SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #29

April 11, 2008

TOP OF THE NEWS

EU Data Protection Working Party Releases Report on Search Engine Data Retention
ICO Says Phorm Must be Opt-In

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Student Arrested for High School Data Theft
HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY
Data on Stolen NIH Laptop Include Some SSNs
Northern Ireland Government to Buy Secure Computers
SPYWARE, SPAM & PHISHING
Anti-Spam Services Throttling Web-Based eMail
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Attackers Already Taking Aim at Flaw Patched on Tuesday
Adobe Updates Flash Player
Millions of AT&T Modems May Be Vulnerable
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
WellPoint Customer Data Exposed for a Year
71,000 Georgia Families' Data Exposed
STATISTICS, STUDIES & SURVEYS
Symantec Internet Security Threat Report
MISCELLANEOUS
Black Hat Meets Search Engine Optimization, Part Two
LIST OF UPCOMING FREE SANS WEBCASTS

---

********************** Sponsored By Digital Persona Inc. ****************

Free Fingerprint Biometrics Test Drive - DigitalPersona's fingerprint authentication links actual people to individual actions. You know for sure, who does what, where and when. Implement strong security policies and make you and your users' lives easier. Eliminate password pain, simplify compliance and make auditors happy with DigitalPersona's fingerprint authentication. Get started: http://www.sans.org/info/27719

*************************************************************************

TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - SANS 2008 in Orlando (4/18-4/25) SANS' biggest program with myriad bonus sessions and a huge exhibition of security products: http://www.sans.org/sans2008
- - Washington DC (Tyson's) 3/24-3/31 http://www.sans.org/tysonscorner08
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

EU Data Protection Working Party Releases Report on Search Engine Data Retention (April 4, 7 & 8, 2008)

The European Union's (EU) Article 29 Data Protection Working Party has published its report on data protection and privacy related to search engines. Among the recommendations made in the report are: search engines should retain user search information for no more than six months unless the information is "strictly necessary" for continuing to provide service; IP addresses should be treated as personal information; and users should have "the right to access, inspect and correct if necessary" their personal data and their search histories. Google, which retains search information for 18 months, has said on its Public Policy blog that keeping the data is necessary for fraud prevention and service optimization.
-http://arstechnica.com/news.ars/post/20080407-eu-issues-tough-data-protection-fi
nding.html
-http://www.cbpweb.nl/downloads_int/Opinie
WP29 zoekmachines.pdf
-http://www.heise.de/english/newsticker/news/106245
-http://technology.timesonline.co.uk/tol/news/tech_and_web/article3705743.ece
-http://euobserver.com/9/25940
[Editor's Note (Skoudis): Remember that old cartoon with a dog saying, "On the Internet, nobody knows you're a dog"? Well, your search engine company probably does, based on your frequent searches on fleas, dog food, and related items. In the past, some people held the idea that information technology could somehow enhance privacy. But, over the past 20 years, lots of companies (not just search engines but all kinds of companies) amassed a bunch of information about all of us, often stored in poorly secured machines. Then, with relentless breaches (see every NewsBites from the past 5 years), this accumulated data was spread far and wide among criminal enterprises. Increasingly, it feels like privacy is dead.
(Northcutt): Long time readers of NewsBites know I have struggled with whether the client source IP address should be considered PII, after all it is clearly displayed in the clear right in the packet. At this point though I think with the preponderance of data that is being collected on people this is the right call. ]

ICO Says Phorm Must be Opt-In (April 9, 2008)

The UK Information Commissioner's Office (ICO) says that the Phorm advertisement targeting system must be an opt-in program. Prior to the ICO's announcement, Phorm said it would operate on an opt-out basis. The ICO plans to monitor Phorm closely during trials and commercial implementation. According to the ICO, Phorm does not violate UK or European data protection laws, but declined to comment on whether or not it violates interception laws, saying that would have to be determined by the Home Office.
-http://news.bbc.co.uk/2/hi/technology/7339263.stm

