SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume X - Issue #30

April 15, 2008

TOP OF THE NEWS

Targeted Attacks Against Sensitive US Networks on the Rise
MEPs Say No to Cutting File-Sharers Off from Internet

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Bank Call Center Employee Jailed for Data Theft
Nine-Year Sentence for Data Theft and Fraud
NY Hospital Employee Arrested for Alleged Patient Data Theft
Librarian's Suspicions Led to Arrest of Internet Fraudster
POLICY & LEGISLATION
Australian Privacy Commissioner to Issue Breach Notification Guidelines
SPYWARE, SPAM & PHISHING
CAPTCHA-Defeating Attacks Spell Headaches for Anti-Spam Vendors
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Oracle Quarterly Patch Update to Address 41 Flaws
Fribet Trojan Detected on Pro-Tibet Websites
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
High School Students Allegedly Accessed Employee Data
STATISTICS, STUDIES & SURVEYS
Largest Botnets Control More than One Million Machines
LIST OF UPCOMING FREE SANS WEBCASTS

---

******************* Sponsored By HP (SPI Dynamics) **********************

Top 4 AJAX Security Dangers - Free White Paper! Are you ready for AJAX? Hackers definitely are! With the growth of Web 2.0 and Rich Internet Applications (RIA), developers are rapidly adopting AJAX and unknowingly exposing serious security risks.
This free whitepaper, from HP Software, 'AJAX Security Dangers', provides more information about AJAX and its risks http://www.sans.org/info/27754

*************************************************************************

TRAINING UPDATE
Where can you find the newest Penetration Testing techniques, Application Pen Testing, Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, both new Pen Testing courses, CISSP, and SANS' other top-rated courses plus evening sessions with Internet Storm Center handlers.
- - SANSFIRE 2008 in Washington DC (7/22-7/31) SANS' biggest summer program with many bonus sessions and a big exhibition of security products: http://www.sans.org/info/26774
- - London (6/2-6/7) and Amsterdam (6/16-6/21) http://www.sans.org/secureeurope08
- - San Diego (5/9-5/16) http://www.sans.org/securitywest08
- - Toronto (5/10-5/16) http://www.sans.org/toronto08
- - and in 100 other cites and on line any time: www.sans.org

*************************************************************************

---

TOP OF THE NEWS

Targeted Attacks Against Sensitive US Networks on the Rise (April 10, 2008)

BusinessWeek takes a look at the growing number of targeted attacks against US government and private industry systems. The problem is serious enough to have prompted the Cyber initiative, signed by President Bush in January, and reportedly a classified operation known as Byzantine Foothold, aimed at discovering the source of the attacks and protecting systems from attacks in the future. The Office of the National Intelligence Director responded to questions from BusinessWeek in writing, saying, in part, that "computer intrusions have been successful against a wide range of government and corporate networks across the critical infrastructure and defense industrial base." A Chinese government spokesperson denies the allegations that the attacks came from China, even though considerable evidence that shows the origin of the attacks exists. The article also goes into some detail regarding a targeted email sent to a Booz-Allen executive that contained malware known as Poison Ivy, a remote administration tool that is capable of logging keystrokes. Another piece of malware that accompanied the email is designed to disable security measures.
-http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm
Chinese Embassy response to written questions from BusinessWeek:
-http://www.businessweek.com/magazine/content/08_16/b4080032243361.htm
[Editor's Note (Schultz): These threats are indeed extremely serious, so serious that conventional security measures do not appear to be capable of addressing them. Entirely new strategies for dealing with them need to be created and considered. ]

MEPs Say No to Cutting File-Sharers Off from Internet (April 10 & 11, 2008)

Members of European Parliament (MEPs) have voted against a plan to cut off the Internet access of habitual illegal filesharers. In a close vote, MEPs approved an amendment to a report on Europe's Cultural industries that says banning people from the Internet flies in the face of "civil liberties and human rights." Several MEPs have expressed the opinion that while it is appropriate to punish "commercially driven Internet piracy," punishing individuals by cutting off their Internet access "is an inappropriate response." The International Federation of the Phonographic Industry, which favored a three-strikes-and-you're-out approach, has called the amendment "badly drafted." The report is not legally binding.
-http://euobserver.com/9/25959
-http://news.bbc.co.uk/2/hi/technology/7342135.stm
[Editor's Note (Northcutt): You have to give them points for creativity, but I wonder how you could ever enforce such a law? I guess we will find out; it appears the French are going to give this idea a go:
-http://news.bbc.co.uk/2/hi/technology/7110024.stm]

