiveX Control Flaw in Symantec Products
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Lost Disk Holds Data on 370,000 HSBC Customers
Pfizer Data Security Breach
MISCELLANEOUS
Federal Investigators May Have Piggybacked on Wireless Account
Known Flaws Not Patched on Breached Antioch Univ. System
Gene Schultz On Using SIEMs to Detect Attacks
LIST OF UPCOMING FREE SANS WEBCASTS

---

********************** Sponsored By PacketMotion ************************

Are your internal controls and acceptable use policies for consultants, temporary, and high-risk users working? What information assets are in jeopardy? Find the facts, blind spots and new technology regarding real-time visibility and control of network user transactions. Download the FREE whitepaper "TRUST BUT VERIFY: 24/7 Monitoring of High-risk User Activity in the Network" now.
http://www.sans.org/info/27198

*************************************************************************

TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad bonus sessions and a huge exhibition of security products: http://www.sans.org/sans2008
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Oracle Takes the Lead In Encouraging Secure Coding Training In US Colleges (April 8, 2008)

Oracle's Chief Information Security Officer, Mary Ann Davidson, posted blog last night heralding the first important step in improving secure coding education in US colleges and universities. Here is an excerpt: "Last year, I got fed up enough with Oracle having to train otherwise bright and capable CS grads in secure coding 101 that I sent letters to the top 10 or so universities we recruit from. . . Specifically, we sent the letters to the chairmen of the department of computer science (or equivalent) and copied the deans of the schools with oversight of the CS departments. In the letter, we stated that Oracle expends significant resources training CS graduates in secure coding practices. We described the impact to us and to our customers of avoidable, preventable security defects, and why the insecurity of commercial software is a national security problem. . . . And we stated that in the future, Oracle would give preference in hiring to those universities that emphasize secure coding practices."
-http://blogs.oracle.com/maryanndavidson/

Oracle's letter is posted at
-http://www.oracle.com/security/docs/mary-ann-letter.pdf
[Editor's Note (Paller): The tests are now ready (www.sans.org/gssp); programmers can easily prove mastery of the basics. Faculty from many colleges are meeting next month to agree on exercises and other tools for embedding security in existing CS and programming courses. Maybe colleges are going to become leaders in helping programmers write code with fewer security flaws. If you hire more than a few programmers each year, please consider lending your voice to the growing chorus of employers asking colleges to make sure their graduates have the basics of secure coding. And when you send your letters, please share them so that faculty understand this is a national need they cannot ignore. ]

ISPs Conducting Deep-Packet Inspection (April 4, 2008)

The Internet use of at least 100,000 Americans is being monitored by ISPs. They collect the information so users can be targeted with advertisements that are more likely to be of interest to them and advertisers are likely to reach a more receptive audience. The companies involved in what is known as deep-packet inspection maintain that users' privacy is protected because personally identifying information is not shared.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/04/03/AR2008040304052_
pf.html
[Editor's Note (Schultz): You've got to be kidding. _Animal Farm_, here we come. (Northcutt): These practices are far more pervasive than most people understand. Here is a research note I keep on SANS college's Security Laboratory to keep track of this very disturbing trend:
-http://www.sans.edu/resources/securitylab/superclick_privacy.php
(Liston): This is the practice that has caused an uproar over Phorm (see "Phorm Targeted Advertising Plan Comes Under More Fire" elsewhere in NewsBites). What I find interesting is that the privacy implications of these systems aren't anything new: your browsing data has been traversing your ISP's network in the clear and subject to this type of analysis all along. Now that they're admitting to analyzing it, suddenly it's a privacy concern? ]

TIGTA Reports Finds Security Problems at IRS (April 7, 2008)

A report from the US Treasury Inspector General for Tax Administration (TIGTA) office says the Internal Revenue Service (IRS) found that taxpayer data were not as well protected as they should be. The security issues surround routers and switches. Eighty-four percent of the time that IRS employees accessed systems to administer or configure routers, they did so through accounts that did not have proper authorization. The IRS says it has addressed some of the issues raised in the report, which did not indicate that there have been any breaches as a result of the vulnerabilities.
-http://www.cnn.com/2008/TECH/04/07/irs.computers/
-http://www.usatoday.com/tech/techinvestor/2008-04-07-irs-computer-security_N.htm
?csp=34
-http://www.treas.gov/tigta/auditreports/2008reports/200820071fr.pdf
[Editor's Note (Honan): The report is a good example of how information security professionals should not dread a review by auditors but rather work closely with them and use their input to improve security.]