---

********************** Sponsored Links: *******************************

1) SANS-LogLogic Third Annual Log Management Survey What are the challenges in log management? Have perceptions changed since last year? Help us find out! Take the survey at http://www.sans.org/info/27724

2) White Paper: How to Protect Your Network from Tomorrow's Threats. See Top Layer IPS @SANS Orlando.
http://www.sans.org/info/27729

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Student Arrested for High School Data Theft (April 10, 2008)

A Joliet West High School student allegedly downloaded the names and Social Security numbers (SSNs) of all the school's students onto an iPod. Police became aware of the situation after the student showed the information to other students, who then notified a teacher. George C. Janecek has been arrested and charged with computer tampering, a misdemeanor. He is in the ROTC program at his school which allowed him access to a school computer to work on the ROTC website.
-http://www.suburbanchicagonews.com/heraldnews/news/887530,4_1_JO10_HACK_S1.artic
le

HOMELAND SECURITY & GOVERNMENT SYSTEMS SECURITY

Data on Stolen NIH Laptop Include Some SSNs (April 10, 2008)

Officials from the National Institutes of Health (NIH) are now saying that information on a stolen laptop computer includes some study participants' SSNs. Initially, NIH said none of the data on the computer could be used to commit identity fraud. An examination of the most recent backup of the computer indicates that it held SSNs of at least 1,281 of the 3,078 study participants affected by the breach.
-http://www.washingtonpost.com/wp-dyn/content/article/2008/04/09/AR2008040903680_
pf.html

Northern Ireland Government to Buy Secure Computers (April 9, 2008)

The Northern Ireland (NI) government plans to purchase 14,000 new computers equipped with security technology in the wake of recent data security breaches. The Civil Service also plans to end the practice of sending sensitive information through the post. Currently, NI government departments send sensitive data to other departments over a secure intranet; data sent to entities outside the government do not presently have such a service.
-http://news.bbc.co.uk/2/hi/uk_news/northern_ireland/7338544.stm
[Editor's Note (Ullrich): Sounds like a good move. But there are few details in the article. It suggests that encrypting data for postal mailing is "too much of a pain". I hope whoever sets this up realized that encryption will still be required. ]

SPYWARE, SPAM & PHISHING

Anti-Spam Services Throttling Web-Based eMail (April 10, 2008)

Because spammers have managed to find a way to defeat the CAPTCHA image security required to create many web-based email accounts, some anti-spam services have started throttling email from Gmail and Yahoo. Spammers have been creating email accounts to send massive quantities of spam. CAPTCHA is the system that requires the person creating the account to identify and correctly type back a series of letters in a distorted image.
-http://www.theregister.co.uk/2008/04/10/web_mail_throttled/print.html
[Editor's Note (Frantzen): CAPTCHA has been broken a number of times, both by tricking users into helping the attackers, and through advanced OCR techniques. Increasingly complex images may help for a while, but ultimately it's going to be too hard for humans to prove they are human. ]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Attackers Already Taking Aim at Flaw Patched on Tuesday (April 9 & 10, 2008)

Attackers are already attempting to exploit one of the vulnerabilities addressed in Microsoft's software update release for April. The GDI vulnerabilities, which are addressed in Microsoft's security bulletin MS08-021, could potentially be exploited through malformed Windows Metafile (MWF) or Enhanced Metafile (EMF) image files. The only version of Windows not susceptible to the attack is Windows XP SP3, which has yet to be released. Users are urged to apply patches immediately. The software updates include eight security bulletins that address flaws in Windows and Internet Explorer; five of the vulnerabilities were rated critical. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=4274
-http://www.symantec.com/security_response/threatcon/index.jsp
-http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?a
rticleID=207100721
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9076800&source=rss_topic17
[Editor's Note (Honan): The Internet Storm Center has their usual excellent patch Tuesday overview available at
-http://isc.sans.org/diary.html?storyid=4264.
For MS08-021 the ISC class this as critical for workstations and important for servers. ]