---

********************** Sponsored Links: *******************************

1) IPS White Paper: Protect network from Threats. SC Magazine Rated Best Buy IPS. Visit @ SANS Orlando. http://www.sans.org/info/27759

2) Gain Network Visibility and Internal Security Using NetFlow - Fill the Gaps Left by Traditional Perimeter Defenses
Read More: http://www.sans.org/info/27764

*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Bank Call Center Employee Jailed for Data Theft (April 14, 2008)

A Royal Bank of Scotland call center employee has been sentenced to one year in prison for stealing customers' account information that was later used to make fraudulent transactions totaling GBP 33,585 (US $66,655). Asman Alyas, who provided the information to others, pleaded guilty to conspiracy to commit fraud. A spokesperson for the National Consumer Council said that banks should disclose information about data breaches so that customers can make informed decisions.
-http://www.manchestereveningnews.co.uk/news/s/1045113_call_centre_crook_helped_s
teal_33000
[Editor's Note (Ranum): Eventually, all interesting computer security problems boil down to trust. How many banks do you think would allow call center employees access to the bank's vaults? When are organizations that hold significant databases going to realize that there is no difference?
(Weatherford): Not that it would have prevented this incident but it is also good justification to begin conducting background checks on ALL personnel who handle sensitive and private information. To use an over-used word, it's called due diligence. ]

Nine-Year Sentence for Data Theft and Fraud (April 14, 2008)

Mario Simbaqueba Bonilla has been sentenced to nine years in prison for his role in a cyber crime scheme that resulted in losses of US $1.4 million. Simbaqueba Bonilla pleaded guilty earlier this year to charges of conspiracy, access device fraud, and aggravated identity theft. The scheme involved placing keystroke-logging software on computers in hotel business centers and Internet cafes. Bonilla Simbaqueba and an accomplice used the information gathered to siphon money from various bank, payroll, brokerage and other online accounts. He was also ordered to pay US $347,000 in restitution and will serve three years of supervised release upon completion of his prison sentence.
-http://www.vnunet.com/vnunet/news/2214210/colombian-fraudster-jailed-nine
[Editor's Note (Schmidt): At which point will ALL hotels, libraries and business centers restrict people from installing software on the common use machines? I have seen some major hotel chains have some common use computers "secured" but it varies from city to city and who they hire to manage these computers. (Weatherford and Paller): One of the longest sentences we have seen; perhaps the beginning of a welcome trend. ]

NY Hospital Employee Arrested for Alleged Patient Data Theft (April 13, 2008)

A former employee at New York-Presbyterian Hospital/Weill Cornell Medical Center allegedly stole and sold the personal information of nearly 50,000 patients. Dwight McPherson was arrested and charged with conspiracy involving computer fraud, identity document fraud, transmission of stolen property, and sale of stolen property. The compromised data include names and Social Security numbers (SSNs), but no medical information. The hospital is attempting to notify the patients affected by the breach.
-http://www.nytimes.com/2008/04/13/nyregion/13arraign.html
-http://www.news24.com/News24/World/News/0,,2-10-1462_2304983,00.html
[Editor's Note (Schmidt): This is happening with way too much frequency, if there is ever a reason for enhanced sentencing this would be one of the reasons, bad enough someone is in the hospital but to victimize someone in that situation is about as low as you can get. ]

Librarian's Suspicions Led to Arrest of Internet Fraudster (April 11, 2008)

A librarian's attentiveness resulted in the arrest of a man who allegedly used stolen information to make Internet purchases through computers at the library. The Collinsville (IL) Public Library librarian became suspicious when she noticed that the man used a variety of names and credit card numbers to buy items over the Internet. Jason David Lingo admitted to buying credit card numbers late last year and using 20 of those to make fraudulent purchases through library computers. Lingo has pleaded guilty to charges of possession of unauthorized devices, mail fraud, and aggravated identity theft. His sentencing is scheduled for July 10.
-http://www.bnd.com/breaking_news/story/307953.html
[Editor's Note (Northcutt): The story mentions that internet fraud often involves delivery to an empty house or lot. So, if you know a house in your neighborhood is vacant and you see FedEx pull up for a delivery, give your local police department a call. In this case Mr. Lingo was using empty lots, and mail carriers should have known better. Here are two good links, the second one requires digging down a bit, but if you scroll down to post number 7, you will get some advice from an obviously saavy retailer:
-http://www.ebizinsider.com/2008/03/14/e-commerce-fraud-sucks-hints-to-reduce-the
-rot/
-http://mybroadband.co.za/vb/showthread.php?t=79265]