Phorm Targeted Advertising Plan Comes Under More Fire (April 4 & 7, 2008)

A University of Cambridge computer security researcher has declared Phorm's advertising system to be illegal. Dr. Richard Clayton says "the
[Phorm ]
system performs illegal interception" according to the definition found in Section 1 of the Regulation of Investigatory Powers Act. The Information Commissioner's Office (ICO) plans to closely monitor BT's planned trial of Phorm's technology later this month. The trial will involve approximately 10,000 broadband customers. The ICO says BT understands that customers must opt into the trial; information may not be collected without their express consent.
-http://news.bbc.co.uk/2/hi/technology/7331493.stm
-http://www.theregister.co.uk/2008/04/07/bt_phorm_ico/print.html
-http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/

---

************************** Sponsored Links: ***************************

(1) With Rapid7 NeXpose, you can detect, report and remediate vulnerabilities throughout their entire network. Whether you want a "plug and play" appliance, downloadable software or an external hosted service, with NeXpose, you are assured your network, databases and web applications are free from vulnerabilities. http://www.sans.org/info/27203

2) SANS Third Annual Log Management Survey
What are the challenges in log management? Have perceptions changed since last year? Help us find out! Take the survey at http://www.sans.org/info/27208

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Univ. Student Charged with Hacking eMail and Facebook Accounts (April 2 & 4, 2008)

University of Oklahoma (OU) student Jose Antonio Roman has been charged with violating the Oklahoma Computer Crimes Act. Roman allegedly broke into other OU students' email and Facebook accounts and changed the passwords, locking them out of their own accounts. Roman allegedly obtained the information necessary to access the accounts by scanning the local OU subnet from his dorm room. He also allegedly launched a number of Address Resolution Protocol (ARP) poisoning attacks late last year.
-http://www.normantranscript.com/localnews/local_story_093235818.html
-http://www.koco.com/news/15795801/detail.html

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

NIH Workers May Not Store Sensitive Data on MacBooks (April 4 & 7, 2008)

A National Institutes of Health (NIH) agency memo forbids employees from storing sensitive data on MacBook laptop computers. As of April 4, all NIH laptops running Windows or Linux operating systems must have the Pointsec encryption tool; Windows Vista users may also use that operating system's BitLocker disk encryption tool. There is presently a beta version of Pointsec for MacBooks, but not an approved version. The ban on MacBooks holding sensitive data applies to contractors as well as in-house employees.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=207001840
-http://www.fcw.com/online/news/152173-1.html
[Editor's Note (Schultz): As said so many previous times, nothing serves as a wake-up call for security as much as a serious security-related incident.
(Liston): Note: The issue here is the lack of an approved version of whole-disk encryption, not with OSX itself. Apple Fanboys: Return to standby. Nothing to see here-- you may safely return to caressing your MacBooks and iPhones.
(Frantzen): Those reading this might conclude Apple OS X has no disk encryption available. That's untrue: Macs come with FileVault out of the box since OS X 10.3 . It can be used to encrypt whole disks or virtual disks that can be mounted where you want them. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Kraken Botnet Twice as Large as Storm (April 7, 2008)

The Kraken botnet is believed to be more than twice the size of the Storm botnet. Just 20 percent of antivirus (AV) packages are presently detecting Kraken, which comprises more than 400,000 zombie machines; Kraken is hard to detect because its code morphs. Researchers are still trying to determine how Kraken works its way into apparently well-fortified systems. One known technique it uses is to copy itself to infected computers' hard drives in an altered form that can be used to reinfect the machine if AV programs are eventually able to identify the original file. The Kraken botnet is used primarily to send spam. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=4256
-http://isc.sans.org/diary.html?storyid=4250
-http://www.theregister.co.uk/2008/04/07/kraken_botnet_menace/print.html