Adobe Updates Flash Player (April 8 & 9, 2008)

Adobe has released an update for its Flash Player to address at least seven flaws that could be exploited to take control of vulnerable systems. The update includes a fix for the flaw that was exploited in a contest last month at the CanSecWest conference to take control of a laptop running Microsoft Windows Vista. Versions of the update are available for Adobe Flash Player 9.0.115.0 and earlier and Adobe Flash Player 8.0.39.0 and earlier. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=4268
-http://www.eweek.com/c/a/Security/Adobe-Issues-Critical-Flash-Player-Update/
-http://www.securityfocus.com/brief/719
-http://www.us-cert.gov/cas/techalerts/TA08-100A.html
-http://www.adobe.com/support/security/bulletins/apsb08-11.html
[Internet Storm Center (Siles): It is crucial to check your current Flash version, go through the update process, and double check your post-update version - we got a few reports where the update failed. Please, if you use multiple Web browsers update Adobe Flash through both Internet Explorer (ActiveX Flash control) and any other installed Web browser, such as Firefox, Safari, etc (using the OS Flash executable file). The process must be repeated twice. ]

Millions of AT&T Modems May Be Vulnerable (April 8, 2008)

2Wire manufactures DSL modems and routers for AT&T and other major carriers. Their devices suffer from a DNS redirection vulnerability, reported more than 8 months ago, that can be used as part of a variety of attacks, including phishing, identity theft, and denial of service. Has AT&T done anything about this problem?
-http://tech.slashdot.org/tech/08/04/08/1946214.shtml

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

WellPoint Customer Data Exposed for a Year (April 8 & 9, 2008)

Health benefits company WellPoint has acknowledged that personally identifiable information of 128,000 customers was exposed on the Internet over the last year. The breach affefts customers in several states; WellPoint is in the process of notifying those individuals. There have been no reports of identity fraud related to the data compromise. The breach involved two servers at an unnamed data management vendor; WellPoint says they are still working with that vendor and that the problem has been addressed. While the data were exposed for approximately one year they could not be found through search engines.
-http://money.cnn.com/news/newsfeeds/articles/apwire/a8805254560b7e273865624f15bc
fb53.htm
-http://www.scmagazineus.com/WellPoint-patient-information-exposed/article/108840
/
[Editor's Note (Ranum): It's about time that we assumed that all SSN#s in the US, as well as address information and mothers' maiden names have been compromised. Financial institutions need to step up to the plate and improve their "authentication" beyond relying on such useless "secret" information - it is absurd that we have an entire industry devoted to counting the number of horses galloping out of the barn, when the barn does not even have a door. This situation is comical, but nobody's laughing because the joke was stale 10 years ago. ]

71,000 Georgia Families' Data Exposed (April 8, 2008)

WellCare Health Plans Inc. is notifying as many as 71,000 Georgia families that their personally identifiable information was accessible on the Internet for an unspecified amount of time. It has not been determined if the data were viewed while accessible. The compromised data include names, birth dates, SSNs and other healthcare related identification numbers, but no financial information.
-http://www.ajc.com/metro/content/metro/stories/2008/04/08/breach_0409.html

STATISTICS, STUDIES & SURVEYS

Symantec Internet Security Threat Report (April 20008)

Symantec has released its Internet Security Threat Report Volume XIII, "providing a six-month update of worldwide Internet threat activity." The report covers the second half of 2007. It comprises four reports: one global, two regional, and one focused on government. Among the general findings are that "malicious activity has become web-based,
[and ]
attackers are targeting end users instead of computers."
-http://www.heise.de/english/newsticker/news/106333
-http://news.bbc.co.uk/2/hi/technology/7340315.stm
-http://www.zdnetasia.com/news/security/0,39044215,62040042,00.htm
-http://www.securityfocus.com/brief/717
-http://www.smh.com.au/news/technology/stolen-identities-going-cheap/2008/04/08/1
207420371697.html
-http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summ
ary_internet_security_threat_report_xiii_04-2008.en-us.pdf
[Editor's Note (Schultz): Symantec's threat reports are useful, but saying that "malicious activity has become web-based" is misleading. ]