POLICY & LEGISLATION

Australian Privacy Commissioner to Issue Breach Notification Guidelines (April 15, 2008)

Australia's privacy commissioner Karen Curtis plans to issue draft guidelines regarding data breach notification to help companies address the issue while the details of the Privacy Act revision continue to be hammered out. Government agencies and businesses have contacted the privacy commissioner's office with questions about handling data security breaches. The guidelines will be voluntary; commentary on the guidelines will be accepted through June 16, 2008. The Australian Law Reform Commission's review of the 20-year-old Privacy Act is expected later this year, and it may be some time before new laws are enacted.
-http://www.australianit.news.com.au/story/0,24897,23539443-15306,00.html

SPYWARE, SPAM & PHISHING

CAPTCHA-Defeating Attacks Spell Headaches for Anti-Spam Vendors (April 6, 10, 11 & 14, 2008)

There are reports that a new botnet is able to break Hotmail's CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) technology within seconds. In addition, researchers in the UK have published a paper describing a Hotmail CAPTCHA-breaking method that has a 60 percent success rate, as compared to the 10-15 percent success rate attained by the bot. CAPTCHA technology is used to prevent automated creation of email accounts; it requires users to decipher and retype a distorted set of characters to identify the entity requesting the account as a real person instead of an automated program. Spammers are creating accounts with webmail services like Hotmail, Gmail and Yahoo Mail because using reputable domain names makes it "hard to use reputation tools" to filter out spam. However, anti-spam vendors have been throttling email from Gmail and Yahoo! to ensure that the messages that are sent are legitimate.
-http://arstechnica.com/news.ars/post/20080406-gmail-being-throttled-blocked-by-s
ome-anti-spam-vendors.html
-http://www.theregister.co.uk/2008/04/10/web_mail_throttled/print.html
-http://www.theregister.co.uk/2008/04/14/msn_captcha_breaking/print.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Oracle Quarterly Patch Update to Address 41 Flaws (April 14, 2008)

Oracle has announced that its next quarterly Critical Patch Update (CPU), scheduled for Tuesday, April 15, will address 41 vulnerabilities in many of the company's products. Seventeen of the flaws affect Oracle Database, three affect Oracle Application Server, 11 affect Oracle E-Business Suite, one affects Oracle Enterprise Manager, three affect Oracle PeopleSoft Enterprise products and six affect Oracle Siebel SimBuilder products. Fifteen of the flaws can be exploited remotely without authentication.
-http://www.heise-online.co.uk/security/Oracle-announces-patches-for-41-holes--/n
ews/110525
-http://www.eweek.com/c/a/Security/Oracle-Warns-of-Critical-DB-Server-Vulnerabili
ties/
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=207200472

Fribet Trojan Detected on Pro-Tibet Websites (April 10 & 14, 2008)

A Trojan horse program dubbed Fribet has been detected on two websites devoted to supporting Tibet. The "malware can attack local or remote databases linked to the user's computer" as long as they are able to log on to those databases. Fribet creates a backdoor on compromised systems and "loads a SQL Native Client ODBC library that's designed to execute arbitrary SQL statements received from a command and control server." Attackers are believed to have exploited a known vulnerability to spread the malware. According to research from F-Secure, a spate of patches for Microsoft Office issued in 2006 and 2007 is likely related to attacks on pro-Tibetan websites through the then-unpatched vulnerabilities. The more recent attacks have been exploiting known vulnerabilities.
-http://www.scmagazine.com/uk/news/article/801701/mcafee-discovers-malware-target
s-tibet-supporters/
-http://www.theregister.co.uk/2008/04/14/database_trojan/print.html
-http://www.wired.com/politics/security/news/2008/04/chinese_hackers?currentPage=
all