Floppy USB Keys for HP Proliant Servers Infected with Malware (April 3 & 7, 2008)

HP has acknowledged that optional USB 2.0 floppy drive keys that ship with some of the company's Proliant servers are infected with malware. The keys' part numbers are 442084-B21 and 442085-B21 and are infected with viruses known as W32.Fakerecy and W32.SillyFDC. While the viruses themselves are low-risk, the incident points to the increased use of USB drives as vectors for attack.
-http://www.theregister.co.uk/2008/04/07/hp_proliant_usb_key_infection/print.html
-http://security.blogs.techtarget.com/2008/04/07/hp-would-you-like-some-malware-w
ith-your-server/
-http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomy
Name=cybercrime_an
-http://www.auscert.org.au/render.html?it=9077
-http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&
amp;objectID=c01404119&jumpid=reg_R1002_USEN
-http://isc.sans.org/diary.html?storyid=4247

ActiveX Control Flaw in Symantec Products (April 4, 2008)

Symantec has acknowledged that flaws in an ActiveX control that ships with many of the company's security software products could allow attackers to take control of vulnerable computers. The flaws are in the ActiveX control, SymAData.dll, and allow arbitrary code execution with the privileges of the currently logged in user. Symantec says that to exploit the flaws, attackers would need to launch cross-site scripting or DNS poisoning attacks. SymAData.dll is used by Symantec's AutoFix tool. Users engaging in an online chat session with Symantec Technical support will have an updated version of the tool installed automatically; others can download and install an updated version of the tool, from Symantec's website.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9074979&source=rss_topic17
[Editor's Note (Schultz): Because of the lack of security in ActiveX, any credible security vendor should not rely on any ActiveX control for any security-related capability--end of story. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Lost Disk Holds Data on 370,000 HSBC Customers (April 7, 2008)

The UK's Financial Services Authority will investigate the loss of a disk containing personally identifiable information of 370,000 HSBC customers. The compromised data include names, dates of birth, and life insurance information, but no bank account information. The disk was being sent from HSBC to a reinsurance firm. The disk was not encrypted. Normally, the data are transferred electronically, but because the system was down, HSBC sent the information on disk through the post.
-http://www.vnunet.com/vnunet/news/2213667/hsbc-lose-370-customer-details
-http://www.theregister.co.uk/2008/04/07/hsbc_disc_loss/print.html
[Editor's Note (Liston): Ok, so during the whole time that they were trying to figure out how to get the data from point A to point B when the normal system was down, during the time they were writing it out to disk, during the time they were finding an envelope and figuring out who to send it to, no one thought to ENCRYPT it?
(Honan): I sincerely hope that the Financial Services Authority, which recently fined the Nationwide Building Society UK 980,000 for losing a laptop, and the UK Information Commissioner's Office deal with this with the seriousness it deserves. ]

Pfizer Data Security Breach (April 7, 2008)

Pfizer has experienced another data security breach. A laptop stolen from a contractor's home contains personally identifiable information of approximately 800 current and former Pfizer employees and contractors. The data include names, credit card numbers, and card expiration numbers. The theft occurred on February 7, 2008; an incident notification letter the company sent to attorneys general in several states was dated March 19. In 2007, Pfizer suffered four data security breaches that compromised personally identifiable information of more than 52,000 individuals.
-http://www.theday.com/re.aspx?re=6b8c60cf-8fa2-43f1-9238-6dba8792cfa3

MISCELLANEOUS

Federal Investigators May Have Piggybacked on Wireless Account (April 4, 2008)

The office of Canadian Privacy Commissioner Jennifer Stoddart is investigating allegations that federal Human Rights Commission investigators broke into a woman's wireless internet connection and used it to post messages on a white supremacist website under investigation. The complaint was brought by Mark Lemire, who runs the website in question. He alleges that investigators' actions violated parts of the Criminal Code.
-http://www.thestar.com/printArticle/410352
-http://canadianpress.google.com/article/ALeqM5gNnqjbWO--KBqpYXgxYV9YMwpJUQ