MISCELLANEOUS

Black Hat Meets Search Engine Optimization, Part Two (April 7, 2008)

Scott Berinato continues his exploration of the meeting of black hat hackers and search engine optimizers. While many SEOs maintained their practices of manipulating search engine results are inside the law, others began using illicit techniques that prompted search engines to step up and fight, sometimes by delisting the offending sites. This encouraged some black hat SEOs to turn back to more legitimate means of pursuing their goals. Others dove more deeply into the illegal end of the system, trying to manipulate search results so that users will be led to sites infected with malware.
-http://www.csoonline.com/article/print/205701
[From Internet Storm Center: Search Engine Optimizers (SEO) promote and tune a website in order to get better positions in the search engine results. Search engines have set guidelines for acceptable tuning behavior but SEOs often cross that line. Google, for example, provides web-tuning guidelines, and has penalized web sites.
-http://www.google.com/support/webmasters/bin/answer.py?answer=35769]

UPCOMING SANS WEBCAST SCHEDULE

SANS Special Webcast: Eric Cole's "Find and Fix Security Exposures beforeYou're in a Heap of Trouble"
WHEN: Tuesday, April 15, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole
-http://www.sans.org/info/25519

Sponsored By: Core Security
-http://www.coresecurity.com/

Please join Eric Cole for a discussion of how to keep your information systems in check as the vulnerability landscape rolls out around you with this free webcast: "Find and Fix Security Exposures before You're in a Heap of Trouble" During the webcast, Eric will examine the technologies available for assessing both the security of your network systems and the effectiveness of the defenses meant to protect them.

***
Tool Talk Webcast: A Blueprint for Successful NAC Deployments
WHEN: Wednesday, April 16, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: John Curry
-http://www.sans.org/info/24618

Sponsored By: StillSecure
-http://www.stillsecure.com/

This webinar will discuss the challenges associated with NAC deployments and provide organizations with a blueprint on how to cost-effectively take advantage of this critical technology. Learn first hand how your organization can benefit from this ground-breaking technology.

***
SANS Special Webcast: Log Management Part II: Real-Time Event Management
WHEN: Thursday, April 17, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Sunil Bhargava
-http://www.sans.org/info/25523

Sponsored By: Intellitactics, Inc.
-http://www.intellitactics.com/int/

This Webcast discusses how logs and event correlation should be managed for compliance purposes and how auditors, working closely with security and operations teams, can help develop processes that leverage logging and event data to measure the effectiveness of their controls.

***
SANS Special Webcast: Monthly Series: Security Insights with Dr. Eric Cole" This month's topic: DLP
WHEN: Tuesday, April 22, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole
-http://www.sans.org/info/25528

Sponsored By: Code Green Networks
-http://www.codegreennetworks.com/

This talk will provide insight into what product features are most valuable and which solutions should be avoided. To accomplish this it will provide a detail understanding of the landscape and the best way to protect data at an organization. Register now for this free webcast!

***
Analyst Webcast: Security and Performance on Converged Networks
WHEN: Thursday April 24, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Karl Schaub
-http://www.sans.org/info/25538

Sponsored By: NIKSUN
-http://www.niksun.com/

Events from security and monitoring devices fire off an unmanageable number of alarms with no way of telling how they're related, or how they impact performance. As networks converge their video, voice and data traffic over IP networks, these alarms will only increase, while providing less visibility into what set them off. This Webcast discusses what will be needed of security monitoring tools as these data, voice, video convergence becomes ubiquitous.

*******************************************************************

Be sure to check out the following FREE SANS archived webcasts:

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
-http://www.sans.org/info/22979
Sponsored By: Q1 Labs

SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand
-https://www.sans.org/webcasts/show.php?webcastid=91884


********************************************************************

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/