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

High School Students Allegedly Accessed Employee Data (April 12, 2008)

For the third time in the last month, high school students in the Buffalo, New York area are believed to have gained unauthorized access to school computer systems. The most recent incident involves several current and former Williamsville North High School students who allegedly copied files that contain school employees' personal information, including SSNs. The other incidents occurred in the Grand Island and Seneca districts.
-http://www.buffalonews.com/home/story/321395.html

STATISTICS, STUDIES & SURVEYS

Largest Botnets Control More than One Million Machines (April 9, 2008)

Research presented at the RSA conference estimates that the largest eleven botnets cumulatively control more than one million machines and are capable of sending out 100 billion spam emails each day. The largest botnet is believed to be one known as Srizbi, controlling an estimated 315,000 machines; Bobax claims an estimated 185,000 machines, and Storm comprises about 85,000 compromised machines. The research also aims to clarify which botnets are which, as some recent reports have said that Kraken is the largest botnet, comprising more than 400,000 machines, but Kraken is believed to be another name for Bobax.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9076278&source=NLT_PM&nlid=8

UPCOMING SANS WEBCAST SCHEDULE

Tool Talk Webcast: A Blueprint for Successful NAC Deployments
WHEN: Wednesday, April 16, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: John Curry
-http://www.sans.org/info/24618

Sponsored By: StillSecure
-http://www.stillsecure.com/
v This webinar will discuss the challenges associated with NAC deployments and provide organizations with a blueprint on how to cost-effectively take advantage of this critical technology. Learn first hand how your organization can benefit from this ground-breaking technology.

***
SANS Special Webcast: Log Management Part II: Real-Time Event Management
WHEN: Thursday, April 17, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Sunil Bhargava
-http://www.sans.org/info/25523

Sponsored By: Intellitactics, Inc.
-http://www.intellitactics.com/int/

This Webcast discusses how logs and event correlation should be managed for compliance purposes and how auditors, working closely with security and operations teams, can help develop processes that leverage logging and event data to measure the effectiveness of their controls.

***
SANS Special Webcast: Monthly Series: "Security Insights with Dr. Eric Cole" This month's topic: DLP
WHEN: Tuesday, April 22, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Dr. Eric Cole
-http://www.sans.org/info/25528

Sponsored By: Code Green Networks
-http://www.codegreennetworks.com/

Cyber security is all about reducing risk to critical assets. Protecting and controlling data flow is a critical part of an organizations security arsenal. Therefore data loss prevention would seem like a perfect solution for reducing risk. However, just because a product is called a data loss prevention solution, does not necessarily mean that it properly reduces risk. Before purchasing or deploying a solution it is critical to understand the key risks you are trying to reduce and make sure the solution is the most cost effective way to reduce risk. This talk will provide insight into what product features are most valuable and which solutions should be avoided. To accomplish this it will provide a detail understanding of the landscape and the best way to protect data at an organization. Register now for this free webcast!

***
Analyst Webcast: Security and Performance on Converged Networks
WHEN: Thursday April 24, 2008 at 1:00 PM EDT (1700 UTC/GMT)
FEATURED SPEAKERS: Dave Shackleford and Karl Schaub
-http://www.sans.org/info/25538

Sponsored By: NIKSUN
-http://www.niksun.com/

Events from security and monitoring devices fire off an unmanageable number of alarms with no way of telling how they're related, or how they impact performance. As networks converge their video, voice and data traffic over IP networks, these alarms will only increase, while providing less visibility into what set them off. This Webcast discusses what will be needed of security monitoring tools as these data, voice, video convergence becomes ubiquitous.

*******************************************************************

Be sure to check out the following FREE SANS archived webcasts:

Tool Talk Webcast: The ABC's of Dealing with Unique Network Security Risks in a World of Open Campus Networks
WHEN: Wednesday, March 5, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURING: Brian Mehlman
-http://www.sans.org/info/22979
Sponsored By: Q1 Labs

SANS Special Webcast: A Response to the "Cold Boot Attack" Announcement
WHEN: Thursday, March 6, 2008 at 3:00 PM EST (1900 UTC/GMT)
FEATURING: John Strand v
-https://www.sans.org/webcasts/show.php?webcastid=91884


********************************************************************

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/