Known Flaws Not Patched on Breached Antioch Univ. System (April 4, 2008)

Antioch University's data security breach has been attributed to a Sun Solaris server FTP vulnerability that had not been patched, despite the fact that there was a fix available before the intrusion. The attackers breached the ERP server on three occasions in 2007; however the breaches were not detected until February 2008, however, when university IT officials were investigating different malware that was causing the system to send out offensive content. At that time, they found an IRC bot installed on the server. Antioch University CIO William Marshall says there is no evidence that any data on the server were downloaded or copied.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9075098&source=rss_topic17
[Editor's Note (Schultz): Sorry, but when someone says "there is no evidence that" when all the appearances of a security-related incident exist, that person has reduced credibility because of how easy it is to overlook such an incident. ]

Gene Schultz On Using SIEMs to Detect Attacks

The latest Security Thought Leadership interview is with Dr. Gene Schultz of High Tower. Gene, a well known security researcher with a focus on intrusion detection shares his thoughts on security, governance and in particular using a SIEM to detect attacks:
-http://www.sans.edu/resources/securitylab/gene_schultz.php

LIST OF UPCOMING FREE SANS WEBCASTS

SANS Special Webcast: Eric Cole - Proving Web Vulnerabilities Redux with Knowledge Compression (TM)
WHEN: Available NOW on YouTube
FEATURING: Dr. Eric Cole
To find it on YouTube click here:
-https://www.sans.org/webcasts/special.php
Sponsored By: Core Security
-http://www.coresecurity.com/
">
-http://www.coresecurity.com/



This webcast is an eight minute information packed remix of an earlier webcast. Grab the slides, click on the YouTube link and you are good to go. The goal is to get you the information you need as quickly as possible. Learn the core reasons for web vulnerabilities and how you can test for them. We would love to hear your thoughts about this experiment, drop us a note with your comments, stephen@sans.edu The video of the webcast redux is live on youtube.com

***
Internet Storm Center: Threat Update Webcast
WHEN: Wednesday, April 9, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich
-http://www.sans.org/info/25514


This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

***
WhatWorks in Event Log Management: Solving FISMA Compliance Demands
WHEN: Thursday, April 10, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Elvis Shields-Moreland and Alan Paller
-http://www.sans.org/info/24659
Sponsored By: LogLogic

A need to meet the vague requirements of FISMA compliance prompted Lockheed to look for a new log management product to replace a recently acquired tool with one more suited to its manpower and skill level requirements. The company found a solution that had lower total cost of ownership, could process all logs and had correlation capabilities to show attack indicators.

***
SANS Special Webcast: Eric Cole's "Find and Fix Security Exposures
before You're in a Heap of Trouble"
WHEN: Tuesday, April 15, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole
-http://www.sans.org/info/25519
Sponsored By: Core Security
-http://www.coresecurity.com/
">
-http://www.coresecurity.com/



Please join Eric Cole for a discussion of how to keep your information systems in check as the vulnerability landscape rolls out around you with this free webcast: "Find and Fix Security Exposures before You're in a Heap of Trouble"

During the webcast, Eric will examine the technologies available for assessing both the security of your network systems and the effectiveness of the defenses meant to protect them.

***
Tool Talk Webcast: A Blueprint for Successful NAC Deployments
WHEN: Wednesday, April 16, 2008 at 1:00 PM EDT (1800 UTC/GMT)
FEATURING: John Curry
-http://www.sans.org/info/24618
Sponsored By: StillSecure

This webinar will discuss the challenges associated with NAC deployments and provide organizations with a blueprint on how to cost-effectively take advantage of this critical technology. Learn first hand how your organization can benefit from this ground-breaking technology.

*******************************************************************
Be sure to check out the following FREE SANS archived webcasts:

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
-http://www.sans.org/info/22979
Sponsored By: Q1 Labs

SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
-https://www.sans.org/webcasts/show.php?webcastid=91884

********************************************************************

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/